This procedure walks you through creating a custom rule that evaluates whether each of your EC2 instances is of the t2.micro type. AWS Config runs this rule in response to configuration changes, which means it evaluates an instance's configuration each time AWS Config detects a change to that instance. AWS Config flags t2.micro instances as compliant and all other instances as noncompliant. Compliance status is displayed in the AWS Config console.
To get the most out of this procedure, your AWS account should have one or more EC2 instances. Ideally it contains at least one t2.micro instance and at least one instance of another type.
To create this rule, first create an AWS Lambda function by customizing a blueprint in the AWS Lambda console. Then create a custom rule in AWS Config and associate the function with the rule.
To create an AWS Lambda function for a custom Config rule
- Sign in to the AWS Management Console and open the AWS Lambda console at https://console.aws.amazon.com/lambda/ .
- On the AWS Management Console menu, verify that the region selector is set to a region that supports AWS Config rules. For a list of supported regions, see AWS Config Regions and Endpoints in the Amazon Web Services General Reference.
- In the AWS Lambda console, choose Create a Lambda function.
- On the Select blueprint page, for filter, type config-rule-change-triggered. Choose the blueprint from the filter results.
- On the Configure triggers page, choose Next.
- On the Configure function page, complete the following steps:
  - For Name, type InstanceTypeCheck.
  - For Runtime, keep Node.js.
  - For Code entry type, keep Edit code inline. The code editor displays the Node.js code for your function. For this procedure, you do not need to change the code.
  - For Handler, keep index.handler.
  - For Role, choose Create new role from template(s).
  - For Role name, type a name.
  - For Policy templates, choose AWS Config Rules permission.
- On the Configure function page, choose Next.
- On the Review page, verify the details of your function, and then choose Create function. The AWS Lambda console displays your function.
To verify that your function is set up correctly, test it by following these steps:
- Choose Actions, and then choose Configure test event.
- In the Input test event window, for Sample event template, choose AWS Config Change Triggered Rule.
- Choose Save and test. AWS Lambda uses the sample event to test your function. If your function works as expected, an error message similar to the following appears under Execution result:
{ "errorMessage": "Result Token provided is invalid", "errorType": "InvalidResultTokenException", . . .
The InvalidResultTokenException is expected here, because the function can run successfully only when it receives a result token from AWS Config. The result token identifies the AWS Config rule and the event that caused the evaluation, and it associates the evaluation with the rule. This exception also indicates that your function has the permissions it needs to send results to AWS Config. Otherwise, this error message appears: not authorized to perform: config:PutEvaluations
If this error occurs, update the role assigned to the function to allow the config:PutEvaluations operation, and then test your function again.
To create a custom rule
- Open the AWS Config console at https://console.aws.amazon.com/config/ .
- On the AWS Management Console menu, verify that the region selector is set to the same region that you used when you created the AWS Lambda function for your custom rule.
- On the Rules page, choose Add rule.
- On the Add rule page, choose Add custom rule.
- On the Configure rule page, complete the following steps:
  - For Name, type InstanceTypesAreT2micro.
  - For Description, type Evaluates whether EC2 instances are the t2.micro type.
  - For AWS Lambda function ARN, specify the ARN that AWS Lambda assigned to your function.
    Note: The ARN that you specify in this step cannot contain the $LATEST qualifier. You can specify an ARN without a version qualifier or with any qualifier other than $LATEST. AWS Lambda supports function versioning and assigns an ARN with a qualifier to each version. AWS Lambda uses the $LATEST qualifier for the latest version.
  - For Trigger type, choose Configuration changes.
  - For Scope of changes, choose Resources.
  - For Resources, choose Instance.
  - In the Rule parameters section, specify the rule parameter that your AWS Lambda function evaluates and its desired value. The function for this procedure evaluates the desiredInstanceType parameter. For Key, type desiredInstanceType. For Value, type t2.micro.
- Choose Save. Your new rule appears on the Rules page.
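As an added example (not the blueprint's own code and not from the original page), the following Node.js sketch shows the logic the function created above performs against the desiredInstanceType rule parameter: it reads the changed instance's configuration item from the AWS Config event, decides COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE, and returns a PutEvaluations request carrying the result token that ties the evaluation back to the rule. The sample event, resource id and token are constructed; the lazy aws-sdk require in the handler is an assumption about the Lambda runtime.

```javascript
// Constructed sample invocation, shaped like the "AWS Config Change Triggered Rule"
// test event (assumption: field names follow the AWS Config Lambda invocation format).
const SAMPLE_EVENT = {
  invokingEvent: JSON.stringify({
    configurationItem: {
      resourceType: 'AWS::EC2::Instance',
      resourceId: 'i-0123456789abcdef0', // constructed id
      configurationItemStatus: 'OK',
      configurationItemCaptureTime: '2024-01-01T00:00:00.000Z',
      configuration: { instanceType: 't2.micro' },
    },
    messageType: 'ConfigurationItemChangeNotification',
  }),
  ruleParameters: JSON.stringify({ desiredInstanceType: 't2.micro' }),
  resultToken: 'constructed-result-token',
};

// Compare one configuration item against the desiredInstanceType rule parameter.
// Non-instance and deleted resources are NOT_APPLICABLE rather than noncompliant.
function evaluateCompliance(configurationItem, ruleParameters) {
  if (configurationItem.resourceType !== 'AWS::EC2::Instance') return 'NOT_APPLICABLE';
  if (configurationItem.configurationItemStatus === 'ResourceDeleted') return 'NOT_APPLICABLE';
  const desired = ruleParameters.desiredInstanceType;
  if (!desired) throw new Error('rule parameter desiredInstanceType is required');
  return configurationItem.configuration.instanceType === desired ? 'COMPLIANT' : 'NON_COMPLIANT';
}

// Build the PutEvaluations request: one evaluation for the changed resource plus the
// result token AWS Config handed us, without which PutEvaluations is rejected.
function buildPutEvaluationsParams(event) {
  const invokingEvent = JSON.parse(event.invokingEvent);
  const ruleParameters = JSON.parse(event.ruleParameters || '{}');
  const ci = invokingEvent.configurationItem;
  return {
    Evaluations: [{
      ComplianceResourceType: ci.resourceType,
      ComplianceResourceId: ci.resourceId,
      ComplianceType: evaluateCompliance(ci, ruleParameters),
      OrderingTimestamp: ci.configurationItemCaptureTime,
    }],
    ResultToken: event.resultToken,
  };
}

// Lambda entry point (index.handler). The SDK is required lazily so the logic above can be
// exercised offline; assumption: the Lambda Node.js runtime provides the v2 aws-sdk module.
async function handler(event) {
  const { ConfigService } = require('aws-sdk');
  return new ConfigService().putEvaluations(buildPutEvaluationsParams(event)).promise();
}
if (typeof module !== 'undefined') module.exports = { handler };
```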
Until AWS Config receives evaluation results from the AWS Lambda function, Compliance shows Evaluating.... If the rule and function work as expected, a summary of results appears after a few minutes. For example, a result of 2 noncompliant resource(s) means that two of your instances are not t2.micro instances, and a result of Compliant means that all of your instances are t2.micro instances. You can use the refresh button to update the results.
If the rule or function does not work as expected, you might see one of the following under Compliance:
- No results reported - AWS Config evaluated your resources against the rule. The rule did not apply to the AWS resources in its scope, the specified resources were deleted, or the evaluation results were deleted. To get evaluation results, update the rule, change its scope, or choose Re-evaluate.
  Verify that the scope includes Instance under Resources, and then try again.
- No resources in scope - AWS Config cannot evaluate your recorded AWS resources against this rule because none of your resources are within the rule's scope. To get evaluation results, edit the rule and change its scope, or use the Settings page to add resources for AWS Config to record.
  Verify that AWS Config is recording EC2 instances.
- Evaluations failed - For information that can help you determine the problem, choose the rule name to open its details page and see the error message.
If the rule runs and AWS Config provides evaluation results, you can see which conditions affect the compliance status of the rule. You can learn which resources, if any, are noncompliant and why.