Specifying Triggers for AWS Config Rules

AWS Config allows you to set “rules” that evaluate the configuration settings of your AWS resources. The results of these rule evaluations are then displayed on the AWS Config web console. You control how often AWS Config evaluates a rule by specifying a trigger. A trigger is the method by which a config rule is evaluated, and there are two trigger types to choose from when creating a rule.

1. Configuration Changes

When “configuration changes” is enabled, AWS Config evaluates the config rule when specific resources are created, changed, or deleted. In other words, as the name implies, AWS Config starts evaluating the rule whenever it detects a configuration change in the resources whose compliance you are checking, whether that is an EC2 instance, an ALB, or any other resource you defined.

You can set the rule’s scope to identify which resources trigger the evaluation. The rule scope can include the following:

  • One or more resource types
  • A combination of a resource type and a resource ID
  • A combination of a tag key and value
  • When any recorded resource is created, updated, or deleted

Use Case

Enable configuration changes when you need to know urgently whether your resources comply with your company’s internal guidelines.

For example, suppose your development team is allowed to use only the t2.micro instance type for their activities, and your company has a strict rule to reprimand anyone who launches a different instance type. As the Systems Administrator, you want to be notified right away whenever a violation happens. This situation is a good use case for the configuration changes trigger.

2. Periodic

When “periodic” is enabled, AWS Config evaluates the config rule at a frequency that you choose (e.g. 1 hour, 12 hours, 24 hours). Unlike configuration changes, this trigger type is not event-driven.

Use Case

Enable Periodic when less urgency in compliance checking is acceptable. Use this trigger if you want the config rule evaluated on a fixed schedule.

For example, as the Systems Administrator, you want to ensure that multi-factor authentication (MFA) is enabled for new and current IAM users. To check for compliance, you added the AWS Config managed rule, iam-user-mfa-enabled, on your AWS Organization. You don’t want to get notified right away whenever there’s a violation of compliance. Instead, you would rather deal with it at a 24-hour interval. So you enabled periodic and set the frequency to 24 hours.

With AWS Config, you pay $0.003 per configuration item recorded in your AWS account per AWS Region. You are also charged $0.001 per rule evaluation per region (for the first 100,000 rule evaluations). So if you know that your AWS account will have a lot of changes throughout the day, a Periodic trigger (which runs just once a day at a 24-hour frequency) will be cheaper than an “event-driven” configuration changes trigger (which runs on every event).
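To make the two trigger types and the cost comparison concrete, here is an added example (not code from the article or from AWS) that builds the rule definitions for both scenarios above in the shape boto3’s `config.put_config_rule(ConfigRule=...)` accepts, and estimates the daily evaluation cost from the article’s $0.001-per-evaluation price. The rule name `dev-only-t2-micro`, the resource ID and the change counts are constructed values; the managed rule identifiers `DESIRED_INSTANCE_TYPE` and `IAM_USER_MFA_ENABLED` are AWS Config’s identifiers for the two managed rules the article names.

```python
# Added example (not from the article or AWS): build ConfigRule definitions for both trigger
# types in the shape boto3's config.put_config_rule(ConfigRule=...) accepts, and compare cost.
import json
FREQUENCY_HOURS = {"One_Hour": 1, "Three_Hours": 3, "Six_Hours": 6,  # valid
                   "Twelve_Hours": 12, "TwentyFour_Hours": 24}      # MaximumExecutionFrequency values
EVALUATION_PRICE_USD = 0.001  # per rule evaluation, first 100,000 per region (article's figure)

def scope_for(resource_types=None, resource_id=None, tag_key=None, tag_value=None):
    """Scope options from the article: resource types, one type + ID, tag key/value, or all."""
    scope = {}
    if resource_types:
        scope["ComplianceResourceTypes"] = list(resource_types)
    if resource_id:  # an ID only makes sense together with exactly one resource type
        if len(resource_types or []) != 1:
            raise ValueError("a resource ID must be paired with exactly one resource type")
        scope["ComplianceResourceId"] = resource_id
    if tag_key:
        scope["TagKey"] = tag_key
        if tag_value:
            scope["TagValue"] = tag_value
    return scope  # empty scope: evaluate when any recorded resource is created/updated/deleted

def change_triggered_rule(name, managed_id, scope=None, params=None):
    """Configuration-change trigger: no frequency; AWS Config evaluates on each in-scope change."""
    rule = {"ConfigRuleName": name, "Source": {"Owner": "AWS", "SourceIdentifier": managed_id}}
    if scope:
        rule["Scope"] = scope
    if params:
        rule["InputParameters"] = json.dumps(params)  # the API takes parameters as a JSON string
    return rule

def periodic_rule(name, managed_id, frequency="TwentyFour_Hours"):
    """Periodic trigger: managed rules take the schedule as MaximumExecutionFrequency."""
    if frequency not in FREQUENCY_HOURS:
        raise ValueError(f"invalid MaximumExecutionFrequency: {frequency}")
    return {"ConfigRuleName": name, "MaximumExecutionFrequency": frequency,
            "Source": {"Owner": "AWS", "SourceIdentifier": managed_id}}

def daily_evaluation_cost(rule, changes_per_day):
    """Evaluation cost per day: once per interval for periodic, once per change otherwise."""
    if "MaximumExecutionFrequency" in rule:
        evaluations = 24 // FREQUENCY_HOURS[rule["MaximumExecutionFrequency"]]
    else:
        evaluations = changes_per_day
    return round(evaluations * EVALUATION_PRICE_USD, 6)

# The article's two scenarios: dev instances must be t2.micro; IAM users must have MFA.
INSTANCE_RULE = change_triggered_rule("dev-only-t2-micro", "DESIRED_INSTANCE_TYPE",
                                      scope_for(["AWS::EC2::Instance"]), {"instanceType": "t2.micro"})
MFA_RULE = periodic_rule("iam-user-mfa-enabled", "IAM_USER_MFA_ENABLED")
```

Either dict can be passed as `ConfigRule=` to `boto3.client("config").put_config_rule(...)`; with 500 in-scope changes a day the change-triggered rule costs $0.50 in evaluations while the 24-hour periodic rule costs $0.001, which is the trade-off the paragraph above describes.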

Getting Started on Trigger Types:

1. Go to AWS Config Dashboard

2. On the left-most pane, click “Rules” then click “Add rule”

We’ll use the managed config rule “desired-instance-type” as an example.

3. Type “desired-instance-type” in the space provided. Click the card to proceed.

4. Scroll down until you find “Trigger”.

5. Choose a trigger type. Note that for a managed config rule, the trigger type is defined for you and cannot be modified. When you add a custom rule, however, you can choose the trigger type yourself.

Source:
https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config-rules.html
