AWS Config Config Rule

This page shows how to write Terraform and CloudFormation for AWS Config Config Rule and write them securely.



Terraform Example (aws_config_config_rule)

Provides an AWS Config Rule.

Note: a Config Rule requires an existing Configuration Recorder. Because the rule resource does not reference the recorder by attribute, Terraform will not order them on its own; an explicit depends_on on the recorder resource is recommended to avoid a race condition in which the rule is created before the recorder exists.


Example Usage (from GitHub)

resource "aws_config_config_rule" "volume_inuse" {
  count = var.set_guardrails_detection || var.check_ec2_volume_inuse ? 1 : 0  # create only when the check is enabled

  name        = "Compasso-Baseline-EC2VolumeInUseCheck"
  description = "A Config rule that checks whether EBS volumes are attached to EC2 instances. Optionally checks if EBS volumes are marked for deletion when an instance is terminated."
  source {                                # added here to complete the truncated snippet
    owner             = "AWS"
    source_identifier = "EC2_VOLUME_INUSE_CHECK"  # AWS managed rule identifier for this check
  }
}

resource "aws_config_config_rule" "cloud_trail_enabled" {
  name = "cloud_trail_enabled"

  source {
    owner             = "AWS"
    source_identifier = "CLOUD_TRAIL_ENABLED"  # AWS managed rule identifier
  }
}
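The snippets above stop at the rule itself, so they do not show the recorder the note refers to. The following is an added example (not code from the page or from the referenced repositories) that creates the service role, recorder and delivery channel and then a managed rule with the explicit dependency. The resource names, the bucket prefix and the choice of the AWS_ConfigRole managed policy are assumptions.

```terraform
# Added example: recorder, delivery channel and a managed rule with an explicit
# dependency. Resource names and the bucket prefix are assumptions.

# Service role assumed by AWS Config to read resource configuration.
resource "aws_iam_role" "config" {
  name = "example-config-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "config.amazonaws.com" }
    }]
  })
}

resource "aws_iam_role_policy_attachment" "config" {
  role       = aws_iam_role.config.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWS_ConfigRole"
}

# Bucket that receives configuration snapshots and history.
resource "aws_s3_bucket" "config" {
  bucket_prefix = "example-config-"
}

# The managed policy grants no S3 access; delivery channel creation fails
# unless the role can write to the bucket. Grant only what delivery needs.
resource "aws_iam_role_policy" "config_delivery" {
  role = aws_iam_role.config.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      { Effect = "Allow", Action = "s3:GetBucketAcl", Resource = aws_s3_bucket.config.arn },
      { Effect = "Allow", Action = "s3:PutObject", Resource = "${aws_s3_bucket.config.arn}/*" }
    ]
  })
}

resource "aws_config_configuration_recorder" "main" {
  name     = "default"
  role_arn = aws_iam_role.config.arn
  recording_group {
    all_supported                 = true
    include_global_resource_types = true
  }
}

resource "aws_config_delivery_channel" "main" {
  name           = "default"
  s3_bucket_name = aws_s3_bucket.config.bucket
  depends_on     = [aws_config_configuration_recorder.main]
}

resource "aws_config_configuration_recorder_status" "main" {
  name       = aws_config_configuration_recorder.main.name
  is_enabled = true
  depends_on = [aws_config_delivery_channel.main]
}

resource "aws_config_config_rule" "cloud_trail_enabled" {
  name = "cloud_trail_enabled"
  source {
    owner             = "AWS"
    source_identifier = "CLOUD_TRAIL_ENABLED"
  }
  # Nothing in this resource references the recorder, so without depends_on
  # Terraform may call PutConfigRule before the recorder exists and fail.
  depends_on = [aws_config_configuration_recorder.main]
}
```

The same pattern applies to every rule in the configuration: each aws_config_config_rule gets a depends_on on the recorder, and the delivery channel and recorder status carry their own dependencies so that apply and destroy run in the order the service requires.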

CloudFormation Example (AWS::Config::ConfigRule)

Specifies an AWS Config rule for evaluating whether your AWS resources comply with your desired configurations.

You can use this action for custom AWS Config rules and AWS managed Config rules. A custom AWS Config rule is a rule that you develop and maintain. An AWS managed Config rule is a customizable, predefined rule that AWS Config provides.

If you are adding a new custom AWS Config rule, you must first create the AWS Lambda function that the rule invokes to evaluate your resources. When you use the PutConfigRule action to add the rule to AWS Config, you must specify the Amazon Resource Name (ARN) that AWS Lambda assigns to the function. Specify the ARN for the SourceIdentifier key. This key is part of the Source object, which is part of the ConfigRule object. If you are adding an AWS managed Config rule, specify the rule's identifier for the SourceIdentifier key. To reference AWS managed Config rule identifiers, see About AWS Managed Config Rules.

For any new rule that you add, specify the ConfigRuleName in the ConfigRule object. Do not specify the ConfigRuleArn or the ConfigRuleId. These values are generated by AWS Config for new rules.

If you are updating a rule that you added previously, you can specify the rule by ConfigRuleName, ConfigRuleId, or ConfigRuleArn in the ConfigRule data type that you use in this request.
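The paragraphs above describe the custom-rule case: the Lambda function must exist before the rule, its ARN goes in SourceIdentifier, and only ConfigRuleName is specified for a new rule. The same requirements hold when the rule is written in Terraform. The following is an added example (not code from the page) that wires a custom rule to a Lambda evaluator. It assumes a configuration recorder already exists in the account and region, that evaluator.zip is a deployment package you provide with a handler at index.handler, and that the role and function names are placeholders.

```terraform
# Added example: a custom AWS Config rule backed by a Lambda evaluator.
# Assumes a configuration recorder already exists and that evaluator.zip
# (placeholder) contains a handler at index.handler.

data "aws_caller_identity" "current" {}

resource "aws_iam_role" "evaluator" {
  name = "example-config-evaluator-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "lambda.amazonaws.com" }
    }]
  })
}

resource "aws_iam_role_policy_attachment" "evaluator_logs" {
  role       = aws_iam_role.evaluator.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}

# The evaluator reports results with config:PutEvaluations; nothing more is
# granted, so a compromised function cannot alter rules or the recorder.
resource "aws_iam_role_policy" "evaluator_config" {
  role = aws_iam_role.evaluator.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = "config:PutEvaluations"
      Resource = "*"
    }]
  })
}

resource "aws_lambda_function" "evaluator" {
  function_name = "example-config-evaluator"
  role          = aws_iam_role.evaluator.arn
  handler       = "index.handler"
  runtime       = "python3.12"
  filename      = "evaluator.zip" # placeholder deployment package
}

# AWS Config must be allowed to invoke the function; PutConfigRule rejects the
# rule otherwise. source_account keeps other accounts' Config from invoking it.
resource "aws_lambda_permission" "config" {
  statement_id   = "AllowConfigInvoke"
  action         = "lambda:InvokeFunction"
  function_name  = aws_lambda_function.evaluator.function_name
  principal      = "config.amazonaws.com"
  source_account = data.aws_caller_identity.current.account_id
}

# Custom rule: owner is CUSTOM_LAMBDA and source_identifier is the function ARN
# (for a managed rule it would be "AWS" and the managed rule identifier).
resource "aws_config_config_rule" "custom_instance_check" {
  name        = "custom-ec2-instance-check"
  description = "Custom rule evaluated by a Lambda function on each EC2 instance change."

  source {
    owner             = "CUSTOM_LAMBDA"
    source_identifier = aws_lambda_function.evaluator.arn

    source_detail {
      event_source = "aws.config"
      message_type = "ConfigurationItemChangeNotification"
    }
  }

  scope {
    compliance_resource_types = ["AWS::EC2::Instance"]
  }

  # The invoke permission must exist before the rule is created; if the recorder
  # is managed in the same configuration, add it to this list as well.
  depends_on = [aws_lambda_permission.config]
}
```

Only the rule name is set on the rule; the ARN and ID are generated by the service and exposed as attributes of the resource after apply, which matches the guidance above not to specify ConfigRuleArn or ConfigRuleId for a new rule.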

The maximum number of rules that AWS Config supports is 150.

For information about requesting a rule limit increase, see AWS Config Limits in the AWS General Reference Guide.

For more information about developing and using AWS Config rules, see Evaluating AWS Resource Configurations with AWS Config in the AWS Config Developer Guide.


Frequently asked questions

What is AWS Config Config Rule?

AWS Config Config Rule is a resource for AWS Config in Amazon Web Services. Its settings can be written in Terraform and CloudFormation.

Where can I find the example code for the AWS Config Config Rule?

For Terraform, the jslopes8/aws_account_setup and affinitywaterltd/terraform-aws-config source code examples are useful. See the Terraform Example section for further details.