AWSCDK::Config

39 types

AWS Config Construct Library

AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time.

This module is part of the AWS Cloud Development Kit project.

Initial Setup

Before using the constructs provided in this module, you need to set up AWS Config in the region in which it will be used. This setup includes the one-time creation of the following resources per region:

The following guides provide the steps for getting started with AWS Config:

Rules

AWS Config can evaluate the configuration settings of your AWS resources by creating AWS Config rules, which represent your ideal configuration settings.

See Evaluating Resources with AWS Config Rules to learn more about AWS Config rules.

AWS Managed Rules

AWS Config provides AWS managed rules, which are predefined, customizable rules that AWS Config uses to evaluate whether your AWS resources comply with common best practices.

For example, you could create a managed rule that checks whether active access keys are rotated within the number of days specified.

# https://docs.aws.amazon.com/config/latest/developerguide/access-keys-rotated.html
AWSCDK::Config::ManagedRule.new(self, "AccessKeysRotated", {
    identifier: AWSCDK::Config::ManagedRuleIdentifiers.ACCESS_KEYS_ROTATED,
    input_parameters: {
        max_access_key_age: 60,
    },

    # default is 24 hours
    maximum_execution_frequency: AWSCDK::Config::MaximumExecutionFrequency::TWELVE_HOURS,
})

Identifiers for AWS managed rules are available through static constants in the ManagedRuleIdentifiers class. You can find supported input parameters in the List of AWS Config Managed Rules.

The following higher level constructs for AWS managed rules are available.

Access Key rotation

Checks whether your active access keys are rotated within the number of days specified.

# compliant if access keys have been rotated within the last 90 days
AWSCDK::Config::AccessKeysRotated.new(self, "AccessKeyRotated")

CloudFormation Stack drift detection

Checks whether your CloudFormation stack's actual configuration differs, or has drifted, from it's expected configuration.

# compliant if stack's status is 'IN_SYNC'
# non-compliant if the stack's drift status is 'DRIFTED'
AWSCDK::Config::CloudFormationStackDriftDetectionCheck.new(self, "Drift", {
    own_stack_only: true,
})

CloudFormation Stack notifications

Checks whether your CloudFormation stacks are sending event notifications to a SNS topic.

# topics to which CloudFormation stacks may send event notifications
topic1 = AWSCDK::SNS::Topic.new(self, "AllowedTopic1")
topic2 = AWSCDK::SNS::Topic.new(self, "AllowedTopic2")

# non-compliant if CloudFormation stack does not send notifications to 'topic1' or 'topic2'
AWSCDK::Config::CloudFormationStackNotificationCheck.new(self, "NotificationCheck", {
    topics: [topic1, topic2],
})

Custom rules

You can develop custom rules and add them to AWS Config. You associate each custom rule with an AWS Lambda function and Guard.

Custom Lambda Rules

Lambda function which contains the logic that evaluates whether your AWS resources comply with the rule.

# Lambda function containing logic that evaluates compliance with the rule.
eval_compliance_fn = AWSCDK::Lambda::Function.new(self, "CustomFunction", {
    code: AWSCDK::Lambda::AssetCode.from_inline("exports.handler = (event) => console.log(event);"),
    handler: "index.handler",
    runtime: AWSCDK::Lambda::Runtime.NODEJS_LATEST,
})

# A custom rule that runs on configuration changes of EC2 instances
custom_rule = AWSCDK::Config::CustomRule.new(self, "Custom", {
    configuration_changes: true,
    lambda_function: eval_compliance_fn,
    rule_scope: AWSCDK::Config::RuleScope.from_resource(AWSCDK::Config::ResourceType.EC2_INSTANCE),
})

Custom Policy Rules

Guard which contains the logic that evaluates whether your AWS resources comply with the rule.

sample_policy_text = <<-'HERE'

# This rule checks if point in time recovery (PITR) is enabled on active Amazon DynamoDB tables
let status = ['ACTIVE']

rule tableisactive when
    resourceType == "AWS::DynamoDB::Table" {
    configuration.tableStatus == %status
}

rule checkcompliance when
    resourceType == "AWS::DynamoDB::Table"
    tableisactive {
        let pitr = supplementaryConfiguration.ContinuousBackupsDescription.pointInTimeRecoveryDescription.pointInTimeRecoveryStatus
        %pitr == "ENABLED"
}

HERE

AWSCDK::Config::CustomPolicy.new(self, "Custom", {
    policy_text: sample_policy_text,
    enable_debug_log: true,
    rule_scope: AWSCDK::Config::RuleScope.from_resources([
        AWSCDK::Config::ResourceType.DYNAMODB_TABLE,
    ]),
})

Triggers

AWS Lambda executes functions in response to events that are published by AWS Services. The function for a custom Config rule receives an event that is published by AWS Config, and is responsible for evaluating the compliance of the rule.

Evaluations can be triggered by configuration changes, periodically, or both. To create a custom rule, define a CustomRule and specify the Lambda Function to run and the trigger types.

eval_compliance_fn = nil # AWSCDK::Lambda::Function


AWSCDK::Config::CustomRule.new(self, "CustomRule", {
    lambda_function: eval_compliance_fn,
    configuration_changes: true,
    periodic: true,

    # default is 24 hours
    maximum_execution_frequency: AWSCDK::Config::MaximumExecutionFrequency::SIX_HOURS,
})

When the trigger for a rule occurs, the Lambda function is invoked by publishing an event. See example events for AWS Config Rules

The AWS documentation has examples of Lambda functions for evaluations that are triggered by configuration changes and triggered periodically

Scope

By default rules are triggered by changes to all resources.

Use the RuleScope APIs (from_resource(), from_resources() or from_tag()) to restrict the scope of both managed and custom rules:

eval_compliance_fn = nil # AWSCDK::Lambda::Function
ssh_rule = AWSCDK::Config::ManagedRule.new(self, "SSH", {
    identifier: AWSCDK::Config::ManagedRuleIdentifiers.EC2_SECURITY_GROUPS_INCOMING_SSH_DISABLED,
    rule_scope: AWSCDK::Config::RuleScope.from_resource(AWSCDK::Config::ResourceType.EC2_SECURITY_GROUP, "sg-1234567890abcdefgh"),
})
custom_rule = AWSCDK::Config::CustomRule.new(self, "Lambda", {
    lambda_function: eval_compliance_fn,
    configuration_changes: true,
    rule_scope: AWSCDK::Config::RuleScope.from_resources([AWSCDK::Config::ResourceType.CLOUDFORMATION_STACK, AWSCDK::Config::ResourceType.S3_BUCKET]),
})

tag_rule = AWSCDK::Config::CustomRule.new(self, "CostCenterTagRule", {
    lambda_function: eval_compliance_fn,
    configuration_changes: true,
    rule_scope: AWSCDK::Config::RuleScope.from_tag("Cost Center", "MyApp"),
})

Evaluation Mode

You can specify the evaluation mode for a rule to determine when AWS Config runs evaluations.

Use the evaluation_modes property to specify the evaluation mode:

fn = nil # AWSCDK::Lambda::Function
sample_policy_text = nil


AWSCDK::Config::ManagedRule.new(self, "ManagedRule", {
    identifier: AWSCDK::Config::ManagedRuleIdentifiers.API_GW_XRAY_ENABLED,
    evaluation_modes: AWSCDK::Config::EvaluationMode.DETECTIVE_AND_PROACTIVE,
})

AWSCDK::Config::CustomRule.new(self, "CustomRule", {
    lambda_function: fn,
    evaluation_modes: AWSCDK::Config::EvaluationMode.PROACTIVE,
})

AWSCDK::Config::CustomPolicy.new(self, "CustomPolicy", {
    policy_text: sample_policy_text,
    evaluation_modes: AWSCDK::Config::EvaluationMode.DETECTIVE,
})

Note: Proactive evaluation mode is not supported for all rules. See AWS Config documentation for more information.

Events

You can define Amazon EventBridge event rules which trigger when a compliance check fails or when a rule is re-evaluated.

Use the on_compliance_change() APIs to trigger an EventBridge event when a compliance check of your AWS Config Rule fails:

# Topic to which compliance notification events will be published
compliance_topic = AWSCDK::SNS::Topic.new(self, "ComplianceTopic")

rule = AWSCDK::Config::CloudFormationStackDriftDetectionCheck.new(self, "Drift")
rule.on_compliance_change("TopicEvent", {
    target: AWSCDK::EventsTargets::SNSTopic.new(compliance_topic),
})

Use the on_re_evaluation_status() status to trigger an EventBridge event when an AWS Config rule is re-evaluated.

# Topic to which re-evaluation notification events will be published
re_evaluation_topic = AWSCDK::SNS::Topic.new(self, "ComplianceTopic")

rule = AWSCDK::Config::CloudFormationStackDriftDetectionCheck.new(self, "Drift")
rule.on_re_evaluation_status("ReEvaluationEvent", {
    target: AWSCDK::EventsTargets::SNSTopic.new(re_evaluation_topic),
})

Example

The following example creates a custom rule that evaluates whether EC2 instances are compliant. Compliance events are published to an SNS topic.

# Lambda function containing logic that evaluates compliance with the rule.
eval_compliance_fn = AWSCDK::Lambda::Function.new(self, "CustomFunction", {
    code: AWSCDK::Lambda::AssetCode.from_inline("exports.handler = (event) => console.log(event);"),
    handler: "index.handler",
    runtime: AWSCDK::Lambda::Runtime.NODEJS_LATEST,
})

# A custom rule that runs on configuration changes of EC2 instances
custom_rule = AWSCDK::Config::CustomRule.new(self, "Custom", {
    configuration_changes: true,
    lambda_function: eval_compliance_fn,
    rule_scope: AWSCDK::Config::RuleScope.from_resource(AWSCDK::Config::ResourceType.EC2_INSTANCE),
})

# A rule to detect stack drifts
drift_rule = AWSCDK::Config::CloudFormationStackDriftDetectionCheck.new(self, "Drift")

# Topic to which compliance notification events will be published
compliance_topic = AWSCDK::SNS::Topic.new(self, "ComplianceTopic")

# Send notification on compliance change events
drift_rule.on_compliance_change("ComplianceChange", {
    target: AWSCDK::EventsTargets::SNSTopic.new(compliance_topic),
})

API Reference

Classes 20

AccessKeysRotatedChecks whether the active access keys are rotated within the number of days specified in ` CfnAggregationAuthorizationAn object that represents the authorizations granted to aggregator accounts and regions. CfnConfigRule> You must first create and start the AWS Config configuration recorder in order to create CfnConfigurationAggregatorThe details about the configuration aggregator, including information about source account CfnConfigurationRecorderThe `AWS::Config::ConfigurationRecorder` resource type describes the AWS resource types th CfnConformancePackA conformance pack is a collection of AWS Config rules and remediation actions that can be CfnDeliveryChannelSpecifies a delivery channel object to deliver configuration information to an Amazon S3 b CfnOrganizationConfigRuleAdds or updates an AWS Config rule for your entire organization to evaluate if your AWS re CfnOrganizationConformancePackOrganizationConformancePack deploys conformance packs across member accounts in an AWS Org CfnRemediationConfigurationAn object that represents the details about the remediation configuration that includes th CfnStoredQueryProvides the details of a stored query. CloudFormationStackDriftDetectionCheckChecks whether your CloudFormation stacks' actual configuration differs, or has drifted, f CloudFormationStackNotificationCheckChecks whether your CloudFormation stacks are sending event notifications to a SNS topic. CustomPolicyA new custom policy. CustomRuleA new custom rule. EvaluationModeThe mode of evaluation for the rule. ManagedRuleA new managed rule. ManagedRuleIdentifiersManaged rules that are supported by AWS Config. ResourceTypeResources types that are supported by AWS Config. RuleScopeDetermines which resources trigger an evaluation of an AWS Config rule.

Interfaces 18

AccessKeysRotatedPropsConstruction properties for a AccessKeysRotated. CfnAggregationAuthorizationPropsProperties for defining a `CfnAggregationAuthorization`. CfnConfigRulePropsProperties for defining a `CfnConfigRule`. CfnConfigurationAggregatorPropsProperties for defining a `CfnConfigurationAggregator`. CfnConfigurationRecorderPropsProperties for defining a `CfnConfigurationRecorder`. CfnConformancePackPropsProperties for defining a `CfnConformancePack`. CfnDeliveryChannelPropsProperties for defining a `CfnDeliveryChannel`. CfnOrganizationConfigRulePropsProperties for defining a `CfnOrganizationConfigRule`. CfnOrganizationConformancePackPropsProperties for defining a `CfnOrganizationConformancePack`. CfnRemediationConfigurationPropsProperties for defining a `CfnRemediationConfiguration`. CfnStoredQueryPropsProperties for defining a `CfnStoredQuery`. CloudFormationStackDriftDetectionCheckPropsConstruction properties for a CloudFormationStackDriftDetectionCheck. CloudFormationStackNotificationCheckPropsConstruction properties for a CloudFormationStackNotificationCheck. CustomPolicyPropsConstruction properties for a CustomPolicy. CustomRulePropsConstruction properties for a CustomRule. IRuleInterface representing an AWS Config rule. ManagedRulePropsConstruction properties for a ManagedRule. RulePropsConstruction properties for a new rule.

Enums 1

MaximumExecutionFrequencyThe maximum frequency at which the AWS Config rule runs evaluations.