My AWS Config rule isn't working. How can I troubleshoot this issue?
Various issues can cause managed AWS Config rules to not work, including permissions, resource scope, or configuration change items. To resolve AWS Config rules that don't work, try the following troubleshooting steps.
If no evaluation time is reported and the rule's status indicates Evaluations failed, review the PutEvaluations API calls in AWS CloudTrail logs for reported errors.
Open the AWS CloudTrail console, and then choose Event history from the navigation pane. To filter the logs, choose Event source from the dropdown, and enter config.amazonaws.com in the search field. Review the filtered log results for Access Denied errors.
For periodic-trigger AWS Config rules, use the CloudTrail console Event history dashboard to verify the relevant service API calls made against the resource.
For custom AWS Config rules, in addition to the preceding general troubleshooting steps, verify the following:
An "Unable to execute lambda function" error message indicates that the AWS Config service doesn't have permission to invoke the AWS Lambda function. To resolve this error, run the following command to grant the required permissions. Replace function_name with your Lambda function name, RegionID with your AWS Region, and AWS-accountID with your AWS account ID:
Identify the PutEvaluations event that has a User name value matching the Lambda function name. Review the errorMessage for details.
If the role that the Lambda function uses to run the code isn't authorized to perform config:PutEvaluations, then add the permissions to the specified role.
If the permissions are correct, review the Lambda function code for any raised exceptions. For more details, review the logs in the Amazon CloudWatch log group (/aws/lambda/FunctionName) associated with the Lambda function. Add a print statement in the code to generate more debugging logs.
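As an added illustration, not part of the AWS article, the following Python script applies the checks above offline: it filters constructed CloudTrail records the way the console filter does (event source config.amazonaws.com, failed PutEvaluations calls, user name matching the Lambda function) and inspects a constructed Lambda resource policy for the statement that lets config.amazonaws.com invoke the function. All account IDs, function, role and policy values are placeholders.

```python
import json

# Constructed sample CloudTrail records (placeholder account, role and
# function names); the record shape follows CloudTrail's event format.
SAMPLE_EVENTS = [
    {"eventSource": "config.amazonaws.com", "eventName": "PutEvaluations",
     "userIdentity": {"userName": "my-rule-fn"}, "errorCode": "AccessDenied",
     "errorMessage": "User: arn:aws:sts::111122223333:assumed-role/my-rule-role/"
                     "my-rule-fn is not authorized to perform: config:PutEvaluations"},
    {"eventSource": "config.amazonaws.com", "eventName": "PutEvaluations",
     "userIdentity": {"userName": "other-fn"}},
    {"eventSource": "config.amazonaws.com", "eventName": "DescribeConfigRules",
     "userIdentity": {"userName": "alice"}, "errorCode": "AccessDenied",
     "errorMessage": "not authorized to perform: config:DescribeConfigRules"},
]

# Constructed Lambda resource-based policy in the shape of the "Policy" string
# returned by `aws lambda get-policy`; this one lacks a config.amazonaws.com grant.
SAMPLE_LAMBDA_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "events.amazonaws.com"},
     "Action": "lambda:InvokeFunction",
     "Resource": "arn:aws:lambda:us-east-1:111122223333:function:my-rule-fn"}]})


def put_evaluations_errors(events, function_name):
    """Failed PutEvaluations calls under event source config.amazonaws.com.
    Returns (user, errorCode, errorMessage, role_missing_put_evaluations);
    the last field is True when the caller is the rule's Lambda function and
    the error names config:PutEvaluations, i.e. the execution role lacks it."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "config.amazonaws.com" or not ev.get("errorCode"):
            continue
        if ev.get("eventName") != "PutEvaluations":
            continue
        user = ev.get("userIdentity", {}).get("userName", "")
        msg = ev.get("errorMessage", "")
        role_gap = user == function_name and "config:PutEvaluations" in msg
        findings.append((user, ev["errorCode"], msg, role_gap))
    return findings


def config_may_invoke(policy_json):
    """True if the resource policy lets config.amazonaws.com invoke the function
    (the statement that granting invoke permission to AWS Config creates)."""
    for st in json.loads(policy_json).get("Statement", []):
        principal = st.get("Principal", {})
        svc = principal.get("Service", []) if isinstance(principal, dict) else []
        svcs = [svc] if isinstance(svc, str) else svc
        acts = st.get("Action", [])
        acts = [acts] if isinstance(acts, str) else acts
        if st.get("Effect") == "Allow" and "config.amazonaws.com" in svcs \
           and ("lambda:InvokeFunction" in acts or "lambda:*" in acts):
            return True
    return False


if __name__ == "__main__":
    for finding in put_evaluations_errors(SAMPLE_EVENTS, "my-rule-fn"):
        print(finding)
    print("config.amazonaws.com may invoke:", config_may_invoke(SAMPLE_LAMBDA_POLICY))
```

With the sample data the script reports one failed PutEvaluations call attributable to the missing config:PutEvaluations role permission, and reports that AWS Config is not yet allowed to invoke the function.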