AWS Config Organization Managed Rule

aws_config_organization_managed_rule (Terraform)

The Organization Managed Rule in AWS Config can be configured in Terraform with the resource name aws_config_organization_managed_rule. The following sections describe 5 examples of how to use the resource and its parameters.

Example Usage from GitHub

shintaro-uchiyama/base-app

resource "aws_config_organization_managed_rule" "iam_policy_organization_config_rule" {
  input_parameters  = <<EOF
    {
      "RequireUppercaseCharacters": "true",
      "RequireLowercaseCharacters": "true",
      "RequireSymbols": "true",

javahometech/aws-configrule

resource "aws_config_organization_managed_rule" "required_tags" {

  name            = "RequiredTags"
  rule_identifier = "REQUIRED_TAGS"

  input_parameters = <<POLICY

darogina/terragrunt-aws-modules

resource "aws_config_organization_managed_rule" "iam_mfa" {
  name            = "IAMAccountMFAEnabled"
  rule_identifier = "MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS"

  depends_on = [
    module.aws-config

snapdocs/terraform-aws-config

resource "aws_config_organization_managed_rule" "cloudtrail-enabled" {
  count           = var.organization_config_master == true ? 1 : 0
  name            = "cloudtrail-enabled"
  rule_identifier = "CLOUD_TRAIL_ENABLED"
}

indukuri27/aws-configrule

resource "aws_config_organization_managed_rule" "required_tags" {

  name            = "RequiredTags"
  rule_identifier = "REQUIRED_TAGS"

  input_parameters = <<POLICY

Parameters

• arn optional computed - string
• description optional - string
• excluded_accounts optional - set of string
• id optional computed - string
• input_parameters optional - string
• maximum_execution_frequency optional - string
• name required - string
• resource_id_scope optional - string
• resource_types_scope optional - set of string
• rule_identifier required - string
• tag_key_scope optional - string
• tag_value_scope optional - string
• timeouts single block
  • create optional - string
  • delete optional - string
  • update optional - string

Explanation in Terraform Registry

Manages a Config Organization Managed Rule. More information about these rules can be found in the Enabling AWS Config Rules Across all Accounts in Your Organization and AWS Config Managed Rules documentation. For working with Organization Custom Rules (those invoking a custom Lambda Function), see the aws_config_organization_custom_rule resource.

NOTE: This resource must be created in the Organization master account and rules will include the master account unless its ID is added to the excluded_accounts argument. NOTE: Every Organization account except those configured in the excluded_accounts argument must have a Configuration Recorder with proper IAM permissions before the rule will successfully create or update. See also the aws_config_configuration_recorder resource.

Tips: Best Practices for The Other AWS Config Resources

In addition to the aws_config_configuration_aggregator, AWS Config has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

aws_config_configuration_aggregator

Ensure to enable AWS Config in all Regions

It's better to enable AWS Config in all Regions. AWS Config can aggregate configurations from all regions. It will reduce the risk that unmonitored configurations might cause.