

# Track configuration changes with Amazon Config
<a name="TrackingChanges"></a>

To record and evaluate configurations of your Amazon resources, you can use Amazon Config, which provides you with a detailed view of the configuration of your distributions. This includes how the resources are related to one another and how they were configured in the past, so you can review changes over time.

You can also use Amazon Config to record configuration changes to your CloudFront distribution settings. You can capture changes to distribution states, price classes, origins, geographic restriction settings, and Lambda@Edge configurations.

**Note**  
Amazon Config does not record key–value tags for CloudFront streaming distributions.

**Contents**
+ [Set up Amazon Config with CloudFront](#TrackingChangesSettings)
+ [View CloudFront configuration history](#TrackingChangesGetHistory)
+ [Evaluate CloudFront configurations with Amazon Config Rules](#cloudfront-config-rules)

## Set up Amazon Config with CloudFront
<a name="TrackingChangesSettings"></a>

When you set up Amazon Config, you can choose to record all supported Amazon resources or record only some specified resources, such as recording changes for CloudFront only. For a list of supported CloudFront resources, see the [Amazon CloudFront](https://docs.amazonaws.cn/config/latest/developerguide/resource-config-reference.html#amazoncloudfront) section of the Supported Resource Types topic in the *Amazon Config Developer Guide*. 

**Notes**  
+ To track configuration changes to your CloudFront distribution, you must sign in to the CloudFront console in the US East (N. Virginia) Amazon Web Services Region.
+ There might be a delay in recording resources with Amazon Config. Amazon Config records resources only after it discovers the resources.

------
#### [ Console ]<a name="HowToSetUpAWSConfigProcedure"></a>

**To set up Amazon Config with CloudFront**

1. Sign in to the Amazon Web Services Management Console and open the [Amazon Config console](https://console.amazonaws.cn/config/home).

1. Choose **Get Started Now**.

1. On the **Settings** page, for **Resource types to record**, specify the Amazon resource types that you want Amazon Config to record. If you want to record only CloudFront changes, choose **Specific types**, and then, under **CloudFront**, choose the distribution or streaming distribution that you want to track changes for.

   To add or change which distributions to track, choose **Settings** on the left, after completing your initial setup.

1. Specify additional required options for Amazon Config: set up a notification, specify a location for the configuration information, and add rules for evaluating resource types.

For more information, see [Setting up Amazon Config with the Console](https://docs.amazonaws.cn/config/latest/developerguide/gs-console.html) in the *Amazon Config Developer Guide*.

------
#### [ Amazon CLI ]

To set up Amazon Config with CloudFront using the Amazon CLI, see [Setting up Amazon Config with the Amazon CLI](https://docs.amazonaws.cn/config/latest/developerguide/gs-cli.html) in the *Amazon Config Developer Guide*.

------
#### [ Amazon Config API ]

To set up Amazon Config with CloudFront using the Amazon Config API, see the [StartConfigurationRecorder](https://docs.amazonaws.cn/config/latest/APIReference/API_StartConfigurationRecorder.html) API operation in the *Amazon Config API Reference*.

------

## View CloudFront configuration history
<a name="TrackingChangesGetHistory"></a>

After Amazon Config starts recording configuration changes to your distributions, you can get the configuration history of any distribution that you have configured for CloudFront.

You can view configuration histories in the following ways.

------
#### [ Console ]

For each recorded resource, you can view a timeline page that provides a history of configuration details. To view this page, choose the gray icon in the **Config Timeline** column of the **Dedicated Hosts** page.

For more information, see [Viewing Configuration Details in the Amazon Config Console](https://docs.amazonaws.cn/config/latest/developerguide/view-manage-resource-console.html) in the *Amazon Config Developer Guide*.

------
#### [ Amazon CLI ]

To get a list of all your distributions, run the [list-discovered-resources](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/list-discovered-resources.html) command, as shown in the following example.

```
aws configservice list-discovered-resources --resource-type AWS::CloudFront::Distribution
```

To get the configuration details of a distribution for a specific time interval, run the [get-resource-config-history](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/get-resource-config-history.html) command.

For more information, see [View Configuration Details Using the CLI](https://docs.amazonaws.cn/config/latest/developerguide/resource-config-reference.html) in the *Amazon Config Developer Guide*.
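The following added example (not part of the Amazon documentation) shows one way to review the saved JSON output of `get-resource-config-history`: it compares consecutive configuration items and lists each setting that changed, which is useful when auditing who weakened a distribution setting and when. The function names, the sample history, and the keys inside `configuration` are constructed for illustration and are assumptions, not the exact schema that Amazon Config records.

```python
import json
MISSING = "<absent>"  # marker for a setting present in only one snapshot

# Constructed sample shaped like `aws configservice get-resource-config-history`
# output; keys inside "configuration" are illustrative assumptions.
SAMPLE_HISTORY = {"configurationItems": [
    {"configurationItemCaptureTime": "2024-05-02T10:15:00Z",
     "configuration": json.dumps({
         "priceClass": "PriceClass_All",
         "viewerProtocolPolicy": "allow-all",
         "geoRestriction": {"restrictionType": "none", "items": []}})},
    {"configurationItemCaptureTime": "2024-05-01T09:00:00Z",
     "configuration": json.dumps({
         "priceClass": "PriceClass_100",
         "viewerProtocolPolicy": "redirect-to-https",
         "geoRestriction": {"restrictionType": "whitelist", "items": ["US"]}})},
]}

def flatten(node, prefix=""):
    """Yield (path, value) for every leaf of a nested JSON value."""
    if isinstance(node, dict):
        for key in sorted(node):
            yield from flatten(node[key], f"{prefix}.{key}" if prefix else key)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from flatten(item, f"{prefix}[{i}]")
    else:
        yield prefix, node

def load_config(item):
    cfg = item.get("configuration") or "{}"  # CLI returns a JSON-encoded string
    return json.loads(cfg) if isinstance(cfg, str) else cfg

def config_changes(history):
    """Return (capture_time, path, old, new) for each setting that changed."""
    items = sorted(history["configurationItems"],
                   key=lambda i: i["configurationItemCaptureTime"])
    changes = []
    for prev, curr in zip(items, items[1:]):
        old, new = dict(flatten(load_config(prev))), dict(flatten(load_config(curr)))
        for path in sorted(old.keys() | new.keys()):
            if old.get(path, MISSING) != new.get(path, MISSING):
                changes.append((curr["configurationItemCaptureTime"], path,
                                old.get(path, MISSING), new.get(path, MISSING)))
    return changes

if __name__ == "__main__":
    for when, path, old, new in config_changes(SAMPLE_HISTORY):
        print(f"{when}  {path}: {old!r} -> {new!r}")
```

To use it on real data, save the command output to a file and pass the parsed JSON to `config_changes`.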

------
#### [ Amazon Config API ]

To get a list of all your distributions, use the [ListDiscoveredResources](https://docs.amazonaws.cn/config/latest/APIReference/API_ListDiscoveredResources.html) API operation.

To get the configuration details of a distribution for a specific time interval, use the [GetResourceConfigHistory](https://docs.amazonaws.cn/config/latest/APIReference/API_GetResourceConfigHistory.html) API operation. For more information, see the [Amazon Config API Reference](https://docs.amazonaws.cn/config/latest/APIReference/).

------

## Evaluate CloudFront configurations with Amazon Config Rules
<a name="cloudfront-config-rules"></a>

You can evaluate configurations against desired configurations with Amazon Config Rules. For example, Amazon Config Rules helps you to evaluate whether your CloudFront resources comply with common security best practices. You can choose managed rules like viewer policy HTTPS, SNI enabled, OAC enabled, origin failover enabled, Amazon WAF WebACL, or Amazon Shield Advanced resource policies to be triggered when the configuration changes.

Managed rules can run evaluations periodically, at a frequency that you choose. Amazon Firewall Manager relies on Amazon Config for automatic alerts and remediations. For more information, see [Evaluating Resources with Amazon Config Rules](https://docs.amazonaws.cn/config/latest/developerguide/evaluate-config.html) and [List of Amazon Config Managed Rules](https://docs.amazonaws.cn/config/latest/developerguide/managed-rules-by-aws-config.html) in the *Amazon Config Developer Guide*.