Exclude resources from AWS Config Managed rules?

Question

I've been searching for a way to exclude resources from AWS Config managed rules for backup plans but so far to no avail.
I'm governing multiple accounts and to see if they have backup plan on resources i have attached the "resources protected by backup plan" rules that do exist (e.g., https://docs.aws.amazon.com/config/latest/developerguide/aurora-resources-protected-by-backup-plan.html).

The rules will be in NON-COMPLIANT state if they have no backup plan attached, but some resources we do not want to backup. The rule is good to have if we add resources but accidently forget to attach a backup plan- but I would also like the account owners to have the possibility to actively "allow-list" a resource so the rule can be COMPLIANT.

There is two parameters for these rules: "resourceTags" and "resourceId", but with these it's only possible to include resources for the rule. What I would like is the opposite, something like "excludeResourceTags" and "excludeResourceId". That would make it possible to give the account owners the possibility to keep the rule in COMPLIANT state, but we wouldn't miss backups for resources where we need it.

Any suggestions are welcomed!

Answer

We are really sorry but excluding resources is currently not possible. I suggest that you reach out to your AWS contact person and raise this demand so that it gets properly tracked.

Depending on your development appetite you may want to have a look at the AWS Rules Development Kit for creating a custom config rule based on the examples in the awslabs github repository: https://github.com/awslabs/aws-config-rules

As you can pass own parameters to your custom config rule you could specify a specific tag name. You can protect this tag via Service Control Policies in AWS Organizations to make sure that not everyone can put their resources on the exclude list.

Exclude resources from AWS Config Managed rules?

Relevant content