My AWS Config rule doesn't work, and I want to troubleshoot the issue.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
Your managed AWS Config rule might not work because of permissions issues, resource scope, or missing configuration items for the resources that the rule evaluates. Use the following troubleshooting steps to resolve these issues.
Review your configuration recorder
Verify that your configuration recorder records all of the resource types that your rule evaluates, for example AWS::EC2::Instance. A rule can't evaluate a resource type that the recorder doesn't record.
Update the Compliance option for your rule
On the AWS Config console, the Compliance option for your rule might display No results reported or No resources in scope. To get evaluation results, you might need to update the rule, change its scope, or add resources. For information about how to resolve this issue, see Adding rules (console).
Review your evaluations
If AWS Config doesn't report an evaluation time and shows Evaluations failed, then review the PutEvaluations API call in the AWS CloudTrail logs for errors.
Review your Event history
In CloudTrail, you can review your Event history for AWS Config events. Filter the Event source for config.amazonaws.com, and search the filtered log results for "Access denied" errors. Then, review the errors for details about the issue.
For a rule with a periodic trigger, you can also review the Event history for the scheduled evaluation events and their errors. To resolve those errors, make sure that the role the evaluation runs under (for a custom rule, the Lambda function's execution role) can call the service APIs that the evaluation needs.
Review your configuration items
Review the configuration timeline and compliance timeline for your resource. For a rule with a configuration change-based trigger, AWS Config evaluates the resource only when it records a new configuration item for that resource, so make sure that a configuration item that reflects the change exists.
Update your recorder role permissions
Make sure that the recorder role has the correct AWS Identity and Access Management (IAM) permissions. AWS Config uses this role to describe (read) the configuration of the recorded resources and to deliver configuration items to the delivery channel. For a custom rule, the Lambda function's execution role must separately allow config:PutEvaluations, which the function calls to publish compliance results.
Review your rule evaluation status
To view the status of your rule, run the following describe-config-rule-evaluation-status command, and review the LastErrorCode and LastErrorMessage values:
aws configservice describe-config-rule-evaluation-status --config-rule-names ConfigRuleName --region RegionID
Note: Replace ConfigRuleName with your AWS Config rule name and RegionID with your AWS Region.
Troubleshoot custom AWS Config rules
For custom AWS Config rules, AWS Config must have permission to invoke the AWS Lambda function that the rule uses. This permission is granted in the function's resource-based policy. If it's missing, then the rule reports the following error message:
"Unable to execute lambda function"
The following is an example resource policy of the Lambda function:
{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "allow_config",
      "Effect": "Allow",
      "Principal": {
        "Service": "config.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "lambda-function-arn",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "AWS-accountID"
        }
      }
    }
  ]
}
To find more information about the error, review PutEvaluations events in your logs that have a User name value that matches the Lambda function name. Then, review the errorMessage for details.
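As an added example (not part of the original article), the following Python script performs the two CloudTrail reviews described here and under Review your Event history offline: it parses the JSON that aws cloudtrail lookup-events prints, lists config.amazonaws.com events with access-denied errors, and lists failed PutEvaluations calls whose user name (the role session name, which is the Lambda function name for a custom rule) matches a given function. The records, the function name ec2-tag-rule and the account ID are constructed sample data, not real identifiers.

```python
"""Triage CloudTrail Event history for AWS Config permission failures (offline)."""
import json

# Constructed sample of `aws cloudtrail lookup-events` JSON output; the account
# ID, role and function names are placeholders. lookup-events returns each raw
# record as a JSON string in the CloudTrailEvent field, so it is nested here too.
SAMPLE_LOOKUP_OUTPUT = json.dumps({"Events": [
    {"CloudTrailEvent": json.dumps({
        "eventTime": "2024-05-01T10:00:00Z", "eventSource": "config.amazonaws.com",
        "eventName": "PutEvaluations",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/ec2-tag-rule-role/ec2-tag-rule"},
        "errorCode": "AccessDenied",
        "errorMessage": "User: arn:aws:sts::111122223333:assumed-role/ec2-tag-rule-role/ec2-tag-rule "
                        "is not authorized to perform: config:PutEvaluations"})},
    {"CloudTrailEvent": json.dumps({
        "eventTime": "2024-05-01T10:05:00Z", "eventSource": "config.amazonaws.com",
        "eventName": "PutEvaluations",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/s3-rule-role/s3-rule"}})},
    {"CloudTrailEvent": json.dumps({
        "eventTime": "2024-05-01T10:10:00Z", "eventSource": "config.amazonaws.com",
        "eventName": "DescribeConfigRules",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "errorCode": "AccessDenied",
        "errorMessage": "User: arn:aws:iam::111122223333:user/alice is not authorized "
                        "to perform: config:DescribeConfigRules"})},
    {"CloudTrailEvent": json.dumps({
        "eventTime": "2024-05-01T10:15:00Z", "eventSource": "config.amazonaws.com",
        "eventName": "PutEvaluations",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/ec2-tag-rule-role/ec2-tag-rule"},
        "errorCode": "InvalidResultTokenException",
        "errorMessage": "Result Token is invalid"})},
]})


def parse_lookup_events(output_text):
    """Decode lookup-events output into a list of raw CloudTrail records."""
    return [json.loads(e["CloudTrailEvent"]) for e in json.loads(output_text).get("Events", [])]


def user_name(record):
    """Reproduce the console's 'User name' column: the role session name for an
    assumed role (the function name when Lambda assumed the role), else userName."""
    identity = record.get("userIdentity", {})
    if identity.get("type") == "AssumedRole":
        return identity.get("arn", "").rsplit("/", 1)[-1]
    return identity.get("userName", "")


def is_access_denied(record):
    """Match what a console search for 'Access denied' would surface."""
    code = record.get("errorCode", "").lower()
    message = record.get("errorMessage", "").lower()
    return "accessdenied" in code or "access denied" in message or "not authorized" in message


def access_denied_events(records, event_source="config.amazonaws.com"):
    """(eventTime, eventName, user name) for denied calls to the given event source."""
    return [(r["eventTime"], r["eventName"], user_name(r))
            for r in records if r.get("eventSource") == event_source and is_access_denied(r)]


def put_evaluations_errors(records, function_name):
    """(eventTime, errorCode, errorMessage) for failed PutEvaluations calls by one function."""
    return [(r["eventTime"], r["errorCode"], r.get("errorMessage", ""))
            for r in records
            if r.get("eventName") == "PutEvaluations" and "errorCode" in r
            and user_name(r) == function_name]


def triage(output_text, function_name):
    """Run both reviews over one lookup-events output."""
    records = parse_lookup_events(output_text)
    return {"access_denied": access_denied_events(records),
            "put_evaluations_errors": put_evaluations_errors(records, function_name)}


if __name__ == "__main__":
    # Live use: aws cloudtrail lookup-events --lookup-attributes \
    #   AttributeKey=EventSource,AttributeValue=config.amazonaws.com > events.json
    report = triage(SAMPLE_LOOKUP_OUTPUT, "ec2-tag-rule")
    for section, rows in report.items():
        print(section)
        for row in rows:
            print("  ", *row)
```

Against live data, save the lookup-events output to a file and pass its contents to triage. A PutEvaluations failure that is not an access-denied error (the InvalidResultTokenException in the sample) points at the function code, for example a stale or altered resultToken, rather than at permissions.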
If the Lambda function's resource-based policy doesn't allow config.amazonaws.com to invoke the function, then run the following add-permission command to add a statement like the preceding example:
aws lambda add-permission --function-name function_name --region RegionID --statement-id allow_config --action lambda:InvokeFunction --principal config.amazonaws.com --source-account AWS-accountID
Note: Replace function_name with your Lambda function name, RegionID with your Region, and AWS-accountID with your AWS account ID. The --source-account condition limits the grant to AWS Config acting on behalf of your account, so that AWS Config in another account can't invoke your function.
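To check an existing resource policy for this grant instead of reading it by eye, the following Python function (an added example, not code from the article or from AWS) walks the policy statements and reports whether config.amazonaws.com is allowed to call lambda:InvokeFunction on the function, whether the AWS:SourceAccount condition matches your account, and warns when that condition is missing, because without it AWS Config in any account could invoke the function. The function ARN and account ID in the generated sample policies are constructed placeholders. You can pass it the Policy field of aws lambda get-policy output, which is the policy document as a JSON string.

```python
"""Check whether a Lambda resource-based policy lets AWS Config invoke the function."""
import json

CONFIG_PRINCIPAL = "config.amazonaws.com"
INVOKE_ACTIONS = ("lambda:InvokeFunction", "lambda:*", "*")

# Constructed placeholders, not real identifiers.
FUNCTION_ARN = "arn:aws:lambda:us-east-1:111122223333:function:ec2-tag-rule"
ACCOUNT_ID = "111122223333"


def make_policy(source_account=ACCOUNT_ID, with_condition=True):
    """Build a policy in the shape of the article's example, optionally varying it."""
    statement = {
        "Sid": "allow_config", "Effect": "Allow",
        "Principal": {"Service": CONFIG_PRINCIPAL},
        "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
    }
    if with_condition:
        statement["Condition"] = {"StringEquals": {"AWS:SourceAccount": source_account}}
    return {"Version": "2012-10-17", "Id": "default", "Statement": [statement]}


def _as_list(value):
    """IAM policy fields may be a string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _source_accounts(statement):
    """AWS:SourceAccount values from a StringEquals condition (key case varies), or None."""
    for key, values in statement.get("Condition", {}).get("StringEquals", {}).items():
        if key.lower() == "aws:sourceaccount":
            return _as_list(values)
    return None


def config_can_invoke(policy, function_arn, account_id):
    """Evaluate a resource policy (dict, or the JSON string from `aws lambda get-policy`).
    Returns {"ok": bool, "warnings": [...], "reasons": [...]}: ok is True when an Allow
    statement grants lambda:InvokeFunction on function_arn to config.amazonaws.com and
    any AWS:SourceAccount condition matches account_id; warnings flag weak grants."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    result = {"ok": False, "warnings": [], "reasons": []}
    for st in _as_list(policy.get("Statement")):
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal", {})
        if st.get("Effect") != "Allow":
            continue
        if principal == "*":
            result["warnings"].append(f"{sid}: Principal is '*'; scope it to {CONFIG_PRINCIPAL}")
        elif not isinstance(principal, dict) or CONFIG_PRINCIPAL not in _as_list(principal.get("Service")):
            continue
        if not any(a in INVOKE_ACTIONS for a in _as_list(st.get("Action"))):
            result["reasons"].append(f"{sid}: Action does not include lambda:InvokeFunction")
            continue
        if not any(r in (function_arn, "*") for r in _as_list(st.get("Resource"))):
            result["reasons"].append(f"{sid}: Resource does not cover {function_arn}")
            continue
        accounts = _source_accounts(st)
        if accounts is None:
            result["warnings"].append(
                f"{sid}: no AWS:SourceAccount condition; AWS Config in any account could invoke the function")
        elif account_id not in accounts:
            result["reasons"].append(f"{sid}: AWS:SourceAccount {accounts} does not match {account_id}")
            continue
        result["ok"] = True
    if not result["ok"] and not result["reasons"]:
        result["reasons"].append(f"no Allow statement for {CONFIG_PRINCIPAL}")
    return result


if __name__ == "__main__":
    # Live use: aws lambda get-policy --function-name ec2-tag-rule, then pass the Policy field.
    for label, policy in [("correct", make_policy()),
                          ("wrong account", make_policy(source_account="444455556666")),
                          ("no condition", make_policy(with_condition=False))]:
        print(label, config_can_invoke(policy, FUNCTION_ARN, ACCOUNT_ID))
```

A result with ok set to False and a "does not match" reason is the case that looks correct in the console but still produces "Unable to execute lambda function": the statement exists, but the source account in its condition is not the account that AWS Config is calling from.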
If the resource policy and the execution role permissions are correct, then review the Lambda function code for raised exceptions. For more details, review the logs in the /aws/lambda/FunctionName Amazon CloudWatch log group that's associated with the Lambda function.
Note: To generate more debugging output, add print or logging statements to the Lambda code.
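The following Python handler is an added example of a custom rule function structured so that the failure modes described above are visible (it is not code from the article or an AWS sample). It evaluates a hypothetical rule, every AWS::EC2::Instance must carry the tags listed in a requiredTags rule parameter, fetches the full item with GetResourceConfigHistory when the change notification is oversized, reports deleted resources as NOT_APPLICABLE, and publishes the result with PutEvaluations without catching that call's errors, so a missing config:PutEvaluations permission surfaces as "Evaluations failed" and in the function's logs. The config client is injectable, so the RecordingConfigClient stand-in and the sample event let you run it offline; the instance ID, tags and parameters are constructed.

```python
"""Custom AWS Config rule handler that reports through PutEvaluations (added example)."""
import json
import logging

logger = logging.getLogger(__name__)
logger.setLevel(logging.INFO)

RULE_TYPE = "AWS::EC2::Instance"


def evaluate_compliance(configuration_item, rule_parameters):
    """Hypothetical rule: an EC2 instance must carry every tag named in the
    comma-separated 'requiredTags' parameter. Returns (ComplianceType, annotation)."""
    if configuration_item.get("resourceType") != RULE_TYPE:
        return "NOT_APPLICABLE", f"Rule only evaluates {RULE_TYPE}"
    required = [t.strip() for t in rule_parameters.get("requiredTags", "").split(",") if t.strip()]
    missing = [t for t in required if t not in (configuration_item.get("tags") or {})]
    if missing:
        return "NON_COMPLIANT", "Missing tags: " + ", ".join(missing)
    return "COMPLIANT", "All required tags present"


def get_configuration_item(invoking_event, config_client):
    """Return the configuration item behind a change notification. An oversized
    notification carries only a summary, so fetch the latest item with
    GetResourceConfigHistory (the execution role then also needs that permission)."""
    message_type = invoking_event.get("messageType")
    if message_type == "ConfigurationItemChangeNotification":
        return invoking_event["configurationItem"]
    if message_type == "OversizedConfigurationItemChangeNotification":
        summary = invoking_event["configurationItemSummary"]
        history = config_client.get_resource_config_history(
            resourceType=summary["resourceType"], resourceId=summary["resourceId"], limit=1)
        return history["configurationItems"][0]
    raise ValueError(f"Unsupported messageType: {message_type}")


def build_evaluation(configuration_item, rule_parameters):
    """One PutEvaluations entry. Deleted resources report NOT_APPLICABLE so that
    stale compliance results for them are cleared instead of lingering."""
    if configuration_item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        compliance, annotation = "NOT_APPLICABLE", "Resource deleted"
    else:
        compliance, annotation = evaluate_compliance(configuration_item, rule_parameters)
    return {
        "ComplianceResourceType": configuration_item["resourceType"],
        "ComplianceResourceId": configuration_item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # PutEvaluations caps Annotation at 256 characters
        "OrderingTimestamp": configuration_item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context, config_client=None):
    """Lambda entry point. config_client is injectable so the handler runs offline;
    inside Lambda it defaults to boto3's config client."""
    if config_client is None:
        import boto3  # imported lazily so the module also loads where boto3 is absent
        config_client = boto3.client("config")
    invoking_event = json.loads(event["invokingEvent"])
    rule_parameters = json.loads(event.get("ruleParameters") or "{}")
    evaluation = build_evaluation(get_configuration_item(invoking_event, config_client), rule_parameters)
    logger.info("%s -> %s (%s)", evaluation["ComplianceResourceId"],
                evaluation["ComplianceType"], evaluation["Annotation"])
    # Do not swallow errors here: an AccessDenied on PutEvaluations (execution role lacks
    # config:PutEvaluations) should surface as "Evaluations failed" and in the function's logs.
    config_client.put_evaluations(
        Evaluations=[evaluation],
        ResultToken=event["resultToken"],
        TestMode=event["resultToken"] == "TESTMODE",  # the console test event uses this token
    )
    return evaluation


class RecordingConfigClient:
    """Offline stand-in for boto3's config client (not an AWS class); records calls."""
    def __init__(self, history_item=None):
        self.calls, self.history_item = [], history_item

    def put_evaluations(self, **kwargs):
        self.calls.append(kwargs)
        return {"FailedEvaluations": []}

    def get_resource_config_history(self, **kwargs):
        return {"configurationItems": [self.history_item]}


# Constructed configuration item and rule event; the instance ID and tags are placeholders.
SAMPLE_ITEM = {"resourceType": RULE_TYPE, "resourceId": "i-0123456789abcdef0",
               "configurationItemStatus": "OK",
               "configurationItemCaptureTime": "2024-05-01T10:00:00.000Z",
               "tags": {"Owner": "security"}}
SAMPLE_EVENT = {"invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification",
                                             "configurationItem": SAMPLE_ITEM}),
                "ruleParameters": json.dumps({"requiredTags": "Owner,CostCenter"}),
                "resultToken": "TESTMODE"}

if __name__ == "__main__":
    client = RecordingConfigClient()
    print(lambda_handler(SAMPLE_EVENT, None, config_client=client))
    print("PutEvaluations called with:", client.calls[0])
```

When you deploy a handler like this, the execution role needs config:PutEvaluations and, because of the oversized-notification path, config:GetResourceConfigHistory; the resource-based policy from the previous section is a separate grant that lets AWS Config call the function in the first place.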
Related information
Why can't I create or delete config rules for AWS Organizations in AWS Config?