Config
AWS Config — configuration recorder, real cross-service config-item recording, config rules with genuine managed-rule and custom-Lambda evaluation, compliance, conformance packs, and aggregators. JSON 1.1 protocol.
fakecloud implements AWS Config's full JSON 1.1 API: 97 operations covering the configuration recorder, configuration items, config rules with real evaluation, compliance, remediation, conformance packs, organization rules, aggregators, retention, stored queries, and resource evaluations. 100% Smithy conformance.
Status: 100% coverage with a real recording + rule-evaluation data plane.
Supported today
- Configuration recorder — PutConfigurationRecorder, Describe*, Delete*, Start/StopConfigurationRecorder, ListConfigurationRecorders, recorder status, service-linked recorders (PutServiceLinkedConfigurationRecorder), and Associate/DisassociateResourceTypes. When a recorder is running, Config snapshots the live state of other fakecloud services into genuine configuration-item history.
- Real configuration items — with a running recorder, Config discovers and records real resources that exist in other fakecloud services (AWS::S3::Bucket, AWS::EC2::Instance, AWS::EC2::SecurityGroup, AWS::EC2::VPC, AWS::IAM::User, AWS::IAM::Role, AWS::IAM::Policy) by reading their actual state — not fabricated placeholders. A new ConfigurationItem is appended only when a resource is new or its configuration changed, so GetResourceConfigHistory returns true history. PutResourceConfig records external/custom resource types, DeleteResourceConfig marks them deleted, and BatchGetResourceConfig, ListDiscoveredResources, and GetDiscoveredResourceCounts return the recorded items.
- Config rules with real evaluation — PutConfigRule creates AWS-managed, CUSTOM_LAMBDA, or CUSTOM_POLICY rules. AWS managed rules run genuine evaluation logic against the recorded config items and produce real COMPLIANT/NON_COMPLIANT results: S3_BUCKET_VERSIONING_ENABLED, S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED, S3_BUCKET_PUBLIC_READ_PROHIBITED, S3_BUCKET_PUBLIC_WRITE_PROHIBITED, IAM_USER_NO_POLICIES_CHECK, EC2_INSTANCE_NO_PUBLIC_IP, VPC_DEFAULT_SECURITY_GROUP_CLOSED, INCOMING_SSH_DISABLED, RESTRICTED_INCOMING_TRAFFIC, and REQUIRED_TAGS. Custom (CUSTOM_LAMBDA) rules actually invoke the referenced Lambda function via fakecloud-lambda with a Config invoking event and record the returned evaluations. PutEvaluations/PutExternalEvaluation record results from a custom or external rule. Managed rules that are not implemented evaluate as INSUFFICIENT_DATA rather than a fabricated COMPLIANT.
- Compliance — DescribeComplianceByConfigRule, DescribeComplianceByResource, GetComplianceDetailsByConfigRule, GetComplianceDetailsByResource, GetComplianceSummaryByConfigRule, and GetComplianceSummaryByResourceType all reflect the real evaluation results.
- Advanced query — SelectResourceConfig runs a real subset of the Config query language (SELECT <fields> [WHERE <conditions>], with = and IN, dotted configuration.* and tags.* paths) over the recorded configuration items. SelectAggregateResourceConfig runs the same over the aggregated items.
- Remediation — Put/Describe/DeleteRemediationConfiguration, remediation exceptions, StartRemediationExecution, and execution status.
- Conformance packs — PutConformancePack, Describe*, Delete*, status, and compliance (DescribeConformancePackCompliance, GetConformancePackComplianceSummary, GetConformancePackComplianceDetails, ListConformancePackComplianceScores) aggregated over the pack's rules.
- Organization rules & packs — organization config rules and organization conformance packs with statuses and detailed status.
- Aggregators — configuration aggregators, aggregation authorizations, aggregate compliance queries, and aggregate discovered-resource listings/counts.
- Retention, stored queries, resource evaluations, tags — retention configurations, stored queries (Put/Get/Delete/List), StartResourceEvaluation + summary + list, and Tag/Untag/ListTagsForResource.
Request members are validated against the Smithy model's required/length/range/enum constraints and rejected with ValidationException before any business logic runs, exactly as AWS does.
Smoke test
fakecloud &
E=http://localhost:4566
# Start recording and create a managed rule.
aws --endpoint-url $E configservice put-configuration-recorder \
--configuration-recorder name=default,roleARN=arn:aws:iam::123456789012:role/config
aws --endpoint-url $E configservice start-configuration-recorder \
--configuration-recorder-name default
aws --endpoint-url $E configservice put-config-rule --config-rule '{
"ConfigRuleName": "s3-versioning",
"Source": { "Owner": "AWS", "SourceIdentifier": "S3_BUCKET_VERSIONING_ENABLED" }
}'
# Create an S3 bucket with versioning off, then evaluate.
aws --endpoint-url $E s3api create-bucket --bucket demo-bucket
aws --endpoint-url $E configservice start-config-rules-evaluation \
--config-rule-names s3-versioning
aws --endpoint-url $E configservice describe-compliance-by-config-rule \
--config-rule-names s3-versioning
# -> NON_COMPLIANT (versioning is not enabled)
CloudFormation
AWS::Config::ConfigurationRecorder, AWS::Config::DeliveryChannel, AWS::Config::ConfigRule, AWS::Config::ConfigurationAggregator, AWS::Config::AggregationAuthorization, AWS::Config::ConformancePack, and AWS::Config::OrganizationConfigRule are provisioned into real Config state (and persist across restarts).
Not implemented
- Managed rules outside the set listed above evaluate as INSUFFICIENT_DATA rather than returning a fabricated verdict.
- SelectResourceConfig implements a tractable subset of the Config query language (equality / IN filters and field projection); GROUP BY, aggregate functions, and LIKE are not yet supported.
- Multi-account / multi-region aggregation reflects the local account's recorded state (single-account deployment).
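Because an unimplemented managed rule reports INSUFFICIENT_DATA, a CI gate built on these results should fail closed and say which controls were never exercised. The following is an added example, not fakecloud's own code: the function name gate, the sample rule names, and the choice to accept NOT_APPLICABLE are assumptions, and the dictionaries are constructed in the shape of describe-config-rules and describe-compliance-by-config-rule output.

```python
# Added example: fail-closed gate over Config compliance results (no network calls).
IMPLEMENTED = {  # managed rules this page lists as evaluated for real
    "S3_BUCKET_VERSIONING_ENABLED", "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED",
    "S3_BUCKET_PUBLIC_READ_PROHIBITED", "S3_BUCKET_PUBLIC_WRITE_PROHIBITED",
    "IAM_USER_NO_POLICIES_CHECK", "EC2_INSTANCE_NO_PUBLIC_IP",
    "VPC_DEFAULT_SECURITY_GROUP_CLOSED", "INCOMING_SSH_DISABLED",
    "RESTRICTED_INCOMING_TRAFFIC", "REQUIRED_TAGS",
}
PASSING = {"COMPLIANT", "NOT_APPLICABLE"}  # assumption: NOT_APPLICABLE is acceptable

def gate(rules_resp, compliance_resp):
    """Return (ok, findings); only an explicit passing verdict counts as a pass."""
    verdicts = {
        c["ConfigRuleName"]: c.get("Compliance", {}).get("ComplianceType")
        for c in compliance_resp.get("ComplianceByConfigRules", [])
    }
    findings = []
    for rule in rules_resp.get("ConfigRules", []):
        name, src = rule["ConfigRuleName"], rule.get("Source", {})
        # A rule with no recorded result is unverified, never a pass.
        verdict = verdicts.get(name) or "INSUFFICIENT_DATA"
        if verdict in PASSING:
            continue
        if verdict == "NON_COMPLIANT":
            reason = "rule evaluated and failed"
        elif src.get("Owner") == "AWS" and src.get("SourceIdentifier") not in IMPLEMENTED:
            reason = "managed rule not implemented by the emulator; control is untested"
        else:
            reason = "no evaluation recorded (recorder running? evaluation started?)"
        findings.append((name, verdict, reason))
    return (not findings, findings)

def _rule(name, ident):  # helper for the constructed sample below
    return {"ConfigRuleName": name, "Source": {"Owner": "AWS", "SourceIdentifier": ident}}

# Constructed sample responses; rule names are made up for illustration.
RULES = {"ConfigRules": [
    _rule("s3-versioning", "S3_BUCKET_VERSIONING_ENABLED"),
    _rule("root-mfa", "ROOT_ACCOUNT_MFA_ENABLED"),  # not in the implemented set
    _rule("tags", "REQUIRED_TAGS"),
]}
COMPLIANCE = {"ComplianceByConfigRules": [
    {"ConfigRuleName": "s3-versioning", "Compliance": {"ComplianceType": "NON_COMPLIANT"}},
    {"ConfigRuleName": "root-mfa", "Compliance": {"ComplianceType": "INSUFFICIENT_DATA"}},
    {"ConfigRuleName": "tags", "Compliance": {"ComplianceType": "COMPLIANT"}},
]}

if __name__ == "__main__":
    print(gate(RULES, COMPLIANCE))
```
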