AWS Config Rules (Amazon Web Services Config Rules) is a service that allows an IT administrator to set desired guidelines for creating and configuring AWS resources. The administrator can govern and monitor AWS cloud resources through AWS Config Rules, which extends the functionality of AWS Config.
AWS Config Rules continuously monitors resources and supplies a dashboard to ensure compliance with designated rules. This monitoring tool enables an admin to pinpoint how and when a resource went out of compliance in order to assess overall risk.
AWS Config Rules allows an administrator to choose from sets of pre-built rules that apply common best practices, or to apply custom rules. AWS managed rules require admins to supply a few basic configuration parameters, and the service handles the rest of the configuration. An admin can build and define custom rules, which can invoke AWS Lambda functions. AWS Config Rules limits an admin to 25 rules per account.
Rules exist as either change-triggered or periodic rules. Change-triggered rules run when a configuration change is recorded to a specified resource. Periodic rules trigger at specified intervals, such as hourly or daily, and evaluate snapshots of the resources' Configuration Items -- metadata, attributes, relationships, configurations and events.
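As an added example (not from the original article), the following Python Lambda handler logic shows the shape of a change-triggered custom rule: it reads the configuration item AWS Config delivers, judges a security group against a hypothetical `blockedPort` rule parameter, and returns the evaluation that would be sent back with PutEvaluations. The event, security group id and result token are constructed for the example; a periodic (ScheduledNotification) invocation and a deleted resource are handled as the edge cases they are.

```python
import json

# Constructed sample of the event AWS Config hands a change-triggered custom
# rule; the security group id, capture time and result token are made up.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0123456789abcdef0",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configurationItemStatus": "OK",
            "configuration": {"ipPermissions": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": ["0.0.0.0/0"]}]},
        },
    }),
    "ruleParameters": json.dumps({"blockedPort": "22"}),  # hypothetical parameter
    "resultToken": "constructed-result-token",
}

def evaluate_security_group(configuration, params):
    """COMPLIANT unless an ingress rule exposes the blocked port to 0.0.0.0/0."""
    blocked = int(params.get("blockedPort", 22))
    for perm in configuration.get("ipPermissions", []):
        if "0.0.0.0/0" not in perm.get("ipRanges", []):
            continue
        all_traffic = perm.get("ipProtocol") == "-1"  # "-1" has no port range
        if all_traffic or perm.get("fromPort", -1) <= blocked <= perm.get("toPort", -1):
            return "NON_COMPLIANT"
    return "COMPLIANT"

def build_evaluation(event):
    """Build the Evaluation dict for PutEvaluations (the boto3 call itself is left
    out so this runs offline; in Lambda pass event["resultToken"] with it)."""
    invoking = json.loads(event["invokingEvent"])
    if invoking["messageType"] != "ConfigurationItemChangeNotification":
        return None  # periodic (ScheduledNotification) runs carry no item
    item = invoking["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    if item["configurationItemStatus"] in ("ResourceDeleted", "ResourceNotRecorded"):
        compliance = "NOT_APPLICABLE"  # nothing left to judge
    else:
        compliance = evaluate_security_group(item["configuration"], params)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
```

Remediation is deliberately absent: as the article notes, a rule only reports compliance, and closing the port is a separate administrative action.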
The AWS Config Rules service does not snap resources back into compliance; an administrator must handle that task. AWS Config Rules does not limit how an end user interacts with services, which means an admin must turn to an additional service to limit access to resources, such as defining roles through AWS Identity and Access Management (IAM).