Interface Summary
Interface	Description
AccessKeysRotatedProps	(experimental) Construction properties for a AccessKeysRotated.
CfnAggregationAuthorizationProps	Properties for defining a `AWS::Config::AggregationAuthorization`.
CfnConfigRule.ScopeProperty
CfnConfigRule.SourceDetailProperty
CfnConfigRule.SourceProperty
CfnConfigRuleProps	Properties for defining a `AWS::Config::ConfigRule`.
CfnConfigurationAggregator.AccountAggregationSourceProperty
CfnConfigurationAggregator.OrganizationAggregationSourceProperty
CfnConfigurationAggregatorProps	Properties for defining a `AWS::Config::ConfigurationAggregator`.
CfnConfigurationRecorder.RecordingGroupProperty
CfnConfigurationRecorderProps	Properties for defining a `AWS::Config::ConfigurationRecorder`.
CfnConformancePack.ConformancePackInputParameterProperty
CfnConformancePackProps	Properties for defining a `AWS::Config::ConformancePack`.
CfnDeliveryChannel.ConfigSnapshotDeliveryPropertiesProperty
CfnDeliveryChannelProps	Properties for defining a `AWS::Config::DeliveryChannel`.
CfnOrganizationConfigRule.OrganizationCustomRuleMetadataProperty
CfnOrganizationConfigRule.OrganizationManagedRuleMetadataProperty
CfnOrganizationConfigRuleProps	Properties for defining a `AWS::Config::OrganizationConfigRule`.
CfnOrganizationConformancePack.ConformancePackInputParameterProperty
CfnOrganizationConformancePackProps	Properties for defining a `AWS::Config::OrganizationConformancePack`.
CfnRemediationConfiguration.ExecutionControlsProperty
CfnRemediationConfiguration.RemediationParameterValueProperty
CfnRemediationConfiguration.ResourceValueProperty
CfnRemediationConfiguration.SsmControlsProperty
CfnRemediationConfiguration.StaticValueProperty
CfnRemediationConfigurationProps	Properties for defining a `AWS::Config::RemediationConfiguration`.
CfnStoredQueryProps	Properties for defining a `AWS::Config::StoredQuery`.
CloudFormationStackDriftDetectionCheckProps	(experimental) Construction properties for a CloudFormationStackDriftDetectionCheck.
CloudFormationStackNotificationCheckProps	(experimental) Construction properties for a CloudFormationStackNotificationCheck.
CustomRuleProps	(experimental) Construction properties for a CustomRule.
IRule	(experimental) Interface representing an AWS Config rule.
IRule.Jsii$Default	Internal default implementation for `IRule`.
ManagedRuleProps	(experimental) Construction properties for a ManagedRule.
RuleProps	(experimental) Construction properties for a new rule.

Class Summary
Class	Description
AccessKeysRotated	(experimental) Checks whether the active access keys are rotated within the number of days specified in `maxAge`.
AccessKeysRotated.Builder	(experimental) A fluent builder for `AccessKeysRotated`.
AccessKeysRotatedProps.Builder	A builder for `AccessKeysRotatedProps`
AccessKeysRotatedProps.Jsii$Proxy	An implementation for `AccessKeysRotatedProps`
CfnAggregationAuthorization	A CloudFormation `AWS::Config::AggregationAuthorization`.
CfnAggregationAuthorization.Builder	A fluent builder for `CfnAggregationAuthorization`.
CfnAggregationAuthorizationProps.Builder	A builder for `CfnAggregationAuthorizationProps`
CfnAggregationAuthorizationProps.Jsii$Proxy	An implementation for `CfnAggregationAuthorizationProps`
CfnConfigRule	A CloudFormation `AWS::Config::ConfigRule`.
CfnConfigRule.Builder	A fluent builder for `CfnConfigRule`.
CfnConfigRule.ScopeProperty.Builder	A builder for `CfnConfigRule.ScopeProperty`
CfnConfigRule.ScopeProperty.Jsii$Proxy	An implementation for `CfnConfigRule.ScopeProperty`
CfnConfigRule.SourceDetailProperty.Builder	A builder for `CfnConfigRule.SourceDetailProperty`
CfnConfigRule.SourceDetailProperty.Jsii$Proxy	An implementation for `CfnConfigRule.SourceDetailProperty`
CfnConfigRule.SourceProperty.Builder	A builder for `CfnConfigRule.SourceProperty`
CfnConfigRule.SourceProperty.Jsii$Proxy	An implementation for `CfnConfigRule.SourceProperty`
CfnConfigRuleProps.Builder	A builder for `CfnConfigRuleProps`
CfnConfigRuleProps.Jsii$Proxy	An implementation for `CfnConfigRuleProps`
CfnConfigurationAggregator	A CloudFormation `AWS::Config::ConfigurationAggregator`.
CfnConfigurationAggregator.AccountAggregationSourceProperty.Builder	A builder for `CfnConfigurationAggregator.AccountAggregationSourceProperty`
CfnConfigurationAggregator.AccountAggregationSourceProperty.Jsii$Proxy	An implementation for `CfnConfigurationAggregator.AccountAggregationSourceProperty`
CfnConfigurationAggregator.Builder	A fluent builder for `CfnConfigurationAggregator`.
CfnConfigurationAggregator.OrganizationAggregationSourceProperty.Builder	A builder for `CfnConfigurationAggregator.OrganizationAggregationSourceProperty`
CfnConfigurationAggregator.OrganizationAggregationSourceProperty.Jsii$Proxy	An implementation for `CfnConfigurationAggregator.OrganizationAggregationSourceProperty`
CfnConfigurationAggregatorProps.Builder	A builder for `CfnConfigurationAggregatorProps`
CfnConfigurationAggregatorProps.Jsii$Proxy	An implementation for `CfnConfigurationAggregatorProps`
CfnConfigurationRecorder	A CloudFormation `AWS::Config::ConfigurationRecorder`.
CfnConfigurationRecorder.Builder	A fluent builder for `CfnConfigurationRecorder`.
CfnConfigurationRecorder.RecordingGroupProperty.Builder	A builder for `CfnConfigurationRecorder.RecordingGroupProperty`
CfnConfigurationRecorder.RecordingGroupProperty.Jsii$Proxy	An implementation for `CfnConfigurationRecorder.RecordingGroupProperty`
CfnConfigurationRecorderProps.Builder	A builder for `CfnConfigurationRecorderProps`
CfnConfigurationRecorderProps.Jsii$Proxy	An implementation for `CfnConfigurationRecorderProps`
CfnConformancePack	A CloudFormation `AWS::Config::ConformancePack`.
CfnConformancePack.Builder	A fluent builder for `CfnConformancePack`.
CfnConformancePack.ConformancePackInputParameterProperty.Builder	A builder for `CfnConformancePack.ConformancePackInputParameterProperty`
CfnConformancePack.ConformancePackInputParameterProperty.Jsii$Proxy	An implementation for `CfnConformancePack.ConformancePackInputParameterProperty`
CfnConformancePackProps.Builder	A builder for `CfnConformancePackProps`
CfnConformancePackProps.Jsii$Proxy	An implementation for `CfnConformancePackProps`
CfnDeliveryChannel	A CloudFormation `AWS::Config::DeliveryChannel`.
CfnDeliveryChannel.Builder	A fluent builder for `CfnDeliveryChannel`.
CfnDeliveryChannel.ConfigSnapshotDeliveryPropertiesProperty.Builder	A builder for `CfnDeliveryChannel.ConfigSnapshotDeliveryPropertiesProperty`
CfnDeliveryChannel.ConfigSnapshotDeliveryPropertiesProperty.Jsii$Proxy	An implementation for `CfnDeliveryChannel.ConfigSnapshotDeliveryPropertiesProperty`
CfnDeliveryChannelProps.Builder	A builder for `CfnDeliveryChannelProps`
CfnDeliveryChannelProps.Jsii$Proxy	An implementation for `CfnDeliveryChannelProps`
CfnOrganizationConfigRule	A CloudFormation `AWS::Config::OrganizationConfigRule`.
CfnOrganizationConfigRule.Builder	A fluent builder for `CfnOrganizationConfigRule`.
CfnOrganizationConfigRule.OrganizationCustomRuleMetadataProperty.Builder	A builder for `CfnOrganizationConfigRule.OrganizationCustomRuleMetadataProperty`
CfnOrganizationConfigRule.OrganizationCustomRuleMetadataProperty.Jsii$Proxy	An implementation for `CfnOrganizationConfigRule.OrganizationCustomRuleMetadataProperty`
CfnOrganizationConfigRule.OrganizationManagedRuleMetadataProperty.Builder	A builder for `CfnOrganizationConfigRule.OrganizationManagedRuleMetadataProperty`
CfnOrganizationConfigRule.OrganizationManagedRuleMetadataProperty.Jsii$Proxy	An implementation for `CfnOrganizationConfigRule.OrganizationManagedRuleMetadataProperty`
CfnOrganizationConfigRuleProps.Builder	A builder for `CfnOrganizationConfigRuleProps`
CfnOrganizationConfigRuleProps.Jsii$Proxy	An implementation for `CfnOrganizationConfigRuleProps`
CfnOrganizationConformancePack	A CloudFormation `AWS::Config::OrganizationConformancePack`.
CfnOrganizationConformancePack.Builder	A fluent builder for `CfnOrganizationConformancePack`.
CfnOrganizationConformancePack.ConformancePackInputParameterProperty.Builder	A builder for `CfnOrganizationConformancePack.ConformancePackInputParameterProperty`
CfnOrganizationConformancePack.ConformancePackInputParameterProperty.Jsii$Proxy	An implementation for `CfnOrganizationConformancePack.ConformancePackInputParameterProperty`
CfnOrganizationConformancePackProps.Builder	A builder for `CfnOrganizationConformancePackProps`
CfnOrganizationConformancePackProps.Jsii$Proxy	An implementation for `CfnOrganizationConformancePackProps`
CfnRemediationConfiguration	A CloudFormation `AWS::Config::RemediationConfiguration`.
CfnRemediationConfiguration.Builder	A fluent builder for `CfnRemediationConfiguration`.
CfnRemediationConfiguration.ExecutionControlsProperty.Builder	A builder for `CfnRemediationConfiguration.ExecutionControlsProperty`
CfnRemediationConfiguration.ExecutionControlsProperty.Jsii$Proxy	An implementation for `CfnRemediationConfiguration.ExecutionControlsProperty`
CfnRemediationConfiguration.RemediationParameterValueProperty.Builder	A builder for `CfnRemediationConfiguration.RemediationParameterValueProperty`
CfnRemediationConfiguration.RemediationParameterValueProperty.Jsii$Proxy	An implementation for `CfnRemediationConfiguration.RemediationParameterValueProperty`
CfnRemediationConfiguration.ResourceValueProperty.Builder	A builder for `CfnRemediationConfiguration.ResourceValueProperty`
CfnRemediationConfiguration.ResourceValueProperty.Jsii$Proxy	An implementation for `CfnRemediationConfiguration.ResourceValueProperty`
CfnRemediationConfiguration.SsmControlsProperty.Builder	A builder for `CfnRemediationConfiguration.SsmControlsProperty`
CfnRemediationConfiguration.SsmControlsProperty.Jsii$Proxy	An implementation for `CfnRemediationConfiguration.SsmControlsProperty`
CfnRemediationConfiguration.StaticValueProperty.Builder	A builder for `CfnRemediationConfiguration.StaticValueProperty`
CfnRemediationConfiguration.StaticValueProperty.Jsii$Proxy	An implementation for `CfnRemediationConfiguration.StaticValueProperty`
CfnRemediationConfigurationProps.Builder	A builder for `CfnRemediationConfigurationProps`
CfnRemediationConfigurationProps.Jsii$Proxy	An implementation for `CfnRemediationConfigurationProps`
CfnStoredQuery	A CloudFormation `AWS::Config::StoredQuery`.
CfnStoredQuery.Builder	A fluent builder for `CfnStoredQuery`.
CfnStoredQueryProps.Builder	A builder for `CfnStoredQueryProps`
CfnStoredQueryProps.Jsii$Proxy	An implementation for `CfnStoredQueryProps`
CloudFormationStackDriftDetectionCheck	(experimental) Checks whether your CloudFormation stacks' actual configuration differs, or has drifted, from its expected configuration.
CloudFormationStackDriftDetectionCheck.Builder	(experimental) A fluent builder for `CloudFormationStackDriftDetectionCheck`.
CloudFormationStackDriftDetectionCheckProps.Builder	A builder for `CloudFormationStackDriftDetectionCheckProps`
CloudFormationStackDriftDetectionCheckProps.Jsii$Proxy	An implementation for `CloudFormationStackDriftDetectionCheckProps`
CloudFormationStackNotificationCheck	(experimental) Checks whether your CloudFormation stacks are sending event notifications to a SNS topic.
CloudFormationStackNotificationCheck.Builder	(experimental) A fluent builder for `CloudFormationStackNotificationCheck`.
CloudFormationStackNotificationCheckProps.Builder	A builder for `CloudFormationStackNotificationCheckProps`
CloudFormationStackNotificationCheckProps.Jsii$Proxy	An implementation for `CloudFormationStackNotificationCheckProps`
CustomRule	(experimental) A new custom rule.
CustomRule.Builder	(experimental) A fluent builder for `CustomRule`.
CustomRuleProps.Builder	A builder for `CustomRuleProps`
CustomRuleProps.Jsii$Proxy	An implementation for `CustomRuleProps`
IRule.Jsii$Proxy	A proxy class which represents a concrete javascript instance of this type.
ManagedRule	(experimental) A new managed rule.
ManagedRule.Builder	(experimental) A fluent builder for `ManagedRule`.
ManagedRuleIdentifiers	(experimental) Managed rules that are supported by AWS Config.
ManagedRuleProps.Builder	A builder for `ManagedRuleProps`
ManagedRuleProps.Jsii$Proxy	An implementation for `ManagedRuleProps`
ResourceType	(experimental) Resources types that are supported by AWS Config.
RuleProps.Builder	A builder for `RuleProps`
RuleProps.Jsii$Proxy	An implementation for `RuleProps`
RuleScope	(experimental) Determines which resources trigger an evaluation of an AWS Config rule.

Enum Summary
Enum Description

MaximumExecutionFrequency
(experimental) The maximum frequency at which the AWS Config rule runs evaluations.

Enum Summary
Enum	Description
MaximumExecutionFrequency	(experimental) The maximum frequency at which the AWS Config rule runs evaluations.

Package software.amazon.awscdk.services.config Description

AWS Config Construct Library

---

Features | Stability ---------------------------------------------------------------------------------------|------------ CFN Resources | Higher level constructs for Config Rules | Higher level constructs for initial set-up (delivery channel & configuration recorder) |

CFN Resources: All classes with the Cfn prefix in this module (CFN Resources) are always stable and safe to use.

Stable: Higher level constructs in this module that are marked stable will not undergo any breaking changes. They will strictly follow the Semantic Versioning model.

AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time.

This module is part of the AWS Cloud Development Kit project.

Initial Setup

Before using the constructs provided in this module, you need to set up AWS Config in the region in which it will be used. This setup includes the one-time creation of the following resources per region:

ConfigurationRecorder: Configure which resources will be recorded for config changes.
DeliveryChannel: Configure where to store the recorded data.

The following guides provide the steps for getting started with AWS Config:

Rules

AWS Config can evaluate the configuration settings of your AWS resources by creating AWS Config rules, which represent your ideal configuration settings.

See Evaluating Resources with AWS Config Rules to learn more about AWS Config rules.

AWS Managed Rules

AWS Config provides AWS managed rules, which are predefined, customizable rules that AWS Config uses to evaluate whether your AWS resources comply with common best practices.

For example, you could create a managed rule that checks whether active access keys are rotated within the number of days specified.

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 import software.amazon.awscdk.aws_config;
 import software.amazon.awscdk.*;
 
 
 // https://docs.aws.amazon.com/config/latest/developerguide/access-keys-rotated.html
 // https://docs.aws.amazon.com/config/latest/developerguide/access-keys-rotated.html
 new ManagedRule(this, "AccessKeysRotated", new ManagedRuleProps()
         .identifier(config.ManagedRuleIdentifiers.getACCESS_KEYS_ROTATED())
         .inputParameters(Map.of(
                 "maxAccessKeyAge", 60))
         .maximumExecutionFrequency(config.MaximumExecutionFrequency.getTWELVE_HOURS()));

Identifiers for AWS managed rules are available through static constants in the ManagedRuleIdentifiers class. You can find supported input parameters in the List of AWS Config Managed Rules.

The following higher level constructs for AWS managed rules are available.

Access Key rotation

Checks whether your active access keys are rotated within the number of days specified.

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 import software.amazon.awscdk.aws_config;
 import software.amazon.awscdk.aws_cdk;
 
 
 // compliant if access keys have been rotated within the last 90 days
 // compliant if access keys have been rotated within the last 90 days
 new AccessKeysRotated(this, "AccessKeyRotated");

CloudFormation Stack drift detection

Checks whether your CloudFormation stack's actual configuration differs, or has drifted, from it's expected configuration.

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 import software.amazon.awscdk.aws_config;
 import software.amazon.awscdk.aws_cdk;
 
 
 // compliant if stack's status is 'IN_SYNC'
 // non-compliant if the stack's drift status is 'DRIFTED'
 // compliant if stack's status is 'IN_SYNC'
 // non-compliant if the stack's drift status is 'DRIFTED'
 new CloudFormationStackDriftDetectionCheck(stack, "Drift", new CloudFormationStackDriftDetectionCheckProps()
         .ownStackOnly(true));

CloudFormation Stack notifications

Checks whether your CloudFormation stacks are sending event notifications to a SNS topic.

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 import software.amazon.awscdk.aws_config;
 import software.amazon.awscdk.aws_cdk;
 
 
 // topics to which CloudFormation stacks may send event notifications
 Topic topic1 = new Topic(stack, "AllowedTopic1");
 Topic topic2 = new Topic(stack, "AllowedTopic2");
 
 // non-compliant if CloudFormation stack does not send notifications to 'topic1' or 'topic2'
 // non-compliant if CloudFormation stack does not send notifications to 'topic1' or 'topic2'
 new CloudFormationStackNotificationCheck(this, "NotificationCheck", new CloudFormationStackNotificationCheckProps()
         .topics(asList(topic1, topic2)));

Custom rules

You can develop custom rules and add them to AWS Config. You associate each custom rule with an AWS Lambda function, which contains the logic that evaluates whether your AWS resources comply with the rule.

Triggers

AWS Lambda executes functions in response to events that are published by AWS Services. The function for a custom Config rule receives an event that is published by AWS Config, and is responsible for evaluating the compliance of the rule.

Evaluations can be triggered by configuration changes, periodically, or both. To create a custom rule, define a CustomRule and specify the Lambda Function to run and the trigger types.

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 import software.amazon.awscdk.aws_config;
 
 
 new CustomRule(this, "CustomRule", new CustomRuleProps()
         .lambdaFunction(evalComplianceFn)
         .configurationChanges(true)
         .periodic(true)
         .maximumExecutionFrequency(config.MaximumExecutionFrequency.getSIX_HOURS()));

When the trigger for a rule occurs, the Lambda function is invoked by publishing an event. See example events for AWS Config Rules

The AWS documentation has examples of Lambda functions for evaluations that are triggered by configuration changes and triggered periodically

Scope

By default rules are triggered by changes to all resources.

Use the RuleScope APIs (fromResource(), fromResources() or fromTag()) to restrict the scope of both managed and custom rules:

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 import software.amazon.awscdk.aws_config;
 
 
 ManagedRule sshRule = new ManagedRule(this, "SSH", new ManagedRuleProps()
         .identifier(config.ManagedRuleIdentifiers.getEC2_SECURITY_GROUPS_INCOMING_SSH_DISABLED())
         .ruleScope(config.RuleScope.fromResource(config.ResourceType.getEC2_SECURITY_GROUP(), "sg-1234567890abcdefgh")));
 
 CustomRule customRule = new CustomRule(this, "Lambda", new CustomRuleProps()
         .lambdaFunction(evalComplianceFn)
         .configurationChanges(true)
         .ruleScope(config.RuleScope.fromResources(asList(config.ResourceType.getCLOUDFORMATION_STACK(), config.ResourceType.getS3_BUCKET()))));
 
 CustomRule tagRule = new CustomRule(this, "CostCenterTagRule", new CustomRuleProps()
         .lambdaFunction(evalComplianceFn)
         .configurationChanges(true)
         .ruleScope(config.RuleScope.fromTag("Cost Center", "MyApp")));

Events

You can define Amazon EventBridge event rules which trigger when a compliance check fails or when a rule is re-evaluated.

Use the onComplianceChange() APIs to trigger an EventBridge event when a compliance check of your AWS Config Rule fails:

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 import software.amazon.awscdk.aws_config;
 import software.amazon.awscdk.aws_sns;
 import software.amazon.awscdk.aws_events_targets;
 
 
 // Topic to which compliance notification events will be published
 Topic complianceTopic = new Topic(this, "ComplianceTopic");
 
 CloudFormationStackDriftDetectionCheck rule = new CloudFormationStackDriftDetectionCheck(this, "Drift");
 rule.onComplianceChange("TopicEvent", new OnEventOptions()
         .target(new SnsTopic(complianceTopic)));

Use the onReEvaluationStatus() status to trigger an EventBridge event when an AWS Config rule is re-evaluated.

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 import software.amazon.awscdk.aws_config;
 import software.amazon.awscdk.aws_sns;
 import software.amazon.awscdk.aws_events_targets;
 
 
 // Topic to which re-evaluation notification events will be published
 Topic reEvaluationTopic = new Topic(this, "ComplianceTopic");
 rule.onReEvaluationStatus("ReEvaluationEvent", Map.of(
         "target", new SnsTopic(reEvaluationTopic)));

Example

The following example creates a custom rule that evaluates whether EC2 instances are compliant. Compliance events are published to an SNS topic.

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 import software.amazon.awscdk.aws_config;
 import software.amazon.awscdk.aws_lambda;
 import software.amazon.awscdk.aws_sns;
 import software.amazon.awscdk.aws_events_targets;
 
 
 // Lambda function containing logic that evaluates compliance with the rule.
 Function evalComplianceFn = new Function(this, "CustomFunction", new FunctionProps()
         .code(lambda.AssetCode.fromInline("exports.handler = (event) => console.log(event);"))
         .handler("index.handler")
         .runtime(lambda.Runtime.getNODEJS_12_X()));
 
 // A custom rule that runs on configuration changes of EC2 instances
 CustomRule customRule = new CustomRule(this, "Custom", new CustomRuleProps()
         .configurationChanges(true)
         .lambdaFunction(evalComplianceFn)
         .ruleScope(config.RuleScope.fromResource(asList(config.ResourceType.getEC2_INSTANCE()))));
 
 // A rule to detect stack drifts
 CloudFormationStackDriftDetectionCheck driftRule = new CloudFormationStackDriftDetectionCheck(this, "Drift");
 
 // Topic to which compliance notification events will be published
 Topic complianceTopic = new Topic(this, "ComplianceTopic");
 
 // Send notification on compliance change events
 driftRule.onComplianceChange("ComplianceChange", new OnEventOptions()
         .target(new SnsTopic(complianceTopic)));