This is the new *CloudFormation Template Reference Guide*. Please update your bookmarks and links. For help getting started with CloudFormation, see the [AWS CloudFormation User Guide](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html). # AWS::Config::ConfigRule **Note** You must first create and start the AWS Config configuration recorder in order to create AWS Config managed rules with AWS CloudFormation. For more information, see [Managing the Configuration Recorder](https://docs.aws.amazon.com/config/latest/developerguide/stop-start-recorder.html). Adds or updates an AWS Config rule to evaluate if your AWS resources comply with your desired configurations. For information on how many AWS Config rules you can have per account, see [https://docs.aws.amazon.com/config/latest/developerguide/configlimits.html](https://docs.aws.amazon.com/config/latest/developerguide/configlimits.html) in the *AWS Config Developer Guide*. There are two types of rules: *AWS Config Managed Rules* and *AWS Config Custom Rules*. You can use the `ConfigRule` resource to create both AWS Config Managed Rules and AWS Config Custom Rules. AWS Config Managed Rules are predefined, customizable rules created by AWS Config. For a list of managed rules, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). If you are adding an AWS Config managed rule, you must specify the rule's identifier for the `SourceIdentifier` key. AWS Config Custom Rules are rules that you create from scratch. There are two ways to create AWS Config custom rules: with Lambda functions ([AWS Lambda Developer Guide](https://docs.aws.amazon.com/config/latest/developerguide/gettingstarted-concepts.html#gettingstarted-concepts-function)) and with Guard ([Guard GitHub Repository](https://github.com/aws-cloudformation/cloudformation-guard)), a policy-as-code language. AWS Config custom rules created with AWS Lambda are called *AWS Config Custom Lambda Rules* and AWS Config custom rules created with Guard are called *AWS Config Custom Policy Rules*. If you are adding a new AWS Config Custom Lambda rule, you first need to create an AWS Lambda function that the rule invokes to evaluate your resources. When you use the `ConfigRule` resource to add a Custom Lambda rule to AWS Config, you must specify the Amazon Resource Name (ARN) that AWS Lambda assigns to the function. You specify the ARN in the `SourceIdentifier` key. This key is part of the `Source` object, which is part of the `ConfigRule` object. For any new AWS Config rule that you add, specify the `ConfigRuleName` in the `ConfigRule` object. Do not specify the `ConfigRuleArn` or the `ConfigRuleId`. These values are generated by AWS Config for new rules. If you are updating a rule that you added previously, you can specify the rule by `ConfigRuleName`, `ConfigRuleId`, or `ConfigRuleArn` in the `ConfigRule` data type that you use in this request. For more information about developing and using AWS Config rules, see [Evaluating Resources with AWS Config Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html) in the *AWS Config Developer Guide*. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "Type" : "AWS::Config::ConfigRule", "Properties" : { "[Compliance](#cfn-config-configrule-compliance)" : Compliance, "[ConfigRuleName](#cfn-config-configrule-configrulename)" : String, "[Description](#cfn-config-configrule-description)" : String, "[EvaluationModes](#cfn-config-configrule-evaluationmodes)" : [ EvaluationModeConfiguration, ... ], "[InputParameters](#cfn-config-configrule-inputparameters)" : Json, "[MaximumExecutionFrequency](#cfn-config-configrule-maximumexecutionfrequency)" : String, "[Scope](#cfn-config-configrule-scope)" : Scope, "[Source](#cfn-config-configrule-source)" : Source } } ``` ### YAML ``` Type: AWS::Config::ConfigRule Properties: [Compliance](#cfn-config-configrule-compliance): Compliance [ConfigRuleName](#cfn-config-configrule-configrulename): String [Description](#cfn-config-configrule-description): String [EvaluationModes](#cfn-config-configrule-evaluationmodes): - EvaluationModeConfiguration [InputParameters](#cfn-config-configrule-inputparameters): Json [MaximumExecutionFrequency](#cfn-config-configrule-maximumexecutionfrequency): String [Scope](#cfn-config-configrule-scope): Scope [Source](#cfn-config-configrule-source): Source ``` ## Properties `Compliance` Indicates whether an AWS resource or AWS Config rule is compliant and provides the number of contributors that affect the compliance. *Required*: No *Type*: [Compliance](aws-properties-config-configrule-compliance.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ConfigRuleName` A name for the AWS Config rule. If you don't specify a name, CloudFormation generates a unique physical ID and uses that ID for the rule name. For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html). *Required*: No *Type*: String *Pattern*: `.*\S.*` *Minimum*: `1` *Maximum*: `128` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `Description` The description that you provide for the AWS Config rule. *Required*: No *Type*: String *Minimum*: `0` *Maximum*: `256` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `EvaluationModes` The modes the AWS Config rule can be evaluated in. The valid values are distinct objects. By default, the value is Detective evaluation mode only. *Required*: No *Type*: Array of [EvaluationModeConfiguration](aws-properties-config-configrule-evaluationmodeconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `InputParameters` A string, in JSON format, that is passed to the AWS Config rule Lambda function. *Required*: No *Type*: Json *Minimum*: `1` *Maximum*: `1024` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `MaximumExecutionFrequency` The maximum frequency with which AWS Config runs evaluations for a rule. You can specify a value for `MaximumExecutionFrequency` when: + You are using an AWS managed rule that is triggered at a periodic frequency. + Your custom rule is triggered when AWS Config delivers the configuration snapshot. For more information, see [ConfigSnapshotDeliveryProperties](https://docs.aws.amazon.com/config/latest/APIReference/API_ConfigSnapshotDeliveryProperties.html). By default, rules with a periodic trigger are evaluated every 24 hours. To change the frequency, specify a valid value for the `MaximumExecutionFrequency` parameter. *Required*: No *Type*: String *Allowed values*: `One_Hour | Three_Hours | Six_Hours | Twelve_Hours | TwentyFour_Hours` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Scope` Defines which resources can trigger an evaluation for the rule. The scope can include one or more resource types, a combination of one resource type and one resource ID, or a combination of a tag key and value. Specify a scope to constrain the resources that can trigger an evaluation for the rule. If you do not specify a scope, evaluations are triggered when any resource in the recording group changes. *Required*: No *Type*: [Scope](aws-properties-config-configrule-scope.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Source` Provides the rule owner (` AWS ` for managed rules, `CUSTOM_POLICY` for Custom Policy rules, and `CUSTOM_LAMBDA` for Custom Lambda rules), the rule identifier, and the notifications that cause the function to evaluate your AWS resources. *Required*: Yes *Type*: [Source](aws-properties-config-configrule-source.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## Return values ### Ref When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the rule name, such as `mystack-MyConfigRule-12ABCFPXHV4OV`. For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html). ### Fn::GetAtt The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values. For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html). #### `Arn` The Amazon Resource Name (ARN) of the AWS Config rule, such as `arn:aws:config:us-east-1:123456789012:config-rule/config-rule-a1bzhi`. `Compliance.Type` Property description not available. `ConfigRuleId` The ID of the AWS Config rule, such as `config-rule-a1bzhi`. ## Examples **Topics** + [Config Rule](#aws-resource-config-configrule--examples--Config_Rule) + [Create Rule Using Lambda Function](#aws-resource-config-configrule--examples--Create_Rule_Using_Lambda_Function) ### Config Rule The following example uses an AWS managed rule that checks whether EC2 volumes resource types have a CostCenter tag. #### JSON ``` "ConfigRuleForVolumeTags": { "Type": "AWS::Config::ConfigRule", "Properties": { "InputParameters": {"tag1Key": "CostCenter"}, "Scope": { "ComplianceResourceTypes": ["AWS::EC2::Volume"] }, "Source": { "Owner": "AWS", "SourceIdentifier": "REQUIRED_TAGS" } } } ``` #### YAML ``` ConfigRuleForVolumeTags: Type: AWS::Config::ConfigRule Properties: InputParameters: | {"tag1Key": "CostCenter"} Scope: ComplianceResourceTypes: - "AWS::EC2::Volume" Source: Owner: AWS SourceIdentifier: "REQUIRED_TAGS" ``` ### Create Rule Using Lambda Function The following example is the AWS Lambda function’s code to check whether an EC2 volume has the AutoEnableIO property set to true. To deploy with AWS CloudFormation, follow the steps in [Deploy Node.js Lambda functions with .zip file archives](https://docs.aws.amazon.com/lambda/latest/dg/nodejs-package.html). #### ``` import { ConfigServiceClient, PutEvaluationsCommand } from "@aws-sdk/client-config-service"; import { EC2Client, DescribeVolumeAttributeCommand } from "@aws-sdk/client-ec2" const configClient = new ConfigServiceClient({}); const ec2Client = new EC2Client({}); export const handler = async function (event, context) { await evaluateCompliance(event, async function (compliance, annotation, event) { var configurationItem = JSON.parse(event.invokingEvent).configurationItem; if (annotation) { var putEvaluationsRequest = { Evaluations: [{ ComplianceResourceType: configurationItem.resourceType, ComplianceResourceId: configurationItem.resourceId, ComplianceType: compliance, OrderingTimestamp: new Date(configurationItem.configurationItemCaptureTime), Annotation: annotation }], ResultToken: event.resultToken }; } else { var putEvaluationsRequest = { Evaluations: [{ ComplianceResourceType: configurationItem.resourceType, ComplianceResourceId: configurationItem.resourceId, ComplianceType: compliance, OrderingTimestamp: new Date(configurationItem.configurationItemCaptureTime) }], ResultToken: event.resultToken }; } await configClient.send(new PutEvaluationsCommand(putEvaluationsRequest)); }); }; async function evaluateCompliance(event, doReturn) { var configurationItem = JSON.parse(event.invokingEvent).configurationItem; var status = configurationItem.configurationItemStatus; if (configurationItem.resourceType !== 'AWS::EC2::Volume' || event.eventLeftScope || (status !== 'OK' && status !== 'ResourceDiscovered')) { doReturn('NOT_APPLICABLE', '', event); } else { const input = { VolumeId: configurationItem.resourceId, Attribute: 'autoEnableIO' }; const command = new DescribeVolumeAttributeCommand(input); const response = await ec2Client.send(command); if (response.AutoEnableIO.Value) doReturn('COMPLIANT', '', event); else doReturn('NON_COMPLIANT', 'Annotation describing why NON_COMPLIANT', event); }; } ``` # AWS::Config::ConfigRule Compliance Indicates whether an AWS resource or AWS Config rule is compliant and provides the number of contributors that affect the compliance. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Type](#cfn-config-configrule-compliance-type)" : String } ``` ### YAML ``` [Type](#cfn-config-configrule-compliance-type): String ``` ## Properties `Type` Indicates whether an AWS resource or AWS Config rule is compliant. A resource is compliant if it complies with all of the AWS Config rules that evaluate it. A resource is noncompliant if it does not comply with one or more of these rules. A rule is compliant if all of the resources that the rule evaluates comply with it. A rule is noncompliant if any of these resources do not comply. AWS Config returns the `INSUFFICIENT_DATA` value when no evaluation results are available for the AWS resource or AWS Config rule. For the `Compliance` data type, AWS Config supports only `COMPLIANT`, `NON_COMPLIANT`, and `INSUFFICIENT_DATA` values. AWS Config does not support the `NOT_APPLICABLE` value for the `Compliance` data type. *Required*: No *Type*: String *Allowed values*: `COMPLIANT | NON_COMPLIANT | NOT_APPLICABLE | INSUFFICIENT_DATA` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::Config::ConfigRule CustomPolicyDetails Provides the CustomPolicyDetails, the rule owner (` AWS ` for managed rules, `CUSTOM_POLICY` for Custom Policy rules, and `CUSTOM_LAMBDA` for Custom Lambda rules), the rule identifier, and the events that cause the evaluation of your AWS resources. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[EnableDebugLogDelivery](#cfn-config-configrule-custompolicydetails-enabledebuglogdelivery)" : Boolean, "[PolicyRuntime](#cfn-config-configrule-custompolicydetails-policyruntime)" : String, "[PolicyText](#cfn-config-configrule-custompolicydetails-policytext)" : String } ``` ### YAML ``` [EnableDebugLogDelivery](#cfn-config-configrule-custompolicydetails-enabledebuglogdelivery): Boolean [PolicyRuntime](#cfn-config-configrule-custompolicydetails-policyruntime): String [PolicyText](#cfn-config-configrule-custompolicydetails-policytext): String ``` ## Properties `EnableDebugLogDelivery` The boolean expression for enabling debug logging for your AWS Config Custom Policy rule. The default value is `false`. *Required*: No *Type*: Boolean *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `PolicyRuntime` The runtime system for your AWS Config Custom Policy rule. Guard is a policy-as-code language that allows you to write policies that are enforced by AWS Config Custom Policy rules. For more information about Guard, see the [Guard GitHub Repository](https://github.com/aws-cloudformation/cloudformation-guard). *Required*: No *Type*: String *Pattern*: `guard\-2\.x\.x` *Minimum*: `1` *Maximum*: `64` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `PolicyText` The policy definition containing the logic for your AWS Config Custom Policy rule. *Required*: No *Type*: String *Minimum*: `0` *Maximum*: `10000` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::Config::ConfigRule EvaluationModeConfiguration The configuration object for AWS Config rule evaluation mode. The supported valid values are Detective or Proactive. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Mode](#cfn-config-configrule-evaluationmodeconfiguration-mode)" : String } ``` ### YAML ``` [Mode](#cfn-config-configrule-evaluationmodeconfiguration-mode): String ``` ## Properties `Mode` The mode of an evaluation. The valid values are Detective or Proactive. *Required*: No *Type*: String *Allowed values*: `DETECTIVE | PROACTIVE` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::Config::ConfigRule Scope Defines which resources trigger an evaluation for an AWS Config rule. The scope can include one or more resource types, a combination of a tag key and value, or a combination of one resource type and one resource ID. Specify a scope to constrain which resources trigger an evaluation for a rule. Otherwise, evaluations for the rule are triggered when any resource in your recording group changes in configuration. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[ComplianceResourceId](#cfn-config-configrule-scope-complianceresourceid)" : String, "[ComplianceResourceTypes](#cfn-config-configrule-scope-complianceresourcetypes)" : [ String, ... ], "[TagKey](#cfn-config-configrule-scope-tagkey)" : String, "[TagValue](#cfn-config-configrule-scope-tagvalue)" : String } ``` ### YAML ``` [ComplianceResourceId](#cfn-config-configrule-scope-complianceresourceid): String [ComplianceResourceTypes](#cfn-config-configrule-scope-complianceresourcetypes): - String [TagKey](#cfn-config-configrule-scope-tagkey): String [TagValue](#cfn-config-configrule-scope-tagvalue): String ``` ## Properties `ComplianceResourceId` The ID of the only AWS resource that you want to trigger an evaluation for the rule. If you specify a resource ID, you must specify one resource type for `ComplianceResourceTypes`. *Required*: No *Type*: String *Minimum*: `1` *Maximum*: `768` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ComplianceResourceTypes` The resource types of only those AWS resources that you want to trigger an evaluation for the rule. You can only specify one type if you also specify a resource ID for `ComplianceResourceId`. *Required*: No *Type*: Array of String *Minimum*: `0` *Maximum*: `100` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `TagKey` The tag key that is applied to only those AWS resources that you want to trigger an evaluation for the rule. *Required*: No *Type*: String *Minimum*: `1` *Maximum*: `128` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `TagValue` The tag value applied to only those AWS resources that you want to trigger an evaluation for the rule. If you specify a value for `TagValue`, you must also specify a value for `TagKey`. *Required*: No *Type*: String *Minimum*: `1` *Maximum*: `256` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## Examples **Topics** + [Multiple Resource Types with Tag-Based Scope](#aws-properties-config-configrule-scope--examples--Multiple_Resource_Types_with_Tag-Based_Scope) + [Single Resource Specific Scope](#aws-properties-config-configrule-scope--examples--Single_Resource_Specific_Scope) ### Multiple Resource Types with Tag-Based Scope This example configures AWS Config to evaluate both Amazon EC2 instances and volumes that are tagged with "`Environment`=`Production`". This is useful when you want to monitor compliance for multiple resource types that share specific tags. #### YAML ``` Scope: ComplianceResourceTypes: - "AWS::EC2::Instance" - "AWS::EC2::Volume" TagKey: "Environment" TagValue: "Production" ``` #### JSON ``` { "Scope": { "ComplianceResourceTypes": [ "AWS::EC2::Instance", "AWS::EC2::Volume" ], "TagKey": "Environment", "TagValue": "Production" } } ``` ### Single Resource Specific Scope This example shows how to target a specific Amazon EC2 instance for evaluation using its resource ID. When using `ComplianceResourceId`, you must specify exactly one resource type in `ComplianceResourceTypes`. #### YAML ``` Scope: ComplianceResourceId: "i-1234567890abcdef0" ComplianceResourceTypes: - "AWS::EC2::Instance" ``` #### JSON ``` { "Scope": { "ComplianceResourceId": "i-1234567890abcdef0", "ComplianceResourceTypes": [ "AWS::EC2::Instance" ] } } ``` # AWS::Config::ConfigRule Source Provides the CustomPolicyDetails, the rule owner (` AWS ` for managed rules, `CUSTOM_POLICY` for Custom Policy rules, and `CUSTOM_LAMBDA` for Custom Lambda rules), the rule identifier, and the events that cause the evaluation of your AWS resources. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[CustomPolicyDetails](#cfn-config-configrule-source-custompolicydetails)" : CustomPolicyDetails, "[Owner](#cfn-config-configrule-source-owner)" : String, "[SourceDetails](#cfn-config-configrule-source-sourcedetails)" : [ SourceDetail, ... ], "[SourceIdentifier](#cfn-config-configrule-source-sourceidentifier)" : String } ``` ### YAML ``` [CustomPolicyDetails](#cfn-config-configrule-source-custompolicydetails): CustomPolicyDetails [Owner](#cfn-config-configrule-source-owner): String [SourceDetails](#cfn-config-configrule-source-sourcedetails): - SourceDetail [SourceIdentifier](#cfn-config-configrule-source-sourceidentifier): String ``` ## Properties `CustomPolicyDetails` Provides the runtime system, policy definition, and whether debug logging is enabled. Required when owner is set to `CUSTOM_POLICY`. *Required*: No *Type*: [CustomPolicyDetails](aws-properties-config-configrule-custompolicydetails.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Owner` Indicates whether AWS or the customer owns and manages the AWS Config rule. AWS Config Managed Rules are predefined rules owned by AWS. For more information, see [AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_use-managed-rules.html) in the *AWS Config developer guide*. AWS Config Custom Rules are rules that you can develop either with Guard (`CUSTOM_POLICY`) or AWS Lambda (`CUSTOM_LAMBDA`). For more information, see [AWS Config Custom Rules ](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules.html) in the *AWS Config developer guide*. *Required*: Yes *Type*: String *Allowed values*: `CUSTOM_LAMBDA | AWS | CUSTOM_POLICY` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `SourceDetails` Provides the source and the message types that cause AWS Config to evaluate your AWS resources against a rule. It also provides the frequency with which you want AWS Config to run evaluations for the rule if the trigger type is periodic. If the owner is set to `CUSTOM_POLICY`, the only acceptable values for the AWS Config rule trigger message type are `ConfigurationItemChangeNotification` and `OversizedConfigurationItemChangeNotification`. *Required*: No *Type*: Array of [SourceDetail](aws-properties-config-configrule-sourcedetail.md) *Minimum*: `0` *Maximum*: `25` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `SourceIdentifier` For AWS Config Managed rules, a predefined identifier from a list. For example, `IAM_PASSWORD_POLICY` is a managed rule. To reference a managed rule, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). For AWS Config Custom Lambda rules, the identifier is the Amazon Resource Name (ARN) of the rule's AWS Lambda function, such as `arn:aws:lambda:us-east-2:123456789012:function:custom_rule_name`. For AWS Config Custom Policy rules, this field will be ignored. *Required*: No *Type*: String *Minimum*: `1` *Maximum*: `256` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::Config::ConfigRule SourceDetail Provides the source and the message types that trigger AWS Config to evaluate your AWS resources against a rule. It also provides the frequency with which you want AWS Config to run evaluations for the rule if the trigger type is periodic. You can specify the parameter values for `SourceDetail` only for custom rules. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[EventSource](#cfn-config-configrule-sourcedetail-eventsource)" : String, "[MaximumExecutionFrequency](#cfn-config-configrule-sourcedetail-maximumexecutionfrequency)" : String, "[MessageType](#cfn-config-configrule-sourcedetail-messagetype)" : String } ``` ### YAML ``` [EventSource](#cfn-config-configrule-sourcedetail-eventsource): String [MaximumExecutionFrequency](#cfn-config-configrule-sourcedetail-maximumexecutionfrequency): String [MessageType](#cfn-config-configrule-sourcedetail-messagetype): String ``` ## Properties `EventSource` The source of the event, such as an AWS service, that triggers AWS Config to evaluate your AWS resources. *Required*: Yes *Type*: String *Allowed values*: `aws.config` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `MaximumExecutionFrequency` The frequency at which you want AWS Config to run evaluations for a custom rule with a periodic trigger. If you specify a value for `MaximumExecutionFrequency`, then `MessageType` must use the `ScheduledNotification` value. By default, rules with a periodic trigger are evaluated every 24 hours. To change the frequency, specify a valid value for the `MaximumExecutionFrequency` parameter. Based on the valid value you choose, AWS Config runs evaluations once for each valid value. For example, if you choose `Three_Hours`, AWS Config runs evaluations once every three hours. In this case, `Three_Hours` is the frequency of this rule. *Required*: No *Type*: String *Allowed values*: `One_Hour | Three_Hours | Six_Hours | Twelve_Hours | TwentyFour_Hours` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `MessageType` The type of notification that triggers AWS Config to run an evaluation for a rule. You can specify the following notification types: + `ConfigurationItemChangeNotification` - Triggers an evaluation when AWS Config delivers a configuration item as a result of a resource change. + `OversizedConfigurationItemChangeNotification` - Triggers an evaluation when AWS Config delivers an oversized configuration item. AWS Config may generate this notification type when a resource changes and the notification exceeds the maximum size allowed by Amazon SNS. + `ScheduledNotification` - Triggers a periodic evaluation at the frequency specified for `MaximumExecutionFrequency`. + `ConfigurationSnapshotDeliveryCompleted` - Triggers a periodic evaluation when AWS Config delivers a configuration snapshot. If you want your custom rule to be triggered by configuration changes, specify two SourceDetail objects, one for `ConfigurationItemChangeNotification` and one for `OversizedConfigurationItemChangeNotification`. *Required*: Yes *Type*: String *Allowed values*: `ConfigurationItemChangeNotification | ConfigurationSnapshotDeliveryCompleted | ScheduledNotification | OversizedConfigurationItemChangeNotification` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)