AWS Config Organization Managed Rule
This page shows how to write Terraform and CloudFormation for an AWS Config Organization Managed Rule, and how to configure it securely.
aws_config_organization_managed_rule (Terraform)
The Organization Managed Rule in AWS Config can be configured in Terraform with the resource name aws_config_organization_managed_rule. The following sections describe 5 examples of how to use the resource and its parameters.
Example Usage from GitHub
```hcl
# Excerpt 1: the source cuts off inside the input_parameters JSON, before the
# name and rule_identifier arguments; the JSON object and block are closed here.
resource "aws_config_organization_managed_rule" "iam_policy_organization_config_rule" {
  input_parameters = <<EOF
{
  "RequireUppercaseCharacters": "true",
  "RequireLowercaseCharacters": "true",
  "RequireSymbols": "true"
}
EOF
}

# Excerpt 2: the JSON body of input_parameters is truncated in the source.
resource "aws_config_organization_managed_rule" "required_tags" {
  name             = "RequiredTags"
  rule_identifier  = "REQUIRED_TAGS"
  input_parameters = <<POLICY
POLICY
}

# Excerpt 3: the rule is created only after the aws-config module (defined
# elsewhere in that repository) has set up the recorder.
resource "aws_config_organization_managed_rule" "iam_mfa" {
  name            = "IAMAccountMFAEnabled"
  rule_identifier = "MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS"
  depends_on = [
    module.aws-config
  ]
}

# Excerpt 4: the rule is created only when this configuration runs in the
# Organization master account.
resource "aws_config_organization_managed_rule" "cloudtrail-enabled" {
  count           = var.organization_config_master == true ? 1 : 0
  name            = "cloudtrail-enabled"
  rule_identifier = "CLOUD_TRAIL_ENABLED"
}
```
Parameters
arn: optional, computed, string
description: optional, string
excluded_accounts: optional, set of string
id: optional, computed, string
input_parameters: optional, string
maximum_execution_frequency: optional, string
name: required, string
resource_id_scope: optional, string
resource_types_scope: optional, set of string
rule_identifier: required, string
tag_key_scope: optional, string
tag_value_scope: optional, string
timeouts: single block
Explanation in Terraform Registry
Manages a Config Organization Managed Rule. More information about these rules can be found in the Enabling AWS Config Rules Across all Accounts in Your Organization and AWS Config Managed Rules documentation. For working with Organization Custom Rules (those invoking a custom Lambda Function), see the aws_config_organization_custom_rule resource.
NOTE: This resource must be created in the Organization master account, and rules will include the master account unless its ID is added to the excluded_accounts argument.
NOTE: Every Organization account except those configured in the excluded_accounts argument must have a Configuration Recorder with proper IAM permissions before the rule will successfully create or update. See also the aws_config_configuration_recorder resource.
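The two notes above are easy to get wrong in practice: the recorder prerequisite and the fact that the master (management) account is evaluated unless excluded. The following Terraform is an added example, not code from the page or from any of the repositories it cites. It assumes it is applied from the Organization management account; the IAM role name, rule names, tag keys and scoped resource types are placeholders chosen for illustration, and the IAM_PASSWORD_POLICY and REQUIRED_TAGS identifiers with their parameter keys follow the AWS Config managed rules documentation.

```hcl
# Added example (not from the page or its cited repositories).
# Assumptions: run in the Organization management account; names, tag keys
# and resource types below are placeholders.

variable "excluded_account_ids" {
  description = "Account IDs the rules must not evaluate (placeholder, empty by default)"
  type        = list(string)
  default     = []
}

# Every account the rule covers needs a Configuration Recorder, the management
# account included; this is the management account's own recorder.
data "aws_iam_policy_document" "config_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "config" {
  name               = "example-config-recorder-role" # placeholder name
  assume_role_policy = data.aws_iam_policy_document.config_assume.json
}

resource "aws_iam_role_policy_attachment" "config" {
  role       = aws_iam_role.config.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWS_ConfigRole"
}

resource "aws_config_configuration_recorder" "this" {
  name     = "default"
  role_arn = aws_iam_role.config.arn

  recording_group {
    all_supported                 = true
    include_global_resource_types = true
  }
}

# Periodic rule: maximum_execution_frequency bounds how often it is evaluated.
resource "aws_config_organization_managed_rule" "iam_password_policy" {
  name            = "iam-password-policy"
  rule_identifier = "IAM_PASSWORD_POLICY"
  description     = "Checks the account password policy against the minimums below"

  # jsonencode builds the JSON string input_parameters expects; managed rules
  # read every value as a string, hence the quoted numbers.
  input_parameters = jsonencode({
    RequireUppercaseCharacters = "true"
    RequireLowercaseCharacters = "true"
    RequireSymbols             = "true"
    RequireNumbers             = "true"
    MinimumPasswordLength      = "14"
    PasswordReusePrevention    = "24"
    MaxPasswordAge             = "90"
  })

  maximum_execution_frequency = "TwentyFour_Hours"

  # The management account is evaluated as well unless its ID is listed here.
  excluded_accounts = var.excluded_account_ids

  depends_on = [aws_config_configuration_recorder.this]
}

# Change-triggered rule scoped to specific resource types, so it is not
# evaluated against everything the recorder captures.
resource "aws_config_organization_managed_rule" "required_tags" {
  name            = "required-tags"
  rule_identifier = "REQUIRED_TAGS"

  input_parameters = jsonencode({
    tag1Key   = "Owner"
    tag2Key   = "DataClassification"
    tag2Value = "public,internal,confidential" # comma-separated allowed values
  })

  resource_types_scope = [
    "AWS::EC2::Instance",
    "AWS::S3::Bucket",
  ]

  excluded_accounts = var.excluded_account_ids

  depends_on = [aws_config_configuration_recorder.this]
}
```

The explicit depends_on mirrors the second NOTE: without a recorder in place the organization rule fails to create or update, and ordering it after the recorder avoids an apply that has to be retried. Leaving excluded_accounts empty keeps the management account in scope, which is usually what you want for password-policy and tagging controls; list an account there only when it genuinely should not be evaluated.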
Tips: Best Practices for The Other AWS Config Resources
In addition to the aws_config_configuration_aggregator, AWS Config has other resources that should be configured for security reasons. The examples and precautions below cover some of them.
aws_config_configuration_aggregator
Ensure to enable AWS Config in all Regions
It is better to enable AWS Config in all Regions. AWS Config can aggregate configurations from all Regions into one view, which reduces the risk posed by resources in Regions that would otherwise go unmonitored.
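The following aggregator definition is an added example, not code from the page. It assumes it is applied in the Organization management account; the aggregator name is a placeholder, and the IAM role ARN is passed in as a variable rather than defined here (the role must be assumable by config.amazonaws.com and carry the AWSConfigRoleForOrganizations managed policy).

```hcl
# Added example (not from the page). Assumptions: management account,
# placeholder aggregator name, role ARN supplied from outside.

variable "aggregator_role_arn" {
  description = "Placeholder: ARN of an IAM role Config assumes to read organization data"
  type        = string
}

resource "aws_config_configuration_aggregator" "organization" {
  name = "organization-all-regions" # placeholder name

  # all_regions = true collects configuration from every Region of every
  # member account. The narrower form, all_regions = false with an explicit
  # regions list, leaves any Region not in that list out of the aggregated
  # view, which is exactly the unmonitored gap the tip above warns about.
  organization_aggregation_source {
    all_regions = true
    role_arn    = var.aggregator_role_arn
  }
}
```

The aggregator only reports what the per-account, per-Region recorders capture, so enabling it for all Regions must be paired with a recorder in each Region; the aggregator itself does not turn recording on.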
AWS::Config::OrganizationConfigRule OrganizationManagedRuleMetadata (CloudFormation)
The OrganizationConfigRule OrganizationManagedRuleMetadata in Config can be configured in CloudFormation with the resource name AWS::Config::OrganizationConfigRule OrganizationManagedRuleMetadata. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Parameters
Description
The description that you provide for organization config rule.
Required: No
Type: String
Minimum: 0
Maximum: 256
Update requires: No interruption
InputParameters
A string, in JSON format, that is passed to organization config rule Lambda function.
Required: No
Type: String
Minimum: 1
Maximum: 2048
Update requires: No interruption
MaximumExecutionFrequency
The maximum frequency with which AWS Config runs evaluations for a rule. This applies when you are using an AWS Config managed rule that is triggered at a periodic frequency.
By default, rules with a periodic trigger are evaluated every 24 hours. To change the frequency, specify a valid value for the MaximumExecutionFrequency parameter.
Required: No
Type: String
Allowed values: One_Hour | Six_Hours | Three_Hours | Twelve_Hours | TwentyFour_Hours
Update requires: No interruption
ResourceIdScope
The ID of the AWS resource that was evaluated.
Required: No
Type: String
Minimum: 1
Maximum: 768
Update requires: No interruption
ResourceTypesScope
The type of the AWS resource that was evaluated.
Required: No
Type: List of String
Maximum: 100
Update requires: No interruption
RuleIdentifier
For organization config managed rules, a predefined identifier from a list. For example, IAM_PASSWORD_POLICY
is a managed rule. To reference a managed rule, see Using AWS Config managed rules.
Required: Yes
Type: String
Minimum: 1
Maximum: 256
Update requires: No interruption
TagKeyScope
One part of a key-value pair that makes up a tag. A key is a general label that acts like a category for more specific tag values.
Required: No
Type: String
Minimum: 1
Maximum: 128
Update requires: No interruption
TagValueScope
The optional part of a key-value pair that makes up a tag. A value acts as a descriptor within a tag category (key).
Required: No
Type: String
Minimum: 1
Maximum: 256
Update requires: No interruption
Explanation in CloudFormation Registry
An object that specifies organization managed rule metadata such as resource type and ID of AWS resource along with the rule identifier. It also provides the frequency with which you want AWS Config to run evaluations for the rule if the trigger type is periodic.
Frequently asked questions
What is AWS Config Organization Managed Rule?
AWS Config Organization Managed Rule is a resource for Config of Amazon Web Services. Its settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS Config Organization Managed Rule?
For Terraform, the shintaro-uchiyama/base-app, javahometech/aws-configrule and darogina/terragrunt-aws-modules source code examples are useful. See the Terraform Example section for further details.