What is the difference between change-triggered and periodic rules?

Change-triggered rules evaluate whenever a matching resource's configuration changes — for example, when a security group's inbound rules are modified. Periodic rules run on a schedule (every 1, 3, 6, 12, or 24 hours) and evaluate all applicable resources regardless of whether they changed. Use change-triggered rules for real-time compliance detection (e.g., open security groups). Use periodic rules for checks that need to verify external state or aggregate conditions that might not produce a Config change event.

How do remediation actions work with Config rules?

You can attach an automatic or manual remediation action to any Config rule. When a resource is evaluated as NON_COMPLIANT, Config can invoke an SSM Automation document to fix the issue — for example, removing a public access block from an S3 bucket or adding encryption to an unencrypted EBS volume. Automatic remediation triggers immediately on non-compliance. Manual remediation queues the action for human approval. You can configure retry attempts and the concurrency of remediation executions to control the blast radius.

AWS Config Custom Rule Builder

MonitoringAWS

Build AWS Config custom Lambda rules with remediation actions.

Last verified: May 2026

AWS Config Configuration

Build AWS Config custom rule configs with Lambda evaluation, scope, and auto-remediation.

Required Fields

ConfigRuleNameSource.OwnerSource.SourceIdentifierSource.SourceDetails

{
  "ConfigRuleName": "require-encrypted-volumes",
  "Description": "Checks that all EBS volumes are encrypted at rest",
  "Source": {
    "Owner": "CUSTOM_LAMBDA",
    "SourceIdentifier": "arn:aws:lambda:us-east-1:123456789012:function:config-rule-encrypted-volumes",
    "SourceDetails": [
      {
        "EventSource": "aws.config",
        "MessageType": "ConfigurationItemChangeNotification"
      },
      {
        "EventSource": "aws.config",
        "MessageType": "ScheduledNotification",
        "MaximumExecutionFrequency": "TwelveHours"
      }
    ]
  },
  "Scope": {
    "ComplianceResourceTypes": [
      "AWS::EC2::Volume"
    ]
  },
  "InputParameters": "{\"desiredEncryptionState\": \"true\", \"kmsKeyId\": \"alias/ebs-key\"}",
  "MaximumExecutionFrequency": "TwelveHours",
  "EvaluationModes": [
    {
      "Mode": "DETECTIVE"
    },
    {
      "Mode": "PROACTIVE"
    }
  ],
  "Remediation": {
    "TargetType": "SSM_DOCUMENT",
    "TargetId": "AWS-EnableEbsEncryptionByDefault",
    "Automatic": false,
    "MaximumAutomaticAttempts": 3,
    "RetryAttemptSeconds": 60,
    "Parameters": {
      "AutomationAssumeRole": {
        "StaticValue": {
          "Values": ["arn:aws:iam::123456789012:role/ConfigRemediationRole"]
        }
      }
    }
  },
  "Tags": [
    {
      "Key": "Compliance",
      "Value": "SOC2"
    }
  ]
}

Generated Output

Output will appear here...

See It in Action

Your team's compliance officer mandates: every production resource must have a `cost-center` tag matching the central allow-list. No managed rule covers this exact requirement. The builder helps generate a custom rule: change-triggered on EC2/RDS/S3/Lambda resources, Lambda function checks the resource's tags against an allow-list stored in SSM Parameter Store, returns NON_COMPLIANT if missing or wrong. Auto-remediation: SSM Automation document that emails the resource owner. Within a week of deploy, 30 non-compliant resources are surfaced and tagged correctly.

What This Tool Does

AWS Config tracks resource configurations and evaluates them against rules for compliance. While AWS provides over 300 managed rules, custom rules let you implement organization-specific compliance checks using Lambda functions. A custom rule triggers on configuration changes or on a schedule, invokes your Lambda function with the configuration item, and expects a compliance evaluation response. The Config Custom Rule Builder helps you define the rule metadata, trigger types, input parameters, and remediation action configurations so you can deploy custom compliance checks consistently.

Technical Details

The builder generates Config custom rule definitions: rule name, description, source (Lambda function ARN), trigger (configuration changes with resource type filters, OR periodic with interval), input parameters (passed to Lambda as the rule's evaluation context), maximum execution frequency, and optional remediation configuration (SSM Automation document + parameters). Output is generated as aws configservice put-config-rule commands and Terraform aws_config_config_rule resources.

Common Use Cases

1Building custom rules that check for organization-specific tagging requirements not covered by managed rules
2Creating rules that validate resource configurations against internal security baselines, such as ensuring all RDS instances use specific parameter groups
3Defining compliance rules with automatic remediation using SSM Automation documents to fix non-compliant resources

Common Questions

What is the difference between change-triggered and periodic rules?: Change-triggered rules evaluate whenever a matching resource's configuration changes — for example, when a security group's inbound rules are modified. Periodic rules run on a schedule (every 1, 3, 6, 12, or 24 hours) and evaluate all applicable resources regardless of whether they changed. Use change-triggered rules for real-time compliance detection (e.g., open security groups). Use periodic rules for checks that need to verify external state or aggregate conditions that might not produce a Config change event.
How do remediation actions work with Config rules?: You can attach an automatic or manual remediation action to any Config rule. When a resource is evaluated as NON_COMPLIANT, Config can invoke an SSM Automation document to fix the issue — for example, removing a public access block from an S3 bucket or adding encryption to an unencrypted EBS volume. Automatic remediation triggers immediately on non-compliance. Manual remediation queues the action for human approval. You can configure retry attempts and the concurrency of remediation executions to control the blast radius.

Expert Tips

TIP

Always exhaust managed Config rules before writing custom ones. AWS has 300+ managed rules covering most compliance scenarios. Custom rules add maintenance burden (Lambda code, deployment, monitoring). Search the managed catalog first using the Config console's rule library.

TIP

Periodic rules consume invocations every 1-24 hours regardless of resource count. For organizations with 100+ accounts and 50+ rules, periodic invocations add up. Prefer change-triggered rules where possible — they only run when relevant resources actually change.

TIP

Auto-remediation should only be enabled for low-blast-radius actions (removing public access from S3, encrypting unencrypted EBS). Never auto-remediate things like 'fix VPC security group' — automatic changes to networking can cause production incidents. Use manual approval mode for those.

Related Learning Guides

CloudWatch & Observability Guide24 min read

Was this tool helpful?

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.