Updated on 2024-11-12 GMT+08:00

Overview

You can create a rule to evaluate the compliance of your resources. When creating a rule, you select a built-in or custom policy, specify a monitoring scope, and specify the trigger type. Config then evaluates the resources in scope and reports which are compliant and which are noncompliant.

If you are an organization administrator or a delegated administrator of Config, you can also create organization rules and deploy them to all member accounts in your organization that are in the normal state.

Config also allows you to remediate noncompliant resources using an RFS template or a FunctionGraph function.

Restrictions and Limitations

  • You can add up to 500 rules per account (including organization rules and rules included in conformance packages).
  • The resource recorder must be enabled for adding, modifying, enabling, or triggering a rule. If the resource recorder is disabled, you can only view, disable, and delete rules.

    You cannot individually modify, disable, enable, or delete an organization rule that has been deployed to your account, or an individual rule that belongs to a conformance package. Only the organization administrator or delegated administrator of Config who created the organization rule can modify or delete it. To modify or delete a rule that belongs to a conformance package, modify or delete the package itself. For details, see Organization Rules and Conformance Packages.

  • The resource recorder must be enabled for adding, modifying, and triggering organization rules. If the resource recorder is disabled, you can only view and delete organization rules.
  • The Organization Rules tab is inaccessible for a non-organization member.
  • Organization rules will only be deployed to member accounts that are in the normal state.
  • Currently, you can only add remediation actions to non-organization rules that are not included in a conformance package.
  • Currently, only the ap-southeast-1 region supports applying remediation actions to resources with RFS templates. In addition, to create a remediation template with RFS, at least five stacks are required.
  • You can only add one remediation action to each rule.
  • Before you can delete a rule, you must delete the remediation action assigned to it and disable the rule.
  • You can manually select up to 100 resources as remediation exceptions for each rule. There is no limit on the number of resources the system adds automatically as remediation exceptions based on the remediation retry rules.

To evaluate resources with rules, the resource recorder must be enabled. Resource evaluation is subject to the following conditions:

  • If the resource recorder is disabled, no resources are available for evaluation, but you can still view historical evaluation results.
  • If the resource recorder is enabled and a monitoring scope is configured, only resources within that monitoring scope are evaluated; resources outside the scope are not assessed by any rule.

For details about how to enable and configure the resource recorder, see Configuring the Resource Recorder.