Exclude resources from AWS Config Managed rules?

1

I've been searching for a way to exclude resources from AWS Config managed rules for backup plans but so far to no avail. I'm governing multiple accounts and, to see if they have a backup plan on resources, I have attached the "resources protected by backup plan" rules that do exist (e.g., https://docs.aws.amazon.com/config/latest/developerguide/aurora-resources-protected-by-backup-plan.html).

The rules will be in NON-COMPLIANT state if they have no backup plan attached, but some resources we do not want to back up. The rule is good to have if we add resources but accidentally forget to attach a backup plan, but I would also like the account owners to have the possibility to actively "allow-list" a resource so the rule can be COMPLIANT.

There are two parameters for these rules: "resourceTags" and "resourceId", but with these it's only possible to include resources for the rule. What I would like is the opposite, something like "excludeResourceTags" and "excludeResourceId". That would make it possible to give the account owners the possibility to keep the rule in COMPLIANT state, but we wouldn't miss backups for resources where we need them.

Any suggestions are welcome!

2 Answers
0

We are really sorry but excluding resources is currently not possible. I suggest that you reach out to your AWS contact person and raise this demand so that it gets properly tracked.

Depending on your development appetite you may want to have a look at the AWS Rules Development Kit for creating a custom config rule based on the examples in the awslabs github repository: https://github.com/awslabs/aws-config-rules

As you can pass your own parameters to your custom config rule, you could specify a specific tag name. You can protect this tag via Service Control Policies in AWS Organizations to make sure that not everyone can put their resources on the exclude list.

EXPERT
answered 3 years ago
  • Duplicating a managed rule and having to maintain and keep it in sync with upstream changes/improvements is not a workable solution. Is AWS Config another AWS product that's going to be on the chopping block? Because I can't see how anyone can seriously use this without being able to selectively exclude individual resources by ARN in AWS managed rules and rules from conformance packs.
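A sketch of the custom-rule approach from the answer above, as an added example that is not from the question, the answer or the awslabs repository: the rule evaluates one configuration item, reports resources that carry an operator-chosen exclude tag as NOT_APPLICABLE (so they never turn the rule NON_COMPLIANT), and otherwise checks the resource ARN against the set of resources a backup plan protects. The parameter names excludeTagKey/excludeTagValue, the sample configuration items and the hard-coded protected-ARN set are assumptions; a deployed rule would fill that set from the AWS Backup API and report results with put_evaluations, and the SCP from the answer is what stops anyone from adding the tag themselves.

```python
import json

# Constructed sample configuration items, shaped like the configurationItem
# that AWS Config hands a custom rule (only the fields used here).
SAMPLE_ITEMS = [
    {"resourceType": "AWS::RDS::DBCluster", "resourceId": "cluster-a",
     "ARN": "arn:aws:rds:eu-west-1:111111111111:cluster:cluster-a",
     "tags": {"Environment": "prod"}},
    {"resourceType": "AWS::RDS::DBCluster", "resourceId": "cluster-b",
     "ARN": "arn:aws:rds:eu-west-1:111111111111:cluster:cluster-b",
     "tags": {"Environment": "dev", "BackupExempt": "true"}},
    {"resourceType": "AWS::RDS::DBCluster", "resourceId": "cluster-c",
     "ARN": "arn:aws:rds:eu-west-1:111111111111:cluster:cluster-c",
     "tags": {}},
]

# Constructed stand-in for the ARNs that AWS Backup reports as protected by a
# backup plan; a deployed rule would query AWS Backup instead of hard-coding.
PROTECTED_ARNS = {"arn:aws:rds:eu-west-1:111111111111:cluster:cluster-a"}


def evaluate_compliance(item, rule_parameters, protected_arns):
    """Compliance type for one configuration item.

    excludeTagKey / excludeTagValue are hypothetical rule parameters naming
    the allow-list tag. A resource carrying that tag is NOT_APPLICABLE;
    every other resource is COMPLIANT only if its ARN is under a backup plan.
    """
    exclude_key = rule_parameters.get("excludeTagKey", "BackupExempt")
    exclude_value = rule_parameters.get("excludeTagValue", "true")
    tags = item.get("tags") or {}
    if tags.get(exclude_key, "").lower() == exclude_value.lower():
        return "NOT_APPLICABLE"
    return "COMPLIANT" if item["ARN"] in protected_arns else "NON_COMPLIANT"


def evaluate_all(items, rule_parameters, protected_arns):
    """resourceId -> compliance type for a batch of items (periodic trigger)."""
    return {i["resourceId"]: evaluate_compliance(i, rule_parameters, protected_arns)
            for i in items}


def lambda_handler(event, context):
    """Entry point in the shape AWS Config invokes a custom rule with.

    Returns the compliance type; a real rule would wrap it in an Evaluation
    and send it to config.put_evaluations with event["resultToken"].
    """
    params = json.loads(event.get("ruleParameters") or "{}")
    item = json.loads(event["invokingEvent"])["configurationItem"]
    return evaluate_compliance(item, params, PROTECTED_ARNS)
```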

-1
  • This is not what the OP is asking for. The desire is to be able to exclude individual resources, not entire resource types.
