Write a Lambda function handler that receives a `configurationItem` or `oversizedConfigurationItem` event and returns a compliance evaluation using the `config.put_evaluations` API call with `ComplianceType` set to `COMPLIANT` or `NON_COMPLIANT`.
Ensure the Lambda execution role includes `config:PutEvaluations` and the `AWSLambdaBasicExecutionRole` managed policy.
Create the Config rule via the AWS console or CLI: `aws configservice put-config-rule --config-rule file://rule.json` where `rule.json` specifies `Source.Owner: CUSTOM_LAMBDA` and the Lambda ARN.
Set `Source.SourceDetails[].MessageType` to `ConfigurationItemChangeNotification` for change-triggered rules or `ScheduledNotification` for periodic evaluation.
Grant AWS Config permission to invoke the Lambda: `aws lambda add-permission --function-name <NAME> --statement-id config-invoke --action lambda:InvokeFunction --principal config.amazonaws.com`.
Deploy Config rules across an organization using a Conformance Pack: author a YAML template and deploy with `aws configservice put-organization-conformance-pack`.
Known gotchas
Custom Config rules are evaluated per resource configuration change; the Lambda must handle `oversizedConfigurationItem` events when resource configurations exceed the SNS message size limit.
AWS Config launched 75 new managed rules in early 2026; before writing a custom rule, check the managed rules list to avoid duplicating an existing rule.
The Lambda function timeout defaults to 3 seconds; increase it to at least 30 seconds for rules that call external APIs or query other AWS services, otherwise the evaluation fails before `put_evaluations` is ever called.
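An added handler that covers both the evaluation step above and the oversized-item gotcha (example code written for this page, not from AWS or any project). The compliance check itself is a hypothetical one (S3 bucket versioning must be enabled), and the `client` keyword argument is an assumption used so the handler can be exercised offline with a stub instead of a real `boto3` client.

```python
import json

# boto3 is only needed inside Lambda; an optional import allows offline tests with a stub client
try:
    import boto3
except ImportError:
    boto3 = None

DELETED = ("ResourceDeleted", "ResourceDeletedNotRecorded")

def evaluate(item):
    """Hypothetical check (assumption): S3 buckets must have versioning enabled."""
    if item.get("resourceType") != "AWS::S3::Bucket":
        return "NOT_APPLICABLE"
    if item.get("configurationItemStatus") in DELETED:
        return "NOT_APPLICABLE"  # never report a deleted resource as non-compliant
    versioning = item.get("supplementaryConfiguration", {}).get(
        "BucketVersioningConfiguration", {})
    if isinstance(versioning, str):  # the history API returns this block as a JSON string
        versioning = json.loads(versioning)
    return "COMPLIANT" if versioning.get("status") == "Enabled" else "NON_COMPLIANT"

def get_configuration_item(invoking_event, client):
    """Return the full item; an oversized event only carries a summary, so fetch it."""
    if invoking_event["messageType"] == "OversizedConfigurationItemChangeNotification":
        summary = invoking_event["configurationItemSummary"]
        history = client.get_resource_config_history(
            resourceType=summary["resourceType"],
            resourceId=summary["resourceId"],
            laterTime=summary["configurationItemCaptureTime"],
            limit=1,
        )
        return history["configurationItems"][0]
    return invoking_event["configurationItem"]

def lambda_handler(event, context, client=None):
    """Change-triggered entry point; ScheduledNotification events are out of scope here."""
    client = client or boto3.client("config")
    invoking_event = json.loads(event["invokingEvent"])
    item = get_configuration_item(invoking_event, client)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": evaluate(item),
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    # resultToken binds this result to the invocation; Config rejects stale or missing tokens
    client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation
```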