id | title | created | updated |
---|---|---|---|
Conformance Packs |
Conformance Packs |
1683841041000 |
1683841041000 |
{% hint style="info" %} This page was generated from content adapted from the AWS Developer Guide {% endhint %}
- Note
When deploying cross-account conformance packs, the name of the delivery Amazon S3 bucket should start withawsconfigconforms
. - Note
When deploying conformance packs to an organization, the name of the delivery Amazon S3 bucket should start withawsconfigconforms
.
- Note
However, you can update the compliance of the process check by choosing Edit Compliance and selecting the appropriate value from Compliant, Non-Compliant or Not-Applicable.
- Important
Conformance packs provide a general-purpose compliance framework to help you create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. AWS conformance pack sample templates intend to help you create your own conformance packs with different or additional rules, input parameters and remediation actions that suit your environment. The sample templates, including those related to compliance standards and industry benchmarks, are not designed to ensure your compliance with a specific governance standard. They can neither replace your internal efforts nor guarantee that you will pass a compliance assessment.
- Note
AWS Config Managed Rules are predefined rules owned by AWS Config.
AWS Config Custom Rules are rules that you create from scratch. There are two ways to create AWS Config custom rules: with Lambda functions (AWS Lambda Developer Guide) and with Guard (Guard GitHub Repository), a policy-as-code language. AWS Config custom rules created with AWS Lambda are called AWS Config Custom Lambda Rules and AWS Config custom rules created with Guard are called AWS Config Custom Policy Rules. - Note
Your file will contain a Parameters and Resources section. - Note
When selecting the AWS Config Rules to build your custom conformance pack, check you have the resources provisioned within your account that will be evaluated for the AWS Config Rules. - Note
When selecting the AWS Config rules to build your custom conformance pack, check that you have the resources that will be evaluated for the AWS Config rules provisioned within your account. For more information, see Supported Resource Types.
- Note
For more information on creating a YAML template for a conformance pack, see Custom Conformance Pack.
- Note
For deployments across different regions
The API call to deploy rules and conformance packs across accounts is region specific. At the organization level, you need to change the context of your API call to a different region if you want to deploy rules in other regions. For example, to deploy a rule in US East (N. Virginia), change the region to US East (N. Virginia) and then callPutOrganizationConfigRule
.
For accounts within an organzation
If a new account joins an organization, the rule or conformance pack is deployed to that account. When an account leaves an organization, the rule or conformance pack is removed.
If you deploy an organizational rule or conformance pack in an organization administrator account, and then establish a delegated administrator and deploy an organizational rule or conformance pack in the delegated administrator account, you won't be able to see the organizational rule or conformance pack in the organization administrator account from the delegated administrator account or see the organizational rule or conformance pack in the delegated administrator account from organization administrator account. The DescribeOrganizationConfigRules and DescribeOrganizationConformancePacks APIs can only see and interact with the organization-related resource that were deployed from within the account calling those APIs.
Retry mechanism for new accounts added to an organization
Deployment of existing organizational rules and conformance packs will only be retried for 7 hours after an account is added to your organization if a recorder is not available. You are expected to create a recorder if one doesn't exist within 7 hours of adding an account to your organization.