Updated on 2024-05-16 GMT+08:00

Overview

Functions

A conformance package is a collection of rules. Config provides conformance packages for you to evaluate resource compliance against multiple rules at the same time and centrally query conformance data.

After a conformance package is created, the compliance rules included will be displayed in the rule list. These rules cannot be updated, disabled, or deleted separately. They can only be deleted together with the conformance package.

If you are an organization administrator or a delegated administrator of Config, you can add organization conformance packages and then deploy organization conformance packages to all member accounts in your organization.

Constraints and Limitation

  • Up to 50 conformance packages (including organization conformance packages) and 500 rules can be created in an account.
  • The resource recorder must be enabled before you create a conformance package. Config only evaluates resources that are recorded by the resource recorder.

Concepts

Sample template

Sample templates are provided by Config for you to create conformance packages quickly. Sample templates are scenario-based with proper compliance rules and parameters.

Pre-defined conformance package

A pre-defined conformance package is created using a sample template. You only need to specify values for the package parameters.

Custom conformance package

A custom conformance package is created using a custom template with compliance rules defined by you. You can upload a package template or use a package template stored in an OBS bucket to create a package. A custom template must be a JSON file. Other file formats, such as tf or zip, are not supported.

Compliance data

Compliance data consists of the results of evaluating resources against a conformance package. Compliance data includes the following:

  • Package-level data: the result generated when all compliance rules in a package are used to evaluate resources. If any resource is noncompliant, the evaluation result is noncompliant. If no resource is noncompliant, the evaluation result is compliant.
  • Rule-level data: the result generated when a single rule in a package is used to evaluate resources. If any resource is noncompliant, the evaluation result is noncompliant. If no resource is evaluated as noncompliant, the evaluation result is compliant.
  • Compliance score: the percentage of compliant resources among the total number of resources evaluated with the package. A compliance score of 100 indicates that all evaluated resources are compliant. A score of 0 indicates that all evaluated resources are noncompliant.
    Figure 1 Compliance score formula
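The following is an added example, not code from the Config documentation or service, that applies the three definitions above to a set of per-resource evaluation results: rule-level and package-level results are noncompliant as soon as one evaluated resource fails, and the compliance score is the percentage of compliant resources among all resources the package evaluated. Rule names, resource IDs and results are constructed; the handling of a resource evaluated by several rules (counted once, compliant only if every rule passed) and of an empty evaluation set (no score) are assumptions, since the page does not specify them.

```python
"""Added example: aggregating conformance package compliance data.
Not part of the Config service or its documentation; all sample data is constructed."""

from dataclasses import dataclass

COMPLIANT = "Compliant"
NONCOMPLIANT = "NonCompliant"


@dataclass(frozen=True)
class Evaluation:
    rule: str          # name of the rule that evaluated the resource (constructed)
    resource_id: str   # ID of the evaluated resource (constructed)
    compliant: bool    # result of this rule for this resource


def rule_level(evaluations, rule):
    """Rule-level data: NonCompliant if any resource evaluated by the rule failed."""
    results = [e for e in evaluations if e.rule == rule]
    return NONCOMPLIANT if any(not e.compliant for e in results) else COMPLIANT


def package_level(evaluations):
    """Package-level data: NonCompliant if any rule in the package has a noncompliant resource."""
    return NONCOMPLIANT if any(not e.compliant for e in evaluations) else COMPLIANT


def compliance_score(evaluations):
    """Compliance score: percentage of compliant resources among all evaluated resources.

    Assumption (not stated on the page): a resource evaluated by several rules counts once
    and is compliant only if every rule that evaluated it passed. Returns None when the
    package evaluated no resources, because the percentage is undefined in that case.
    """
    per_resource = {}
    for e in evaluations:
        per_resource[e.resource_id] = per_resource.get(e.resource_id, True) and e.compliant
    if not per_resource:
        return None
    compliant = sum(1 for ok in per_resource.values() if ok)
    return round(100 * compliant / len(per_resource), 2)


def summarize(evaluations):
    """Combine package-level, rule-level and score data the way a compliance view would."""
    rules = sorted({e.rule for e in evaluations})
    return {
        "package": package_level(evaluations),
        "rules": {r: rule_level(evaluations, r) for r in rules},
        "score": compliance_score(evaluations),
    }


# Constructed sample: three hypothetical rules over six resources; one bucket fails.
SAMPLE = [
    Evaluation("rule-obs-no-public-read", "bucket-a", True),
    Evaluation("rule-obs-no-public-read", "bucket-b", False),
    Evaluation("rule-ecs-no-public-ip", "ecs-1", True),
    Evaluation("rule-ecs-no-public-ip", "ecs-2", True),
    Evaluation("rule-volume-encrypted", "vol-1", True),
    Evaluation("rule-volume-encrypted", "vol-2", True),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

With the constructed sample, a single noncompliant bucket makes both its rule and the whole package NonCompliant, while the score (5 of 6 resources compliant) is 83.33, which shows why the package-level result and the score answer different questions.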

Stack

A stack is used to create or delete the rules in a conformance package. Stack is a concept of RFS. For details, see stack.

Status

When you deploy a conformance package, the package can be in one of the following statuses:

  • Deployed: A conformance package has been deployed.
  • Deploying: A conformance package is being deployed.
  • Abnormal: Conformance package deployment failed.
  • Rolled back: Some rules in the conformance package failed to be created, so the deployment was rolled back and the rules that had already been created were deleted.
  • Rolling back: Some rules in the conformance package failed to be created, so the deployment is being rolled back and the rules that had already been created are being deleted.
  • Rollback failed: Some rules in the conformance package failed to be created, and the rollback also failed. You can check the cause in RFS.
  • Deleting: Rules in a conformance package and the package are being deleted.
  • Exception: Deleting a conformance package failed.
  • Updated: A conformance package has been updated.
  • Updating: A conformance package is being updated.

Authorization

Config rules are created and deleted using stacks of RFS. To deploy a conformance package, you need to obtain a corresponding RFS agency to grant you necessary permissions.

  • Quick authorization: This option creates an agency named rms_conformance_pack_agency for you to create, update, or delete rules, and to create or delete a conformance package.
  • Custom authorization: You can create an agency and perform custom authorization through IAM. The agency must contain the permissions required for a conformance package to work properly, that is, the permissions for RFS to create, update, or delete rules. For details about how to create an agency, see Creating an Agency (by a Delegating Party).