My AWS managed AWS Config rules aren't compliant when I use the API to turn on multi-factor authentication (MFA). I turned on MFA for my AWS Identity and Access Management (IAM) users or rotated IAM access keys.
Short description
The following AWS managed AWS Config rules aren't compliant after you invoke the GenerateCredentialReport API:
These rules evaluate the IAM credential report rather than querying IAM directly, so they report the state that was captured in that report. When you invoke GenerateCredentialReport, IAM first checks whether a report already exists. If a report was generated within the past four hours, then the API call returns that most recent report. If the most recent report is more than four hours old, or there are no previous reports, then GenerateCredentialReport generates a new report. As a result, an MFA device that you turn on or an access key that you rotate can remain noncompliant in AWS Config until a fresh report is generated. For more information, see Generate credential reports for your AWS account.
Resolution
Set the rule's MaximumExecutionFrequency parameter to an interval longer than four hours, so that each evaluation runs after the cached credential report has expired and a new one is generated. The MaximumExecutionFrequency parameter sets the maximum frequency at which AWS Config runs evaluations for an AWS managed periodic rule.
Complete the following steps:
- Open the AWS Config console.
- In the navigation pane, choose Rules.
- Select your AWS Config rule, and then choose Edit.
- Under Evaluation mode, for Trigger type, select the Frequency dropdown list, and then choose 6, 12, or 24 hours.
- Choose Save.
To use the AWS Command Line Interface (AWS CLI) to update the rule trigger frequency, run the put-config-rule command.
Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
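As an added example that is not part of the AWS article, the following POSIX shell script maps an evaluation interval in hours to the MaximumExecutionFrequency value that the put-config-rule command expects, refuses intervals shorter than the four-hour credential report cache, and builds the AWS CLI call. The rule name and the managed-rule SourceIdentifier are placeholders (Source is a required field of the ConfigRule document, so it is fetched from the existing rule when the change is actually applied); the aws command runs only when APPLY=1, otherwise the script prints the command it would run.

```shell
#!/bin/sh
# Added example, not from the AWS article. Placeholder values: REPLACE_WITH_RULE_NAME
# and the SourceIdentifier used in dry-run mode.

# Translate whole hours into the MaximumExecutionFrequency enum value.
# One_Hour and Three_Hours are valid AWS Config values, but they would re-evaluate
# a credential report that can be up to four hours old, so they are rejected here.
frequency_for_hours() {
  case "$1" in
    6)   echo "Six_Hours" ;;
    12)  echo "Twelve_Hours" ;;
    24)  echo "TwentyFour_Hours" ;;
    1|3) echo "error: $1 hour(s) is shorter than the 4-hour credential report cache" >&2
         return 1 ;;
    *)   echo "error: unsupported interval '$1' (use 6, 12 or 24)" >&2
         return 1 ;;
  esac
}

# Read the SourceIdentifier of an existing managed rule so the document we send
# keeps the rule's current Source block (requires AWS credentials and network).
current_source_identifier() {
  aws configservice describe-config-rules \
    --config-rule-names "$1" \
    --query 'ConfigRules[0].Source.SourceIdentifier' \
    --output text
}

# Build the ConfigRule JSON document accepted by put-config-rule.
config_rule_json() {
  printf '{"ConfigRuleName":"%s","Source":{"Owner":"AWS","SourceIdentifier":"%s"},"MaximumExecutionFrequency":"%s"}' \
    "$1" "$2" "$3"
}

# Validate the interval, build the document and either print or run the command.
update_rule_frequency() {
  rule_name="$1"
  hours="$2"
  freq=$(frequency_for_hours "$hours") || return 1
  if [ "${APPLY:-0}" = "1" ]; then
    source_id=$(current_source_identifier "$rule_name") || return 1
    doc=$(config_rule_json "$rule_name" "$source_id" "$freq")
    aws configservice put-config-rule --config-rule "$doc"
  else
    # Dry run: placeholder identifier, command is printed instead of executed.
    doc=$(config_rule_json "$rule_name" "REPLACE_WITH_MANAGED_RULE_IDENTIFIER" "$freq")
    echo "aws configservice put-config-rule --config-rule '$doc'"
  fi
}

# Usage (dry run): sh update-frequency.sh; set APPLY=1 to actually call AWS.
if [ "${RUN_EXAMPLE:-0}" = "1" ]; then
  update_rule_frequency "REPLACE_WITH_RULE_NAME" 12
fi
```

Running the script with RUN_EXAMPLE=1 prints the put-config-rule command with MaximumExecutionFrequency set to Twelve_Hours; rerunning with APPLY=1 as well sends it to AWS Config. The 1-hour and 3-hour values are deliberately rejected because any interval at or below the four-hour report cache leaves the rule evaluating stale data.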
Related information
ConfigRule
GetCredentialReport