- Evaluate the compliance status of AWS resource configurations against predefined or custom conditions.
Rule Types
- AWS Managed Rules – Over 75 prebuilt checks maintained by AWS (e.g., `s3-bucket-public-read-prohibited`).
- Custom Rules – Written using AWS Lambda to define bespoke compliance logic.
Example Checks
- Ensure all EBS volumes use the `gp2` type.
- Verify all EC2 instances are `t2.micro` in dev accounts.
Evaluation Triggers
- Configuration change – Runs whenever a tracked resource’s configuration changes.
- Periodic – Runs at set intervals (e.g., every 24 hours).
AWS Config Rules do not block actions; they report non-compliance for follow-up or automation via EventBridge.
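As an added example (not part of the original notes), a minimal custom-rule Lambda in Python for the EBS volume-type check above, evaluated on a configuration-change trigger. The verdict logic is kept separate from the `put_evaluations` call so it can be run offline; the sample event, the `allowedVolumeType` rule parameter and the volume id are constructed.

```python
import json

# Allowed type defaults to gp2, matching the example check on this page.
DEFAULT_ALLOWED_TYPE = "gp2"

def evaluate_ebs_volume(configuration_item, allowed_type=DEFAULT_ALLOWED_TYPE):
    """Return the Config compliance verdict for one configuration item."""
    if configuration_item.get("resourceType") != "AWS::EC2::Volume":
        return "NOT_APPLICABLE"          # rule only applies to EBS volumes
    if configuration_item.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return "NOT_APPLICABLE"          # deleted resources must not be marked NON_COMPLIANT
    volume_type = configuration_item.get("configuration", {}).get("volumeType")
    return "COMPLIANT" if volume_type == allowed_type else "NON_COMPLIANT"

def build_evaluation(event):
    """Turn the Config invocation event into one Evaluation record."""
    invoking_event = json.loads(event["invokingEvent"])
    # Periodic triggers send ScheduledNotification with no configurationItem;
    # that path would have to enumerate volumes itself and is out of scope here.
    if invoking_event.get("messageType") != "ConfigurationItemChangeNotification":
        raise ValueError("only configuration-change invocations are handled")
    params = json.loads(event.get("ruleParameters") or "{}")   # hypothetical parameter name
    allowed_type = params.get("allowedVolumeType", DEFAULT_ALLOWED_TYPE)
    ci = invoking_event["configurationItem"]
    return {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": evaluate_ebs_volume(ci, allowed_type),
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }

def lambda_handler(event, context):
    evaluation = build_evaluation(event)
    import boto3   # imported here so the evaluation logic above runs without AWS credentials
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation

# Constructed sample event in the shape AWS Config delivers to a custom-rule Lambda.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Volume",
            "resourceId": "vol-0example",                      # constructed id
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configuration": {"volumeType": "gp3"},           # violates the gp2 rule
        },
    }),
    "ruleParameters": json.dumps({"allowedVolumeType": "gp2"}),
    "resultToken": "constructed-token",
}
```

Calling `build_evaluation(SAMPLE_EVENT)` yields a `NON_COMPLIANT` verdict for the gp3 volume; the same record is what `lambda_handler` would hand to `put_evaluations` inside Lambda.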
Pricing
- $0.003 per recorded configuration item (per region).
- $0.001 per rule evaluation (per region).