AWS Config Config Rule

This page shows how to write Terraform and CloudFormation for an AWS Config Config Rule, and how to write them securely.

aws_config_config_rule (Terraform)

The Config Rule in AWS Config can be configured in Terraform with the resource name aws_config_config_rule. The following sections describe 2 examples of how to use the resource and its parameters.

Example Usage from GitHub

guardrails-detective.tf#L9
resource "aws_config_config_rule" "volume_inuse" {
  count = var.set_guardrails_detection || var.check_ec2_volume_inuse ? 1 : 0

  name        = "Compasso-Baseline-EC2VolumeInUseCheck"
  description = "A Config rule that checks whether EBS volumes are attached to EC2 instances. Optionally checks if EBS volumes are marked for deletion when an instance is terminated."

config_rules.tf#L102
resource "aws_config_config_rule" "cloud_trail_enabled" {
  name = "cloud_trail_enabled"

  source {
    owner             = "AWS"
    source_identifier = "CLOUD_TRAIL_ENABLED"

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

Explanation in Terraform Registry

Provides an AWS Config Rule.

Note: Config Rule requires an existing Configuration Recorder to be present. Use of depends_on is recommended (as shown below) to avoid race conditions.
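The race the note warns about is easiest to avoid when the recorder, the delivery channel and the rule live in one configuration. The following complete root module is an added example, not code from the Terraform Registry or from either GitHub project above; the region, the bucket name and the role name are assumed placeholders, and the rule is the same managed CLOUD_TRAIL_ENABLED check used in the second excerpt.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1" # assumed region
}

data "aws_caller_identity" "current" {}

# Bucket that receives configuration history and snapshots (constructed name;
# bucket names are global, so adjust it for your account).
resource "aws_s3_bucket" "config" {
  bucket = "config-history-${data.aws_caller_identity.current.account_id}"
}

# The delivery channel cannot be created unless Config may write to the bucket.
data "aws_iam_policy_document" "config_bucket" {
  statement {
    sid       = "AWSConfigBucketPermissionsCheck"
    actions   = ["s3:GetBucketAcl", "s3:ListBucket"]
    resources = [aws_s3_bucket.config.arn]
    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }
  }
  statement {
    sid       = "AWSConfigBucketDelivery"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.config.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/Config/*"]
    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
  }
}

resource "aws_s3_bucket_policy" "config" {
  bucket = aws_s3_bucket.config.id
  policy = data.aws_iam_policy_document.config_bucket.json
}

# Service role the recorder assumes; AWS_ConfigRole is the AWS managed policy for it.
resource "aws_iam_role" "config" {
  name = "aws-config-recorder" # assumed name
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "config.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy_attachment" "config" {
  role       = aws_iam_role.config.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWS_ConfigRole"
}

resource "aws_config_configuration_recorder" "main" {
  name     = "default"
  role_arn = aws_iam_role.config.arn
  recording_group {
    all_supported                 = true
    include_global_resource_types = true
  }
}

resource "aws_config_delivery_channel" "main" {
  name           = "default"
  s3_bucket_name = aws_s3_bucket.config.bucket
  depends_on     = [aws_config_configuration_recorder.main]
}

# Recording starts only once the channel exists; a rule has nothing to evaluate before that.
resource "aws_config_configuration_recorder_status" "main" {
  name       = aws_config_configuration_recorder.main.name
  is_enabled = true
  depends_on = [aws_config_delivery_channel.main]
}

resource "aws_config_config_rule" "cloud_trail_enabled" {
  name = "cloud_trail_enabled"
  source {
    owner             = "AWS"
    source_identifier = "CLOUD_TRAIL_ENABLED"
  }
  # Without this edge, apply can create the rule before the recorder and fail.
  depends_on = [aws_config_configuration_recorder.main]
}
```

The explicit depends_on is needed because the rule does not reference any attribute of the recorder, so Terraform would otherwise treat the two resources as independent and may create them in parallel.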

Tips: Best Practices for The Other AWS Config Resources

In addition to aws_config_config_rule, AWS Config has other resources that should be configured for security reasons. The following lists some of those resources and the precautions to take with them.

aws_config_configuration_aggregator

Ensure to enable AWS Config in all Regions

Enable AWS Config in all Regions. A configuration aggregator can collect configuration and compliance data from every Region, which reduces the risk posed by resources that would otherwise go unmonitored.
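The aggregator setting that achieves this, written here as an added example (not the project code of either GitHub repository above); it is a separate root module from any other example on this page, the role name is an assumed placeholder, and the organization variant is only applicable when the account is the Organizations management or a delegated administrator account:

```hcl
variable "aggregate_organization" {
  description = "Aggregate the whole AWS Organization instead of only this account"
  type        = bool
  default     = false
}

data "aws_caller_identity" "current" {}

# Role the aggregator assumes to read from member accounts (organization source only).
resource "aws_iam_role" "aggregator" {
  count = var.aggregate_organization ? 1 : 0
  name  = "aws-config-aggregator" # assumed name
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "config.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy_attachment" "aggregator" {
  count      = var.aggregate_organization ? 1 : 0
  role       = aws_iam_role.aggregator[0].name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSConfigRoleForOrganizations"
}

# Single-account aggregator: all_regions = true covers every Region, including
# any enabled later, so no Region is left out of the compliance view.
resource "aws_config_configuration_aggregator" "account" {
  count = var.aggregate_organization ? 0 : 1
  name  = "all-regions"
  account_aggregation_source {
    account_ids = [data.aws_caller_identity.current.account_id]
    all_regions = true
  }
}

# Organization-wide aggregator: same all_regions setting, plus the read role above.
resource "aws_config_configuration_aggregator" "organization" {
  count = var.aggregate_organization ? 1 : 0
  name  = "all-regions"
  organization_aggregation_source {
    all_regions = true
    role_arn    = aws_iam_role.aggregator[0].arn
  }
  depends_on = [aws_iam_role_policy_attachment.aggregator]
}
```

Listing Regions explicitly with `regions = [...]` instead of `all_regions = true` is the setting to avoid: a Region enabled after the list was written is silently not aggregated.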

Review your AWS Config settings

In addition to the above, there are other security points to be aware of; Shisho Cloud can check that your .tf files follow them.

AWS::Config::ConfigRule (CloudFormation)

The ConfigRule in AWS Config can be configured in CloudFormation with the resource name AWS::Config::ConfigRule. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

cf-config-rules-all.yml#L5
        Type: "AWS::Config::ConfigRule"
        Properties:
            ConfigRuleName: "cloud-trail-enabled"
            Description: "Checks whether AWS CloudTrail is enabled in your AWS account. Optionally, you can specify which S3 bucket, SNS topic, and Amazon CloudWatch Logs ARN to use."
            Source:
                Owner: "AWS"
aws-config-rules.yml#L33
    Type: AWS::Config::ConfigRule
    Condition: MainRegion
    Properties:
      ConfigRuleName: 'CloudTrailEnabled'
      Description: 'Verifies that CloudTrail is enabled.'
      Source:
Operational-Best-Practices-for-ABS-CCIGv2-Standard.yaml#L95
    Type: AWS::Config::ConfigRule
  AccountPartOfOrganizations:
    Properties:
      ConfigRuleName: account-part-of-organizations
      Source:
        Owner: AWS
Operational-Best-Practices-for-NYDFS-23-NYCRR-500.yaml#L87
    Type: AWS::Config::ConfigRule
  AcmCertificateExpirationCheck:
    Properties:
      ConfigRuleName: acm-certificate-expiration-check
      InputParameters:
        daysToExpiration:
product-50-config.yaml#L7
    Type: "AWS::Config::ConfigRule"
    Properties:
      Scope:
        ComplianceResourceTypes:
          - "AWS::EC2::Instance"
      Source:
baseline-awsconfig.json#L74
          "Type": "AWS::Config::ConfigRule",
          "DependsOn": [
              "ConfigDeliveryChannel",
              "ConfigConfigurationRecorder"
          ],
          "Properties": {
aws_config.json#L4
    "path": "/PropertyTypes/AWS::Config::ConfigRule.Scope/Properties/ComplianceResourceTypes/Value",
    "value": {
      "ValueType": "AWS::Config::ConfigurationRecorder.ResourceTypes"
    }
  },
  {
AwsDiGavBlueprint.template.json#L2789
        "TemplateBody": "################################################################################\n#\n#   Conformance Pack:\n#     Operational Best Practices for AWS Identity and Access Management\n#\n#   See Parameters section for names and descriptions of required parameters.\n#\n################################################################################\n\nParameters:\n    AccessKeysRotatedParameterMaxAccessKeyAge:\n      Description: Maximum number of days without rotation. Default 90.\n      Type: String\n      Default: 90\n    IAMUserUnusedCredentialsCheckParameterMaxCredentialUsageAge:\n      Description: Maximum number of days a credential cannot be used. The default value\n        is 90 days.\n      Type: String\n      Default: 90\nResources:\n    AccessKeysRotated:\n      Properties:\n        ConfigRuleName: AccessKeysRotated\n        Description: Checks whether the active access keys are rotated within the number\n          of days specified in maxAccessKeyAge. The rule is non-compliant if the access\n          keys have not been rotated for more than maxAccessKeyAge number of days.\n        InputParameters:\n          maxAccessKeyAge:\n            Ref: AccessKeysRotatedParameterMaxAccessKeyAge\n        Source:\n          Owner: AWS\n          SourceIdentifier: ACCESS_KEYS_ROTATED\n      Type: AWS::Config::ConfigRule\n    IAMGroupHasUsersCheck:\n      Properties:\n        ConfigRuleName: IAMGroupHasUsersCheck\n        Description: Checks whether IAM groups have at least one IAM user.\n        Source:\n          Owner: AWS\n          SourceIdentifier: IAM_GROUP_HAS_USERS_CHECK\n      Type: AWS::Config::ConfigRule\n    IAMPasswordPolicy:\n      Properties:\n        ConfigRuleName: IAMPasswordPolicy\n        Description: Checks whether the account password policy for IAM users meets\n          the specified requirements.\n        Source:\n          Owner: AWS\n          SourceIdentifier: IAM_PASSWORD_POLICY\n      Type: AWS::Config::ConfigRule\n    IAMPolicyNoStatementsWithAdminAccess:\n      Properties:\n        ConfigRuleName: IAMPolicyNoStatementsWithAdminAccess\n        Description: 'Checks whether the default version of AWS Identity and Access\n          Management (IAM) policies do not have administrator access. If any statement\n          has \"Effect\": \"Allow\" with \"Action\": \"*\" over \"Resource\": \"*\", the rule is\n          non-compliant.'\n        Source:\n          Owner: AWS\n          SourceIdentifier: IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS\n      Type: AWS::Config::ConfigRule\n    IAMRootAccessKeyCheck:\n      Properties:\n        ConfigRuleName: IAMRootAccessKeyCheck\n        Description: Checks whether the root user access key is available. The rule\n          is compliant if the user access key does not exist.\n        Source:\n          Owner: AWS\n          SourceIdentifier: IAM_ROOT_ACCESS_KEY_CHECK\n      Type: AWS::Config::ConfigRule\n    IAMUserGroupMembershipCheck:\n      Properties:\n        ConfigRuleName: IAMUserGroupMembershipCheck\n        Description: Checks whether IAM users are members of at least one IAM group.\n        Source:\n          Owner: AWS\n          SourceIdentifier: IAM_USER_GROUP_MEMBERSHIP_CHECK\n      Type: AWS::Config::ConfigRule\n    IAMUserMFAEnabled:\n      Properties:\n        ConfigRuleName: IAMUserMFAEnabled\n        Description: Checks whether the AWS Identity and Access Management users have\n          multi-factor authentication (MFA) enabled.\n        Source:\n          Owner: AWS\n          SourceIdentifier: IAM_USER_MFA_ENABLED\n      Type: AWS::Config::ConfigRule\n    IAMUserNoPoliciesCheck:\n      Properties:\n        ConfigRuleName: IAMUserNoPoliciesCheck\n        Description: Checks that none of your IAM users have policies attached. IAM\n          users must inherit permissions from IAM groups or roles.\n        Source:\n          Owner: AWS\n          SourceIdentifier: IAM_USER_NO_POLICIES_CHECK\n      Type: AWS::Config::ConfigRule\n    IAMUserUnusedCredentialsCheck:\n      Properties:\n        ConfigRuleName: IAMUserUnusedCredentialsCheck\n        Description: Checks whether your AWS Identity and Access Management (IAM) users\n          have passwords or active access keys that have not been used within the specified\n          number of days you provided.\n        InputParameters:\n          maxCredentialUsageAge:\n            Ref: IAMUserUnusedCredentialsCheckParameterMaxCredentialUsageAge\n        Source:\n          Owner: AWS\n          SourceIdentifier: IAM_USER_UNUSED_CREDENTIALS_CHECK\n      Type: AWS::Config::ConfigRule\n    MFAEnabledForIAMConsoleAccess:\n      Properties:\n        ConfigRuleName: MFAEnabledForIAMConsoleAccess\n        Description: Checks whether AWS Multi-Factor Authentication (MFA) is enabled\n          for all AWS Identity and Access Management (IAM) users that use a console\n          password. The rule is compliant if MFA is enabled.\n        Source:\n          Owner: AWS\n          SourceIdentifier: MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS\n      Type: AWS::Config::ConfigRule\n    RootAccountHardwareMFAEnabled:\n      Properties:\n        ConfigRuleName: RootAccountHardwareMFAEnabled\n        Description: Checks whether your AWS account is enabled to use multi-factor\n          authentication (MFA) hardware device to sign in with root credentials.\n        Source:\n          Owner: AWS\n          SourceIdentifier: ROOT_ACCOUNT_HARDWARE_MFA_ENABLED\n      Type: AWS::Config::ConfigRule\n    RootAccountMFAEnabled:\n      Properties:\n        ConfigRuleName: RootAccountMFAEnabled\n        Description: Checks whether the root user of your AWS account requires multi-factor\n          authentication for console sign-in.\n        Source:\n          Owner: AWS\n          SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED\n      Type: AWS::Config::ConfigRule"
      },
      "DependsOn": [
        "ConfigEnabledPromiseConfigRecorder0A75B039"
      ],
      "Metadata": {
ConfigStack.template.json#L164
      "Type": "AWS::Config::ConfigRule",
      "Properties": {
        "Source": {
          "Owner": "AWS",
          "SourceIdentifier": "ENCRYPTED_VOLUMES"
        }

Parameters

Explanation in CloudFormation Registry

Specifies an AWS Config rule for evaluating whether your AWS resources comply with your desired configurations.

You can use this action for custom AWS Config rules and AWS managed Config rules. A custom AWS Config rule is a rule that you develop and maintain. An AWS managed Config rule is a customizable, predefined rule that AWS Config provides.

If you are adding a new custom AWS Config rule, you must first create the AWS Lambda function that the rule invokes to evaluate your resources. When you use the PutConfigRule action to add the rule to AWS Config, you must specify the Amazon Resource Name (ARN) that AWS Lambda assigns to the function. Specify the ARN for the SourceIdentifier key. This key is part of the Source object, which is part of the ConfigRule object. If you are adding an AWS managed Config rule, specify the rule's identifier for the SourceIdentifier key. To reference AWS managed Config rule identifiers, see About AWS Managed Config Rules.

For any new rule that you add, specify the ConfigRuleName in the ConfigRule object. Do not specify the ConfigRuleArn or the ConfigRuleId. These values are generated by AWS Config for new rules.

If you are updating a rule that you added previously, you can specify the rule by ConfigRuleName, ConfigRuleId, or ConfigRuleArn in the ConfigRule data type that you use in this request.

The maximum number of rules that AWS Config supports is 150.

For information about requesting a rule limit increase, see AWS Config Limits in the AWS General Reference Guide.

For more information about developing and using AWS Config rules, see Evaluating AWS Resource Configurations with AWS Config in the AWS Config Developer Guide.
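The custom-rule versus managed-rule distinction described above (a Lambda ARN as SourceIdentifier for a custom rule, a managed identifier for an AWS managed rule, and ConfigRuleArn and ConfigRuleId generated rather than supplied) is shown here in Terraform so that it matches the other examples on this page. This is an added example, not code from the CloudFormation Registry or from any of the GitHub projects listed; it assumes a configuration recorder already exists in the account, that a deployment package named evaluator.zip exporting index.handler is built separately, and the role, function and rule names are placeholders.

```hcl
data "aws_caller_identity" "current" {}

# Execution role for the evaluation function. AWSConfigRulesExecutionRole grants
# config:PutEvaluations; AWSLambdaBasicExecutionRole grants CloudWatch Logs access.
resource "aws_iam_role" "evaluator" {
  name = "config-custom-rule-evaluator" # assumed name
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "lambda.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy_attachment" "evaluator" {
  for_each = toset([
    "arn:aws:iam::aws:policy/service-role/AWSConfigRulesExecutionRole",
    "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
  ])
  role       = aws_iam_role.evaluator.name
  policy_arn = each.value
}

# evaluator.zip is assumed to be produced by your build and to contain index.handler.
resource "aws_lambda_function" "evaluator" {
  function_name    = "config-custom-rule-evaluator" # assumed name
  role             = aws_iam_role.evaluator.arn
  handler          = "index.handler"
  runtime          = "python3.12"
  filename         = "evaluator.zip"
  source_code_hash = filebase64sha256("evaluator.zip")
}

# Config cannot invoke the function until this resource policy exists, so the
# custom rule depends on it; source_account keeps other accounts' Config from invoking it.
resource "aws_lambda_permission" "allow_config" {
  statement_id   = "AllowConfigInvoke"
  action         = "lambda:InvokeFunction"
  function_name  = aws_lambda_function.evaluator.function_name
  principal      = "config.amazonaws.com"
  source_account = data.aws_caller_identity.current.account_id
}

# Custom rule: owner CUSTOM_LAMBDA and the function ARN as the source identifier.
resource "aws_config_config_rule" "custom" {
  name = "custom-evaluator-rule" # assumed name
  source {
    owner             = "CUSTOM_LAMBDA"
    source_identifier = aws_lambda_function.evaluator.arn
    source_detail {
      event_source = "aws.config"
      message_type = "ConfigurationItemChangeNotification"
    }
  }
  scope {
    compliance_resource_types = ["AWS::EC2::Instance"]
  }
  depends_on = [aws_lambda_permission.allow_config]
}

# Managed rule: owner AWS and the managed rule identifier as the source identifier.
resource "aws_config_config_rule" "managed" {
  name = "iam-user-mfa-enabled"
  source {
    owner             = "AWS"
    source_identifier = "IAM_USER_MFA_ENABLED"
  }
}

# ConfigRuleArn and ConfigRuleId are generated by AWS Config; Terraform exposes
# them as read-only attributes, and there is no argument to set them.
output "custom_rule_arn" {
  value = aws_config_config_rule.custom.arn
}

output "custom_rule_id" {
  value = aws_config_config_rule.custom.rule_id
}
```

If the recorder is managed in the same configuration, add a depends_on from both rules to the aws_config_configuration_recorder resource, for the same race reason noted in the Terraform section.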

Frequently asked questions

What is AWS Config Config Rule?

AWS Config Config Rule is a resource of AWS Config (Amazon Web Services). Its settings can be written in Terraform and CloudFormation.

Where can I find the example code for the AWS Config Config Rule?

For Terraform, the jslopes8/aws_account_setup and affinitywaterltd/terraform-aws-config source code examples are useful. See the Terraform Example section for further details.

For CloudFormation, the gabe1314/aws_cloudformation, PatrickJD/AWS and mewil/aws-config-rules source code examples are useful. See the CloudFormation Example section for further details.