Data Source schema for AWS::Config::ConfigRule
id
(String) Uniquely identifies the resource.arn
(String)compliance
(Attributes) Indicates whether an AWS resource or CC rule is compliant and provides the number of contributors that affect the compliance. (see below for nested schema)config_rule_id
(String)config_rule_name
(String) A name for the CC rule. If you don't specify a name, CFN generates a unique physical ID and uses that ID for the rule name. For more information, see Name Type.description
(String) The description that you provide for the CC rule.evaluation_modes
(Attributes List) The modes the CC rule can be evaluated in. The valid values are distinct objects. By default, the value is Detective evaluation mode only. (see below for nested schema)input_parameters
(String) A string, in JSON format, that is passed to the CC rule Lambda function.maximum_execution_frequency
(String) The maximum frequency with which CC runs evaluations for a rule. You can specify a value for MaximumExecutionFrequency
when:
By default, rules with a periodic trigger are evaluated every 24 hours. To change the frequency, specify a valid value for the MaximumExecutionFrequency
parameter.
scope
(Attributes) Defines which resources can trigger an evaluation for the rule. The scope can include one or more resource types, a combination of one resource type and one resource ID, or a combination of a tag key and value. Specify a scope to constrain the resources that can trigger an evaluation for the rule. If you do not specify a scope, evaluations are triggered when any resource in the recording group changes.
The scope can be empty. (see below for nested schema)source
(Attributes) Provides the rule owner (<code>md5-da3bef31f2e5d1d09dc44c0742b76cd4</code>CUSTOM_POLICY<code>md5-f797f45d6dbf63553d0e584d0b842419</code>CUSTOM_LAMBDA
for Custom Lambda rules), the rule identifier, and the notifications that cause the function to evaluate your AWS resources. (see below for nested schema)compliance
Read-Only:
type
(String) Compliance type determined by the Config ruleevaluation_modes
Read-Only:
mode
(String) The mode of an evaluation. The valid values are Detective or Proactive.scope
Read-Only:
compliance_resource_id
(String) The ID of the only AWS resource that you want to trigger an evaluation for the rule. If you specify a resource ID, you must specify one resource type for ComplianceResourceTypes
.compliance_resource_types
(List of String) The resource types of only those AWS resources that you want to trigger an evaluation for the rule. You can only specify one type if you also specify a resource ID for ComplianceResourceId
.tag_key
(String) The tag key that is applied to only those AWS resources that you want to trigger an evaluation for the rule.tag_value
(String) The tag value applied to only those AWS resources that you want to trigger an evaluation for the rule. If you specify a value for TagValue
, you must also specify a value for TagKey
.source
Read-Only:
custom_policy_details
(Attributes) Provides the runtime system, policy definition, and whether debug logging is enabled. Required when owner is set to CUSTOM_POLICY
. (see below for nested schema)owner
(String) Indicates whether AWS or the customer owns and manages the CC rule.
CC Managed Rules are predefined rules owned by AWS. For more information, see Managed Rules in the developer guide.
CC Custom Rules are rules that you can develop either with Guard (CUSTOM_POLICY
) or LAMlong (CUSTOM_LAMBDA
). For more information, see Custom Rules in the developer guide.source_details
(Attributes List) Provides the source and the message types that cause CC to evaluate your AWS resources against a rule. It also provides the frequency with which you want CC to run evaluations for the rule if the trigger type is periodic.
If the owner is set to CUSTOM_POLICY
, the only acceptable values for the CC rule trigger message type are ConfigurationItemChangeNotification
and OversizedConfigurationItemChangeNotification
. (see below for nested schema)source_identifier
(String) For CC Managed rules, a predefined identifier from a list. For example, IAM_PASSWORD_POLICY
is a managed rule. To reference a managed rule, see List of Managed Rules.
For CC Custom Lambda rules, the identifier is the Amazon Resource Name (ARN) of the rule's LAMlong function, such as arn:aws:lambda:us-east-2:123456789012:function:custom_rule_name
.
For CC Custom Policy rules, this field will be ignored.source.custom_policy_details
Read-Only:
enable_debug_log_delivery
(Boolean) The boolean expression for enabling debug logging for your CC Custom Policy rule. The default value is false
.policy_runtime
(String) The runtime system for your CC Custom Policy rule. Guard is a policy-as-code language that allows you to write policies that are enforced by CC Custom Policy rules. For more information about Guard, see the Guard GitHub Repository.policy_text
(String) The policy definition containing the logic for your CC Custom Policy rule.source.source_details
Read-Only:
event_source
(String) The source of the event, such as an AWS service, that triggers CC to evaluate your AWS resources.maximum_execution_frequency
(String) The frequency at which you want CC to run evaluations for a custom rule with a periodic trigger. If you specify a value for MaximumExecutionFrequency
, then MessageType
must use the ScheduledNotification
value.
By default, rules with a periodic trigger are evaluated every 24 hours. To change the frequency, specify a valid value for the MaximumExecutionFrequency
parameter.
Based on the valid value you choose, CC runs evaluations once for each valid value. For example, if you choose Three_Hours
, CC runs evaluations once every three hours. In this case, Three_Hours
is the frequency of this rule.message_type
(String) The type of notification that triggers CC to run an evaluation for a rule. You can specify the following notification types:
ConfigurationItemChangeNotification
- Triggers an evaluation when CC delivers a configuration item as a result of a resource change.OversizedConfigurationItemChangeNotification
- Triggers an evaluation when CC delivers an oversized configuration item. CC may generate this notification type when a resource changes and the notification exceeds the maximum size allowed by Amazon SNS.ScheduledNotification
- Triggers a periodic evaluation at the frequency specified for MaximumExecutionFrequency
.ConfigurationSnapshotDeliveryCompleted
- Triggers a periodic evaluation when CC delivers a configuration snapshot.If you want your custom rule to be triggered by configuration changes, specify two SourceDetail objects, one for ConfigurationItemChangeNotification
and one for OversizedConfigurationItemChangeNotification
.