AWS Config Rules is a new set of cloud governance capabilities that allow IT Administrators to define guidelines for provisioning and configuring AWS resources and then continuously monitor compliance with those guidelines. AWS Config Rules lets you choose from a set of pre-built rules based on common AWS best practices or custom rules that you define. For example, ensure EBS volumes are encrypted, EC2 instances are properly tagged, and Elastic IP addresses (EIPs) are attached to instances. AWS Config Rules can continuously monitor configuration changes to your AWS resources and provides a new dashboard to track compliance status. Using Config Rules, an IT Administrator can quickly determine when and how a resource went out of compliance.

The Preview of AWS Config Rules is Available Now


You can enable AWS Config Rules with a few clicks in the AWS Management Console. Use predefined rule templates or create your own rules using AWS Lambda functions to enable more advanced compliance checks, workflows, and notifications. You can access information about the configuration of any resource using the AWS Management Console, CLI, or SDKs.


AWS Config Rules gives you a visual dashboard with lists, charts, and graphs to help you quickly spot non-compliant resources and take appropriate action. IT Administrators, Security Experts, Developers, and Operators can see a shared view of compliance. For organizations subject to established industry standards, Config Rules can help to ensure compliance.


AWS Config Rules provides you a near real-time view of your AWS resource compliance with organization policies and guidelines. There’s no need to start a compliance scan in order to see the status of your AWS resources. You can choose to evaluate rules each time an AWS resource changes or on a regular interval. You can also enable Amazon SNS to immediately send an email or text message when a configuration change is detected.


AWS Config Rules gives you an easy-to-navigate interface to support compliance audits and configuration troubleshooting. You can also schedule automatic account-wide compliance snapshots right from the console, giving you views of compliance over time.


You can choose from numerous AWS Partner Network (APN) partners who provide solutions that integrate with AWS Config Rules for resource discovery, change management, compliance, or security.

With AWS Config Rules, you are charged based on the number of active rules in your account. Each time an AWS resource is compared with a rule, the result is recorded as an evaluation result. You can choose to evaluate rules when AWS resources change or at periodic intervals like hourly or daily. A rule is active if it has one or more evaluations in a month.

Config Rules costs:

     $2 per active rule per month.

For every active rule, your account receives at no extra charge for that month:

     20,000 evaluations

Unused evaluations do not accumulate. If you need more evaluations for your rules, additional evaluations will be charged at:

     $0.10 per thousand evaluations

Configuration snapshots and configuration history files are delivered to you in the Amazon S3 bucket that you choose, and configuration change notifications are delivered via Amazon Simple Notification Service (SNS). Standard rates for Amazon S3 and Amazon SNS apply. Customer managed rules are authored using AWS Lambda. Standard rates for AWS Lambda apply.

Except as otherwise noted, our prices are exclusive of applicable taxes and duties, including VAT, GST and applicable sales tax. To learn more, see the Config Rules Pricing FAQs »

What is a configuration rule?
A configuration rule represents the desired configuration for a resource and is evaluated against configuration changes on the relevant resources, as recorded by AWS Config. The results of evaluating a rule against the configuration of a resource are available on a dashboard. Using Config Rules, you can assess your overall compliance and risk status from a configuration perspective, view compliance trends over time, and pinpoint which configuration change caused a resource to drift out of compliance with a rule.

Who should use Config Rules?
Any AWS customer looking to improve their security and governance posture on AWS by continuously evaluating the configuration of their resources would benefit from this capability. Administrators within larger organizations who recommend best practices for configuring resources can codify these rules as Config Rules, and enable self-governance among users. Information Security experts who monitor usage activity and configurations to detect vulnerabilities can benefit from Config Rules. Customers with workloads that need to comply with specific standards (e.g. PCI-DSS or HIPAA) can use this capability to assess compliance of their AWS infrastructure configurations, and generate reports for their auditors. Operators who manage large AWS infrastructure or components that change frequently can also benefit from Config Rules for troubleshooting.

Does the service guarantee that my configurations are never out of compliance?
Config Rules provides information about whether your resources are compliant with configuration rules you specify. It will evaluate rules as soon as updated Configuration Items (CIs) for the resource are available within AWS Config. It does not guarantee that resources will be compliant or prevent users from taking non-compliant actions. Further, Config Rules does not automatically snap non-compliant resources back into compliance.

Does the service prevent users from taking non-compliant actions?
Config Rules does not directly affect how end-users consume AWS. It evaluates resource configurations only after a configuration change has been completed and recorded by AWS Config. Config Rules does not prevent the user from making changes that could be non-compliant. To control what a user can provision on AWS and configuration parameters allowed during provisioning, please use AWS Identity and Access Management (IAM) Policies and AWS Service Catalog respectively.

Can rules be evaluated prior to provisioning a resource?
Config Rules evaluates rules after the Configuration Item (CI) for the resource is captured by AWS Config. It does not evaluate rules prior to provisioning a resource or prior to making configuration changes on the resource.

What is a resource’s configuration?
The configuration of a resource is defined by the data included in the Configuration Item (CI) recorded by AWS Config. The initial release of Config Rules makes the CI for a resource available to the relevant rules. Config Rules can use this information along with any other relevant information, such as other attached resources, business hours, etc., to evaluate compliance of a resource's configuration.

What is a rule?
A rule represents desired Configuration Item (CI) attribute values for resources and is evaluated by comparing those attribute values with the CIs recorded by AWS Config. There are two types of rules:

  • AWS managed rules: AWS managed rules are pre-built and managed by AWS. You simply choose the rule you want to enable, then supply a few configuration parameters to get started. Learn more »
  • Customer managed rules: customer managed rules are custom rules, defined and built by you. You can create a function in AWS Lambda that can be invoked as part of a custom rule and these functions execute in your account. Learn more »

How are rules created?
Rules are typically set up by the AWS account administrator. They can be created from AWS managed rules (a predefined set of rules provided by AWS) or as customer managed rules. With AWS managed rules, updates to the rule are automatically applied to any account using that rule. In the customer-managed model, the customer has a full copy of the rule and executes the rule within their own account; these rules are maintained by the customer.

How are rules evaluated?
Any rule can be set up as a change-triggered rule or as a periodic rule. A change-triggered rule is executed when AWS Config records a configuration change for any of the resources specified. Additionally, one of the following must be specified:

  • Tag Key:(optional Value): A tag key:value implies that any configuration change recorded for resources with the specified tag key:value will trigger an evaluation of the rule.
  • Resource type(s): Any configuration change recorded for any resource within the specified resource type(s) will trigger an evaluation of the rule.
  • Resource ID: Any change recorded to the resource specified by the resource type and resource ID will trigger an evaluation of the rule.

A periodic rule is triggered at a specified frequency. Available frequencies are 1hr, 3hr, 6hr, 12hr or 24hrs. A periodic rule has a full snapshot of current Configuration Items (CIs) for all resources available to the rule.

What is an evaluation?
An evaluation determines whether a resource is compliant with a rule at a particular point in time. It is the result of evaluating a rule against the configuration of a resource. Config Rules captures and stores the result of each evaluation. This result includes the resource, the rule, the time of evaluation, and a link to the Configuration Item (CI) that caused non-compliance.
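The following is an added example of a customer managed rule written as an AWS Lambda function, illustrating the change-triggered evaluation described above and the two checks the page names (EBS volumes must be encrypted; EC2 instances must carry required tags). It is not AWS's own code or a managed rule. It assumes the Lambda event carries `invokingEvent`, `ruleParameters` and `resultToken` as AWS Config delivers them to custom rules, that the EC2 volume CI exposes an `encrypted` boolean under `configuration`, and a rule parameter named `requiredTagKeys` that is this example's own invention. The compliance logic is kept in pure functions so it can be exercised offline; only `lambda_handler` calls AWS (via boto3).

```python
"""Custom AWS Config rule as a Lambda function (added example, not AWS code)."""
import json

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"


def evaluate_compliance(configuration_item, rule_parameters):
    """Return (compliance_type, annotation) for one Configuration Item.

    Checks: AWS::EC2::Volume must have encrypted == True; AWS::EC2::Instance
    must carry every tag key listed in the (assumed) comma-separated
    ``requiredTagKeys`` rule parameter. Other resource types are NOT_APPLICABLE.
    """
    # A deleted resource has nothing left to evaluate; reporting NOT_APPLICABLE
    # stops a stale NON_COMPLIANT result from lingering on the dashboard.
    if configuration_item.get("configurationItemStatus") == "ResourceDeleted":
        return NOT_APPLICABLE, "Resource deleted"

    resource_type = configuration_item.get("resourceType")
    config = configuration_item.get("configuration") or {}

    if resource_type == "AWS::EC2::Volume":
        if config.get("encrypted") is True:
            return COMPLIANT, "Volume is encrypted"
        return NON_COMPLIANT, "Volume is not encrypted"

    if resource_type == "AWS::EC2::Instance":
        raw = rule_parameters.get("requiredTagKeys", "")
        required = {k.strip() for k in raw.split(",") if k.strip()}
        present = set((configuration_item.get("tags") or {}).keys())
        missing = sorted(required - present)
        if missing:
            return NON_COMPLIANT, "Missing tag keys: " + ", ".join(missing)
        return COMPLIANT, "All required tags present"

    return NOT_APPLICABLE, "Resource type not covered by this rule"


def build_evaluation(event):
    """Parse a Config invocation into the record PutEvaluations expects.

    Returns None for anything other than a configuration-change notification:
    a periodic (scheduled) invocation carries no Configuration Item, so a
    periodic rule would have to enumerate resources itself instead.
    """
    invoking_event = json.loads(event["invokingEvent"])
    rule_parameters = json.loads(event.get("ruleParameters") or "{}")

    if invoking_event.get("messageType") != "ConfigurationItemChangeNotification":
        return None
    ci = invoking_event["configurationItem"]
    compliance, annotation = evaluate_compliance(ci, rule_parameters)
    return {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Lambda entry point: evaluate the CI and report the result to AWS Config."""
    evaluation = build_evaluation(event)
    if evaluation is None:
        return {"skipped": "not a configuration change notification"}
    import boto3  # imported here so the pure logic above runs without AWS access
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"]
    )
    return evaluation


# Constructed sample invocation (not a real captured event): an unencrypted
# volume whose change AWS Config has just recorded.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Volume",
            "resourceId": "vol-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2015-10-07T19:00:00.000Z",
            "configuration": {"encrypted": False, "size": 8},
        },
    }),
    "ruleParameters": "{}",
    "resultToken": "constructed-result-token",
}

# Constructed periodic invocation: no Configuration Item is attached.
SCHEDULED_EVENT = {
    "invokingEvent": json.dumps({"messageType": "ScheduledNotification"}),
    "ruleParameters": "{}",
    "resultToken": "constructed-result-token",
}
```

Running `build_evaluation(SAMPLE_EVENT)` offline yields a `NON_COMPLIANT` record for `vol-0123456789abcdef0`; in Lambda, `lambda_handler` would forward that same record to AWS Config, which then surfaces it on the dashboard alongside the CI that triggered it. Because the function is invoked by Config rather than by the user, its IAM role needs no more than permission to call `config:PutEvaluations` (and to read any additional resources the check consults).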

What does compliance mean?
A resource is compliant if it complies with all rules that apply to it; otherwise it is non-compliant. Similarly, a rule is compliant if all resources evaluated by the rule comply with it; otherwise it is non-compliant. In some cases, such as when the rule has inadequate permissions, an evaluation may not exist for the resource, leading to a state of insufficient data. This state is excluded from determining the compliance status of a resource or rule.

What information does the Config Rules dashboard provide?
The Config Rules dashboard gives you an overview of resources tracked by AWS Config, and a summary of current compliance by resource and by rule. When you view compliance by resource, you can determine if any rule that applies to the resource is currently not compliant. You can view compliance by rule, which tells you if any resource under the purview of the rule is currently non-compliant. Using these summary views, you can dive deeper into the Config timeline view of resources, to determine which configuration parameters changed. Using this dashboard, you can start with an overview and drill into fine-grained views that give you full information about changes in compliance status, and which changes caused non-compliance.

Does the pricing include the costs for AWS Lambda functions?
You can choose from a set of managed rules provided by AWS or you can author your own rules, written as AWS Lambda functions. Managed rules are fully managed and maintained by AWS and you do not pay any additional AWS Lambda charges to run them. Simply enable managed rules, provide any required parameters, and pay a single rate for each AWS Config rule. On the other hand, customer managed rules give you full control by executing these rules as AWS Lambda functions in your account. In addition to monthly charges for an active rule, standard AWS Lambda free tier and function execution rates apply to customer managed rules.

What is an active rule?
A rule is active if there is at least 1 evaluation recorded for the rule in a billing cycle (month). An evaluation is successfully recorded when an AWS resource is compared with a rule, and the result is recorded by AWS Config.

What does shared quota mean?
You receive a quota of 20,000 evaluations per active rule per month. For example, if you have 3 Config Rules, you get a quota of 60,000 evaluations for the account. You can choose to spread this allowance across the rules in any way.

Do unused evaluations carry over to the next month?
Unused evaluations expire and are reset every billing cycle.

Could you share pricing examples for AWS Config Rules?
Pricing example 1:
AWS Config records each AWS resource and configuration change as a Configuration Item (CI). Assume you record 7,000 CIs/month and have created 5 active rules (2 periodic and 3 change triggered), reporting a combined total of 150 evaluations per day.

AWS Config costs: 7,000 * $0.003 = $21.00
Cost for 5 active rules = 5 * $2.00 = $10.00

     Quota for evaluation results = 5 * 20,000 = 100,000
     Number of evaluation results used = 150 evaluations * 30 days = 4,500 evaluations per month
     Additional charges from evaluation results = $0.0

Total AWS Config monthly charges = $31.00

Pricing Example 2:
Assume you record 50,000 CIs/month and have created 2 active rules, each of which is evaluated on every CI and reports a result each time.

AWS Config costs: 50,000 * $0.003 = $150.00
Cost for 2 active rules = 2 * $2.00 = $4.00

     Quota for evaluation results = 2 * 20,000 = 40,000
     Number of evaluation results used = 2 * 50,000 = 100,000
     Additional charges from evaluation results = (100,000 - 40,000) * $0.0001 = 60,000 * $0.0001 = $6.00

Total AWS Config monthly charges = $150.00 + $4.00+ $6.00 = $160.00
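As an added example (not an AWS pricing calculator), the function below models the pricing rules stated on this page: the $0.003 per-CI rate used in the two examples, $2 per active rule, a 20,000-evaluation allowance per active rule pooled across the account, $0.10 per thousand evaluations beyond that, and no carry-over between months. It also applies the page's definition of an active rule, so a rule with no evaluations in the month is neither billed nor granted quota. The per-rule evaluation counts fed to it are constructed inputs that reproduce the two worked examples above.

```python
"""Monthly AWS Config Rules cost model from the rates quoted on this page
(added example, not AWS's own calculator)."""

CI_RATE = 0.003                       # $ per Configuration Item recorded
ACTIVE_RULE_RATE = 2.00               # $ per active rule per month
FREE_EVALUATIONS_PER_RULE = 20_000    # pooled across all active rules
OVERAGE_RATE_PER_EVALUATION = 0.10 / 1000  # $0.10 per thousand evaluations


def monthly_config_charges(cis_recorded, evaluations_per_rule):
    """Return a breakdown of one month's AWS Config and Config Rules charges.

    ``evaluations_per_rule`` maps a rule name to the number of evaluations
    recorded for it that month. A rule with zero evaluations is not active
    (page: 'active if it has one or more evaluations in a month'), so it
    contributes neither a $2 charge nor 20,000 free evaluations.
    """
    active = {name: n for name, n in evaluations_per_rule.items() if n > 0}
    evaluations_used = sum(active.values())
    # The allowance is shared: any rule may consume any part of it.
    quota = FREE_EVALUATIONS_PER_RULE * len(active)
    overage = max(0, evaluations_used - quota)

    breakdown = {
        "config_items_cost": round(cis_recorded * CI_RATE, 2),
        "active_rules": len(active),
        "active_rules_cost": round(len(active) * ACTIVE_RULE_RATE, 2),
        "evaluation_quota": quota,
        "evaluations_used": evaluations_used,
        "overage_evaluations": overage,
        "overage_cost": round(overage * OVERAGE_RATE_PER_EVALUATION, 2),
    }
    breakdown["total"] = round(
        breakdown["config_items_cost"]
        + breakdown["active_rules_cost"]
        + breakdown["overage_cost"],
        2,
    )
    return breakdown


# Constructed inputs matching the page's two pricing examples.
# Example 1: 7,000 CIs, 5 active rules, 150 evaluations/day for 30 days = 4,500,
# spread across the rules in an arbitrary way (the page gives only the total).
EXAMPLE_1 = monthly_config_charges(
    7_000,
    {"periodic-1": 1_000, "periodic-2": 1_000,
     "change-1": 900, "change-2": 800, "change-3": 800},
)

# Example 2: 50,000 CIs, 2 active rules, each evaluated on every CI.
EXAMPLE_2 = monthly_config_charges(50_000, {"rule-a": 50_000, "rule-b": 50_000})

# A defined but idle rule: no evaluations, so nothing is billed for it.
IDLE_RULE = monthly_config_charges(0, {"idle-rule": 0})

if __name__ == "__main__":
    for label, result in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2)):
        print(label, result)
```

`EXAMPLE_1["total"]` is 31.00 and `EXAMPLE_2["total"]` is 160.00, matching the page. The model makes one practical point visible: because the allowance is pooled, adding a cheap low-volume rule to an account raises the shared quota by 20,000 and can eliminate overage charges incurred by a busier rule.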