ConfigRule
The ConfigRule resource lets you manage AWS Config rules, which evaluate whether the configuration of your AWS resources matches a desired setting and report each resource as COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE. A rule is either an AWS managed rule (Source.Owner "AWS", selected by its managed-rule identifier) or a custom rule backed by your own Lambda function (Source.Owner "CUSTOM_LAMBDA") or Guard policy (Source.Owner "CUSTOM_POLICY"). The account and region must already have an AWS Config configuration recorder; creating a rule where no recorder exists fails.
Minimal Example
Create a ConfigRule backed by the AWS managed rule required-tags, which checks that every EC2 instance carries a Project tag. The managed-rule identifier is REQUIRED_TAGS and the tag key is passed as the rule parameter tag1Key. Because required-tags is triggered by configuration changes rather than on a schedule, MaximumExecutionFrequency does not apply and is omitted:
```ts
import AWS from "alchemy/aws/control";

const ec2TagRule = await AWS.Config.ConfigRule("ec2TagRule", {
  ConfigRuleName: "ec2-instance-tag-check",
  Description: "Check whether EC2 instances have a 'Project' tag",
  Source: {
    Owner: "AWS",
    // Identifier of the AWS managed rule "required-tags"
    SourceIdentifier: "REQUIRED_TAGS",
  },
  Scope: {
    ComplianceResourceTypes: ["AWS::EC2::Instance"],
  },
  // required-tags accepts tag1Key..tag6Key, each with an optional tagNValue
  InputParameters: {
    tag1Key: "Project",
  },
});
```
Advanced Configuration
This example sets up a custom rule backed by a Lambda function, with an explicit evaluation mode and rule parameters. For a CUSTOM_LAMBDA rule, SourceIdentifier is the Lambda function ARN, SourceDetails states which AWS Config notifications invoke the function, and the function must carry a resource-based policy allowing config.amazonaws.com to invoke it (a Lambda permission resource), or every evaluation fails. EvaluationModes accepts DETECTIVE (evaluate recorded resources; the default) and PROACTIVE (evaluate a proposed configuration before deployment). InputParameters are delivered to the function as a JSON string in the invocation event:
```ts
import AWS from "alchemy/aws/control";

const advancedRule = await AWS.Config.ConfigRule("advancedComplianceRule", {
  ConfigRuleName: "custom-compliance-rule",
  Description: "Custom compliance rule for S3 bucket encryption",
  Source: {
    Owner: "CUSTOM_LAMBDA",
    // ARN of the Lambda function that performs the evaluation; it must grant
    // lambda:InvokeFunction to the config.amazonaws.com service principal
    SourceIdentifier: "arn:aws:lambda:us-east-1:123456789012:function:customComplianceChecker",
    // Invoke the function on every configuration change of an in-scope resource,
    // including changes whose configuration item is too large to inline in the event
    SourceDetails: [
      { EventSource: "aws.config", MessageType: "ConfigurationItemChangeNotification" },
      { EventSource: "aws.config", MessageType: "OversizedConfigurationItemChangeNotification" },
    ],
  },
  Scope: {
    ComplianceResourceTypes: ["AWS::S3::Bucket"],
  },
  // DETECTIVE evaluates recorded resources; PROACTIVE evaluates proposed configurations
  EvaluationModes: [{ Mode: "DETECTIVE" }],
  // Arrives in the Lambda event as the JSON string ruleParameters
  InputParameters: {
    encryptionStatus: "ENABLED",
  },
});
```
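The rule above only registers the Lambda ARN; the evaluation logic lives in the function itself. The following is an added example of such an evaluator, written for this page and not taken from Alchemy or AWS. It reports whether an AWS::S3::Bucket has default server-side encryption configured, reads the `encryptionStatus` parameter the rule passes in, and handles the cases that trip up first attempts: resources that were deleted or left the rule's scope (which must be reported NOT_APPLICABLE, not NON_COMPLIANT, or they linger on the dashboard), oversized configuration items (which arrive without the item inline), and scheduled triggers (which carry no item at all). The layout of `supplementaryConfiguration.ServerSideEncryptionConfiguration` is assumed here to match what AWS Config records for S3 buckets, and `putEvaluations` is injected so the logic runs offline; in the deployed function it wraps the PutEvaluations API call.

```typescript
// Added example evaluator for a CUSTOM_LAMBDA AWS Config rule (not Alchemy or AWS code).
// Assumed: S3 default encryption appears under supplementaryConfiguration as shown in
// sampleEvent(); the rule parameter name "encryptionStatus" comes from the rule above.

type ComplianceType = "COMPLIANT" | "NON_COMPLIANT" | "NOT_APPLICABLE";

interface ConfigurationItem {
  resourceType: string;
  resourceId: string;
  configurationItemStatus: string; // "OK", "ResourceDiscovered", "ResourceDeleted", ...
  configurationItemCaptureTime: string;
  supplementaryConfiguration?: Record<string, unknown>;
}

interface Evaluation {
  ComplianceResourceType: string;
  ComplianceResourceId: string;
  ComplianceType: ComplianceType;
  Annotation?: string;
  OrderingTimestamp: string;
}

// The event AWS Config delivers to a CUSTOM_LAMBDA rule.
interface ConfigRuleEvent {
  invokingEvent: string; // JSON string: { messageType, configurationItem? }
  ruleParameters?: string; // JSON string of the rule's InputParameters
  resultToken: string;
  eventLeftScope: boolean; // true when the resource is no longer in the rule's Scope
}

interface SseConfig {
  rules?: { applyServerSideEncryptionByDefault?: { sseAlgorithm?: string } }[];
}

function notApplicable(item: ConfigurationItem): Evaluation {
  return {
    ComplianceResourceType: item.resourceType,
    ComplianceResourceId: item.resourceId,
    OrderingTimestamp: item.configurationItemCaptureTime,
    ComplianceType: "NOT_APPLICABLE",
  };
}

// Decide compliance for one recorded bucket.
function evaluateItem(item: ConfigurationItem, params: Record<string, string>): Evaluation {
  if (params.encryptionStatus !== undefined && params.encryptionStatus !== "ENABLED") {
    throw new Error(`unsupported encryptionStatus parameter: ${params.encryptionStatus}`);
  }
  // Deleted resources and unexpected types must not be flagged NON_COMPLIANT.
  if (item.resourceType !== "AWS::S3::Bucket" || item.configurationItemStatus === "ResourceDeleted") {
    return notApplicable(item);
  }
  const sse = item.supplementaryConfiguration?.ServerSideEncryptionConfiguration as SseConfig | undefined;
  const algorithms = (sse?.rules ?? [])
    .map((r) => r.applyServerSideEncryptionByDefault?.sseAlgorithm)
    .filter((a): a is string => typeof a === "string");
  return {
    ...notApplicable(item),
    ComplianceType: algorithms.length > 0 ? "COMPLIANT" : "NON_COMPLIANT",
    Annotation: algorithms.length > 0 ? `default SSE: ${algorithms.join(",")}` : "no default server-side encryption",
  };
}

// Turn one invocation event into the evaluations to report.
function evaluateEvent(event: ConfigRuleEvent): Evaluation[] {
  const invoking = JSON.parse(event.invokingEvent) as { messageType: string; configurationItem?: ConfigurationItem };
  const params = event.ruleParameters ? (JSON.parse(event.ruleParameters) as Record<string, string>) : {};
  const item = invoking.configurationItem;
  switch (invoking.messageType) {
    case "ConfigurationItemChangeNotification":
      if (!item) throw new Error("change notification without configurationItem");
      return [event.eventLeftScope ? notApplicable(item) : evaluateItem(item, params)];
    case "OversizedConfigurationItemChangeNotification":
      // The item was too large to inline; a deployed handler fetches it with
      // GetResourceConfigHistory first. Failing loudly beats reporting COMPLIANT by accident.
      throw new Error("oversized item: fetch it with GetResourceConfigHistory before evaluating");
    case "ScheduledNotification":
      // Periodic trigger with no item; a deployed handler would enumerate buckets itself.
      return [];
    default:
      throw new Error(`unexpected messageType ${invoking.messageType}`);
  }
}

// Entry point logic; the deployed Lambda handler calls this with a putEvaluations that
// sends PutEvaluations { Evaluations, ResultToken } through the AWS Config SDK client.
async function runRule(
  event: ConfigRuleEvent,
  putEvaluations: (evaluations: Evaluation[], resultToken: string) => Promise<void>,
): Promise<Evaluation[]> {
  const evaluations = evaluateEvent(event);
  await putEvaluations(evaluations, event.resultToken);
  return evaluations;
}

// Constructed sample event (not captured from a real account) for running offline.
function sampleEvent(hasDefaultSse: boolean, status = "OK"): ConfigRuleEvent {
  const item: ConfigurationItem = {
    resourceType: "AWS::S3::Bucket",
    resourceId: "example-logs-bucket",
    configurationItemStatus: status,
    configurationItemCaptureTime: "2024-01-01T00:00:00.000Z",
    supplementaryConfiguration: hasDefaultSse
      ? { ServerSideEncryptionConfiguration: { rules: [{ applyServerSideEncryptionByDefault: { sseAlgorithm: "aws:kms" } }] } }
      : {},
  };
  return {
    invokingEvent: JSON.stringify({ messageType: "ConfigurationItemChangeNotification", configurationItem: item }),
    ruleParameters: JSON.stringify({ encryptionStatus: "ENABLED" }),
    resultToken: "example-token",
    eventLeftScope: false,
  };
}

void runRule(sampleEvent(false), async () => {}).then((evals) => console.log(evals[0].ComplianceType));
```

Note that an evaluator that throws, or that never calls PutEvaluations with the event's resultToken, leaves the resource with no compliance result rather than a NON_COMPLIANT one; monitor the function's error rate alongside the rule's compliance summary.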
Compliance Monitoring
This example creates a ConfigRule that checks customer-managed IAM policies against the AWS managed rule iam-policy-no-statements-with-admin-access (identifier IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS), which flags any policy containing a statement with Effect Allow, Action "*" and Resource "*". The rule is triggered by configuration changes, so MaximumExecutionFrequency is omitted:
```ts
import AWS from "alchemy/aws/control";

const iamPolicyComplianceRule = await AWS.Config.ConfigRule("iamPolicyComplianceRule", {
  ConfigRuleName: "iam-policy-compliance-check",
  Description: "Ensure customer-managed IAM policies do not grant full administrative access",
  Source: {
    Owner: "AWS",
    // Identifier of the AWS managed rule "iam-policy-no-statements-with-admin-access"
    SourceIdentifier: "IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS",
  },
  Scope: {
    ComplianceResourceTypes: ["AWS::IAM::Policy"],
  },
});
```
Evaluating Resource Compliance
This example applies the managed rule required-tags across several resource types at once and additionally constrains the tag's value: tag1Key names the required tag and tag1Value, a comma-separated list, the values it may take. Any in-scope resource missing the tag, or carrying another value, is reported NON_COMPLIANT:
```ts
import AWS from "alchemy/aws/control";

const tagComplianceRule = await AWS.Config.ConfigRule("tagComplianceRule", {
  ConfigRuleName: "required-tag-check",
  Description: "Checks that in-scope resources carry an 'Environment' tag with an approved value",
  Source: {
    Owner: "AWS",
    SourceIdentifier: "REQUIRED_TAGS",
  },
  Scope: {
    // Restrict to resource types the required-tags rule supports
    ComplianceResourceTypes: [
      "AWS::S3::Bucket",
      "AWS::EC2::Instance",
      "AWS::EC2::Volume",
      "AWS::RDS::DBInstance",
    ],
  },
  InputParameters: {
    tag1Key: "Environment",
    // Optional: comma-separated list of accepted values
    tag1Value: "dev,staging,prod",
  },
});
```