# AWS Config Construct Library
<!--BEGIN STABILITY BANNER-->---
Features | Stability
---------------------------------------------------------------------------------------|------------
CFN Resources | ![Stable](https://img.shields.io/badge/stable-success.svg?style=for-the-badge)
Higher level constructs for Config Rules | ![Stable](https://img.shields.io/badge/stable-success.svg?style=for-the-badge)
Higher level constructs for initial set-up (delivery channel & configuration recorder) | ![Not Implemented](https://img.shields.io/badge/not--implemented-black.svg?style=for-the-badge)
> **CFN Resources:** All classes with the `Cfn` prefix in this module ([CFN Resources](https://docs.aws.amazon.com/cdk/latest/guide/constructs.html#constructs_lib)) are always
> stable and safe to use.
<!-- -->
> **Stable:** Higher level constructs in this module that are marked stable will not undergo any
> breaking changes. They will strictly follow the [Semantic Versioning](https://semver.org/) model.
---
<!--END STABILITY BANNER-->
[AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/WhatIsConfig.html) provides a detailed view of the configuration of AWS resources in your AWS account.
This includes how the resources are related to one another and how they were configured in the
past so that you can see how the configurations and relationships change over time.
This module is part of the [AWS Cloud Development Kit](https://github.com/aws/aws-cdk) project.
## Initial Setup
Before using the constructs provided in this module, you need to set up AWS Config
in the region in which it will be used. This setup includes the one-time creation of the
following resources per region:
* `ConfigurationRecorder`: Configure which resources will be recorded for config changes.
* `DeliveryChannel`: Configure where to store the recorded data.
This module does not yet offer higher level constructs for these two resources (see the
stability banner above). If you prefer to manage them from the same stack, the L1
`CfnConfigurationRecorder` and `CfnDeliveryChannel` resources are available. Without a
configuration recorder in the region, deploying a rule fails (the service returns
`NoAvailableConfigurationRecorderException`), so complete this step first.
The following guides provide the steps for getting started with AWS Config:
* [Using the AWS Console](https://docs.aws.amazon.com/config/latest/developerguide/gs-console.html)
* [Using the AWS CLI](https://docs.aws.amazon.com/config/latest/developerguide/gs-cli.html)
## Rules
AWS Config can evaluate the configuration settings of your AWS resources by creating AWS Config rules,
which represent your ideal configuration settings.
See [Evaluating Resources with AWS Config Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html) to learn more about AWS Config rules.
### AWS Managed Rules
AWS Config provides AWS managed rules, which are predefined, customizable rules that AWS Config
uses to evaluate whether your AWS resources comply with common best practices.
For example, you could create a managed rule that checks whether active access keys are rotated
within the number of days specified.
```python
from aws_cdk import aws_config as config

# https://docs.aws.amazon.com/config/latest/developerguide/access-keys-rotated.html
config.ManagedRule(self, "AccessKeysRotated",
    identifier=config.ManagedRuleIdentifiers.ACCESS_KEYS_ROTATED,
    # keys are the managed rule's own parameter names and are passed through
    # to AWS Config unchanged, so they must match the rule's documentation
    input_parameters={
        "maxAccessKeyAge": 60
    },

    # default is 24 hours
    maximum_execution_frequency=config.MaximumExecutionFrequency.TWELVE_HOURS
)
```
Identifiers for AWS managed rules are available through static constants in the `ManagedRuleIdentifiers` class.
You can find supported input parameters in the [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html).
The following higher level constructs for AWS managed rules are available.
#### Access Key rotation
Checks whether your active access keys are rotated within the number of days specified.
```python
# compliant if access keys have been rotated within the last 90 days
config.AccessKeysRotated(self, "AccessKeyRotated")
```
#### CloudFormation Stack drift detection
Checks whether your CloudFormation stack's actual configuration differs, or has drifted,
from its expected configuration.
```python
# compliant if the stack's drift status is 'IN_SYNC'
# non-compliant if the stack's drift status is 'DRIFTED'
# own_stack_only restricts the check to the stack this rule is deployed in
config.CloudFormationStackDriftDetectionCheck(self, "Drift",
    own_stack_only=True
)
```
#### CloudFormation Stack notifications
Checks whether your CloudFormation stacks are sending event notifications to an SNS topic.
```python
# topics to which CloudFormation stacks may send event notifications
topic1 = sns.Topic(self, "AllowedTopic1")
topic2 = sns.Topic(self, "AllowedTopic2")

# non-compliant if a CloudFormation stack does not send notifications to 'topic1' or 'topic2'
config.CloudFormationStackNotificationCheck(self, "NotificationCheck",
    topics=[topic1, topic2]
)
```
### Custom rules
You can develop custom rules and add them to AWS Config. You associate each custom rule with an
AWS Lambda function, which contains the logic that evaluates whether your AWS resources comply
with the rule.
### Triggers
AWS Lambda executes functions in response to events that are published by AWS Services.
The function for a custom Config rule receives an event that is published by AWS Config,
and is responsible for evaluating the compliance of the rule.
Evaluations can be triggered by configuration changes, periodically, or both.
To create a custom rule, define a `CustomRule` and specify the Lambda Function
to run and the trigger types.
```python
# eval_compliance_fn: lambda.Function

config.CustomRule(self, "CustomRule",
    lambda_function=eval_compliance_fn,
    # evaluate whenever an in-scope resource's configuration changes...
    configuration_changes=True,
    # ...and also on a fixed schedule
    periodic=True,

    # default is 24 hours
    maximum_execution_frequency=config.MaximumExecutionFrequency.SIX_HOURS
)
```
When the trigger for a rule occurs, AWS Config invokes the Lambda function with an event describing the trigger.
See [example events for AWS Config Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules_example-events.html).
The AWS documentation has examples of Lambda functions for evaluations that are
[triggered by configuration changes](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules_nodejs-sample.html#event-based-example-rule) and [triggered periodically](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules_nodejs-sample.html#periodic-example-rule).
### Scope
By default, rules are triggered by changes to all supported [resources](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources).
Use the `RuleScope` APIs (`fromResource()`, `fromResources()` or `fromTag()`) to restrict
the scope of both managed and custom rules to a single resource, a set of resource types, or resources carrying a tag:
```python
# eval_compliance_fn: lambda.Function

# a single security group, identified by resource type and ID
ssh_rule = config.ManagedRule(self, "SSH",
    identifier=config.ManagedRuleIdentifiers.EC2_SECURITY_GROUPS_INCOMING_SSH_DISABLED,
    rule_scope=config.RuleScope.from_resource(config.ResourceType.EC2_SECURITY_GROUP, "sg-1234567890abcdefgh")
)

# all resources of the listed types
custom_rule = config.CustomRule(self, "Lambda",
    lambda_function=eval_compliance_fn,
    configuration_changes=True,
    rule_scope=config.RuleScope.from_resources([config.ResourceType.CLOUDFORMATION_STACK, config.ResourceType.S3_BUCKET])
)

# all resources tagged 'Cost Center' = 'MyApp'
tag_rule = config.CustomRule(self, "CostCenterTagRule",
    lambda_function=eval_compliance_fn,
    configuration_changes=True,
    rule_scope=config.RuleScope.from_tag("Cost Center", "MyApp")
)
```
### Events
You can define Amazon EventBridge event rules which trigger when the compliance state of a rule changes
or when a rule is re-evaluated.
Use the `onComplianceChange()` API to trigger an EventBridge event whenever the compliance state of a
resource evaluated by your AWS Config rule changes. The event fires for changes in both directions
(to `NON_COMPLIANT` and back to `COMPLIANT`); if you only want to act on failures, inspect
`detail.newEvaluationResult.complianceType` in the delivered event:
```python
# Topic to which compliance notification events will be published
compliance_topic = sns.Topic(self, "ComplianceTopic")

rule = config.CloudFormationStackDriftDetectionCheck(self, "Drift")
rule.on_compliance_change("TopicEvent",
    target=targets.SnsTopic(compliance_topic)
)
```
Use the `onReEvaluationStatus()` method to trigger an EventBridge event when an AWS Config
rule is re-evaluated.
```python
# Topic to which re-evaluation notification events will be published
# (a distinct construct ID so it can coexist with the compliance topic above)
re_evaluation_topic = sns.Topic(self, "ReEvaluationTopic")

rule = config.CloudFormationStackDriftDetectionCheck(self, "Drift")
rule.on_re_evaluation_status("ReEvaluationEvent",
    target=targets.SnsTopic(re_evaluation_topic)
)
```
### Example
The following example creates a custom rule that evaluates whether EC2 instances are compliant.
Compliance events are published to an SNS topic.
```python
from aws_cdk import aws_config as config
from aws_cdk import aws_events_targets as targets
from aws_cdk import aws_lambda as lambda_
from aws_cdk import aws_sns as sns

# Lambda function containing logic that evaluates compliance with the rule.
# This placeholder only logs the event; a real handler must report a result
# for each evaluated resource through the AWS Config PutEvaluations API (see
# the linked Lambda examples above), otherwise the rule never shows a
# compliance state.
eval_compliance_fn = lambda_.Function(self, "CustomFunction",
    code=lambda_.Code.from_inline("exports.handler = (event) => console.log(event);"),
    handler="index.handler",
    runtime=lambda_.Runtime.NODEJS_14_X
)

# A custom rule that runs on configuration changes of EC2 instances
custom_rule = config.CustomRule(self, "Custom",
    configuration_changes=True,
    lambda_function=eval_compliance_fn,
    rule_scope=config.RuleScope.from_resource(config.ResourceType.EC2_INSTANCE)
)

# A rule to detect stack drifts
drift_rule = config.CloudFormationStackDriftDetectionCheck(self, "Drift")

# Topic to which compliance notification events will be published
compliance_topic = sns.Topic(self, "ComplianceTopic")

# Send notification on compliance change events
drift_rule.on_compliance_change("ComplianceChange",
    target=targets.SnsTopic(compliance_topic)
)
```
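The inline function above only logs the event, so the custom rule never receives a verdict. The following added example (not code from the page or the aws-cdk project) shows what the handler behind a `CustomRule` scoped to `AWS::EC2::Instance` actually has to do: parse `invokingEvent`, evaluate the configuration item, handle the `eventLeftScope`, oversized and periodic trigger shapes, and report results with `PutEvaluations`. It assumes a Python Lambda runtime instead of the `NODEJS_14_X` used above and a hypothetical rule parameter `requiredHttpTokens` (the IMDS token mode the instance must enforce). The sample event and `FakeConfigClient` are constructed so the logic runs offline.

```python
# Handler for a custom Config rule scoped to AWS::EC2::Instance (added example, not
# code from the page or the aws-cdk project). Assumes a Python Lambda runtime and a
# hypothetical rule parameter "requiredHttpTokens" (default "required"), the IMDS
# token mode the instance must enforce (IMDSv2 only).
import json
from typing import Any, Dict, List, Optional, Tuple

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"


def evaluate_instance(item: Dict[str, Any], params: Dict[str, Any]) -> Tuple[str, str]:
    """Return (ComplianceType, Annotation) for one configuration item."""
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceNotRecorded"):
        return NOT_APPLICABLE, "Resource deleted or not recorded"
    if item.get("resourceType") != "AWS::EC2::Instance":
        return NOT_APPLICABLE, "Rule evaluates AWS::EC2::Instance only"
    required = params.get("requiredHttpTokens", "required")
    config = item.get("configuration") or {}
    if isinstance(config, str):  # GetResourceConfigHistory returns it as a JSON string
        config = json.loads(config)
    # 'configuration' mirrors the EC2 Instance object; httpTokens is "optional"
    # (IMDSv1 still allowed) or "required" (IMDSv2 only).
    tokens = (config.get("metadataOptions") or {}).get("httpTokens", "optional")
    if tokens == required:
        return COMPLIANT, f"IMDS httpTokens={tokens}"
    return NON_COMPLIANT, f"IMDS httpTokens={tokens}, expected {required}"


def configuration_item(invoking: Dict[str, Any], config_client: Any) -> Optional[Dict[str, Any]]:
    """Return the item to evaluate, or None when the trigger carries none."""
    kind = invoking.get("messageType")
    if kind == "ConfigurationItemChangeNotification":
        return invoking["configurationItem"]
    if kind == "OversizedConfigurationItemChangeNotification":
        # Item exceeded the event size limit: fetch the latest recorded version.
        summary = invoking["configurationItemSummary"]
        history = config_client.get_resource_config_history(
            resourceType=summary["resourceType"], resourceId=summary["resourceId"], limit=1)
        return history["configurationItems"][0]
    return None  # ScheduledNotification: a periodic rule must enumerate resources itself


def build_evaluations(event: Dict[str, Any], config_client: Any = None) -> List[Dict[str, Any]]:
    """Turn the AWS Config invocation event into PutEvaluations entries."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    item = configuration_item(invoking, config_client)
    if item is None:
        return []
    if event.get("eventLeftScope"):
        # Resource no longer matches the rule scope: clear any stale finding.
        compliance, note = NOT_APPLICABLE, "Resource left the rule scope"
    else:
        compliance, note = evaluate_instance(item, params)
    return [{
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],  # API limit on annotation length
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }]


def handler(event: Dict[str, Any], context: Any, config_client: Any = None) -> List[Dict[str, Any]]:
    """Lambda entry point; config_client is injectable so the logic runs offline."""
    if config_client is None:
        import boto3  # only inside Lambda; the function role needs config:PutEvaluations
        config_client = boto3.client("config")
    evaluations = build_evaluations(event, config_client)
    if evaluations:
        config_client.put_evaluations(Evaluations=evaluations, ResultToken=event["resultToken"])
    return evaluations


class FakeConfigClient:
    """Offline stand-in for boto3's Config client (constructed for this example)."""

    def __init__(self) -> None:
        self.sent: List[Dict[str, Any]] = []

    def put_evaluations(self, Evaluations, ResultToken):
        self.sent.append({"Evaluations": Evaluations, "ResultToken": ResultToken})

    def get_resource_config_history(self, resourceType, resourceId, limit):
        fixed = json.dumps({"metadataOptions": {"httpTokens": "required"}})
        return {"configurationItems": [dict(SAMPLE_ITEM, configuration=fixed)]}


# Constructed sample input in the shape AWS Config sends to a custom rule.
SAMPLE_ITEM = {
    "resourceType": "AWS::EC2::Instance",
    "resourceId": "i-0123456789abcdef0",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2023-05-31T22:53:57.000Z",
    "configuration": {"metadataOptions": {"httpTokens": "optional", "httpEndpoint": "enabled"}},
}
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"configurationItem": SAMPLE_ITEM,
                                 "messageType": "ConfigurationItemChangeNotification"}),
    "ruleParameters": "{}",
    "resultToken": "constructed-token",
    "eventLeftScope": False,
}
```

Run it locally with `handler(SAMPLE_EVENT, None, FakeConfigClient())`, which returns one `NON_COMPLIANT` evaluation for the constructed instance because it still permits IMDSv1. Two design points matter in production: a rule that is both change-triggered and periodic receives `ScheduledNotification` events with no configuration item, so the periodic branch has to enumerate resources itself (here it simply reports nothing), and `eventLeftScope` must produce `NOT_APPLICABLE` or the old finding stays visible after the resource stops matching the rule scope.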