AWS Native is in preview. AWS Classic is fully supported.
aws-native.configuration.ConfigRule
Explore with Pulumi AI
AWS Native is in preview. AWS Classic is fully supported.
You must first create and start the CC configuration recorder in order to create CC managed rules with CFNlong. For more information, see Managing the Configuration Recorder.
Adds or updates an CC rule to evaluate if your AWS resources comply with your desired configurations. For information on how many CC rules you can have per account, see Service Limits in the Developer Guide.
There are two types of rules: Managed Rules and Custom Rules. You can use the ConfigRule
resource to create both CC Managed Rules and CC Custom Rules.
CC Managed Rules are predefined, customizable rules created by CC. For a list of managed rules, see List of Managed Rules. If you are adding an CC managed rule, you must specify the rule’s identifier for the SourceIdentifier
key.
CC Custom Rules are rules that you create from scratch. There are two ways to create CC custom rules: with Lambda functions (Developer Guide) and with CFNGUARDshort (Guard GitHub Repository), a policy-as-code language. CC custom rules created with LAMlong are called Custom Lambda Rules and CC custom rules created with CFNGUARDshort are called Custom Policy Rules.
If you are adding a new CC Custom LAM rule, you first need to create an LAMlong function that the rule invokes to evaluate your resources. When you use the ConfigRule
resource to add a Custom LAM rule to CC, you must specify the Amazon Resource Name (ARN) that LAMlong assigns to the function. You specify the ARN in the SourceIdentifier
key. This key is part of the Source
object, which is part of the ConfigRule
object.
For any new CC rule that you add, specify the ConfigRuleName
in the ConfigRule
object. Do not specify the ConfigRuleArn
or the ConfigRuleId
. These values are generated by CC for new rules.
If you are updating a rule that you added previously, you can specify the rule by ConfigRuleName
, ConfigRuleId
, or ConfigRuleArn
in the ConfigRule
data type that you use in this request.
For more information about developing and using CC rules, see Evaluating Resources with Rules in the Developer Guide.
Create ConfigRule Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new ConfigRule(name: string, args: ConfigRuleArgs, opts?: CustomResourceOptions);
@overload
def ConfigRule(resource_name: str,
args: ConfigRuleArgs,
opts: Optional[ResourceOptions] = None)
@overload
def ConfigRule(resource_name: str,
opts: Optional[ResourceOptions] = None,
source: Optional[ConfigRuleSourceArgs] = None,
compliance: Optional[CompliancePropertiesArgs] = None,
config_rule_name: Optional[str] = None,
description: Optional[str] = None,
evaluation_modes: Optional[Sequence[ConfigRuleEvaluationModeConfigurationArgs]] = None,
input_parameters: Optional[Any] = None,
maximum_execution_frequency: Optional[str] = None,
scope: Optional[ConfigRuleScopeArgs] = None)
func NewConfigRule(ctx *Context, name string, args ConfigRuleArgs, opts ...ResourceOption) (*ConfigRule, error)
public ConfigRule(string name, ConfigRuleArgs args, CustomResourceOptions? opts = null)
public ConfigRule(String name, ConfigRuleArgs args)
public ConfigRule(String name, ConfigRuleArgs args, CustomResourceOptions options)
type: aws-native:configuration:ConfigRule
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args ConfigRuleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args ConfigRuleArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args ConfigRuleArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args ConfigRuleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args ConfigRuleArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
ConfigRule Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The ConfigRule resource accepts the following input properties:
- Source
Pulumi.
Aws Native. Configuration. Inputs. Config Rule Source - Provides the rule owner (```` for managed rules,
CUSTOM_POLICY
for Custom Policy rules, andCUSTOM_LAMBDA
for Custom Lambda rules), the rule identifier, and the notifications that cause the function to evaluate your AWS resources. - Compliance
Pulumi.
Aws Native. Configuration. Inputs. Compliance Properties - Indicates whether an AWS resource or CC rule is compliant and provides the number of contributors that affect the compliance.
- Config
Rule stringName - A name for the CC rule. If you don't specify a name, CFN generates a unique physical ID and uses that ID for the rule name. For more information, see Name Type.
- Description string
- The description that you provide for the CC rule.
- Evaluation
Modes List<Pulumi.Aws Native. Configuration. Inputs. Config Rule Evaluation Mode Configuration> - The modes the CC rule can be evaluated in. The valid values are distinct objects. By default, the value is Detective evaluation mode only.
- Input
Parameters object A string, in JSON format, that is passed to the CC rule Lambda function.
Search the CloudFormation User Guide for
AWS::Config::ConfigRule
for more information about the expected schema for this property.- Maximum
Execution stringFrequency The maximum frequency with which CC runs evaluations for a rule. You can specify a value for
MaximumExecutionFrequency
when:- You are using an AWS managed rule that is triggered at a periodic frequency.
- Your custom rule is triggered when CC delivers the configuration snapshot. For more information, see ConfigSnapshotDeliveryProperties.
By default, rules with a periodic trigger are evaluated every 24 hours. To change the frequency, specify a valid value for the
MaximumExecutionFrequency
parameter.- Scope
Pulumi.
Aws Native. Configuration. Inputs. Config Rule Scope - Defines which resources can trigger an evaluation for the rule. The scope can include one or more resource types, a combination of one resource type and one resource ID, or a combination of a tag key and value. Specify a scope to constrain the resources that can trigger an evaluation for the rule. If you do not specify a scope, evaluations are triggered when any resource in the recording group changes. The scope can be empty.
- Source
Config
Rule Source Args - Provides the rule owner (```` for managed rules,
CUSTOM_POLICY
for Custom Policy rules, andCUSTOM_LAMBDA
for Custom Lambda rules), the rule identifier, and the notifications that cause the function to evaluate your AWS resources. - Compliance
Compliance
Properties Args - Indicates whether an AWS resource or CC rule is compliant and provides the number of contributors that affect the compliance.
- Config
Rule stringName - A name for the CC rule. If you don't specify a name, CFN generates a unique physical ID and uses that ID for the rule name. For more information, see Name Type.
- Description string
- The description that you provide for the CC rule.
- Evaluation
Modes []ConfigRule Evaluation Mode Configuration Args - The modes the CC rule can be evaluated in. The valid values are distinct objects. By default, the value is Detective evaluation mode only.
- Input
Parameters interface{} A string, in JSON format, that is passed to the CC rule Lambda function.
Search the CloudFormation User Guide for
AWS::Config::ConfigRule
for more information about the expected schema for this property.- Maximum
Execution stringFrequency The maximum frequency with which CC runs evaluations for a rule. You can specify a value for
MaximumExecutionFrequency
when:- You are using an AWS managed rule that is triggered at a periodic frequency.
- Your custom rule is triggered when CC delivers the configuration snapshot. For more information, see ConfigSnapshotDeliveryProperties.
By default, rules with a periodic trigger are evaluated every 24 hours. To change the frequency, specify a valid value for the
MaximumExecutionFrequency
parameter.- Scope
Config
Rule Scope Args - Defines which resources can trigger an evaluation for the rule. The scope can include one or more resource types, a combination of one resource type and one resource ID, or a combination of a tag key and value. Specify a scope to constrain the resources that can trigger an evaluation for the rule. If you do not specify a scope, evaluations are triggered when any resource in the recording group changes. The scope can be empty.
- source
Config
Rule Source - Provides the rule owner (```` for managed rules,
CUSTOM_POLICY
for Custom Policy rules, andCUSTOM_LAMBDA
for Custom Lambda rules), the rule identifier, and the notifications that cause the function to evaluate your AWS resources. - compliance
Compliance
Properties - Indicates whether an AWS resource or CC rule is compliant and provides the number of contributors that affect the compliance.
- config
Rule StringName - A name for the CC rule. If you don't specify a name, CFN generates a unique physical ID and uses that ID for the rule name. For more information, see Name Type.
- description String
- The description that you provide for the CC rule.
- evaluation
Modes List<ConfigRule Evaluation Mode Configuration> - The modes the CC rule can be evaluated in. The valid values are distinct objects. By default, the value is Detective evaluation mode only.
- input
Parameters Object A string, in JSON format, that is passed to the CC rule Lambda function.
Search the CloudFormation User Guide for
AWS::Config::ConfigRule
for more information about the expected schema for this property.- maximum
Execution StringFrequency The maximum frequency with which CC runs evaluations for a rule. You can specify a value for
MaximumExecutionFrequency
when:- You are using an AWS managed rule that is triggered at a periodic frequency.
- Your custom rule is triggered when CC delivers the configuration snapshot. For more information, see ConfigSnapshotDeliveryProperties.
By default, rules with a periodic trigger are evaluated every 24 hours. To change the frequency, specify a valid value for the
MaximumExecutionFrequency
parameter.- scope
Config
Rule Scope - Defines which resources can trigger an evaluation for the rule. The scope can include one or more resource types, a combination of one resource type and one resource ID, or a combination of a tag key and value. Specify a scope to constrain the resources that can trigger an evaluation for the rule. If you do not specify a scope, evaluations are triggered when any resource in the recording group changes. The scope can be empty.
- source
Config
Rule Source - Provides the rule owner (```` for managed rules,
CUSTOM_POLICY
for Custom Policy rules, andCUSTOM_LAMBDA
for Custom Lambda rules), the rule identifier, and the notifications that cause the function to evaluate your AWS resources. - compliance
Compliance
Properties - Indicates whether an AWS resource or CC rule is compliant and provides the number of contributors that affect the compliance.
- config
Rule stringName - A name for the CC rule. If you don't specify a name, CFN generates a unique physical ID and uses that ID for the rule name. For more information, see Name Type.
- description string
- The description that you provide for the CC rule.
- evaluation
Modes ConfigRule Evaluation Mode Configuration[] - The modes the CC rule can be evaluated in. The valid values are distinct objects. By default, the value is Detective evaluation mode only.
- input
Parameters any A string, in JSON format, that is passed to the CC rule Lambda function.
Search the CloudFormation User Guide for
AWS::Config::ConfigRule
for more information about the expected schema for this property.- maximum
Execution stringFrequency The maximum frequency with which CC runs evaluations for a rule. You can specify a value for
MaximumExecutionFrequency
when:- You are using an AWS managed rule that is triggered at a periodic frequency.
- Your custom rule is triggered when CC delivers the configuration snapshot. For more information, see ConfigSnapshotDeliveryProperties.
By default, rules with a periodic trigger are evaluated every 24 hours. To change the frequency, specify a valid value for the
MaximumExecutionFrequency
parameter.- scope
Config
Rule Scope - Defines which resources can trigger an evaluation for the rule. The scope can include one or more resource types, a combination of one resource type and one resource ID, or a combination of a tag key and value. Specify a scope to constrain the resources that can trigger an evaluation for the rule. If you do not specify a scope, evaluations are triggered when any resource in the recording group changes. The scope can be empty.
- source
Config
Rule Source Args - Provides the rule owner (```` for managed rules,
CUSTOM_POLICY
for Custom Policy rules, andCUSTOM_LAMBDA
for Custom Lambda rules), the rule identifier, and the notifications that cause the function to evaluate your AWS resources. - compliance
Compliance
Properties Args - Indicates whether an AWS resource or CC rule is compliant and provides the number of contributors that affect the compliance.
- config_
rule_ strname - A name for the CC rule. If you don't specify a name, CFN generates a unique physical ID and uses that ID for the rule name. For more information, see Name Type.
- description str
- The description that you provide for the CC rule.
- evaluation_
modes Sequence[ConfigRule Evaluation Mode Configuration Args] - The modes the CC rule can be evaluated in. The valid values are distinct objects. By default, the value is Detective evaluation mode only.
- input_
parameters Any A string, in JSON format, that is passed to the CC rule Lambda function.
Search the CloudFormation User Guide for
AWS::Config::ConfigRule
for more information about the expected schema for this property.- maximum_
execution_ strfrequency The maximum frequency with which CC runs evaluations for a rule. You can specify a value for
MaximumExecutionFrequency
when:- You are using an AWS managed rule that is triggered at a periodic frequency.
- Your custom rule is triggered when CC delivers the configuration snapshot. For more information, see ConfigSnapshotDeliveryProperties.
By default, rules with a periodic trigger are evaluated every 24 hours. To change the frequency, specify a valid value for the
MaximumExecutionFrequency
parameter.- scope
Config
Rule Scope Args - Defines which resources can trigger an evaluation for the rule. The scope can include one or more resource types, a combination of one resource type and one resource ID, or a combination of a tag key and value. Specify a scope to constrain the resources that can trigger an evaluation for the rule. If you do not specify a scope, evaluations are triggered when any resource in the recording group changes. The scope can be empty.
- source Property Map
- Provides the rule owner (```` for managed rules,
CUSTOM_POLICY
for Custom Policy rules, andCUSTOM_LAMBDA
for Custom Lambda rules), the rule identifier, and the notifications that cause the function to evaluate your AWS resources. - compliance Property Map
- Indicates whether an AWS resource or CC rule is compliant and provides the number of contributors that affect the compliance.
- config
Rule StringName - A name for the CC rule. If you don't specify a name, CFN generates a unique physical ID and uses that ID for the rule name. For more information, see Name Type.
- description String
- The description that you provide for the CC rule.
- evaluation
Modes List<Property Map> - The modes the CC rule can be evaluated in. The valid values are distinct objects. By default, the value is Detective evaluation mode only.
- input
Parameters Any A string, in JSON format, that is passed to the CC rule Lambda function.
Search the CloudFormation User Guide for
AWS::Config::ConfigRule
for more information about the expected schema for this property.- maximum
Execution StringFrequency The maximum frequency with which CC runs evaluations for a rule. You can specify a value for
MaximumExecutionFrequency
when:- You are using an AWS managed rule that is triggered at a periodic frequency.
- Your custom rule is triggered when CC delivers the configuration snapshot. For more information, see ConfigSnapshotDeliveryProperties.
By default, rules with a periodic trigger are evaluated every 24 hours. To change the frequency, specify a valid value for the
MaximumExecutionFrequency
parameter.- scope Property Map
- Defines which resources can trigger an evaluation for the rule. The scope can include one or more resource types, a combination of one resource type and one resource ID, or a combination of a tag key and value. Specify a scope to constrain the resources that can trigger an evaluation for the rule. If you do not specify a scope, evaluations are triggered when any resource in the recording group changes. The scope can be empty.
Outputs
All input properties are implicitly available as output properties. Additionally, the ConfigRule resource produces the following output properties:
- Arn string
- The Amazon Resource Name (ARN) of the AWS Config rule, such as
arn:aws:config:us-east-1:123456789012:config-rule/config-rule-a1bzhi
. - Config
Rule stringId - The ID of the AWS Config rule, such as
config-rule-a1bzhi
. - Id string
- The provider-assigned unique ID for this managed resource.
- Arn string
- The Amazon Resource Name (ARN) of the AWS Config rule, such as
arn:aws:config:us-east-1:123456789012:config-rule/config-rule-a1bzhi
. - Config
Rule stringId - The ID of the AWS Config rule, such as
config-rule-a1bzhi
. - Id string
- The provider-assigned unique ID for this managed resource.
- arn String
- The Amazon Resource Name (ARN) of the AWS Config rule, such as
arn:aws:config:us-east-1:123456789012:config-rule/config-rule-a1bzhi
. - config
Rule StringId - The ID of the AWS Config rule, such as
config-rule-a1bzhi
. - id String
- The provider-assigned unique ID for this managed resource.
- arn string
- The Amazon Resource Name (ARN) of the AWS Config rule, such as
arn:aws:config:us-east-1:123456789012:config-rule/config-rule-a1bzhi
. - config
Rule stringId - The ID of the AWS Config rule, such as
config-rule-a1bzhi
. - id string
- The provider-assigned unique ID for this managed resource.
- arn str
- The Amazon Resource Name (ARN) of the AWS Config rule, such as
arn:aws:config:us-east-1:123456789012:config-rule/config-rule-a1bzhi
. - config_
rule_ strid - The ID of the AWS Config rule, such as
config-rule-a1bzhi
. - id str
- The provider-assigned unique ID for this managed resource.
- arn String
- The Amazon Resource Name (ARN) of the AWS Config rule, such as
arn:aws:config:us-east-1:123456789012:config-rule/config-rule-a1bzhi
. - config
Rule StringId - The ID of the AWS Config rule, such as
config-rule-a1bzhi
. - id String
- The provider-assigned unique ID for this managed resource.
Supporting Types
ComplianceProperties, CompliancePropertiesArgs
- Type string
- Compliance type determined by the Config rule
- Type string
- Compliance type determined by the Config rule
- type String
- Compliance type determined by the Config rule
- type string
- Compliance type determined by the Config rule
- type str
- Compliance type determined by the Config rule
- type String
- Compliance type determined by the Config rule
ConfigRuleCustomPolicyDetails, ConfigRuleCustomPolicyDetailsArgs
- Enable
Debug boolLog Delivery - The boolean expression for enabling debug logging for your CC Custom Policy rule. The default value is
false
. - Policy
Runtime string - The runtime system for your CC Custom Policy rule. Guard is a policy-as-code language that allows you to write policies that are enforced by CC Custom Policy rules. For more information about Guard, see the Guard GitHub Repository.
- Policy
Text string - The policy definition containing the logic for your CC Custom Policy rule.
- Enable
Debug boolLog Delivery - The boolean expression for enabling debug logging for your CC Custom Policy rule. The default value is
false
. - Policy
Runtime string - The runtime system for your CC Custom Policy rule. Guard is a policy-as-code language that allows you to write policies that are enforced by CC Custom Policy rules. For more information about Guard, see the Guard GitHub Repository.
- Policy
Text string - The policy definition containing the logic for your CC Custom Policy rule.
- enable
Debug BooleanLog Delivery - The boolean expression for enabling debug logging for your CC Custom Policy rule. The default value is
false
. - policy
Runtime String - The runtime system for your CC Custom Policy rule. Guard is a policy-as-code language that allows you to write policies that are enforced by CC Custom Policy rules. For more information about Guard, see the Guard GitHub Repository.
- policy
Text String - The policy definition containing the logic for your CC Custom Policy rule.
- enable
Debug booleanLog Delivery - The boolean expression for enabling debug logging for your CC Custom Policy rule. The default value is
false
. - policy
Runtime string - The runtime system for your CC Custom Policy rule. Guard is a policy-as-code language that allows you to write policies that are enforced by CC Custom Policy rules. For more information about Guard, see the Guard GitHub Repository.
- policy
Text string - The policy definition containing the logic for your CC Custom Policy rule.
- enable_
debug_ boollog_ delivery - The boolean expression for enabling debug logging for your CC Custom Policy rule. The default value is
false
. - policy_
runtime str - The runtime system for your CC Custom Policy rule. Guard is a policy-as-code language that allows you to write policies that are enforced by CC Custom Policy rules. For more information about Guard, see the Guard GitHub Repository.
- policy_
text str - The policy definition containing the logic for your CC Custom Policy rule.
- enable
Debug BooleanLog Delivery - The boolean expression for enabling debug logging for your CC Custom Policy rule. The default value is
false
. - policy
Runtime String - The runtime system for your CC Custom Policy rule. Guard is a policy-as-code language that allows you to write policies that are enforced by CC Custom Policy rules. For more information about Guard, see the Guard GitHub Repository.
- policy
Text String - The policy definition containing the logic for your CC Custom Policy rule.
ConfigRuleEvaluationModeConfiguration, ConfigRuleEvaluationModeConfigurationArgs
- Mode string
- The mode of an evaluation. The valid values are Detective or Proactive.
- Mode string
- The mode of an evaluation. The valid values are Detective or Proactive.
- mode String
- The mode of an evaluation. The valid values are Detective or Proactive.
- mode string
- The mode of an evaluation. The valid values are Detective or Proactive.
- mode str
- The mode of an evaluation. The valid values are Detective or Proactive.
- mode String
- The mode of an evaluation. The valid values are Detective or Proactive.
ConfigRuleScope, ConfigRuleScopeArgs
- Compliance
Resource stringId - The ID of the only AWS resource that you want to trigger an evaluation for the rule. If you specify a resource ID, you must specify one resource type for
ComplianceResourceTypes
. - Compliance
Resource List<string>Types - The resource types of only those AWS resources that you want to trigger an evaluation for the rule. You can only specify one type if you also specify a resource ID for
ComplianceResourceId
. - Tag
Key string - The tag key that is applied to only those AWS resources that you want to trigger an evaluation for the rule.
- Tag
Value string - The tag value applied to only those AWS resources that you want to trigger an evaluation for the rule. If you specify a value for
TagValue
, you must also specify a value forTagKey
.
- Compliance
Resource stringId - The ID of the only AWS resource that you want to trigger an evaluation for the rule. If you specify a resource ID, you must specify one resource type for
ComplianceResourceTypes
. - Compliance
Resource []stringTypes - The resource types of only those AWS resources that you want to trigger an evaluation for the rule. You can only specify one type if you also specify a resource ID for
ComplianceResourceId
. - Tag
Key string - The tag key that is applied to only those AWS resources that you want to trigger an evaluation for the rule.
- Tag
Value string - The tag value applied to only those AWS resources that you want to trigger an evaluation for the rule. If you specify a value for
TagValue
, you must also specify a value forTagKey
.
- compliance
Resource StringId - The ID of the only AWS resource that you want to trigger an evaluation for the rule. If you specify a resource ID, you must specify one resource type for
ComplianceResourceTypes
. - compliance
Resource List<String>Types - The resource types of only those AWS resources that you want to trigger an evaluation for the rule. You can only specify one type if you also specify a resource ID for
ComplianceResourceId
. - tag
Key String - The tag key that is applied to only those AWS resources that you want to trigger an evaluation for the rule.
- tag
Value String - The tag value applied to only those AWS resources that you want to trigger an evaluation for the rule. If you specify a value for
TagValue
, you must also specify a value forTagKey
.
- compliance
Resource stringId - The ID of the only AWS resource that you want to trigger an evaluation for the rule. If you specify a resource ID, you must specify one resource type for
ComplianceResourceTypes
. - compliance
Resource string[]Types - The resource types of only those AWS resources that you want to trigger an evaluation for the rule. You can only specify one type if you also specify a resource ID for
ComplianceResourceId
. - tag
Key string - The tag key that is applied to only those AWS resources that you want to trigger an evaluation for the rule.
- tag
Value string - The tag value applied to only those AWS resources that you want to trigger an evaluation for the rule. If you specify a value for
TagValue
, you must also specify a value forTagKey
.
- compliance_
resource_ strid - The ID of the only AWS resource that you want to trigger an evaluation for the rule. If you specify a resource ID, you must specify one resource type for
ComplianceResourceTypes
. - compliance_
resource_ Sequence[str]types - The resource types of only those AWS resources that you want to trigger an evaluation for the rule. You can only specify one type if you also specify a resource ID for
ComplianceResourceId
. - tag_
key str - The tag key that is applied to only those AWS resources that you want to trigger an evaluation for the rule.
- tag_
value str - The tag value applied to only those AWS resources that you want to trigger an evaluation for the rule. If you specify a value for
TagValue
, you must also specify a value forTagKey
.
- compliance
Resource StringId - The ID of the only AWS resource that you want to trigger an evaluation for the rule. If you specify a resource ID, you must specify one resource type for
ComplianceResourceTypes
. - compliance
Resource List<String>Types - The resource types of only those AWS resources that you want to trigger an evaluation for the rule. You can only specify one type if you also specify a resource ID for
ComplianceResourceId
. - tag
Key String - The tag key that is applied to only those AWS resources that you want to trigger an evaluation for the rule.
- tag
Value String - The tag value applied to only those AWS resources that you want to trigger an evaluation for the rule. If you specify a value for
TagValue
, you must also specify a value forTagKey
.
ConfigRuleSource, ConfigRuleSourceArgs
- Owner string
- Indicates whether AWS or the customer owns and manages the CC rule.
CC Managed Rules are predefined rules owned by AWS. For more information, see Managed Rules in the developer guide.
CC Custom Rules are rules that you can develop either with Guard (
CUSTOM_POLICY
) or LAMlong (CUSTOM_LAMBDA
). For more information, see Custom Rules in the developer guide. - Custom
Policy Pulumi.Details Aws Native. Configuration. Inputs. Config Rule Custom Policy Details - Provides the runtime system, policy definition, and whether debug logging is enabled. Required when owner is set to
CUSTOM_POLICY
. - Source
Details List<Pulumi.Aws Native. Configuration. Inputs. Config Rule Source Detail> - Provides the source and the message types that cause CC to evaluate your AWS resources against a rule. It also provides the frequency with which you want CC to run evaluations for the rule if the trigger type is periodic.
If the owner is set to
CUSTOM_POLICY
, the only acceptable values for the CC rule trigger message type areConfigurationItemChangeNotification
andOversizedConfigurationItemChangeNotification
. - Source
Identifier string - For CC Managed rules, a predefined identifier from a list. For example,
IAM_PASSWORD_POLICY
is a managed rule. To reference a managed rule, see List of Managed Rules. For CC Custom Lambda rules, the identifier is the Amazon Resource Name (ARN) of the rule's LAMlong function, such asarn:aws:lambda:us-east-2:123456789012:function:custom_rule_name
. For CC Custom Policy rules, this field will be ignored.
- Owner string
- Indicates whether AWS or the customer owns and manages the CC rule.
CC Managed Rules are predefined rules owned by AWS. For more information, see Managed Rules in the developer guide.
CC Custom Rules are rules that you can develop either with Guard (
CUSTOM_POLICY
) or LAMlong (CUSTOM_LAMBDA
). For more information, see Custom Rules in the developer guide. - Custom
Policy ConfigDetails Rule Custom Policy Details - Provides the runtime system, policy definition, and whether debug logging is enabled. Required when owner is set to
CUSTOM_POLICY
. - Source
Details []ConfigRule Source Detail - Provides the source and the message types that cause CC to evaluate your AWS resources against a rule. It also provides the frequency with which you want CC to run evaluations for the rule if the trigger type is periodic.
If the owner is set to
CUSTOM_POLICY
, the only acceptable values for the CC rule trigger message type areConfigurationItemChangeNotification
andOversizedConfigurationItemChangeNotification
. - Source
Identifier string - For CC Managed rules, a predefined identifier from a list. For example,
IAM_PASSWORD_POLICY
is a managed rule. To reference a managed rule, see List of Managed Rules. For CC Custom Lambda rules, the identifier is the Amazon Resource Name (ARN) of the rule's LAMlong function, such asarn:aws:lambda:us-east-2:123456789012:function:custom_rule_name
. For CC Custom Policy rules, this field will be ignored.
- owner String
- Indicates whether AWS or the customer owns and manages the CC rule.
CC Managed Rules are predefined rules owned by AWS. For more information, see Managed Rules in the developer guide.
CC Custom Rules are rules that you can develop either with Guard (
CUSTOM_POLICY
) or LAMlong (CUSTOM_LAMBDA
). For more information, see Custom Rules in the developer guide. - custom
Policy ConfigDetails Rule Custom Policy Details - Provides the runtime system, policy definition, and whether debug logging is enabled. Required when owner is set to
CUSTOM_POLICY
. - source
Details List<ConfigRule Source Detail> - Provides the source and the message types that cause CC to evaluate your AWS resources against a rule. It also provides the frequency with which you want CC to run evaluations for the rule if the trigger type is periodic.
If the owner is set to
CUSTOM_POLICY
, the only acceptable values for the CC rule trigger message type areConfigurationItemChangeNotification
andOversizedConfigurationItemChangeNotification
. - source
Identifier String - For CC Managed rules, a predefined identifier from a list. For example,
IAM_PASSWORD_POLICY
is a managed rule. To reference a managed rule, see List of Managed Rules. For CC Custom Lambda rules, the identifier is the Amazon Resource Name (ARN) of the rule's LAMlong function, such asarn:aws:lambda:us-east-2:123456789012:function:custom_rule_name
. For CC Custom Policy rules, this field will be ignored.
- owner string
- Indicates whether AWS or the customer owns and manages the CC rule.
CC Managed Rules are predefined rules owned by AWS. For more information, see Managed Rules in the developer guide.
CC Custom Rules are rules that you can develop either with Guard (
CUSTOM_POLICY
) or LAMlong (CUSTOM_LAMBDA
). For more information, see Custom Rules in the developer guide. - custom
Policy ConfigDetails Rule Custom Policy Details - Provides the runtime system, policy definition, and whether debug logging is enabled. Required when owner is set to
CUSTOM_POLICY
. - source
Details ConfigRule Source Detail[] - Provides the source and the message types that cause CC to evaluate your AWS resources against a rule. It also provides the frequency with which you want CC to run evaluations for the rule if the trigger type is periodic.
If the owner is set to
CUSTOM_POLICY
, the only acceptable values for the CC rule trigger message type areConfigurationItemChangeNotification
andOversizedConfigurationItemChangeNotification
. - source
Identifier string - For CC Managed rules, a predefined identifier from a list. For example,
IAM_PASSWORD_POLICY
is a managed rule. To reference a managed rule, see List of Managed Rules. For CC Custom Lambda rules, the identifier is the Amazon Resource Name (ARN) of the rule's LAMlong function, such asarn:aws:lambda:us-east-2:123456789012:function:custom_rule_name
. For CC Custom Policy rules, this field will be ignored.
- owner str
- Indicates whether AWS or the customer owns and manages the CC rule.
CC Managed Rules are predefined rules owned by AWS. For more information, see Managed Rules in the developer guide.
CC Custom Rules are rules that you can develop either with Guard (
CUSTOM_POLICY
) or LAMlong (CUSTOM_LAMBDA
). For more information, see Custom Rules in the developer guide. - custom_
policy_ Configdetails Rule Custom Policy Details - Provides the runtime system, policy definition, and whether debug logging is enabled. Required when owner is set to
CUSTOM_POLICY
. - source_
details Sequence[ConfigRule Source Detail] - Provides the source and the message types that cause CC to evaluate your AWS resources against a rule. It also provides the frequency with which you want CC to run evaluations for the rule if the trigger type is periodic.
If the owner is set to
CUSTOM_POLICY
, the only acceptable values for the CC rule trigger message type areConfigurationItemChangeNotification
andOversizedConfigurationItemChangeNotification
. - source_
identifier str - For CC Managed rules, a predefined identifier from a list. For example,
IAM_PASSWORD_POLICY
is a managed rule. To reference a managed rule, see List of Managed Rules. For CC Custom Lambda rules, the identifier is the Amazon Resource Name (ARN) of the rule's LAMlong function, such asarn:aws:lambda:us-east-2:123456789012:function:custom_rule_name
. For CC Custom Policy rules, this field will be ignored.
- owner String
- Indicates whether AWS or the customer owns and manages the CC rule.
CC Managed Rules are predefined rules owned by AWS. For more information, see Managed Rules in the developer guide.
CC Custom Rules are rules that you can develop either with Guard (
CUSTOM_POLICY
) or LAMlong (CUSTOM_LAMBDA
). For more information, see Custom Rules in the developer guide. - custom
Policy Property MapDetails - Provides the runtime system, policy definition, and whether debug logging is enabled. Required when owner is set to
CUSTOM_POLICY
. - source
Details List<Property Map> - Provides the source and the message types that cause CC to evaluate your AWS resources against a rule. It also provides the frequency with which you want CC to run evaluations for the rule if the trigger type is periodic.
If the owner is set to
CUSTOM_POLICY
, the only acceptable values for the CC rule trigger message type areConfigurationItemChangeNotification
andOversizedConfigurationItemChangeNotification
. - source
Identifier String - For CC Managed rules, a predefined identifier from a list. For example,
IAM_PASSWORD_POLICY
is a managed rule. To reference a managed rule, see List of Managed Rules. For CC Custom Lambda rules, the identifier is the Amazon Resource Name (ARN) of the rule's LAMlong function, such asarn:aws:lambda:us-east-2:123456789012:function:custom_rule_name
. For CC Custom Policy rules, this field will be ignored.
ConfigRuleSourceDetail, ConfigRuleSourceDetailArgs
- Event
Source string - The source of the event, such as an AWS service, that triggers CC to evaluate your AWS resources.
- Message
Type string The type of notification that triggers CC to run an evaluation for a rule. You can specify the following notification types:
ConfigurationItemChangeNotification
- Triggers an evaluation when CC delivers a configuration item as a result of a resource change.OversizedConfigurationItemChangeNotification
- Triggers an evaluation when CC delivers an oversized configuration item. CC may generate this notification type when a resource changes and the notification exceeds the maximum size allowed by Amazon SNS.ScheduledNotification
- Triggers a periodic evaluation at the frequency specified forMaximumExecutionFrequency
.ConfigurationSnapshotDeliveryCompleted
- Triggers a periodic evaluation when CC delivers a configuration snapshot.
If you want your custom rule to be triggered by configuration changes, specify two SourceDetail objects, one for
ConfigurationItemChangeNotification
and one forOversizedConfigurationItemChangeNotification
.- Maximum
Execution stringFrequency - The frequency at which you want CC to run evaluations for a custom rule with a periodic trigger. If you specify a value for
MaximumExecutionFrequency
, thenMessageType
must use theScheduledNotification
value. By default, rules with a periodic trigger are evaluated every 24 hours. To change the frequency, specify a valid value for theMaximumExecutionFrequency
parameter. Based on the valid value you choose, CC runs evaluations once for each valid value. For example, if you chooseThree_Hours
, CC runs evaluations once every three hours. In this case,Three_Hours
is the frequency of this rule.
- Event
Source string - The source of the event, such as an AWS service, that triggers CC to evaluate your AWS resources.
- Message
Type string The type of notification that triggers CC to run an evaluation for a rule. You can specify the following notification types:
ConfigurationItemChangeNotification
- Triggers an evaluation when CC delivers a configuration item as a result of a resource change.OversizedConfigurationItemChangeNotification
- Triggers an evaluation when CC delivers an oversized configuration item. CC may generate this notification type when a resource changes and the notification exceeds the maximum size allowed by Amazon SNS.ScheduledNotification
- Triggers a periodic evaluation at the frequency specified forMaximumExecutionFrequency
.ConfigurationSnapshotDeliveryCompleted
- Triggers a periodic evaluation when CC delivers a configuration snapshot.
If you want your custom rule to be triggered by configuration changes, specify two SourceDetail objects, one for
ConfigurationItemChangeNotification
and one forOversizedConfigurationItemChangeNotification
.- Maximum
Execution stringFrequency - The frequency at which you want CC to run evaluations for a custom rule with a periodic trigger. If you specify a value for
MaximumExecutionFrequency
, thenMessageType
must use theScheduledNotification
value. By default, rules with a periodic trigger are evaluated every 24 hours. To change the frequency, specify a valid value for theMaximumExecutionFrequency
parameter. Based on the valid value you choose, CC runs evaluations once for each valid value. For example, if you chooseThree_Hours
, CC runs evaluations once every three hours. In this case,Three_Hours
is the frequency of this rule.
- event
Source String - The source of the event, such as an AWS service, that triggers CC to evaluate your AWS resources.
- message
Type String The type of notification that triggers CC to run an evaluation for a rule. You can specify the following notification types:
ConfigurationItemChangeNotification
- Triggers an evaluation when CC delivers a configuration item as a result of a resource change.OversizedConfigurationItemChangeNotification
- Triggers an evaluation when CC delivers an oversized configuration item. CC may generate this notification type when a resource changes and the notification exceeds the maximum size allowed by Amazon SNS.ScheduledNotification
- Triggers a periodic evaluation at the frequency specified forMaximumExecutionFrequency
.ConfigurationSnapshotDeliveryCompleted
- Triggers a periodic evaluation when CC delivers a configuration snapshot.
If you want your custom rule to be triggered by configuration changes, specify two SourceDetail objects, one for
ConfigurationItemChangeNotification
and one forOversizedConfigurationItemChangeNotification
.- maximum
Execution StringFrequency - The frequency at which you want CC to run evaluations for a custom rule with a periodic trigger. If you specify a value for
MaximumExecutionFrequency
, thenMessageType
must use theScheduledNotification
value. By default, rules with a periodic trigger are evaluated every 24 hours. To change the frequency, specify a valid value for theMaximumExecutionFrequency
parameter. Based on the valid value you choose, CC runs evaluations once for each valid value. For example, if you chooseThree_Hours
, CC runs evaluations once every three hours. In this case,Three_Hours
is the frequency of this rule.
- event
Source string - The source of the event, such as an AWS service, that triggers CC to evaluate your AWS resources.
- message
Type string The type of notification that triggers CC to run an evaluation for a rule. You can specify the following notification types:
ConfigurationItemChangeNotification
- Triggers an evaluation when CC delivers a configuration item as a result of a resource change.OversizedConfigurationItemChangeNotification
- Triggers an evaluation when CC delivers an oversized configuration item. CC may generate this notification type when a resource changes and the notification exceeds the maximum size allowed by Amazon SNS.ScheduledNotification
- Triggers a periodic evaluation at the frequency specified forMaximumExecutionFrequency
.ConfigurationSnapshotDeliveryCompleted
- Triggers a periodic evaluation when CC delivers a configuration snapshot.
If you want your custom rule to be triggered by configuration changes, specify two SourceDetail objects, one for
ConfigurationItemChangeNotification
and one forOversizedConfigurationItemChangeNotification
.- maximum
Execution stringFrequency - The frequency at which you want CC to run evaluations for a custom rule with a periodic trigger. If you specify a value for
MaximumExecutionFrequency
, thenMessageType
must use theScheduledNotification
value. By default, rules with a periodic trigger are evaluated every 24 hours. To change the frequency, specify a valid value for theMaximumExecutionFrequency
parameter. Based on the valid value you choose, CC runs evaluations once for each valid value. For example, if you chooseThree_Hours
, CC runs evaluations once every three hours. In this case,Three_Hours
is the frequency of this rule.
- event_
source str - The source of the event, such as an AWS service, that triggers CC to evaluate your AWS resources.
- message_
type str The type of notification that triggers CC to run an evaluation for a rule. You can specify the following notification types:
ConfigurationItemChangeNotification
- Triggers an evaluation when CC delivers a configuration item as a result of a resource change.OversizedConfigurationItemChangeNotification
- Triggers an evaluation when CC delivers an oversized configuration item. CC may generate this notification type when a resource changes and the notification exceeds the maximum size allowed by Amazon SNS.ScheduledNotification
- Triggers a periodic evaluation at the frequency specified forMaximumExecutionFrequency
.ConfigurationSnapshotDeliveryCompleted
- Triggers a periodic evaluation when CC delivers a configuration snapshot.
If you want your custom rule to be triggered by configuration changes, specify two SourceDetail objects, one for
ConfigurationItemChangeNotification
and one forOversizedConfigurationItemChangeNotification
.- maximum_
execution_ strfrequency - The frequency at which you want CC to run evaluations for a custom rule with a periodic trigger. If you specify a value for
MaximumExecutionFrequency
, thenMessageType
must use theScheduledNotification
value. By default, rules with a periodic trigger are evaluated every 24 hours. To change the frequency, specify a valid value for theMaximumExecutionFrequency
parameter. Based on the valid value you choose, CC runs evaluations once for each valid value. For example, if you chooseThree_Hours
, CC runs evaluations once every three hours. In this case,Three_Hours
is the frequency of this rule.
- event
Source String - The source of the event, such as an AWS service, that triggers CC to evaluate your AWS resources.
- message
Type String The type of notification that triggers CC to run an evaluation for a rule. You can specify the following notification types:
ConfigurationItemChangeNotification
- Triggers an evaluation when CC delivers a configuration item as a result of a resource change.OversizedConfigurationItemChangeNotification
- Triggers an evaluation when CC delivers an oversized configuration item. CC may generate this notification type when a resource changes and the notification exceeds the maximum size allowed by Amazon SNS.ScheduledNotification
- Triggers a periodic evaluation at the frequency specified forMaximumExecutionFrequency
.ConfigurationSnapshotDeliveryCompleted
- Triggers a periodic evaluation when CC delivers a configuration snapshot.
If you want your custom rule to be triggered by configuration changes, specify two SourceDetail objects, one for
ConfigurationItemChangeNotification
and one forOversizedConfigurationItemChangeNotification
.- maximum
Execution StringFrequency - The frequency at which you want CC to run evaluations for a custom rule with a periodic trigger. If you specify a value for
MaximumExecutionFrequency
, thenMessageType
must use theScheduledNotification
value. By default, rules with a periodic trigger are evaluated every 24 hours. To change the frequency, specify a valid value for theMaximumExecutionFrequency
parameter. Based on the valid value you choose, CC runs evaluations once for each valid value. For example, if you chooseThree_Hours
, CC runs evaluations once every three hours. In this case,Three_Hours
is the frequency of this rule.
Package Details
- Repository
- AWS Native pulumi/pulumi-aws-native
- License
- Apache-2.0
AWS Native is in preview. AWS Classic is fully supported.