1-click setup - Amazon Config
SettingsRulesReview
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

1-click setup

Amazon Config 1-click setup helps simplify the getting started process for Amazon Config console customers by reducing the number of manual selections.

Note

For more information about the Get started process, see Manual setup.

To set up Amazon Config with the console using 1-click setup

  1. Sign in to the Amazon Web Services Management Console and open the Amazon Config console at https://console.amazonaws.cn/config/.

    The Amazon Config getting started page provides an overview of the service.

  2. Choose 1-click setup.

The set up page includes three steps, but through the 1-click setup workflow, you are automatically directed to Step 3 (Review). The following provides a breakdown of that procedure.

  • Settings: To select the manner by which the Amazon Config console records resources and roles, and choose where configuration history and configuration snapshot files are sent.

  • Rules: For Regions that support rules, this subsection is available for you to configure initial Amazon managed rules that you can add to your account.

    Note

    After setting up, Amazon Config will evaluate your Amazon resources against the rules that you chose. Additional rules can be created and existing ones can be updated in your account after setup. For more information about rules, see Managing your Amazon Config Rules.

  • Review: To verify your setup details.

Settings

Recording strategy

The option to record All resource types with customizable overrides is selected for you. If you select this option, Amazon Config will record all current and future supported resource types in this Region. For more information, see Supported Resource Types.

Note

Global resource types | Aurora global clusters are initially included in recording

The AWS::RDS::GlobalCluster resource type will be recorded in all supported Amazon Config Regions where the configuration recorder is enabled.

If you do not want to record AWS::RDS::GlobalCluster in all enabled Regions, you can exclude this resource type from recording after setup. Choose Settings in the left navigation bar, and then choosing Edit. From Edit, go to Override settings in the Recording method section, choose AWS::RDS::GlobalCluster, and choose the override "Exclude from recording".

Note

Global resource types | IAM resource types are initially excluded from recording

"All globally recorded IAM resource types" are initially excluded from recording to help you reduce costs. This bundle includes IAM users, groups, roles, and customer managed policies. Choose Remove to remove the override and include these resources in your recording.

The exception to this note is for US East (N. Virginia). The global IAM resource types are initially included in the US East (N. Virginia) Region as this Region functions as the home Region for the global IAM resource types.

Additionally, the global IAM resource types (AWS::IAM::User, AWS::IAM::Group, AWS::IAM::Role, and AWS::IAM::Policy) cannot be recorded in Regions supported by Amazon Config after February 2022. This list where you cannot record the global IAM resource types includes the following Regions:

  • Asia Pacific (Hyderabad)

  • Asia Pacific (Melbourne)

  • Canada West (Calgary)

  • Europe (Spain)

  • Europe (Zurich)

  • Israel (Tel Aviv)

  • Middle East (UAE)

  • Default settings

    The default recording frequency is set to Continuous for you. This means Amazon Config records configuration changes continuously whenever a change occurs.

    Amazon Config also supports the option to set the recording frequency to Daily. If you select this option after setup, you will receive a configuration item (CI) representing the most recent state of your resources over the last 24-hour period, only if it’s different from the previous CI recorded. For more information see, Recording Frequency.

    Note

    Amazon Firewall Manager depends on continuous recording to monitor your resources. If you are using Firewall Manager, it is recommended that you set the recording frequency to Continuous.

  • Override settings – optional

    Optionally, after setup you can override the record frequency for specific resource types, or exclude specific resource types from recording. To override the default settings, choose Settings in the left navigation of the Amazon Config console, and then choose Edit.

Note

High Number of Amazon Config Evaluations

You may notice increased activity in your account during your initial month recording with Amazon Config when compared to subsequent months. During the initial bootstrapping process, Amazon Config runs evaluations on all the resources in your account that you have selected for Amazon Config to record.

If you are running ephemeral workloads, you may see increased activity from Amazon Config as it records configuration changes associated with creating and deleting these temporary resources. An ephemeral workload is a temporary use of computing resources that are loaded and run when needed. Examples include Amazon Elastic Compute Cloud (Amazon EC2) Spot Instances, Amazon EMR jobs, and Amazon Auto Scaling. If you want to avoid the increased activity from running ephemeral workloads, you can run these types of workloads in a separate account with Amazon Config turned off to avoid increased configuration recording and rule evaluations.

Data governance

The default data retention period to retain Amazon Config data for 7 years (2557 days) is selected for you in this section.

The option to Use an existing Amazon Config service-linked role is selected for you and set to the Amazon Config role. Service-linked roles are predefined by Amazon Config and include all the permissions that the service requires to call other Amazon services.

Delivery method

The option to Choose a bucket from your account is selected for you in this section. This selection will default to the bucket in your account that is named in the format config-bucket-accountid (for example, config-bucket-012345678901). If you don't have a bucket created in that format, one will be created for you. If you want to create your own bucket, see Creating a bucket in the Amazon Simple Storage Service User Guide.

For more information about S3 buckets, see Buckets overview in the Amazon Simple Storage Service User Guide.

Rules

Under Amazon Managed Rules, no rules are selected for you at this step. Instead, you are encouraged to create and update rules after you have finished setting up your account.

Review

Review your Amazon Config setup details. You can go back to edit changes for each section. Choose Confirm to finish setting up Amazon Config.