Select Edit Rule and Rule to change the rule configuration settings and define a remediation action for a noncompligate rule. Choose Rules on the left, and then choose Add Rule on the Rules page to add new rules to the list of AWS Config rules that publishes an event when it detects a configuration change for a resource that is within a rule. The following sample event shows that the rule was triggered by a configuration change for an EC2 instance. Custom Lambda rules allow you to use Java or Python to create a Lambda function for a custom AWS Config rule. A Lambda function is custom code that you load into AWS Lambda and is called by events published by an event source. If the Lambda function is associated with an AWS Config rule, AWS Config calls it when the rule is launched. The Lambda function then evaluates the configuration information sent by AWS Config and returns the evaluation results. For more information about Lambda functions, see Function and Event Sources in the AWS Lambda Developer Guide. AWS Config tracks changes to the configuration of your AWS resources and periodically sends the updated configuration details to an Amazon S3 bucket that you specify. For each type of resource registered by AWS Config, it sends a configuration history file every six hours.
Each configuration history file contains details about the resources that were modified during this six-hour period. Each file contains resources of one type, such as Amazon EC2 instances or Amazon EBS volumes. If no configuration changes occur, AWS Config does not send a file. You can also create custom rules to evaluate additional resources that AWS Config does not yet save. For more information, see AWS Config Custom Rules and Evaluating Additional Resource Types. Use the put-config-rule command with the –cli-input-json parameter to pass your JSON configuration to AWS Config: key/value pairs, which the function processes as part of its evaluation logic. You set parameters when you use the AWS Config console to create a custom Lambda rule. You can also set parameters using the InputParameters attribute in the AWS Config PutConfigRule API request or the AWS CLI put-config-rule command. AWS Config sends a configuration snapshot to your Amazon S3 bucket when you use the deliver-config-snapshot command with the AWS CLI or the DeliverConfigSnapshot action with the AWS Config API.
A configuration snapshot contains configuration details for all resources that AWS Config saves to your AWS account. The configuration history file and configuration snapshot are in JSON format. How do I be notified when changes are made to the hosted area records on Route 53? The Rules page displays your rules, and their current compliance translates into a table. The result of each rule is evaluation. until AWS Config has completed the evaluation of your resources against the rule. You can update the results using the Refresh button. When AWS Config completes assessments, you can see which rules and resource types are compatible or non-compliant. For more information, see Configuration Compatibility View. AWS Config tracks all changes to your resources by calling the Describe or List API call for each resource in your account. The service uses the same API calls to collect configuration details for all associated resources. AWS Config provides only configuration history files and configuration snapshots to the specified S3 bucket. AWS Config does not change the lifecycle policies for objects in the S3 bucket.
You can use lifecycle policies to specify whether you want to delete or archive objects in Amazon S3 Glacier. For more information, see Lifecycle Configuration Management in the Amazon Simple Storage Service User Guide. You can also read the Blog post Archiving Amazon S3 Data in S3 Glacier. The AWS Config console displays the compliance status of your rules and resources. You can see how your AWS resources as a whole match the desired configurations and know which specific resources are not compliant. You can also use the AWS CLI, AWS Config API, and AWS SDKs to make requests to the AWS Config Compliance Information Service. When you enable AWS Config, it first discovers the supported AWS resources in your account and generates a configuration item for each resource. AWS Config also generates configuration items when a resource`s configuration changes and keeps historical records of your resources` configuration items from the moment you start the configuration record. By default, AWS Config creates configuration items for each supported resource in the region. If you do not want AWS Config to create configuration items for all supported resources, you can specify the types of resources to track.
AWS Config provides a set of managed automation documents with corrective actions. You can also create custom automation documents and associate them with AWS Config rules. Select Rules. The Rules page displays all the rules that are currently in your AWS account. It lists the name, associated corrective action, and compliance status of each rule. If you choose Add Rule, you can see the aws Config-managed rules available on the Add Rule page. For a complete list of rules managed by AWS Config, see List of Rules Managed by AWS Config. In addition to the rules managed by AWS Config, you can also create your own custom rule using the Guard or AWS Lambda functions. An event that triggers the evaluation of a rule. If the event is published in response to a resource configuration change, the value of this attribute is a string that contains a JSON-configurationItem or a ConfigurationItemSummary (for oversized configuration items). The configuration item represents the state of the resource at the time AWS Config detects the change.