AWS Config Organization Custom Rule

This page shows how to write Terraform and CloudFormation for AWS Config Organization Custom Rule and write them securely.

aws_config_organization_custom_rule (Terraform)

The Organization Custom Rule in AWS Config can be configured in Terraform with the resource name aws_config_organization_custom_rule. The following sections describe 4 examples of how to use the resource and its parameters.

Example Usage from GitHub

config_organization_custom_rule_test.tf#L12
resource "aws_config_organization_custom_rule" "my_config_organization_custom_rule" {
  lambda_function_arn = "fake"
  name                = "example"
  trigger_types       = ["ConfigurationItemChangeNotification"]
}

main.tf#L7
resource "aws_config_organization_custom_rule" "this" {
  description                 = var.description
  excluded_accounts           = var.excluded_accounts
  input_parameters            = var.input_parameters
  lambda_function_arn         = var.lambda_function_arn
  maximum_execution_frequency = var.maximum_execution_frequency
  # Required arguments, added here to complete the excerpt
  name                        = var.name
  trigger_types               = var.trigger_types
}

rules.tf#L14
resource "aws_config_organization_custom_rule" "this" {
  for_each = { for rule in var.custom_rules : rule.name => rule }

  lambda_function_arn = module.lambda[each.value.name].function_arn
  name                = each.value.name
  trigger_types       = each.value.trigger_types
}

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

Explanation in Terraform Registry

Manages a Config Organization Custom Rule. More information about these rules can be found in the Enabling AWS Config Rules Across all Accounts in Your Organization and AWS Config Managed Rules documentation. For working with Organization Managed Rules (those invoking an AWS managed rule), see the aws_config_organization_managed_rule resource.

NOTE: This resource must be created in the Organization master account, and the rule will evaluate the master account as well unless its ID is added to the excluded_accounts argument.

NOTE: The Lambda permission that allows the AWS Config service to invoke the Lambda function must be in place before the rule will successfully create or update. See also the aws_lambda_permission resource.
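The following is an added example that is not code from the page or from the Terraform provider documentation. It wires the two notes above together: the aws_lambda_permission for config.amazonaws.com is created first, trusted access for the multi-account Config setup is enabled on the organization, and the rule is scoped to one resource type with a periodic trigger. It assumes aws_lambda_function.config_evaluator is defined elsewhere in the configuration, that the organization is managed by this configuration (otherwise import it or drop that resource), and that the input_parameters keys are ones the hypothetical evaluator function reads.

```hcl
# Added example; assumes aws_lambda_function.config_evaluator exists elsewhere
# and that this configuration is applied in the Organization master account.

data "aws_caller_identity" "current" {}

# AWS Config must be allowed to invoke the function before the rule is created.
resource "aws_lambda_permission" "allow_config" {
  statement_id  = "AllowExecutionFromAWSConfig"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.config_evaluator.function_name
  principal     = "config.amazonaws.com"
}

# Trusted access for the multi-account AWS Config setup service.
resource "aws_organizations_organization" "org" {
  aws_service_access_principals = ["config-multiaccountsetup.amazonaws.com"]
  feature_set                   = "ALL"
}

resource "aws_config_organization_custom_rule" "s3_bucket_owner_tag" {
  depends_on = [aws_lambda_permission.allow_config, aws_organizations_organization.org]

  name                = "s3-bucket-owner-tag-check"
  description         = "Checks that every S3 bucket carries an Owner tag"
  lambda_function_arn = aws_lambda_function.config_evaluator.arn

  # Evaluate on resource changes and on a schedule, so configuration that
  # drifts without producing a change notification is still re-checked.
  trigger_types = [
    "ConfigurationItemChangeNotification",
    "ScheduledNotification",
  ]
  maximum_execution_frequency = "TwentyFour_Hours"

  # Limit evaluations to the resource type the function knows how to judge.
  resource_types_scope = ["AWS::S3::Bucket"]

  # Passed to the Lambda function as a JSON string (hypothetical key name).
  input_parameters = jsonencode({
    requiredTagKey = "Owner"
  })

  # Optional: the master account is evaluated too unless it is listed here.
  # Shown only to illustrate the argument; omit it to keep the master account covered.
  excluded_accounts = [data.aws_caller_identity.current.account_id]
}
```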

Tips: Best Practices for The Other AWS Config Resources

In addition to the resource above, AWS Config has other resources that should be configured for security reasons. Please check the following examples of those resources and their precautions.

aws_config_configuration_aggregator

Ensure to enable AWS Config in all Regions

It is better to enable AWS Config in all Regions. AWS Config can aggregate configurations from all Regions, which reduces the risk posed by configurations that are otherwise unmonitored.

Review your AWS Config settings

In addition to the above, there are other security points you should be aware of. Shisho Cloud can check that your .tf files follow them.

AWS::Config::OrganizationConfigRule OrganizationCustomRuleMetadata (CloudFormation)

The OrganizationConfigRule OrganizationCustomRuleMetadata in Config can be configured in CloudFormation with the resource name AWS::Config::OrganizationConfigRule OrganizationCustomRuleMetadata. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

An example could not be found in GitHub.

Parameters

Description The description that you provide for organization config rule.
Required: No
Type: String
Minimum: 0
Maximum: 256
Update requires: No interruption

InputParameters A string, in JSON format, that is passed to organization config rule Lambda function.
Required: No
Type: String
Minimum: 1
Maximum: 2048
Update requires: No interruption

LambdaFunctionArn The lambda function ARN.
Required: Yes
Type: String
Minimum: 1
Maximum: 256
Update requires: No interruption

MaximumExecutionFrequency The maximum frequency with which AWS Config runs evaluations for a rule. Your custom rule is triggered when AWS Config delivers the configuration snapshot. For more information, see ConfigSnapshotDeliveryProperties. By default, rules with a periodic trigger are evaluated every 24 hours. To change the frequency, specify a valid value for the MaximumExecutionFrequency parameter.
Required: No
Type: String
Allowed values: One_Hour | Six_Hours | Three_Hours | Twelve_Hours | TwentyFour_Hours
Update requires: No interruption

OrganizationConfigRuleTriggerTypes The type of notification that triggers AWS Config to run an evaluation for a rule. You can specify the following notification types:

  • ConfigurationItemChangeNotification - Triggers an evaluation when AWS Config delivers a configuration item as a result of a resource change.
  • OversizedConfigurationItemChangeNotification - Triggers an evaluation when AWS Config delivers an oversized configuration item. AWS Config may generate this notification type when a resource changes and the notification exceeds the maximum size allowed by Amazon SNS.
  • ScheduledNotification - Triggers a periodic evaluation at the frequency specified for MaximumExecutionFrequency.
Required: Yes
Type: List of String
Update requires: No interruption

ResourceIdScope The ID of the AWS resource that was evaluated.
Required: No
Type: String
Minimum: 1
Maximum: 768
Update requires: No interruption

ResourceTypesScope The type of the AWS resource that was evaluated.
Required: No
Type: List of String
Maximum: 100
Update requires: No interruption

TagKeyScope One part of a key-value pair that make up a tag. A key is a general label that acts like a category for more specific tag values.
Required: No
Type: String
Minimum: 1
Maximum: 128
Update requires: No interruption

TagValueScope The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag category (key).
Required: No
Type: String
Minimum: 1
Maximum: 256
Update requires: No interruption

Explanation in CloudFormation Registry

An object that specifies organization custom rule metadata such as resource type, resource ID of AWS resource, Lambda function ARN, and organization trigger types that trigger AWS Config to evaluate your AWS resources against a rule. It also provides the frequency with which you want AWS Config to run evaluations for the rule if the trigger type is periodic.

Frequently asked questions

What is AWS Config Organization Custom Rule?

AWS Config Organization Custom Rule is a resource for Config of Amazon Web Services. Settings can be written in Terraform and CloudFormation.

Where can I find the example code for the AWS Config Organization Custom Rule?

For Terraform, the gilyas/infracost, infracost/infracost and niveklabs/aws source code examples are useful. See the Terraform Example section for further details.