Welcome
Amazon Config provides a way to keep track of the configurations of all the Amazon resources associated with your Amazon Web Services account. You can use Amazon Config to get the current and historical configurations of each Amazon resource and also to get information about the relationship between the resources. An Amazon resource can be an Amazon Compute Cloud (Amazon EC2) instance, an Elastic Block Store (EBS) volume, an elastic network Interface (ENI), or a security group. For a complete list of resources currently supported by Amazon Config, see Supported Amazon resources.
You can access and manage Amazon Config through the Amazon Management Console, the Amazon Command Line Interface (Amazon CLI), the Amazon Config API, or the Amazon SDKs for Amazon Config. This reference guide contains documentation for the Amazon Config API and the Amazon CLI commands that you can use to manage Amazon Config. The Amazon Config API uses the Signature Version 4 protocol for signing requests. For more information about how to sign a request with this protocol, see Signature Version 4 Signing Process. For detailed information about Amazon Config features and their associated actions or commands, as well as how to work with Amazon Web Services Management Console, see What Is Amazon Config in the Amazon Config Developer Guide.
Configuration Recorder
Use the following APIs for the Amazon Config configuration recorder:
-
DescribeConfigurationRecorders, returns the details for the specified configuration recorders.
-
DescribeConfigurationRecorderStatus, returns the current status of the specified configuration recorder.
-
DeleteConfigurationRecorder, deletes the configuration recorder.
-
PutConfigurationRecorder, creates a new configuration recorder to record configuration changes for specified resource types.
-
StartConfigurationRecorder, starts recording configurations of the Amazon resources you have selected to record in your Amazon Web Services account.
-
StopConfigurationRecorder, stops recording configurations of the Amazon resources you have selected to record in your Amazon Web Services account.
Delivery Channel
Use the following APIs for the Amazon Config delivery channel:
-
DeliverConfigSnapshot, schedules delivery of a configuration snapshot to the Amazon S3 bucket in the specified delivery channel.
-
DescribeDeliveryChannels, returns details about the specified delivery channel.
-
DescribeDeliveryChannelStatus, returns the current status of the specified delivery channel.
-
DeleteDeliveryChannel, deletes the delivery channel.
-
PutDeliveryChannel, creates a delivery channel object to deliver configuration information and other compliance notifications to an Amazon S3 bucket and Amazon SNS topic.
Resource Management
Use the following APIs for Amazon Config resource management:
-
BatchGetResourceConfig, returns the
BaseConfigurationItem
for one or more requested resources. -
DeleteResourceConfig, records the configuration state for a custom resource that has been deleted.
-
DeleteRetentionConfiguration, deletes the retention configuration.
-
DeliverConfigSnapshot, schedules delivery of a configuration snapshot to the Amazon S3 bucket in the specified delivery channel.
-
DescribeRetentionConfigurations, returns the details of one or more retention configurations.
-
GetDiscoveredResourceCounts, returns the resource types, the number of each resource type, and the total number of resources that Amazon Config is recording in this region for your Amazon Web Services account.
-
GetResourceConfigHistory, returns a list of
ConfigurationItems
for the specified resource. -
ListDiscoveredResources, accepts a resource type and returns a list of resource identifiers for the resources of that type.
-
ListTagsForResource, list the tags for Amazon Config resource.
-
PutResourceConfig, records the configuration state for the resource provided in the request.
-
PutRetentionConfiguration, creates and updates the retention configuration with details about retention period (number of days) that Amazon Config stores your historical information.
-
TagResource, associates the specified tags to a resource with the specified resourceArn.
-
UntagResource, deletes specified tags from a resource.
Amazon Config Rules
Use the following APIs for Amazon Config Rules:
-
DeleteConfigRule, deletes the specified Amazon Config rule and all of its evaluation results.
-
DeleteEvaluationResults, deletes the evaluation results for the specified Amazon Config rule.
-
DeleteOrganizationConfigRule, deletes the specified organization Amazon Config rule and all of its evaluation results from all member accounts in that organization.
-
DescribeComplianceByConfigRule, indicates whether the specified Amazon Config rules are compliant.
-
DescribeComplianceByResource, indicates whether the specified Amazon resources are compliant.
-
DescribeConfigRuleEvaluationStatus, returns status information for each of your Amazon Config managed rules.
-
DescribeConfigRules, returns details about your Amazon Config rules.
-
DescribeOrganizationConfigRules, returns a list of organization Amazon Config rules.
-
DescribeOrganizationConfigRuleStatuses, provides organization Amazon Config rule deployment status for an organization.
-
GetComplianceDetailsByConfigRule, returns the evaluation results for the specified Amazon Config rule.
-
GetComplianceDetailsByResource, returns the evaluation results for the specified Amazon resource.
-
GetComplianceSummaryByConfigRule, returns the number of Amazon Config rules that are compliant and noncompliant, up to a maximum of 25 for each.
-
GetComplianceSummaryByResourceType, returns the number of resources that are compliant and the number that are noncompliant.
-
GetCustomRulePolicy, returns the policy definition containing the logic for your Amazon Config Custom Policy rule.
-
GetOrganizationConfigRuleDetailedStatus, returns detailed status for each member account within an organization for a given organization Amazon Config rule.
-
GetOrganizationCustomRulePolicy, returns the metadata, the rule name, and the policy definition containing the logic for your organization Amazon Config Custom Policy rule.
-
GetResourceEvaluationSummary, returns a summary of resource evaluation for the specified resource evaluation ID from the proactive rules that were run.
-
ListResourceEvaluations, returns a list of proactive resource evaluations.
-
PutConfigRule, adds or updates an Amazon Config rule for evaluating whether your Amazon resources comply with your desired configurations.
-
PutEvaluations, used by an Amazon Lambda function to deliver evaluation results to Amazon Config.
-
PutOrganizationConfigRule, adds or updates organization Amazon Config rule for your entire organization evaluating whether your Amazon resources comply with your desired configurations.
-
StartConfigRulesEvaluation, runs an on-demand evaluation for the specified Amazon Config rules against the last known configuration state of the resources.
-
StartResourceEvaluation, runs an on-demand evaluation for the specified resource to determine whether the resource details will comply with configured Amazon Config rules.
Remediation
Use the following APIs for Amazon Config remediation actions:
-
DeleteRemediationConfiguration, deletes the remediation configuration.
-
DeleteRemediationExceptions, deletes one or more remediation exceptions mentioned in the resource keys.
-
DescribeRemediationConfigurations, returns the details of one or more remediation configurations.
-
DescribeRemediationExceptions, returns the details of one or more remediation exceptions.
-
DescribeRemediationExecutionStatus, provides a detailed view of a Remediation Execution for a set of resources including state, timestamps for when steps for the remediation execution occur, and any error messages for steps that have failed.
-
PutRemediationConfigurations, adds or updates the remediation configuration with a specific Amazon Config rule with the selected target or action.
-
PutRemediationExceptions, adds a new exception or updates an exisiting exception for a specific resource with a specific Amazon Config rule.
-
StartRemediationExecution, runs an on-demand remediation for the specified Amazon Config rules against the last known remediation configuration.
Conformance Packs
Use the following APIs for conformance packs:
-
DeleteConformancePack, deletes the specified conformance pack and all the Amazon Config rules and all evaluation results within that conformance pack.
-
DeleteOrganizationConformancePack, deletes the specified organization conformance pack and all of the Amazon Config rules and remediation actions from all member accounts in that organization.
-
DescribeConformancePackCompliance, returns compliance information for each rule in that conformance pack.
-
DescribeConformancePacks, returns a list of one or more conformance packs.
-
DescribeConformancePackStatus, provides one or more conformance packs deployment status.
-
DescribeOrganizationConformancePacks, returns a list of organization conformance packs.
-
DescribeOrganizationConformancePackStatuses, provides organization conformance pack deployment status for an organization.
-
GetConformancePackComplianceDetails, returns compliance details of a conformance pack for all Amazon resources that are monitered by conformance pack.
-
GetConformancePackComplianceSummary, returns compliance information for the conformance pack based on the cumulative compliance results of all the rules in that conformance pack.
-
GetOrganizationConformancePackDetailedStatus, returns detailed status for each member account within an organization for a given organization conformance pack.
-
ListConformancePackComplianceScores, returns a list of conformance pack compliance scores.
-
PutConformancePack, creates or updates a conformance pack.
-
PutOrganizationConformancePack, deploys conformance packs across member accounts in an Amazon Organization.
-
PutExternalEvaluation, add or updates the evaluations for process checks.
Aggregators
Use the following APIs for multi-account multi-Region data aggregation:
-
BatchGetAggregateResourceConfig, returns the current configuration items for resources that are present in your Amazon Config aggregator.
-
DeleteAggregationAuthorization, deletes the authorization granted to the specified configuration aggregator account in a specified region.
-
DeleteConfigurationAggregator, deletes the specified configuration aggregator and the aggregated data associated with the aggregator.
-
DeletePendingAggregationRequest, deletes pending authorization requests for a specified aggregator account in a specified region.
-
DescribeAggregateComplianceByConfigRules, returns a list of compliant and noncompliant rules with the number of resources for compliant and noncompliant rules.
-
DescribeAggregateComplianceByConformancePacks, returns a list of existing and deleted conformance packs and their associated compliance status with the count of compliant and noncompliant Amazon Config rules within each conformance pack.
-
DescribeAggregationAuthorizations, returns a list of authorizations granted to various aggregator accounts and regions.
-
DescribeConfigurationAggregators, returns the details of one or more configuration aggregators. If the configuration aggregator is not specified, this action returns the details for all the configuration aggregators associated with the account.
-
DescribeConfigurationAggregatorSourcesStatus, returns status information for sources within an aggregator. The status includes information about the last time Amazon Config verified authorization between the source account and an aggregator account.
-
DescribePendingAggregationRequests, returns a list of all pending aggregation requests.
-
GetAggregateConformancePackComplianceSummary, returns the count of compliant and noncompliant conformance packs across all Amazon Web Services accounts and Amazon Web Services Regions in an aggregator.
-
GetAggregateComplianceDetailsByConfigRule, returns the evaluation results for the specified Amazon Config rule for a specific resource in a rule. The results indicate which Amazon resources were evaluated by the rule, when each resource was last evaluated, and whether each resource complies with the rule.
-
GetAggregateConfigRuleComplianceSummary, returns the number of compliant and noncompliant rules for one or more accounts and regions in an aggregator.
-
GetAggregateDiscoveredResourceCounts, returns the resource counts across accounts and regions that are present in your Amazon Config aggregator.
-
GetAggregateResourceConfig, returns configuration item that is aggregated for your specific resource in a specific source account and region.
-
ListAggregateDiscoveredResources, accepts a resource type and returns a list of resource identifiers that are aggregated for a specific resource type across accounts and regions.
-
PutAggregationAuthorization, authorizes the aggregator account and region to collect data from the source account and region.
-
PutConfigurationAggregator, creates and updates the configuration aggregator with the selected source accounts and regions.
Advanced Queries
Use the following APIs for Amazon Config:
-
SelectAggregateResourceConfig, accepts a structured query language (SQL) SELECT command and an aggregator to query configuration state of Amazon resources across multiple accounts and regions.
-
SelectResourceConfig, accepts a structured query language (SQL) SELECT command, performs the corresponding search, and returns resource configurations matching the properties.
-
PutStoredQuery, saves a new query or updates an existing saved query.
-
GetStoredQuery, returns the details of a specific stored query.
-
ListStoredQueries, lists the stored queries for a single Amazon Web Services account and a single Amazon Web Services Region.
-
DeleteStoredQuery, deletes the stored query for a single Amazon Web Services account and a single Amazon Web Services Region.
This document was last published on November 26, 2024.