I created an AWS Config managed rule with required-tags to check for specific resources. However, the required-tags rule is still "Evaluating" resources or reporting unexpected results.
Resolution
When you create, edit, or troubleshoot AWS Config rules, such as required-tags, take the following actions:
- Set up the AWS Config configuration recorder in the same AWS Region as the AWS Config rule and the resources that you're evaluating.
- AWS Config rules, such as required-tags, typically return results in 20 minutes or less. Because of downstream dependencies, results vary depending on the service or resource type.
- If you set the AWS Config rule's Scope of changes to Resources, then verify that the resource type is specified for the scope.
- If you set the AWS Config rule's Scope of changes to Tags, then you must tag a supported resource with the relevant tag key.
- Verify that the AWS_ConfigRole managed policy is attached to the AWS Identity and Access Management (IAM) role that's assigned to AWS Config. For more information, see IAM role policy for getting configuration details.
- When you set up AWS Config to record a resource with its own access policy, verify that the policy allows configuration recording. For more information specific to Amazon Simple Storage Service (Amazon S3), see Managing permissions for S3 bucket recording.
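The checklist above can be run offline against saved API responses. The following is an added example, not AWS's own code: the function name `diagnose`, its parameters, and all sample data are assumptions, and each argument mirrors the response shape of the boto3 call named in the docstring.

```python
# Added example: checklist run offline over constructed API responses.
MANAGED_POLICY = "AWS_ConfigRole"  # managed policy named in the checklist

def diagnose(rule, recorder_status, recorder_region, attached_policies,
             resource_type, resource_tags):
    """Return findings explaining why required-tags may skip a resource.

    rule              -- one item of config.describe_config_rules()["ConfigRules"]
    recorder_status   -- config.describe_configuration_recorder_status()
                         ["ConfigurationRecordersStatus"], queried in recorder_region
    attached_policies -- iam.list_attached_role_policies()["AttachedPolicies"]
    resource_tags     -- dict of tag key to value on the resource being checked
    """
    findings = []
    rule_region = rule["ConfigRuleArn"].split(":")[3]  # arn:aws:config:<region>:...
    if rule_region != recorder_region:
        findings.append(f"recorder checked in {recorder_region}, rule is in {rule_region}")
    if not any(s.get("recording") for s in recorder_status):
        findings.append(f"no configuration recorder is recording in {recorder_region}")
    scope = rule.get("Scope", {})
    types = scope.get("ComplianceResourceTypes", [])
    if types and resource_type not in types:       # Scope of changes: Resources
        findings.append(f"{resource_type} is not in the rule's resource scope")
    tag_key = scope.get("TagKey")
    if tag_key and tag_key not in resource_tags:   # Scope of changes: Tags
        findings.append(f"resource lacks scope tag key {tag_key!r}")
    if MANAGED_POLICY not in {p["PolicyName"] for p in attached_policies}:
        findings.append(f"{MANAGED_POLICY} is not attached to the AWS Config role")
    return findings

# Constructed sample data (account ID, rule ID, and tags are placeholders).
SAMPLE_RULE = {
    "ConfigRuleName": "required-tags",
    "ConfigRuleArn": "arn:aws:config:us-east-1:111122223333:config-rule/config-rule-example",
    "Source": {"Owner": "AWS", "SourceIdentifier": "REQUIRED_TAGS"},
    "Scope": {"ComplianceResourceTypes": ["AWS::EC2::Instance"]},
}
SAMPLE_STATUS = [{"name": "default", "recording": False}]
SAMPLE_POLICIES = [{"PolicyName": "ReadOnlyAccess",
                    "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}]

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_RULE, SAMPLE_STATUS, "us-west-2", SAMPLE_POLICIES,
                            "AWS::S3::Bucket", {"Owner": "team-a"}):
        print("-", finding)
```

An empty list means none of the checklist conditions covered here explains the missing evaluation; resource-level access policies, such as S3 bucket policies, are not inspected.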
Related information
How can I troubleshoot AWS Config console error messages?
How can I be notified when an AWS resource is non-compliant using AWS Config?