Create a custom rule to evaluate target resources when the predefined rule templates in Cloud Config do not meet your requirements. You visually configure the rule's three core elements: resource feature, operator, and desired value.
Background
For more information about the concepts, use cases, and key features of custom condition rules, see Definition and working principles of custom condition rules.
Procedure
Log on to the Cloud Config console.
Optional. In the upper-left corner, select an account group.
This operation is required only if you are using a management account of a resource directory. Otherwise, you do not need to perform the operation.
In the left-side navigation pane, choose .
-
On the Rules page, click Create Rule.
-
On the Select Create Method page, select Based on Condition, select a Resource Type, set the conditions for the resource type, and then click Next.
To set the conditions:
-
Set the rule conditions.
Note-
For more information about the resource types and their properties supported by Cloud Config, see Supported resource types and resource relationships.
-
The resource configuration code in the dry run panel shows data from the first available resource of the selected resource type. For more information about how to view resources, see Search for and filter resources.
-
For more information about how to set the resource feature, operator, and desired value for a conditional rule, see Basic elements of a custom condition rule.
-
Single-condition evaluation
Example: Check if an ECS instance has deletion protection enabled. An instance is compliant if protection is enabled; otherwise, it is non-compliant.
-
From the Select Resource Type drop-down list, select Elastic Compute Service (ECS) > ECS instance.
-
Click Show dry run panel.
-
On the Visual editor tab, keep the default conditional operator
and. In the Resource Type field, select Resource Property > DeletionProtection. For the Operator, select StringEquals. In the desired value field, enter false.
-
-
Multi-condition evaluation
Example: A resource is compliant if it meets either of the following two conditions; otherwise, it is non-compliant.
Condition 1: An enabled trail exists in ActionTrail.
Condition 2: The ActionTrail trail is configured for all regions.
-
From the Select Resource Type drop-down list, select ActionTrail > ActionTrail trail.
-
Click Show dry run panel.
-
On the Visual editor tab, select the
orconditional operator. In the Resource Type field, select Resource Property > Status. For the Operator, select StringEquals. In the desired value field, enter Enable. -
Click Add Condition. In the new Resource Type field, select Resource Property > TrailRegion. For the Operator, select StringEquals. In the desired value field, enter All.
-
NoteTo write the condition logic directly in code, click the Script editor tab in the upper-right corner of the dry run panel.
-
-
In the upper-left corner of the dry run panel, click Dry run.
The validation result is displayed as Compliant or Non-compliant, indicating whether the sample resource configuration meets your defined conditions.
-
Result is Compliant
This usually means your rule conditions are correctly configured. Proceed to the next step.
-
Result is Non-compliant
-
A desired value for a condition may be incorrect. Review and correct the failed conditions, then run the dry run again.
-
The resource configuration is Non-compliant. If this result is expected, you can proceed to the next step.
-
-
-
-
On the Set Basic Properties page, set the rule name, risk level, trigger, and description, and then click Next.
-
On the Set Effective Scope page, set the effective scope for the resources, and then click Next.
-
On the Set Correction page, click Submit.
You can enable the Set Correction switch to configure a custom remediation. For more information, see Set a custom remediation.