Exclude resources from AWS Config Managed rules?
I've been searching for a way to exclude resources from AWS Config managed rules for backup plans but so far to no avail. I'm governing multiple accounts and to see if they have backup plan on resources i have attached the "resources protected by backup plan" rules that do exist (e.g., https://docs.aws.amazon.com/config/latest/developerguide/aurora-resources-protected-by-backup-plan.html).
The rules will be in NON-COMPLIANT state if they have no backup plan attached, but some resources we do not want to backup. The rule is good to have if we add resources but accidently forget to attach a backup plan- but I would also like the account owners to have the possibility to actively "allow-list" a resource so the rule can be COMPLIANT.
There is two parameters for these rules: "resourceTags" and "resourceId", but with these it's only possible to include resources for the rule. What I would like is the opposite, something like "excludeResourceTags" and "excludeResourceId". That would make it possible to give the account owners the possibility to keep the rule in COMPLIANT state, but we wouldn't miss backups for resources where we need it.
Any suggestions are welcomed!
We are really sorry but excluding resources is currently not possible. I suggest that you reach out to your AWS contact person and raise this demand so that it gets properly tracked.
Depending on your development appetite you may want to have a look at the AWS Rules Development Kit for creating a custom config rule based on the examples in the awslabs github repository: https://github.com/awslabs/aws-config-rules
As you can pass own parameters to your custom config rule you could specify a specific tag name. You can protect this tag via Service Control Policies in AWS Organizations to make sure that not everyone can put their resources on the exclude list.
Relevant questions
AWS backups conformance reports are empty
asked 4 months agoAWS Config Rule 'iam-user-unused-credentials-check' Not Evaluating
asked 3 months agoHow to exclude the specific rules in AWS Managed Rule group with CloudFormation
Accepted Answerasked 3 months agoAWS Backup - AWS Organizations
Accepted Answerasked 3 months agoExclude resources from AWS Config Managed rules?
asked 5 months agoAWS Config : Accessing AWS Config NonComplaint rules and resources
Accepted Answerasked 3 months ago*-in-backup-plan vs *-resources-protected-by-backup plan managed config rules
asked 4 months agoAre the AWS Config Managed Rules open source?
Accepted Answerasked 5 months agoAlarm for resource created without tag
asked a month agoHow to turn off AWS Config and reduce cost?
Accepted Answerasked 4 months ago