My AWS Config rule isn't working. How can I troubleshoot this issue?
Resolution
Various issues can cause managed AWS Config rules to not work, including permissions, resource scope, or configuration change items. To resolve AWS Config rules that don't work, try the following troubleshooting steps.
Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you're using the most recent version of the AWS CLI.
General AWS Config rule troubleshooting
- Verify that your configuration recorder is recording all of the resource types that your rule requires (for example, AWS::EC2::Instance).
- Open the AWS Config console , and then choose Rules from the navigation pane. If the Compliance field indicates No results reported or No resources in scope, see step 8 of Setting up and activating an AWS managed rule.
- If an evaluation time isn't reported and indicates Evaluations failed, review the PutEvaluations API call in AWS CloudTrail Logs for reported errors.
- Open the AWS CloudTrail console , and then choose Event history from the navigation pane. To filter the logs, choose Event source from the dropdown, and enter config.amazonaws.com in the search field. Review the filtered log results for Access Denied errors.
- For periodic trigger AWS Config rules, access the CloudTrail console Event history dashboard to verify the relevant service APIs on the resource.
- Review specific resource configuration and compliance timelines. Confirm that a configuration item generated to reflect the change to the AWS Config rules with a configuration change-based trigger.
- Confirm that the recorder role permissions requirements are met. These credentials are used to describe the resource configuration and publishing compliance using the PutEvaluations API.
- Run the following AWS CLI command. Replace ConfigRuleName with your AWS Config rule name, and replace RegionID with your AWS Region. From the output, review the LastErrorMessage value.
aws configservice describe-config-rule-evaluation-status --config-rule-names ConfigRuleName --region RegionID
Custom AWS Config rule troubleshooting
For custom AWS Config rules, in addition to the preceding general troubleshooting steps, verify the following:
An "Unable to execute lambda function" error message indicates that the AWS Config service doesn't have permission to invoke the AWS Lambda function. To resolve this error, run the following command to grant the required permissions. Replace function_name with your Lambda function name, RegionID with your AWS Region, and AWS-accountID with your AWS account ID:
aws lambda add-permission --function-name function_name --region RegionID --statement-id allow_config --action lambda:InvokeFunction --principal config.amazonaws.com --source-account AWS-accountID
The following is an example resource policy of the Lambda function:
{
"Version": "2012-10-17",
"Id": "default",
"Statement": [
{
"Sid": "allow_config",
"Effect": "Allow",
"Principal": {
"Service": "config.amazonaws.com"
},
"Action": "lambda:InvokeFunction",
"Resource": "lambda-function-arn",
"Condition": {
"StringEquals": {
"AWS:SourceAccount": "AWS-accountID"
}
}
}
]
}
Identify the PutEvaluations event that has a User name value matching the Lambda function name. Review the errorMessage for details.
- If the role that the Lambda function uses to run the code isn't authorized to perform config:PutEvaluations, then add the permissions to the specified role.
- If the permissions are correct, review the Lambda function code for any raised exceptions. For more details, review the logs in the Amazon CloudWatch log group (/aws/lambda/FunctionName) associated with the Lambda function. Add a print statement in the code to generate more debugging logs.
Related information
Why can't I create or delete organization config rules?