---
title: "Using AWS config rules to manage resource tag compliance"
page_name: "Using AWS Config Rules to Manage Resource Tag Compliance"
type: "blog"
slug: "aws-config-rules"
published_at: "2018-03-27"
modified_at: "2025-05-09"
url: "https://www.sumologic.com/blog/aws-config-rules"
canonical: "https://www.sumologic.com/blog/aws-config-rules"
markdown_url: "https://www.sumologic.com/blog/aws-config-rules.md"
lang: "en"
excerpt: "Learn about AWS Config and AWS Config Rules, and how to implement them."
taxonomy_blog_category:
  - "AWS"
  - "Compliance"
  - "DevOps & IT Operations"
  - "SecOps & Security"
---


# Using AWS Config Rules to Manage Resource Tag Compliance

[Mike Mackrory](#blog-author-block-227)

March 27, 2018


Amazon Web Services (AWS) introduced AWS Config in 2014 to help users of its services track changes to the configuration of EC2 instances and other AWS resources. This offering was further enhanced in the following years with the introduction of AWS Config Rules. AWS Config Rules allow the user to evaluate and respond to configuration changes in an automated manner.

In this article, we’re going to take a quick look at both AWS Config and AWS Config Rules, and how to implement them. As a case study, we’re going to look at setting up a rule to manage compliance with required tagging standards. The ease with which an engineer can create, provision and update resources within the AWS environment is hugely beneficial, but can become a compliance management nightmare for those who are responsible for the AWS configuration management. Tagging standards compliance is just one example of how AWS Config Rules can be leveraged to support those responsible for governance.

## **What is AWS Config and How Do I Enable It?**

AWS Config is a service which provides the user with an inventory of AWS Resources in their account and a history of configuration changes to those resources. To enable AWS Config for your account, log in to your AWS Console and navigate to the [Config Dashboard](https://console.aws.amazon.com/config/home).

Figure 1: AWS Config Dashboard

You configure the settings for AWS Config at the region level. The easiest way to set this up is to click on the Get started button. The initial configuration steps require you to select:

- The resources you would like to monitor
- An S3 bucket in which to store configuration history and snapshot files
- Whether you would like to stream configuration changes to an SNS topic (a checkbox)
- An IAM role to grant AWS Config read-only access to your resources

Figure 2: AWS Config Settings

I used the default settings for AWS Config in my account and then clicked **Next** to move on to the rules. Let’s look at what AWS Config Rules are and how they work before we look at configuring the rules.

## **How Do AWS Config Rules Work?**

AWS Config Rules can be created or added to AWS Config to evaluate the configuration of your AWS resources. There are currently 25 rules which can be added to your AWS Config, ranging from validating that your ELB-enabled ASGs are using ELB health checks to validating whether you have activated Auto Scaling on your DynamoDB tables. We’ll be implementing a rule called **required-tags**. This rule allows the user to specify required tags for particular resource types. For our example, we’ll be looking for CostCenter, Team, and Application.

Figure 3: Selecting from Preconfigured AWS Config Rules

If the rule you would like to implement is not included in the collection of preconfigured rules, click on **Skip** to jump to the **Review** step. You can learn more about creating a custom AWS Config Rule in the AWS Documentation for [Developing Custom Rules for AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules.html). The rule we’ll be implementing is ***required-tags***, so type *required-tags* into the filter and hit Enter.

The required-tags rule allows you to specify:

- Which resources you would like to run the rule against
- Whether you want to execute the rule periodically, or each time a change is introduced.
- Rule parameters, which in this case are a list of required tags, and optional values.

I selected **Configuration changes** as my trigger, left the default list of **Resources**, and added *Team* and *Application* to the list of required tags. Click **Save** to add another rule, or to save the configuration and review your specifications before saving them.
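To make the rule's parameters concrete, the following added example (not AWS's code and not part of the original article) models a required-tags style check locally. It assumes the managed rule's `tagNKey`/`tagNValue` parameter naming and case-sensitive key matching; the allowed `Team` values and the resources are constructed sample data.

```python
RULE_PARAMS = {  # constructed parameters in the managed rule's tagNKey/tagNValue shape
    "tag1Key": "CostCenter",
    "tag2Key": "Team",
    "tag2Value": "platform,security",   # optional comma-separated allow-list
    "tag3Key": "Application",
}


def parse_required_tags(params):
    """Turn tagNKey/tagNValue pairs into {key: allowed_values or None}."""
    required = {}
    for n in range(1, 7):                      # the rule accepts up to six tags
        key = params.get(f"tag{n}Key")
        if not key:
            continue
        raw = params.get(f"tag{n}Value", "")
        allowed = {v.strip() for v in raw.split(",") if v.strip()}
        required[key] = allowed or None        # None means any value passes
    return required


def evaluate(resource, required):
    """Return (compliance_type, annotation) for one resource's tags."""
    tags = resource.get("tags") or {}
    problems = []
    for key, allowed in required.items():
        if key not in tags:                    # assumption: keys are case-sensitive
            problems.append(f"missing {key}")
        elif allowed is not None and tags[key] not in allowed:
            problems.append(f"{key}={tags[key]!r} not allowed")
    if problems:
        return "NON_COMPLIANT", "; ".join(problems)
    return "COMPLIANT", ""


SAMPLE_RESOURCES = [  # constructed inventory
    {"id": "i-0aaa", "tags": {"CostCenter": "1234", "Team": "platform", "Application": "billing"}},
    {"id": "i-0bbb", "tags": {"costcenter": "1234", "Team": "platform", "Application": "billing"}},
    {"id": "i-0ccc", "tags": {"CostCenter": "1234", "Team": "marketing", "Application": "web"}},
    {"id": "vol-0ddd", "tags": {}},
]

if __name__ == "__main__":
    required = parse_required_tags(RULE_PARAMS)
    for res in SAMPLE_RESOURCES:
        print(res["id"], *evaluate(res, required))
```

The second resource fails only because its key is spelled `costcenter`, which is the kind of drift a tagging standard needs to catch.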

Once you have reviewed your configuration and saved it, AWS will begin to index your resources. After a few minutes, your dashboard should look similar to the one shown below.

Figure 4: AWS Config Dashboard with Indexed Resources

## **Responding to the Rule Violations and Staying Current On Changes**

When you add a new AWS Config Rule and save the configuration, AWS automatically evaluates your environment based on the rule. From the list of **Noncompliant rules**, you can click on the rule and view a list of resources for which the rule failed. In our case, we’ll want to ensure that each of those resources has the required tags, and then click on **Re-evaluate** to recheck our environment.

Figure 5: Resources Out of Compliance with the Required Tag Rule

Once you have everything compliant, you’ll want to ensure that resources remain in compliance. You may recall that we configured an SNS topic during the configuration of our Rules. Let’s set up an email subscription to the topic so we can be notified about configuration changes as they are introduced. Depending on the size of your environment, you may want to investigate different ways of consuming and responding to the topic so that you don’t inundate your inbox with compliance-related emails.

Navigate to the [SNS Dashboard](https://console.aws.amazon.com/sns) in your account. If you click on the **Topics** section, you should see ***config-topic*** in the list of topics. Check the box next to ***config-topic*** and then click on the **Actions** drop-down and choose **Subscribe to topic**.

In the protocol input field, select **Email** and then enter your email address in the **Endpoint** field. You’ll receive an email to confirm the subscription, and then subsequent emails each time changes are introduced to the environment, and the rules are executed.
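As one alternative to reading every email, the added example below (not from the original article) sketches a consumer that keeps only the notifications where a resource newly fails the required-tags rule. It assumes a non-email subscriber receives the SNS envelope with the AWS Config notification as JSON in `Message`; the deliveries are constructed and trimmed to the fields the filter reads.

```python
import json

RULE_NAME = "required-tags"


def envelope(body):
    """Wrap a notification body the way SNS delivers it: JSON text in 'Message'."""
    return {"Type": "Notification", "Message": json.dumps(body)}


def compliance_change(resource_id, old, new, rule=RULE_NAME):
    """Build a trimmed, constructed ComplianceChangeNotification."""
    return envelope({
        "messageType": "ComplianceChangeNotification",
        "configRuleName": rule,
        "resourceType": "AWS::EC2::Instance",
        "resourceId": resource_id,
        "oldEvaluationResult": {"complianceType": old} if old else None,
        "newEvaluationResult": {"complianceType": new},
    })


SAMPLE_DELIVERIES = [  # constructed sample traffic
    envelope({"messageType": "ConfigurationItemChangeNotification"}),
    compliance_change("i-0aaa", "COMPLIANT", "NON_COMPLIANT"),
    compliance_change("i-0bbb", "NON_COMPLIANT", "COMPLIANT"),   # remediated
    compliance_change("i-0ccc", None, "NON_COMPLIANT"),          # first evaluation
    compliance_change("i-0ddd", "COMPLIANT", "NON_COMPLIANT", rule="another-rule"),
    {"Type": "Notification", "Message": "not json"},             # malformed body
]


def new_tag_violations(deliveries, rule_name=RULE_NAME):
    """Return (resourceType, resourceId) for resources that just became non-compliant."""
    alerts = []
    for delivery in deliveries:
        try:
            msg = json.loads(delivery.get("Message", ""))
        except (TypeError, ValueError):
            continue                                   # skip unparseable bodies
        if not isinstance(msg, dict) or msg.get("messageType") != "ComplianceChangeNotification":
            continue                                   # drop item-change noise
        if msg.get("configRuleName") != rule_name:
            continue
        new = (msg.get("newEvaluationResult") or {}).get("complianceType")
        old = (msg.get("oldEvaluationResult") or {}).get("complianceType")
        if new == "NON_COMPLIANT" and old != "NON_COMPLIANT":
            alerts.append((msg.get("resourceType"), msg.get("resourceId")))
    return alerts
```

Of the six constructed deliveries, only `i-0aaa` and `i-0ccc` produce an alert; the rest are configuration-item noise, a remediation, a different rule, or an unparseable body.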

AWS Config Rules make it easier for you to manage compliance within your environment and stay up-to-date with configuration changes as they are introduced for [AWS monitoring](https://www.sumologic.com/solutions/aws-monitoring).


Mike Mackrory

Mike Mackrory is a Global citizen who has settled down in the Pacific Northwest — for now. By day he works as a Lead Engineer on a DevOps team, and by night, he writes and tinkers with other technology projects. When he’s not tapping on the keys, he can be found hiking, fishing and exploring both the urban and rural landscape with his kids. Always happy to help out another developer, he has a definite preference for helping those who bring gifts of gourmet donuts, craft beer and/or single-malt Scotch.

