Config-Check not returning correct results

[ascott58]

Hi,

I'm running the policy below to check if an account's Config is enabled. My understanding is that this policy matches an account which has Config enabled and with the specified settings (global resources, running, etc.)

policies:

• name: check-config-status
  resource: account
  description: "Checks if Config is enabled for the account"
  region: ap-southeast-2
  filters:
  • type: check-config
    all-resources: true
    global-resources: true
    running: true

However:

• If I run it on an account with recording turned off, it returns a count of 1
• If I run it on an account with recording turned on, it returns a count of 0

In other words, it is matching an account which has Config disabled.

Any ideas on why it's doing this?

Thanks in advance :)

[kapilt]

its designed to run continuously against an account and if its not setup with aws config per the filter parameters, to invoke some actions (notify, put config back into the account). if the account is already setup with config correctly theres effectively there's nothing to do.

[ascott58]

All of our custodian scripts like the one above are run using cron jobs. We want to run a weekly scan on an account to check that Config is enabled and is running with the specified parameters. Am I correct that if it returns the count of 0 then Config is configured correctly and if it returns a count of 1 then Config is not configured correctly?

Sorry, I'm just not sure what you mean by 'run continuously against an account'... since the policy needs to be run with 'custodian run' whenever you want to perform the check. Right?

Cheers