What is the difference between change-triggered and periodic rules?

Change-triggered rules evaluate whenever a matching resource's configuration changes — for example, when a security group's inbound rules are modified. Periodic rules run on a schedule (every 1, 3, 6, 12, or 24 hours) and evaluate all applicable resources regardless of whether they changed. Use change-triggered rules for real-time compliance detection (e.g., open security groups). Use periodic rules for checks that need to verify external state or aggregate conditions that might not produce a Config change event.

How do remediation actions work with Config rules?

You can attach an automatic or manual remediation action to any Config rule. When a resource is evaluated as NON_COMPLIANT, Config can invoke an SSM Automation document to fix the issue — for example, removing a public access block from an S3 bucket or adding encryption to an unencrypted EBS volume. Automatic remediation triggers immediately on non-compliance. Manual remediation queues the action for human approval. You can configure retry attempts and the concurrency of remediation executions to control the blast radius.

AWS Config Custom Rule Builder

MonitoringAWS

Build AWS Config custom Lambda rules with remediation actions.

AWS Config Configuration

Build AWS Config custom rule configs with Lambda evaluation, scope, and auto-remediation.

Required Fields

ConfigRuleNameSource.OwnerSource.SourceIdentifierSource.SourceDetails

{
  "ConfigRuleName": "require-encrypted-volumes",
  "Description": "Checks that all EBS volumes are encrypted at rest",
  "Source": {
    "Owner": "CUSTOM_LAMBDA",
    "SourceIdentifier": "arn:aws:lambda:us-east-1:123456789012:function:config-rule-encrypted-volumes",
    "SourceDetails": [
      {
        "EventSource": "aws.config",
        "MessageType": "ConfigurationItemChangeNotification"
      },
      {
        "EventSource": "aws.config",
        "MessageType": "ScheduledNotification",
        "MaximumExecutionFrequency": "TwelveHours"
      }
    ]
  },
  "Scope": {
    "ComplianceResourceTypes": [
      "AWS::EC2::Volume"
    ]
  },
  "InputParameters": "{\"desiredEncryptionState\": \"true\", \"kmsKeyId\": \"alias/ebs-key\"}",
  "MaximumExecutionFrequency": "TwelveHours",
  "EvaluationModes": [
    {
      "Mode": "DETECTIVE"
    },
    {
      "Mode": "PROACTIVE"
    }
  ],
  "Remediation": {
    "TargetType": "SSM_DOCUMENT",
    "TargetId": "AWS-EnableEbsEncryptionByDefault",
    "Automatic": false,
    "MaximumAutomaticAttempts": 3,
    "RetryAttemptSeconds": 60,
    "Parameters": {
      "AutomationAssumeRole": {
        "StaticValue": {
          "Values": ["arn:aws:iam::123456789012:role/ConfigRemediationRole"]
        }
      }
    }
  },
  "Tags": [
    {
      "Key": "Compliance",
      "Value": "SOC2"
    }
  ]
}

Generated Output

Output will appear here...

About This Tool

AWS Config tracks resource configurations and evaluates them against rules for compliance. While AWS provides over 300 managed rules, custom rules let you implement organization-specific compliance checks using Lambda functions. A custom rule triggers on configuration changes or on a schedule, invokes your Lambda function with the configuration item, and expects a compliance evaluation response. The Config Custom Rule Builder helps you define the rule metadata, trigger types, input parameters, and remediation action configurations so you can deploy custom compliance checks consistently.

When to Use This Tool

•Building custom rules that check for organization-specific tagging requirements not covered by managed rules
•Creating rules that validate resource configurations against internal security baselines, such as ensuring all RDS instances use specific parameter groups
•Defining compliance rules with automatic remediation using SSM Automation documents to fix non-compliant resources

Frequently Asked Questions

What is the difference between change-triggered and periodic rules?: Change-triggered rules evaluate whenever a matching resource's configuration changes — for example, when a security group's inbound rules are modified. Periodic rules run on a schedule (every 1, 3, 6, 12, or 24 hours) and evaluate all applicable resources regardless of whether they changed. Use change-triggered rules for real-time compliance detection (e.g., open security groups). Use periodic rules for checks that need to verify external state or aggregate conditions that might not produce a Config change event.
How do remediation actions work with Config rules?: You can attach an automatic or manual remediation action to any Config rule. When a resource is evaluated as NON_COMPLIANT, Config can invoke an SSM Automation document to fix the issue — for example, removing a public access block from an S3 bucket or adding encryption to an unencrypted EBS volume. Automatic remediation triggers immediately on non-compliance. Manual remediation queues the action for human approval. You can configure retry attempts and the concurrency of remediation executions to control the blast radius.

Related Learning Guides

CloudWatch & Observability Guide24 min read

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.