AWS Config Organization Managed Rule

This page shows how to write Terraform and CloudFormation for AWS Config Organization Managed Rule and write them securely.

aws_config_organization_managed_rule (Terraform)

The Organization Managed Rule in AWS Config can be configured in Terraform with the resource name aws_config_organization_managed_rule. The following sections describe 5 examples of how to use the resource and its parameters.

Example Usage from GitHub

github-iconshintaro-uchiyama/base-app
resource "aws_config_organization_managed_rule" "iam_policy_organization_config_rule" {
  input_parameters  = <<EOF
    {
      "RequireUppercaseCharacters": "true",
      "RequireLowercaseCharacters": "true",
      "RequireSymbols": "true",
github-iconjavahometech/aws-configrule
resource "aws_config_organization_managed_rule" "required_tags" {

  name            = "RequiredTags"
  rule_identifier = "REQUIRED_TAGS"

  input_parameters = <<POLICY
github-icondarogina/terragrunt-aws-modules
resource "aws_config_organization_managed_rule" "iam_mfa" {
  name            = "IAMAccountMFAEnabled"
  rule_identifier = "MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS"

  depends_on = [
    module.aws-config
github-iconsnapdocs/terraform-aws-config
resource "aws_config_organization_managed_rule" "cloudtrail-enabled" {
  count           = var.organization_config_master == true ? 1 : 0
  name            = "cloudtrail-enabled"
  rule_identifier = "CLOUD_TRAIL_ENABLED"
}

github-iconindukuri27/aws-configrule
resource "aws_config_organization_managed_rule" "required_tags" {

  name            = "RequiredTags"
  rule_identifier = "REQUIRED_TAGS"

  input_parameters = <<POLICY

Parameters

Explanation in Terraform Registry

Manages a Config Organization Managed Rule. More information about these rules can be found in the Enabling AWS Config Rules Across all Accounts in Your Organization and AWS Config Managed Rules documentation. For working with Organization Custom Rules (those invoking a custom Lambda Function), see the aws_config_organization_custom_rule resource.

NOTE: This resource must be created in the Organization master account and rules will include the master account unless its ID is added to the excluded_accounts argument. NOTE: Every Organization account except those configured in the excluded_accounts argument must have a Configuration Recorder with proper IAM permissions before the rule will successfully create or update. See also the aws_config_configuration_recorder resource.

AWS::Config::OrganizationConfigRule OrganizationManagedRuleMetadata (CloudFormation)

The OrganizationConfigRule OrganizationManagedRuleMetadata in Config can be configured in CloudFormation with the resource name AWS::Config::OrganizationConfigRule OrganizationManagedRuleMetadata. The following sections describe how to use the resource and its parameters.

Parameters

Description The description that you provide for organization config rule.
Required: No
Type: String
Minimum: 0
Maximum: 256
Update requires: No interruption

InputParameters A string, in JSON format, that is passed to organization config rule Lambda function.
Required: No
Type: String
Minimum: 1
Maximum: 2048
Update requires: No interruption

MaximumExecutionFrequency The maximum frequency with which AWS Config runs evaluations for a rule. You are using an AWS Config managed rule that is triggered at a periodic frequency.
By default, rules with a periodic trigger are evaluated every 24 hours. To change the frequency, specify a valid value for the MaximumExecutionFrequency parameter. Required: No
Type: String
Allowed values: One_Hour | Six_Hours | Three_Hours | Twelve_Hours | TwentyFour_Hours
Update requires: No interruption

ResourceIdScope The ID of the AWS resource that was evaluated.
Required: No
Type: String
Minimum: 1
Maximum: 768
Update requires: No interruption

ResourceTypesScope The type of the AWS resource that was evaluated.
Required: No
Type: List of String
Maximum: 100
Update requires: No interruption

RuleIdentifier For organization config managed rules, a predefined identifier from a list. For example, IAM_PASSWORD_POLICY is a managed rule. To reference a managed rule, see Using AWS Config managed rules.
Required: Yes
Type: String
Minimum: 1
Maximum: 256
Update requires: No interruption

TagKeyScope One part of a key-value pair that make up a tag. A key is a general label that acts like a category for more specific tag values.
Required: No
Type: String
Minimum: 1
Maximum: 128
Update requires: No interruption

TagValueScope The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag category (key).
Required: No
Type: String
Minimum: 1
Maximum: 256
Update requires: No interruption

Explanation in CloudFormation Registry

An object that specifies organization managed rule metadata such as resource type and ID of AWS resource along with the rule identifier. It also provides the frequency with which you want AWS Config to run evaluations for the rule if the trigger type is periodic.

Frequently asked questions

What is AWS Config Organization Managed Rule?

AWS Config Organization Managed Rule is a resource for Config of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.

Where can I find the example code for the AWS Config Organization Managed Rule?

For Terraform, the shintaro-uchiyama/base-app, javahometech/aws-configrule and darogina/terragrunt-aws-modules source code examples are useful. See the Terraform Example section for further details.