diff --git a/aws/resource_aws_config_config_rule.go b/aws/resource_aws_config_config_rule.go
index f957a7d430c..c3ee13d1b49 100644
--- a/aws/resource_aws_config_config_rule.go
+++ b/aws/resource_aws_config_config_rule.go
@@ -146,14 +146,10 @@ func resourceAwsConfigConfigRulePut(d *schema.ResourceData, meta interface{}) er
 	name := d.Get("name").(string)
 	ruleInput := configservice.ConfigRule{
 		ConfigRuleName: aws.String(name),
+		Scope:          expandConfigRuleScope(d.Get("scope").([]interface{})),
 		Source:         expandConfigRuleSource(d.Get("source").([]interface{})),
 	}
 
-	scopes := d.Get("scope").([]interface{})
-	if len(scopes) > 0 {
-		ruleInput.Scope = expandConfigRuleScope(scopes[0].(map[string]interface{}))
-	}
-
 	if v, ok := d.GetOk("description"); ok {
 		ruleInput.Description = aws.String(v.(string))
 	}
diff --git a/aws/resource_aws_config_config_rule_test.go b/aws/resource_aws_config_config_rule_test.go
index d8db29ba197..52e0802c195 100644
--- a/aws/resource_aws_config_config_rule_test.go
+++ b/aws/resource_aws_config_config_rule_test.go
@@ -159,6 +159,86 @@ func testAccConfigConfigRule_importLambda(t *testing.T) {
 	})
 }
 
+func testAccConfigConfigRule_Scope_TagKey(t *testing.T) {
+	var configRule configservice.ConfigRule
+	rName := acctest.RandomWithPrefix("tf-acc-test")
+	resourceName := "aws_config_config_rule.test"
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckConfigConfigRuleDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccConfigConfigRuleConfig_Scope_TagKey(rName, "key1"),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckConfigConfigRuleExists(resourceName, &configRule),
+					resource.TestCheckResourceAttr(resourceName, "scope.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "scope.0.tag_key", "key1"),
+				),
+			},
+			{
+				Config: testAccConfigConfigRuleConfig_Scope_TagKey(rName, "key2"),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckConfigConfigRuleExists(resourceName, &configRule),
+					resource.TestCheckResourceAttr(resourceName, "scope.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "scope.0.tag_key", "key2"),
+				),
+			},
+		},
+	})
+}
+
+func testAccConfigConfigRule_Scope_TagKey_Empty(t *testing.T) {
+	var configRule configservice.ConfigRule
+	rName := acctest.RandomWithPrefix("tf-acc-test")
+	resourceName := "aws_config_config_rule.test"
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckConfigConfigRuleDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccConfigConfigRuleConfig_Scope_TagKey(rName, ""),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckConfigConfigRuleExists(resourceName, &configRule),
+				),
+			},
+		},
+	})
+}
+
+func testAccConfigConfigRule_Scope_TagValue(t *testing.T) {
+	var configRule configservice.ConfigRule
+	rName := acctest.RandomWithPrefix("tf-acc-test")
+	resourceName := "aws_config_config_rule.test"
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckConfigConfigRuleDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccConfigConfigRuleConfig_Scope_TagValue(rName, "value1"),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckConfigConfigRuleExists(resourceName, &configRule),
+					resource.TestCheckResourceAttr(resourceName, "scope.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "scope.0.tag_value", "value1"),
+				),
+			},
+			{
+				Config: testAccConfigConfigRuleConfig_Scope_TagValue(rName, "value2"),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckConfigConfigRuleExists(resourceName, &configRule),
+					resource.TestCheckResourceAttr(resourceName, "scope.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "scope.0.tag_value", "value2"),
+				),
+			},
+		},
+	})
+}
+
 func testAccCheckConfigConfigRuleName(n, desired string, obj *configservice.ConfigRule) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		rs, ok := s.RootModule().Resources[n]
@@ -224,6 +304,42 @@ func testAccCheckConfigConfigRuleDestroy(s *terraform.State) error {
 	return nil
 }
 
+func testAccConfigConfigRuleConfig_base(rName string) string {
+	return fmt.Sprintf(`
+data "aws_partition" "current" {}
+
+resource "aws_config_configuration_recorder" "test" {
+  name     = %q
+  role_arn = "${aws_iam_role.test.arn}"
+}
+
+resource "aws_iam_role" "test" {
+  name = %q
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "config.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "test" {
+  policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AWSConfigRole"
+  role       = "${aws_iam_role.test.name}"
+}
+`, rName, rName)
+}
+
 func testAccConfigConfigRuleConfig_basic(randInt int) string {
 	return fmt.Sprintf(`
 resource "aws_config_config_rule" "foo" {
@@ -471,3 +587,42 @@ resource "aws_iam_role_policy" "p" {
 POLICY
 }`, randInt, path, randInt, randInt, randInt, randInt, randInt, randInt, randInt)
 }
+
+func testAccConfigConfigRuleConfig_Scope_TagKey(rName, tagKey string) string {
+	return testAccConfigConfigRuleConfig_base(rName) + fmt.Sprintf(`
+resource "aws_config_config_rule" "test" {
+  name = %q
+
+  scope {
+    tag_key = %q
+  }
+
+  source {
+    owner = "AWS"
+    source_identifier = "S3_BUCKET_VERSIONING_ENABLED"
+  }
+
+  depends_on = ["aws_config_configuration_recorder.test"]
+}
+`, rName, tagKey)
+}
+
+func testAccConfigConfigRuleConfig_Scope_TagValue(rName, tagValue string) string {
+	return testAccConfigConfigRuleConfig_base(rName) + fmt.Sprintf(`
+resource "aws_config_config_rule" "test" {
+  name = %q
+
+  scope {
+    tag_key   = "key"
+    tag_value = %q
+  }
+
+  source {
+    owner = "AWS"
+    source_identifier = "S3_BUCKET_VERSIONING_ENABLED"
+  }
+
+  depends_on = ["aws_config_configuration_recorder.test"]
+}
+`, rName, tagValue)
+}
diff --git a/aws/resource_aws_config_test.go b/aws/resource_aws_config_test.go
index f24424624cb..a345f5f33b2 100644
--- a/aws/resource_aws_config_test.go
+++ b/aws/resource_aws_config_test.go
@@ -7,11 +7,14 @@ import (
 func TestAccAWSConfig(t *testing.T) {
 	testCases := map[string]map[string]func(t *testing.T){
 		"Config": {
-			"basic":        testAccConfigConfigRule_basic,
-			"ownerAws":     testAccConfigConfigRule_ownerAws,
-			"customlambda": testAccConfigConfigRule_customlambda,
-			"importAws":    testAccConfigConfigRule_importAws,
-			"importLambda": testAccConfigConfigRule_importLambda,
+			"basic":            testAccConfigConfigRule_basic,
+			"ownerAws":         testAccConfigConfigRule_ownerAws,
+			"customlambda":     testAccConfigConfigRule_customlambda,
+			"importAws":        testAccConfigConfigRule_importAws,
+			"importLambda":     testAccConfigConfigRule_importLambda,
+			"scopeTagKey":      testAccConfigConfigRule_Scope_TagKey,
+			"scopeTagKeyEmpty": testAccConfigConfigRule_Scope_TagKey_Empty,
+			"scopeTagValue":    testAccConfigConfigRule_Scope_TagValue,
 		},
 		"ConfigurationRecorderStatus": {
 			"basic":        testAccConfigConfigurationRecorderStatus_basic,
diff --git a/aws/structure.go b/aws/structure.go
index ed347110959..4bd9b10b8ef 100644
--- a/aws/structure.go
+++ b/aws/structure.go
@@ -2259,7 +2259,11 @@ func flattenConfigRuleScope(scope *configservice.Scope) []interface{} {
 	return items
 }
 
-func expandConfigRuleScope(configured map[string]interface{}) *configservice.Scope {
+func expandConfigRuleScope(l []interface{}) *configservice.Scope {
+	if len(l) == 0 || l[0] == nil {
+		return nil
+	}
+	configured := l[0].(map[string]interface{})
 	scope := &configservice.Scope{}
 
 	if v, ok := configured["compliance_resource_id"].(string); ok && v != "" {