Record resource types in Amazon Config - Amazon CloudFormation
Preventing sensitive properties being recorded in a configuration item
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Record resource types in Amazon Config

You can specify that Amazon Config automatically track your private resource types and record changes to those resources as configuration items. This enables you to view configuration history for these private resource types, in addition to write Amazon Config Rules rules to verify configuration best practices. Amazon Config is required for the Hook extension.

To have Amazon Config automatically track your private resource types:

  • Manage the resources through CloudFormation. This includes performing all resource create, updated, and delete operations through CloudFormation.

    Note

    If you use an IAM role to perform your stack operations, that IAM role must have permission to call the following Amazon Config actions:

  • Configure Amazon Config to record all resource types. For more information, see Recording Configurations for Third-Party Resources using the Amazon CLI in the Amazon Config Developer Guide.

    Note

    Amazon Config doesn't support recording of private resources containing properties defined as both required and write-only.

    By design, resource properties defined as write-only aren't returned in the schema used to create Amazon Config configuration item. Because of this, including a property that's defined as both write-only and required will cause the configuration item creation to fail, as a required property will not be present. To view the schema that will be used to create the configuration item, you can review the schema property of the DescribeType action.

For more information about configuration items, see Configuration items in the Amazon Config Developer Guide.

Preventing sensitive properties being recorded in a configuration item

Your resource type may contain properties that you consider sensitive information, such as passwords, secrets, or other sensitive data, that you don't want recorded as part of the configuration item. To prevent a property from being recorded in the configuration item, you can include that property in the writeOnlyproperties list in your resource type schema. Resource properties listed as writeOnlyproperties can be specified by the user, but won't be returned by a read or list request.

For more information, see writeOnlyProperties in the CloudFormation CLI User Guide.