Why can’t I create or delete organization config rules?

Last updated: 2021-05-28

When I try to create or delete an AWS Config rule for AWS Organizations, I receive a CREATE_FAILED or DELETE_FAILED error. How can I troubleshoot issues with organization config rules?

Resolution

Various issues can cause organization config rules to not work, including permissions, a member account in an inactive state, or missing configuration recorders.

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you're using the most recent version of the AWS CLI.

To resolve organization config rule errors, first run the following command to get member account rule failure and success status details. Replace your-rule-name with your organization config rule name. The command identifies the specific member accounts in which the rule failed.

aws configservice get-organization-config-rule-detailed-status --organization-config-rule-name your-rule-name

Review the output ErrorCode and ErrorMessage, and then follow these troubleshooting steps:

  • Run the following AWS CLI command or use the Organizations console to verify that the status of all member accounts is Active.
aws organizations list-accounts --query 'Accounts[*].[Id, Status]' --output table
  • Confirm that AWS Config is set up for each member account. You can set up AWS Config manually for a specific member account using either the console, the AWS CLI, or AWS CloudFormation. When AWS Config is set up for all member accounts, deploy the rule again.
  • Open the CloudTrail console, and then choose Event history from the navigation pane. To filter the logs, choose Event name from the dropdown, and enter PutOrganizationConfigRule or DeleteOrganizationConfigRule in the search field. Review the filtered log results for OrganizationAccessDeniedException errors.
  • Verify that you are calling the PutOrganizationConfigRule API or DeleteOrganizationConfigRule API from the Organizations primary account or from a delegated administrator member account. Run the following command from the primary account to identify the delegated administrator member account.
aws organizations list-delegated-administrators --service-principal=config-multiaccountsetup.amazonaws.com
  • If you receive OrganizationAccessDeniedException errors, verify that you have the required permissions. The AWS Identity and Access Management (IAM) role for AWS Config must include PutConfigRule, PutOrganizationConfigRule, and DeleteOrganizationConfigRule permissions to create and delete organization config rules.
  • If you receive ResourceInUseException errors, review the error message to identify the cause. If the error message indicates that a remediation action is associated with the rule, then resolve the remediation action. If the error message indicates that the rule status isn’t CREATE_SUCCESSFUL, then verify that the AWS Config member account IAM role includes DeleteConfigRule permissions.

Custom organization config rule creation

To create custom organization config rules, the AWS Config IAM role must include permissions to invoke the Lambda function. If the required permissions are missing, run the following add-permission command:

Note: Replace function-name with the Lambda function name, Region with your AWS Region, and source-account with the primary member account ID.

aws lambda add-permission --function-name --region --action "lambda:InvokeFunction" --principal config.amazonaws.com --source-account --statement-id Allow