Overview

Functions

A conformance package is a collection of rules. With conformance packages, you can evaluate resource compliance using multiple rules at the same time and centrally query conformance data.

After a conformance package is created, the compliance rules included will be displayed in the rule list. These rules cannot be updated, disabled, or deleted separately. They can only be deleted together with the conformance package.

If you are an organization administrator or a delegated administrator of Config, you can add organization conformance packages and then deploy organization conformance packages to all member accounts in your organization.

Constraints and Limitation

• Up to 50 conformance packages (including organization conformance packages) and 500 rules can be created in an account.
• The resource recorder must be enabled before you create a conformance package. Config only evaluates resources that are recorded by the resource recorder.

Concepts

Sample template

Sample templates are provided by Config for you to quickly create conformance packages quickly. Sample templates are scenario-based with appropriate compliance rules and parameters.

Pre-defined conformance package:

A pre-defined conformance package is created using a sample template. To deploy a pre-defined conformance package, you only need to configure a few parameters.

Custom conformance package:

A custom conformance package is created using a custom template. You can include both predefined and custom rules in a custom template. When you deploy a conformance package, you can upload a package template or use a package template stored in an OBS bucket. A custom template must be a JSON file. Other file formats, such as tf or zip, are not supported.

Compliance data

Compliance data is the results of resource compliance evaluation against a conformance package. Conformance data includes the following:

• Evaluation results for a conformance package: All rules in the conformance package are used for resource evaluation. If a resource is found to be noncompliant by any of the rules in the package, the evaluation result is noncompliant. If all resources are compliant, the evaluation result is compliant.
• Evaluation results for a rule: Each rule in the conformance package has an evaluation result. If a resource is found to be noncompliant, the result is noncompliant. If all resources are compliant, the result is compliant.
• Compliance score: The percentage of resources that are evaluated as compliant by a conformance package. A compliance score of 100 indicates that all resources evaluated are compliant. A score of 0 indicates that all resources evaluated are noncompliant.
  Figure 1 Compliance score formula:
  

Stack:

To create, update, and delete rules in a conformance package, an RFS resource stack is required. Stack is a concept of Resource Formation Service (RFS). For details, see Basic Concepts.

Status

When you deploy a conformance package, the package may be in the status of:

• Deployed: A conformance package has been deployed.
• Deploying: A conformance package is being deployed.
• Abnormal: Conformance package deployment failed.
• Rolled back: Some rules in a conformance package failed to be created and were rolled back, and other created rules were deleted.
• Rolling back: Some rules in a conformance package failed to be created and were rolled back, and other created rules were being deleted.
• Rollback failed: Some rules in a conformance package failed to be created and to be rolled back. You can access RFS to check out the reasons.
• Deleting: Rules in a conformance package and the package are being deleted.
• Exception: Deleting a conformance package failed.
• Updated: A compliance package is updated.
• Updating: A compliance package is being updated.
• Updating: A compliance package update is in progress.

Authorization

RFS resource stacks need to be authorized to create, delete, and update resources in a conformance package. When you create a conformance package, you need to assign RFS a required agency.

If you decide to not use custom authorization, Config will be automatically assigned an agency that contains required RFS permissions. You can also create a custom agency with IAM. The agency must contain required permissions for RFS to create, modify, and delete rules in a conformance package. For details about how to create an agency, see Creating an Agency (by a Delegating Party).