This is the new *CloudFormation Template Reference Guide*. Please update your bookmarks and links. For help getting started with CloudFormation, see the [AWS CloudFormation User Guide](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html).
# AWS::Config::ConfigRule
**Note**
You must first create and start the AWS Config configuration recorder in order to create AWS Config managed rules with AWS CloudFormation. For more information, see [Managing the Configuration Recorder](https://docs.aws.amazon.com/config/latest/developerguide/stop-start-recorder.html).
Adds or updates an AWS Config rule to evaluate if your AWS resources comply with your desired configurations. For information on how many AWS Config rules you can have per account, see [https://docs.aws.amazon.com/config/latest/developerguide/configlimits.html](https://docs.aws.amazon.com/config/latest/developerguide/configlimits.html) in the *AWS Config Developer Guide*.
There are two types of rules: *AWS Config Managed Rules* and *AWS Config Custom Rules*. You can use the `ConfigRule` resource to create both AWS Config Managed Rules and AWS Config Custom Rules.
AWS Config Managed Rules are predefined, customizable rules created by AWS Config. For a list of managed rules, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). If you are adding an AWS Config managed rule, you must specify the rule's identifier for the `SourceIdentifier` key.
AWS Config Custom Rules are rules that you create from scratch. There are two ways to create AWS Config custom rules: with Lambda functions ([AWS Lambda Developer Guide](https://docs.aws.amazon.com/config/latest/developerguide/gettingstarted-concepts.html#gettingstarted-concepts-function)) and with Guard ([Guard GitHub Repository](https://github.com/aws-cloudformation/cloudformation-guard)), a policy-as-code language. AWS Config custom rules created with AWS Lambda are called *AWS Config Custom Lambda Rules* and AWS Config custom rules created with Guard are called *AWS Config Custom Policy Rules*.
If you are adding a new AWS Config Custom Lambda rule, you first need to create an AWS Lambda function that the rule invokes to evaluate your resources. When you use the `ConfigRule` resource to add a Custom Lambda rule to AWS Config, you must specify the Amazon Resource Name (ARN) that AWS Lambda assigns to the function. You specify the ARN in the `SourceIdentifier` key. This key is part of the `Source` object, which is part of the `ConfigRule` object.
For any new AWS Config rule that you add, specify the `ConfigRuleName` in the `ConfigRule` object. Do not specify the `ConfigRuleArn` or the `ConfigRuleId`. These values are generated by AWS Config for new rules.
If you are updating a rule that you added previously, you can specify the rule by `ConfigRuleName`, `ConfigRuleId`, or `ConfigRuleArn` in the `ConfigRule` data type that you use in this request.
For more information about developing and using AWS Config rules, see [Evaluating Resources with AWS Config Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html) in the *AWS Config Developer Guide*.
## Syntax
To declare this entity in your CloudFormation template, use the following syntax:
### JSON
```
{
"Type" : "AWS::Config::ConfigRule",
"Properties" : {
"[Compliance](#cfn-config-configrule-compliance)" : Compliance,
"[ConfigRuleName](#cfn-config-configrule-configrulename)" : String,
"[Description](#cfn-config-configrule-description)" : String,
"[EvaluationModes](#cfn-config-configrule-evaluationmodes)" : [ EvaluationModeConfiguration, ... ],
"[InputParameters](#cfn-config-configrule-inputparameters)" : Json,
"[MaximumExecutionFrequency](#cfn-config-configrule-maximumexecutionfrequency)" : String,
"[Scope](#cfn-config-configrule-scope)" : Scope,
"[Source](#cfn-config-configrule-source)" : Source
}
}
```
### YAML
```
Type: AWS::Config::ConfigRule
Properties:
[Compliance](#cfn-config-configrule-compliance):
Compliance
[ConfigRuleName](#cfn-config-configrule-configrulename): String
[Description](#cfn-config-configrule-description): String
[EvaluationModes](#cfn-config-configrule-evaluationmodes):
- EvaluationModeConfiguration
[InputParameters](#cfn-config-configrule-inputparameters): Json
[MaximumExecutionFrequency](#cfn-config-configrule-maximumexecutionfrequency): String
[Scope](#cfn-config-configrule-scope):
Scope
[Source](#cfn-config-configrule-source):
Source
```
## Properties
`Compliance`
Indicates whether an AWS resource or AWS Config rule is compliant and provides the number of contributors that affect the compliance.
*Required*: No
*Type*: [Compliance](aws-properties-config-configrule-compliance.md)
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
`ConfigRuleName`
A name for the AWS Config rule. If you don't specify a name, CloudFormation generates a unique physical ID and uses that ID for the rule name. For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html).
*Required*: No
*Type*: String
*Pattern*: `.*\S.*`
*Minimum*: `1`
*Maximum*: `128`
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)
`Description`
The description that you provide for the AWS Config rule.
*Required*: No
*Type*: String
*Minimum*: `0`
*Maximum*: `256`
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
`EvaluationModes`
The modes the AWS Config rule can be evaluated in. The valid values are distinct objects. By default, the value is Detective evaluation mode only.
*Required*: No
*Type*: Array of [EvaluationModeConfiguration](aws-properties-config-configrule-evaluationmodeconfiguration.md)
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
`InputParameters`
A string, in JSON format, that is passed to the AWS Config rule Lambda function.
*Required*: No
*Type*: Json
*Minimum*: `1`
*Maximum*: `1024`
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
`MaximumExecutionFrequency`
The maximum frequency with which AWS Config runs evaluations for a rule. You can specify a value for `MaximumExecutionFrequency` when:
+ You are using an AWS managed rule that is triggered at a periodic frequency.
+ Your custom rule is triggered when AWS Config delivers the configuration snapshot. For more information, see [ConfigSnapshotDeliveryProperties](https://docs.aws.amazon.com/config/latest/APIReference/API_ConfigSnapshotDeliveryProperties.html).
By default, rules with a periodic trigger are evaluated every 24 hours. To change the frequency, specify a valid value for the `MaximumExecutionFrequency` parameter.
*Required*: No
*Type*: String
*Allowed values*: `One_Hour | Three_Hours | Six_Hours | Twelve_Hours | TwentyFour_Hours`
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
`Scope`
Defines which resources can trigger an evaluation for the rule. The scope can include one or more resource types, a combination of one resource type and one resource ID, or a combination of a tag key and value. Specify a scope to constrain the resources that can trigger an evaluation for the rule. If you do not specify a scope, evaluations are triggered when any resource in the recording group changes.
*Required*: No
*Type*: [Scope](aws-properties-config-configrule-scope.md)
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
`Source`
Provides the rule owner (` AWS ` for managed rules, `CUSTOM_POLICY` for Custom Policy rules, and `CUSTOM_LAMBDA` for Custom Lambda rules), the rule identifier, and the notifications that cause the function to evaluate your AWS resources.
*Required*: Yes
*Type*: [Source](aws-properties-config-configrule-source.md)
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
## Return values
### Ref
When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the rule name, such as `mystack-MyConfigRule-12ABCFPXHV4OV`.
For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).
### Fn::GetAtt
The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.
For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).
####
`Arn`
The Amazon Resource Name (ARN) of the AWS Config rule, such as `arn:aws:config:us-east-1:123456789012:config-rule/config-rule-a1bzhi`.
`Compliance.Type`
Property description not available.
`ConfigRuleId`
The ID of the AWS Config rule, such as `config-rule-a1bzhi`.
## Examples
**Topics**
+ [Config Rule](#aws-resource-config-configrule--examples--Config_Rule)
+ [Create Rule Using Lambda Function](#aws-resource-config-configrule--examples--Create_Rule_Using_Lambda_Function)
### Config Rule
The following example uses an AWS managed rule that checks whether EC2 volumes resource types have a CostCenter tag.
#### JSON
```
"ConfigRuleForVolumeTags": {
"Type": "AWS::Config::ConfigRule",
"Properties": {
"InputParameters": {"tag1Key": "CostCenter"},
"Scope": {
"ComplianceResourceTypes": ["AWS::EC2::Volume"]
},
"Source": {
"Owner": "AWS",
"SourceIdentifier": "REQUIRED_TAGS"
}
}
}
```
#### YAML
```
ConfigRuleForVolumeTags:
Type: AWS::Config::ConfigRule
Properties:
InputParameters: |
{"tag1Key": "CostCenter"}
Scope:
ComplianceResourceTypes:
- "AWS::EC2::Volume"
Source:
Owner: AWS
SourceIdentifier: "REQUIRED_TAGS"
```
### Create Rule Using Lambda Function
The following example is the AWS Lambda function’s code to check whether an EC2 volume has the AutoEnableIO property set to true. To deploy with AWS CloudFormation, follow the steps in [Deploy Node.js Lambda functions with .zip file archives](https://docs.aws.amazon.com/lambda/latest/dg/nodejs-package.html).
####
```
import { ConfigServiceClient, PutEvaluationsCommand } from "@aws-sdk/client-config-service";
import { EC2Client, DescribeVolumeAttributeCommand } from "@aws-sdk/client-ec2"
const configClient = new ConfigServiceClient({});
const ec2Client = new EC2Client({});
export const handler = async function (event, context) {
await evaluateCompliance(event, async function (compliance, annotation, event) {
var configurationItem = JSON.parse(event.invokingEvent).configurationItem;
if (annotation) {
var putEvaluationsRequest = {
Evaluations: [{
ComplianceResourceType: configurationItem.resourceType,
ComplianceResourceId: configurationItem.resourceId,
ComplianceType: compliance,
OrderingTimestamp: new Date(configurationItem.configurationItemCaptureTime),
Annotation: annotation
}],
ResultToken: event.resultToken
};
} else {
var putEvaluationsRequest = {
Evaluations: [{
ComplianceResourceType: configurationItem.resourceType,
ComplianceResourceId: configurationItem.resourceId,
ComplianceType: compliance,
OrderingTimestamp: new Date(configurationItem.configurationItemCaptureTime)
}],
ResultToken: event.resultToken
};
}
await configClient.send(new PutEvaluationsCommand(putEvaluationsRequest));
});
};
async function evaluateCompliance(event, doReturn) {
var configurationItem = JSON.parse(event.invokingEvent).configurationItem;
var status = configurationItem.configurationItemStatus;
if (configurationItem.resourceType !== 'AWS::EC2::Volume' || event.eventLeftScope || (status !== 'OK' && status !== 'ResourceDiscovered')) {
doReturn('NOT_APPLICABLE', '', event);
} else {
const input = { VolumeId: configurationItem.resourceId, Attribute: 'autoEnableIO' };
const command = new DescribeVolumeAttributeCommand(input);
const response = await ec2Client.send(command);
if (response.AutoEnableIO.Value) doReturn('COMPLIANT', '', event);
else doReturn('NON_COMPLIANT', 'Annotation describing why NON_COMPLIANT', event);
};
}
```