Setting parameters for AWS Config service-linked rules

Question

I have deployed a conformance pack in AWS Config using the 'Operational Best Practices for PCI DSS' sample template. Some of the rules included in this template have parameters (eg. for setting port numbers or traffic types), but I cannot configure them as they are 'service-linked rules' and the 'Edit' button is greyed.

How can I go about adjusting the parameters for these? Do I need to create a clone of the sample template and deploy that instead? If so, how do I go about it, as I have not found a means to clone or download the JSON config for a sample template. Alternatively, can I clone and replace the individual rules within my deployed conformance pack? Naturally, I am aiming fora result of no non-compliances, so just adding new rules will not achieve this.

Answer

These service-linked AWS Config rules are owned by AWS service teams. The AWS service team creates these rules in your AWS account. You have read-only access to these rules. You cannot edit or delete these rules.

Create a custom AWS Config rule using AWS Lambda or Guard, and include the necessary parameter configurations in your custom rule. To create your own custom AWS Config rules, you can use the AWS Config console, the AWS Config rule APIs, or programming languages like Java or Python. The template yaml file for PCI-DSS operation best practices can be found at https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-PCI-DSS.yaml

Setting parameters for AWS Config service-linked rules

Relevant content