Why can't I delete an AWS Config rule?

3 minute read
0

I can't delete my AWS Config rule, or I receive an error similar to the following: "An error has occurred with AWS Config."

Resolution

To troubleshoot this issue, check the following:

The AWS Identity and Access Management (IAM) entity has permissions for the DeleteConfigRule API action

  1. Open the IAM console, and then in the navigation pane choose Users or Roles.
  2. Choose the user or role that you used to delete the AWS Config rule, and expand Permissions policies.
  3. In the Permissions tab, choose JSON.
  4. In the JSON preview pane, confirm that the IAM policy allows permissions for the DeleteConfigRule API action.

The IAM entity permission boundary allows the DeleteConfigRule API action

If the IAM entity has a permissions boundary, be sure that it allows the DeleteConfigRule API action.

  1. Open the IAM console, and then in the navigation pane choose Users or Roles.
  2. Choose the user or role that you used to delete the AWS Config rule, expand Permissions boundary, and then choose JSON.
  3. In the JSON preview pane, confirm that the IAM policy allows permissions for the DeleteConfigRule API action.

The service control policy (SCP) allows the DeleteConfigRule API action

  1. Open the AWS Organizations console using the management account for the organization.
  2. In Account name, choose the AWS account.
  3. In Policies, expand Service control policies and note the SCP policies that are attached.
  4. At the top of the page, choose Policies.
  5. Select the policy, and then choose View details.
  6. In the JSON preview pane, confirm that the policy allows the DeleteConfigRule API action.

The rule isn't a service-linked rule

When you enable a security standard, AWS Security Hub creates AWS Config service-linked rules for you. You can't delete these service-linked rules using AWS Config, so the delete button is grayed out. To remove the AWS Config service-linked rules, see Disabling a security standard.

No remediation actions are in progress

You can't delete AWS Config rules that have remediation actions in progress. Follow the instructions to delete the remediation action that is associated with that rule. Then, try deleting the AWS Config rule again.

Important: Delete only remediation actions that are in failed or successful states.

If the remediation action fails to delete, see How can I resolve the error "NoSuchRemediationConfigurationException" or "unexpected internal error" when trying to delete a remediation action in AWS Config?


Related information

Permissions boundaries for IAM entities

What's the difference between an AWS Organizations service control policy and an IAM policy?

Service-linked AWS Config rules

Managing your AWS Config rules

AWS OFFICIAL
AWS OFFICIALUpdated 3 years ago