Updated on 2025-02-19 GMT+08:00

Overview

Functions

A conformance package is a collection of rules. With conformance packages, you can evaluate resource compliance using multiple rules at the same time and centrally query conformance data.

After a conformance package is created, the compliance rules included will be displayed in the rule list. These rules cannot be updated, disabled, or deleted separately. They can only be deleted together with the conformance package.

If you are an organization administrator or a delegated administrator of Config, you can add organization conformance packages and deploy these packages to all member accounts that are in the normal state in your organization.

Constraints and Limitation

  • Up to 50 conformance packages (including organization conformance packages) and 500 rules can be created in an account.
  • The resource recorder must be enabled before you create a conformance package. Config only evaluates resources that are recorded by the resource recorder.
  • To deploy an organization conformance package to a member, the member account must be in the normal state, and the resource recorder must be enabled for the member.

Concepts

Sample template

Sample templates are provided by Config for you to quickly create conformance packages quickly. Sample templates are scenario-based with appropriate compliance rules and parameters.

Pre-defined conformance package:

A pre-defined conformance package is created using a sample template. To deploy a pre-defined conformance package, you only need to configure a few parameters.

Custom conformance package:

A custom conformance package is created using a custom template. You can include both predefined and custom rules in a custom template. When you deploy a conformance package, you can upload a package template or use a package template stored in an OBS bucket. A custom template must be a JSON file. Other file formats, such as tf or zip, are not supported.

Compliance data

Compliance data is the results of resource compliance evaluation against a conformance package. Conformance data includes the following:

  • Evaluation results of a conformance package: All rules in the conformance package are used to evaluate resources. If a resource is found to be noncompliant by any of the rules in the package, the evaluation result is noncompliant. If all resources are compliant, the evaluation result is compliant.
  • Evaluation results of a rule: Each rule in the conformance package has an evaluation result. If a resource is found to be noncompliant, the result is noncompliant. If all resources are compliant, the result is compliant.
  • Compliance score: The percentage of resources that are evaluated as compliant by a conformance package. A compliance score of 100 indicates that all resources evaluated are compliant. A score of 0 indicates that all resources evaluated are noncompliant.
    Figure 1 Compliance score formula:

Stack:

To create, update, and delete rules in a conformance package, an RFS resource stack is required. Stack is a concept of Resource Formation Service (RFS). For details, see Basic Concepts.

Status

Table 1 Conformance package deployment states

Value

State

Description

CREATE_SUCCESSFUL

Deployed

A conformance package has been deployed.

CREATE_IN_PROGRESS

Deploying

A conformance package is being deployed.

CREATE_FAILED

Abnormal

A conformance package fails to be deployed.

DELETE_IN_PROGRESS

Deleting

A conformance package is being deleted.

DELETE_FAILED

Deletion failed

A conformance package fails to be deleted.

ROLLBACK_SUCCESSFUL

Rolled back

Some rules in a conformance package failed to be created and were rolled back, and created rules were deleted.

ROLLBACK_IN_PROGRESS

Rolling back

Some rules in a conformance package failed to be created and were rolled back, and created rules were being deleted.

ROLLBACK_FAILED

Rollback failed

Some rules in a conformance package failed to be created, and rollback also failed. You can access RFS to check out the reasons.

UPDATE_SUCCESSFUL

Updated

A conformance package is updated.

UPDATE_IN_PROGRESS

Updating

A conformance package is being updated.

UPDATE_FAILED

Update failed

A conformance package fails to be updated.

Authorization

RFS resource stacks need to be authorized to create, delete, and update resources in a conformance package. When you create a conformance package, you need to assign RFS a required agency.

If you decide to not use custom authorization, Config will be automatically assigned an agency that contains required RFS permissions. You can also create a custom agency with IAM. The agency must contain required permissions for RFS to create, modify, and delete rules in a conformance package. For details about how to create an agency, see Creating an Agency (by a Delegating Party).

If you want to use a template in your OBS bucket to create a conformance package, configure a proper IAM policy and an OBS bucket policy to ensure that the template can be accessed. For more details, see Object Storage Service User Guide and Resource Formation Service User Guide.