Document History - Amazon Config
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Document History

The following table describes the important changes to the documentation for Amazon Config. For notification about updates to this documentation, you can subscribe to an RSS feed.

  • API version: 2014-11-12

  • Latest documentation update: December 9, 2024

ChangeDescriptionDate

Amazon Config supports service-linked configuration recorders

With this release, Amazon Config supports service-linked configuration recorders. You enable a service-linked configuration recorder in the supported service or using the Amazon CLI, and the recorder records the resource types needed for the linked service on your behalf. You can view details of a service-linked configuration recorder using the Amazon Config console or Amazon CLI. For more information, see Working with the configuration recorder.

November 27, 2024

Amazon Config updates managed rules

With this release, Amazon Config supports the following managed rules:

November 12, 2024

Security IAM update

The AWSConfigServiceRolePolicy policy and AWS_ConfigRole policy policy now grant additional permissions for Amazon AppConfig, Amazon CloudTrail, Amazon Connect, Amazon DataZone, Amazon DevOps Guru, Amazon Glue, Identity Store, Amazon IoT, Amazon IoT FleetWise, Amazon IoT Wireless, Amazon Interactive Video Service (Amazon IVS), Amazon CloudWatch Logs, Amazon CloudWatch Observability Access Manager, Amazon Payment Cryptography, Amazon Relational Database Service (Amazon RDS), Amazon Rekognition, Amazon Simple Storage Service (Amazon S3), Amazon EventBridge Scheduler, Amazon Systems Manager, and Amazon VPC Lattice. For more information, see Amazon managed policies for Amazon Config.

November 8, 2024

Amazon Config updates managed rules

With this release, Amazon Config supports the following managed rule: cognito-user-pool-advanced-security-enabled

November 6, 2024

Amazon Config updates managed rules

With this release, Amazon Config supports the following managed rules:

October 21, 2024

Security IAM update

The AWSConfigServiceRolePolicy policy and AWS_ConfigRole policy now grant additional permissions for Amazon OpenSearch Service Severless, Amazon AppStream, Amazon Backup, Amazon CloudTrail, Amazon Glue, EC2 Image Builder, Amazon IoT, Amazon Interactive Video Service (Amazon IVS), AWS Elemental MediaConnect, AWS Elemental MediaTailor, Amazon HealthOmics, and Amazon EventBridge Scheduler. For more information, see Amazon managed policies for Amazon Config.

September 16, 2024

Amazon Config updates managed rules

With this release, Amazon Config supports the following managed rules:

September 3, 2024

Amazon Config updates managed rules

With this release, Amazon Config supports the following managed rules:

July 22, 2024

Security IAM update

The AWSConfigServiceRolePolicy policy and AWS_ConfigRole policy now grant additional permissions for Amazon Elastic File System (Amazon EFS), Amazon Redshift and Amazon Systems Manager for SAP. For more information, see Amazon managed policies for Amazon Config.

June 17, 2024

Amazon Config updates managed rules

With this release, Amazon Config supports the following managed rules:

May 8, 2024

Amazon Config updates managed rules

With this release, Amazon Config supports the following managed rule: iam-external-access-analyzer-enabled

May 2, 2024

Amazon Config updates managed rules

With this release, Amazon Config supports the following managed rules:

April 26, 2024

Amazon Config simplifies usage analysis with Amazon CloudWatch

With this release, the Amazon CloudWatch metrics for monitoring Amazon Config data usage will display only billable usage. This means, non-billable usage will no longer be displayed in both the Amazon CloudWatch metrics emitted to Amazon Config and the Amazon Config console. This allows you to validate Amazon Config setup and usage using Amazon CloudWatch metrics and correlate billable usage with associated costs. For more information, see Amazon Config Usage and Success Metrics.

April 26, 2024

Amazon Config updates managed rules

With this release, Amazon Config supports the following managed rule: iam-server-certificate-expiration-check

April 23, 2024

Amazon Config updates managed rules

With this release, Amazon Config supports the following managed rules:

April 17, 2024

Amazon Config updates managed rules

With this release, Amazon Config supports the following managed rules:

April 16, 2024

Security IAM update

The AWSConfigServiceRolePolicy policy and AWS_ConfigRole policy now grant additional permissions for Amazon Managed Service for Prometheus, Amazon CloudWatch, Amazon Cognito, Amazon ElastiCache, Amazon FSx, Amazon Glue, Amazon Identity and Access Management (IAM), Amazon Lambda, Amazon RAM, Amazon Redshift Serverless, Amazon SageMaker AI, and Amazon Simple Notification Service (Amazon SNS). For more information, see Amazon managed policies for Amazon Config.

February 22, 2024

Amazon Config supports new resources types

With this release, you can use Amazon Config to record configuration changes to new Amazon AppConfig, Amazon CloudWatch Evidently, Amazon Identity and Access Management (IAM), Amazon MemoryDB (MemoryDB), Amazon Managed Streaming for Apache Kafka (Amazon MSK), Amazon Redshift, and Amazon Transfer Family resource types. For more information, see Supported Resource Types.

February 6, 2024

Amazon Config supports new resources types

With this release, you can use Amazon Config to record configuration changes to new Amazon AppStream, Amazon Key Management Service (Amazon KMS), Amazon Relational Database Service (Amazon RDS), Amazon Cognito, Amazon Elastic Compute Cloud (Amazon EC2), EC2 Image Builder, Amazon Ground Station, Amazon Mainframe Modernization, Amazon QuickSight, Amazon Redshift, and Amazon Systems Manager resource types. For more information, see Supported Resource Types.

January 3, 2024

Service limits increase for the maximum number of Amazon Config Rules per Region per account

With this release, Amazon Config supports 1000 Amazon Config rules per Amazon Region per account. This increase applies to the total of all deployed rules including Amazon Config managed rules, Amazon Config custom rules, Amazon Config conformance packs, Amazon Security Hub controls, Amazon Firewall Manager policies, and Amazon Backup backup plans per Region per account. For more information, see Service Limits.

December 19, 2023

Security IAM update

The AWSConfigServiceRolePolicy policy and AWS_ConfigRole policy now grant additional permissions for Amazon AppConfig, Amazon Managed Service for Prometheus, Amazon Database Migration Service (Amazon DMS), (Amazon Identity and Access Management) IAM, Amazon Managed Streaming for Apache Kafka (Amazon MSK), Amazon CloudWatch Logs, Amazon Organizations, and Amazon Simple Storage Service (Amazon S3). For more information, see Amazon managed policies for Amazon Config.

December 5, 2023

Preview release: Natural language query processor for advanced queries

With this release, you can use the natural language query processor for advanced queries, which uses generative artificial intelligence (generative AI) capabilities that allow you to ask questions in plain English and convert them into a ready-to-use query format. With the natural language query processor, you can query your Amazon Web Services account or across an Amazon organization. For more information, see Natural language query processor for advanced queries.

November 26, 2023

Periodic recording

With this release, Amazon Config supports periodic recording. Periodic recording provides you with the ability to capture the latest configuration changes for your resources over a fixed period of time. You can now set the default frequency for the configuration recorder to Daily, allowing you to receive a configuration item (CI) representing the most recent state of your resources over the last 24-hour period, only if it’s different from the previous CI recorded. The Amazon Config console also introduces a new recording strategy experience, where you can also override the recording frequency for specific resource types or exclude specific resource types from recording. This can help make your settings fit your granular requirements.

The following data types are added:

The following data types are updated:

The following pages in the developer guide are updated:

November 26, 2023

Security IAM update

The AWSConfigServiceRolePolicy policy and AWS_ConfigRole policy now grant additional permissions for Amazon Cognito, Amazon Connect, Amazon EMR, Amazon Ground Station, Amazon Mainframe Modernization, Amazon MemoryDB, Amazon Organizations, Amazon QuickSight, Amazon Relational Database Service (Amazon RDS), Amazon Redshift, Amazon Route 53, Amazon Service Catalog, and Amazon Transfer Family.

The AWSConfigServiceRolePolicy policy and AWS_ConfigRole policy also now add security identifiers (SID) for AWSConfigServiceRolePolicyStatementID, AWSConfigSLRLogStatementID, AWSConfigSLRLogEventStatementID, AWSConfigSLRApiGatewayStatementID, and AWSConfigServiceRolePolicy policy.

For more information, see Amazon managed policies for Amazon Config.

November 17, 2023

Amazon Config supports new resources types

With this release, you can use Amazon Config to record configuration changes to new Amazon Identity and Access Management (IAM), Amazon Network Manager, Amazon Private Certificate Authority (Amazon Private CA), Amazon App Mesh, Amazon Connect, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Container Service (Amazon ECS), Amazon IoT, Amazon IoT TwinMaker, Amazon Managed Streaming for Apache Kafka Connect (Amazon MSK Connect), Amazon Lambda, and Amazon Resource Explorer resource types. For more information, see Supported Resource Types.

November 3, 2023

Compliance and Inventory Dashboards for Aggregators

With this release, Amazon Config adds a compliance dashboard page and an inventory dashboard page to the aggregated view in the Amazon Config console.

For the compliance dashboard page, you can view automated dashboards with widgets that summarize insights on resource compliance within your aggregator, such as Top 10 resource types by noncompliant resources, Top 10 account level conformance packs by noncompliant rules, and more.

For the inventory dashboard page, you can view automated dashboard with widgets that summarize insights on resource configuration data within your aggregator, such as Top 10 resource types by resource count, Top 10 accounts by resource count, and more.

For information on the graph and charts, see Compliance dashboard and Inventory dashboard.

October 23, 2023

Security IAM update

The AWSConfigServiceRolePolicy policy and AWS_ConfigRole policy now grant additional permissions for Amazon Private CA, Amazon App Mesh, Amazon Connect, Amazon Elastic Container Service (Amazon ECS), Amazon CloudWatch Evidently, Amazon Managed Grafana, Amazon GuardDuty, Amazon Inspector, Amazon IoT, Amazon IoT TwinMaker, Amazon Managed Streaming for Apache Kafka (Amazon MSK), Amazon Lambda, Amazon Network Manager, Amazon Organizations, and Amazon SageMaker AI. For more information, see Amazon managed policies for Amazon Config.

October 4, 2023

Amazon Config supports new resources types

With this release, you can use Amazon Config to record configuration changes to new Amazon IoT, Amazon IoT TwinMaker, Amazon IoT Wireless, Amazon Personalize Amazon Managed Streaming for Apache Kafka (Amazon MSK), Amazon SageMaker AI, Amazon CodeBuild, Amazon AppStream, and Amazon Inspector resource types. For more information, see Supported Resource Types.

October 4, 2023

Security IAM update

The AWSConfigServiceRolePolicy policy now removes permissions for Amazon Systems Manager (Systems Manager). For more information, see Amazon managed policies for Amazon Config.

September 6, 2023

Amazon Config supports new resources types

With this release, you can use Amazon Config to record configuration changes to new Amazon CodeGuru Profiler, AWS Elemental MediaConnect, Amazon Transfer Family, Amazon Managed Service for Prometheus, Amazon Batch, Amazon Cloud Map, and Amazon Route 53 Resolver resource types. For more information, see Supported Resource Types.

September 6, 2023

Amazon Config supports new resources types

With this release, you can use Amazon Config to record configuration changes to new Amazon Amplify, Amazon AppIntegrations, Amazon App Mesh, Amazon Athena, Amazon Elastic Compute Cloud (Amazon EC2), Amazon CloudWatch Evidently, Amazon Forecast, Amazon IoT Greengrass Version 2, Amazon Ground Station, AWS Elemental MediaConvert, AWS Elemental MediaTailor, Amazon Managed Streaming for Apache Kafka (Amazon MSK), Amazon Personalize, Amazon Pinpoint, and Amazon Resilience Hub resource types. For more information, see Supported Resource Types.

August 3, 2023

Security IAM update

The AWSConfigServiceRolePolicy policy and AWS_ConfigRole policy now grant additional permissions for Amazon Managed Workflows for Amazon App Mesh, Amazon AppStream 2.0, Amazon CloudFormation, Amazon CloudFront Amazon CodeArtifact, Amazon CodeBuild, Amazon Connect, Amazon Glue, Amazon GuardDuty, Amazon Identity and Access Management (IAM), Amazon Inspector, Amazon IoT, Amazon IoT TwinMaker, Amazon IoT Wireless, Amazon Managed Streaming for Apache Kafka, Amazon Macie, AWS Elemental MediaConnect, Amazon Network Manager, Amazon Organizations, Amazon Resource Explorer, Amazon Route 53, Amazon Simple Storage Service (Amazon S3), Amazon Simple Notification Service (Amazon SNS), and Amazon EC2 Systems Manager (SSM). For more information, see Amazon managed policies for Amazon Config.

July 28, 2023

Amazon Config supports new resources types

With this release, you can use Amazon Config to record configuration changes to new Amazon Kinesis, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Pinpoint, Amazon Simple Storage Service (Amazon S3), Amazon Virtual Private Cloud (Amazon VPC), Amazon Kendra, Amazon Connect, Amazon CloudFormation, Amazon AppConfig, Amazon App Mesh, Amazon App Runner, and Amazon Database Migration Service (Amazon DMS) resource types. For more information, see Supported Resource Types.

July 10, 2023

Service limits increase for organization conformance packs

With this release, Amazon Config supports 350 Amazon Config rules per region per account across all conformance packs and 350 organizational Amazon Config rules per organization. For more information, see Service Limits.

June 13, 2023

Security IAM update

The AWSConfigServiceRolePolicy policy and AWS_ConfigRole policy now grant additional permissions for Amazon Managed Workflows for Amazon Amplify, Amazon Connect, Amazon App Mesh, Amazon Managed Service for Prometheus, Amazon Athena, Amazon Batch, Amazon CloudFormation, Amazon CloudTrail, Amazon CodeArtifact, Amazon CodeGuru, Amazon Directory Service, Amazon DynamoDB, Amazon Elastic Compute Cloud (Amazon EC2), Amazon CloudWatch Evidently, Amazon Forecast, Amazon Organizations, Amazon IoT Greengrass, Amazon Ground Station, Amazon Identity and Access Management (IAM), Amazon Managed Streaming for Apache Kafka(Amazon MSK), Amazon Lightsail, Amazon CloudWatch Logs, AWS Elemental MediaConnect, AWS Elemental MediaTailor, Amazon Pinpoint, Amazon Virtual Private Cloud (Amazon VPC), Amazon Personalize, Amazon QuickSight, Amazon Migration Hub Refactor Spaces, Amazon Simple Storage Service (Amazon S3), Amazon SageMaker AI, and Amazon Transfer Family. For more information, see Amazon managed policies for Amazon Config.

June 13, 2023

Amazon Config Recording Exclusions by Resource Type

With this release, Amazon Config allows you to exclude specific types of Amazon resources from inventory tracking and compliance monitoring while still tracking all other supported resource types currently available in Amazon Config, including those that will be added in the future. You can use this feature to concentrate on critical resources that are subject to your compliance and governance standards.

The updates to the API for the configuration recorder and recording group are backward compatible, meaning that they work with previous versions of the PutConfigurationRecorder API. You can continue to manage which resource types are recorded in the exact same way as before without using the updated or new APIs.

The following data types are added:

The following data types are updated:

The following page in the developer guide is updated:

June 9, 2023

Amazon Config supports new resources types

With this release, you can use Amazon Config to record configuration changes to new Amazon Elastic Container Service (Amazon ECS), Amazon Keyspaces (for Apache Cassandra) (Amazon Keyspaces), Amazon Signer, Amazon Amplify, Amazon App Mesh, Amazon App Runner, Amazon AppStream 2.0, Amazon CodeArtifact, Amazon Elastic Compute Cloud (Amazon EC2), Amazon CloudWatch Evidently, Amazon Forecast, Amazon Identity and Access Management (IAM), Amazon Pinpoint, Amazon SageMaker AI, Amazon Transfer Family, Amazon Data Firehose resource types. For more information, see Supported Resource Types.

June 5, 2023

Amazon Config supports new resources types

With this release, you can use Amazon Config to record configuration changes to new Amazon Route 53 Resolver, Amazon Elastic Compute Cloud (Amazon EC2), Amazon IoT Wireless, Amazon Network Manager, Amazon Device Farm, Amazon Ground Station, Amazon AppFlow, Amazon Redshift, Amazon Pinpoint, Amazon IoT, Amazon AppConfig, EC2 Image Builder, Amazon CloudWatch, Amazon Panorama, Amazon SageMaker Runtime, Amazon ECR, and Amazon Audit Manager resource types. For more information, see Supported Resource Types.

May 5, 2023

Amazon Config supports new resources types

With this release, you can use Amazon Config to record configuration changes to AWS::NetworkFirewall::TLSInspectionConfiguration. For more information, see Supported Resource Types.

May 1, 2023

Security IAM update

The AWSConfigServiceRolePolicy policy and AWS_ConfigRole policy now grant additional permissions for Amazon Managed Workflows for Amazon Amplify, Amazon App Mesh, Amazon App Runner, Amazon CloudFront, Amazon CodeArtifact, Amazon Elastic Compute Cloud, Amazon Kendra, Amazon Macie, Amazon Route 53, Amazon SageMaker AI, Amazon Transfer Family, Amazon Pinpoint, Amazon Migration Hub, Amazon Resilience Hub, Amazon CloudWatch, Amazon Directory Service, and Amazon WAF. For more information, see Amazon managed policies for Amazon Config.

April 13, 2023

Service limits increase for organization conformance packs

With this release, Amazon Config supports 350 Amazon Config rules per account across all organization conformance packs. For more information, see Service Limits.

April 3, 2023

Amazon Config supports new resources types

With this release, you can use Amazon Config to record configuration changes to new Amazon AppStream 2.0, Amazon Auto Scaling, Amazon Connect Amazon Elastic Compute Cloud, Amazon EventBridge, HealthLake, Kinesis video stream, Amazon IoT TwinMaker, Lookout for Vision, Network Manager, Amazon Pinpoint, Amazon Application Recovery Controller (ARC), and Amazon RoboMaker resource types. For more information, see Supported Resource Types.

April 3, 2023

Security IAM update

The AWSConfigServiceRolePolicy policy and AWS_ConfigRole policy now grant additional permissions for Amazon Managed Workflows for Amazon AppFlow, Amazon App Runner, Amazon AppStream 2.0, Amazon CloudFormation, Amazon CloudFront, Amazon CloudWatch, Amazon CodeArtifact, Amazon CodeCommit, Amazon Device Farm, Amazon Elastic Compute Cloud (Amazon EC2), Amazon CloudWatch Evidently, Amazon Forecast, Amazon Ground Station, Amazon Identity and Access Management (IAM), Amazon IoT, Amazon MemoryDB, Amazon Pinpoint, Amazon Network Manager, Amazon Panorama, Amazon Relational Database Service (Amazon RDS), Amazon Redshift, and Amazon SageMaker AI. For more information, see Amazon managed policies for Amazon Config.

March 30, 2023

Security IAM update

The AWSConfigServiceRolePolicy policy and AWS_ConfigRole policy now grant additional permissions for Amazon Audit Manager. For more information, see Amazon managed policies for Amazon Config.

March 3, 2023

Amazon Config supports new resources types

With this release, you can use Amazon Config to record configuration changes to new AWS Elemental MediaPackage, Amazon EventBridge, Amazon IoT, (Amazon Simple Storage Service (Amazon S3), Amazon Elastic Compute Cloud (Amazon EC2), Amazon Lookout for Metrics, Amazon Lex, Amazon Budgets, Amazon Device Farm, Amazon CodeGuru Reviewer, Amazon Route 53 Resolver, and Amazon RoboMaker resource types. For more information, see Supported Resource Types.

March 2, 2023

Security IAM update

Amazon Config now tracks changes to the AWSConfigMultiAccountSetupPolicy policy. For more information, see Amazon managed policies for Amazon Config.

February 27, 2023

Amazon Config Resource Coverage by Region Availability

With this release, Amazon Config provides Region information for each supported resource type. For information on which resource types are supported in which Regions, see Resource Coverage by Region Availability.

February 20, 2023

Amazon Config supports new resources types

With this release, you can use Amazon Config to record configuration changes to new Amazon Interactive Video Service (Amazon IVS), Amazon Simple Storage Service (Amazon S3), Amazon Glue, Amazon Elastic Kubernetes Service (Amazon EKS), Amazon IoT, Amazon Relational Database Service (Amazon RDS), and Managed Service for Apache Flink resource types. For more information, see Supported Resource Types.

February 7, 2023

Security IAM update

The AWSConfigServiceRolePolicy policy and AWS_ConfigRole policy now grant additional permissions for Amazon Managed Workflows for Apache Airflow, Amazon IoT, Amazon AppStream 2.0, Amazon CodeGuru Reviewer, Amazon HealthLake, Amazon Kinesis Video Streams, Amazon Application Recovery Controller (ARC), Amazon Device Farm, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Pinpoint, Amazon Identity and Access Management (IAM), Amazon GuardDuty, and Amazon CloudWatch Logs. For more information, see Amazon managed policies for Amazon Config.

February 1, 2023

Security IAM update

As a security best practice, the ConfigConformsServiceRolePolicy policy now removes broad resource-level permission for config:DescribeConfigRules. For more information, see Amazon managed policies for Amazon Config.

January 12, 2023

Security IAM update

The AWSConfigServiceRolePolicy policy and AWS_ConfigRole policy now grant additional permissions for Amazon Managed Service for Prometheus, Amazon Audit Manager, Amazon Device Farm, Amazon Database Migration Service (Amazon DMS), Amazon Directory Service, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Glue, Amazon IoT, Amazon Lightsail, AWS Elemental MediaPackage, Amazon Network Manager, Amazon QuickSight, Amazon Resource Access Manager, Amazon Application Recovery Controller (ARC), Amazon Simple Storage Service (Amazon S3), and Amazon Timestream. For more information, see Amazon managed policies for Amazon Config.

January 10, 2023

Amazon Config supports new resources types

With this release, you can use Amazon Config to record configuration changes to new Amazon MQ, Amazon AppConfig, Amazon Cloud9, Amazon EventBridge schemas, Amazon Fraud Detector, Amazon IoT, Amazon IoT Analytics, Amazon Lightsail, AWS Elemental MediaPackage (MediaPackage), Amazon Application Recovery Controller (ARC), Amazon Resilience Hub, and Amazon Transfer Family resource types. For more information, see Supported Resource Types.

January 5, 2023

Amazon Config rule resource coverage

With this release, Amazon Config displays the resource type coverage for an increased number of Amazon Config managed rules.

December 21, 2022

Amazon Config rule discoverability

With this release, Amazon Config supports pages for List of Amazon Config Managed Rules by Evaluation Mode, List of Amazon Config Managed Rules by Trigger Type, and List of Amazon Config Managed Rules by Region Availability.

December 21, 2022

Amazon Config supports new resources types

With this release, you can use Amazon Config to record configuration changes to new Amazon CloudWatch RUM, Amazon EventBridge, Amazon GuardDuty, Amazon Simple Email Service (Amazon SES), Amazon Backup, Amazon DataSync, and Amazon Fault Injection Service (Amazon FIS) resource types. For more information, see Supported Resource Types.

December 9, 2022

Amazon Config Proactive Compliance

With this release, Amazon Config supports the ability to proactively check for compliance with Amazon Config rules before resource provisioning. This allows you to evaluate the configuration settings of your resources before they are created or updated. Use Amazon Config to track the configuration changes made to your resources, either pre-provisioning or post-provisioning, and check if your resources match your desired configurations.

The following data types are added:

The following data types are updated:

The following pages in the developer guide are updated:

November 28, 2022

Amazon Config supports new resources types

With this release, you can use Amazon Config to record configuration changes to new Amazon IoT Events, Amazon Cloud Map, EC2 Image Builder, Amazon DataSync, Amazon Glue, Amazon Application Recovery Controller (ARC), and Amazon Elastic Container Registry (Amazon ECR) resource types. For more information, see Supported Resource Types.

November 8, 2022

Security IAM update

The AWSConfigServiceRolePolicy policy and AWS_ConfigRole policy now grant additional permissions for Amazon CloudFormation. For more information, see Amazon managed policies for Amazon Config.

November 7, 2022

Security IAM update

The AWSConfigServiceRolePolicy policy and AWS_ConfigRole policy now grant additional permissions for Amazon Certificate Manager, Amazon Managed Workflows for Apache Airflow, Amazon Amplify, Amazon AppConfig, Amazon Keyspaces, Amazon CloudWatch, Amazon Connect, Amazon Glue DataBrew, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Kubernetes Service (Amazon EKS), Amazon EventBridge, Amazon Fault Injection Service, Amazon Fraud Detector, Amazon FSx, Amazon GameLift, Amazon Location Service, Amazon IoT, Amazon Lex, Amazon Lightsail, Amazon Pinpoint, Amazon OpsWorks, Amazon Panorama, Amazon Resource Access Manager, Amazon QuickSight, Amazon Relational Database Service (Amazon RDS), Amazon Rekognition, Amazon RoboMaker, Amazon Resource Groups, Amazon Route 53, Amazon Simple Storage Service (Amazon S3), Amazon Cloud Map, and Amazon Security Token Service. For more information, see Amazon managed policies for Amazon Config.

October 19, 2022

Amazon Config supports new resources types

With this release, you can use Amazon Config to record configuration changes to new Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Email Service (Amazon SES), Amazon AppConfig, Amazon Cloud Map, and Amazon DataSync resource types. For more information, see Supported Resource Types.

October 6, 2022

Amazon Config supports new resources types

With this release, you can use Amazon Config to record configuration changes to new Amazon GuardDuty, Amazon SageMaker AI, Amazon AppSync, Amazon Cloud Map, and Amazon DataSync resource types. For more information, see Supported Resource Types.

October 4, 2022

Security IAM update

The AWSConfigServiceRolePolicy policy and AWS_ConfigRole policy now grant additional permissions for Amazon Glue. For more information, see Amazon managed policies for Amazon Config.

September 14, 2022

Security IAM update

The AWSConfigServiceRolePolicy policy and AWS_ConfigRole policy now grant additional permissions for Amazon AppFlow, Amazon CloudWatch, Amazon CloudWatch RUM, Amazon CloudWatch Synthetics, Amazon Connect Customer Profiles, Amazon Connect Voice ID, Amazon DevOps Guru, Amazon Elastic Compute Cloud (Amazon EC2), Amazon EC2 Auto Scaling, Amazon EMR, Amazon EventBridge, Amazon EventBridge Schemas, Amazon FinSpace, Amazon Fraud Detector, Amazon GameLift, Amazon Interactive Video Service (Amazon IVS), Amazon Managed Service for Apache Flink, EC2 Image Builder, Amazon Lex, Amazon Lightsail, Amazon Location Service, Amazon Lookout for Equipment, Amazon Lookout for Metrics, Amazon Lookout for Vision, Amazon Managed Blockchain, Amazon MQ, Amazon Nimble StudioAmazon Pinpoint, Amazon QuickSight, Amazon Application Recovery Controller (ARC), Amazon Route 53 Resolver, Amazon Simple Storage Service (Amazon S3), Amazon SimpleDB, Amazon Simple Email Service (Amazon SES), Amazon Timestream, Amazon AppConfig, Amazon AppSync, Amazon Auto Scaling, Amazon Backup, Amazon Budgets, Amazon Cost Explorer, Amazon Cloud9, Amazon Directory Service, Amazon DataSync, AWS Elemental MediaPackage, Amazon Glue, Amazon IoT, Amazon IoT Analytics, Amazon IoT Events, Amazon IoT SiteWise, Amazon IoT TwinMaker, Amazon Lake Formation, Amazon License Manager, Amazon Resilience Hub, Amazon Signer, and Amazon Transfer Family. For more information, see Amazon managed policies for Amazon Config.

September 7, 2022

Security IAM update

The AWSConfigServiceRolePolicy policy and AWS_ConfigRole policy now grant additional permissions for Amazon Simple Email Service (Amazon SES), Amazon DataSync, and Amazon Cloud Map. For more information, see Amazon managed policies for Amazon Config.

August 22, 2022

Amazon Config supports new resources types

With this release, you can use Amazon Config to record configuration changes to new Amazon Athena, Amazon Detective, Amazon SageMaker AI, Amazon Route 53, Amazon Database Migration Service (Amazon DMS), Amazon Glue, Amazon Key Management Service (Amazon KMS), and Amazon Simple Email Service (Amazon SES) resource types. For more information, see Supported Resource Types.

August 16, 2022

Security IAM update

The ConfigConformsServiceRolePolicy policy now grants permission to publish metric data points to Amazon CloudWatch. For more information, see Amazon managed policies for Amazon Config.

July 25, 2022

Security IAM update

The AWSConfigServiceRolePolicy policy and AWS_ConfigRole policy now grant additional permissions for Amazon Elastic Container Service (Amazon ECS), Amazon ElastiCache, Amazon EventBridge, Amazon FSx, Amazon Managed Service for Apache Flink, Amazon Location Service, Amazon Managed Streaming for Apache Kafka, Amazon QuickSight, Amazon Rekognition, Amazon RoboMaker, Amazon Simple Storage Service (Amazon S3), Amazon Simple Email Service (Amazon SES), Amazon Amplify, Amazon AppConfig, Amazon AppSync, Amazon Billing Conductor, Amazon DataSync, Amazon Firewall Manager, Amazon Glue, Amazon IAM Identity Center (IAM Identity Center), EC2 Image Builder, and Elastic Load Balancing. For more information, see Amazon managed policies for Amazon Config.

July 15, 2022

Amazon Config supports new resources types

With this release, you can use Amazon Config to record configuration changes to new Amazon Elastic Compute Cloud (Amazon EC2) resource types. For more information, see Supported Resource Types.

July 8, 2022

Amazon Config supports new resources type

With this release, you can use Amazon Config to record configuration changes to new Amazon Global Accelerator resource types. For more information, see Supported Resource Types.

July 5, 2022

Amazon Config supports new resources types

With this release, you can use Amazon Config to record configuration changes to new Amazon SageMaker AI resource types. For more information, see Supported Resource Types.

June 29, 2022

Amazon Config supports new resources types

With this release, you can use Amazon Config to record configuration changes to new Amazon Managed Streaming for Apache Kafka (Amazon MSK), Amazon Route 53, Amazon WorkSpaces, Amazon Batch, Amazon Identity and Access Management Access Analyzer (IAM Access Analyzer), Amazon Database Migration Service (Amazon DMS), Amazon Step Functions, and Elastic Load Balancing resource types. For more information, see Supported Resource Types.

June 14, 2022

Amazon Config Integration with Amazon Security Hub

With this release, you can see the results of Amazon Config managed and custom rule evaluations as findings in Amazon Security Hub. Security Hub transforms rule evaluations into findings, which provide more information about the impacted resources, such as the Amazon Resource Name (ARN) and creation date. These findings can be viewed alongside other Security Hub findings, providing a comprehensive overview of your security posture. For more information, see Sending Rule Evaluations to Security Hub

June 7, 2022

Security IAM update

The AWSConfigServiceRolePolicy policy and AWS_ConfigRole policy now grant additional permissions for Amazon Athena, Amazon Detective, Amazon GuardDuty, Amazon Macie, Amazon Simple Email Service (Amazon SES), Amazon Glue, Amazon Resource Access Manager (Amazon RAM), and Amazon IAM Identity Center. For more information, see Amazon managed policies for Amazon Config.

May 31, 2022

Amazon Config supports new resources types

With this release, you can use Amazon Config to record configuration changes to new Amazon SageMaker AI and Amazon Step Functions resource types. For more information, see Supported Resource Types.

May 26, 2022

Components of an Amazon Config Rule

With this release, Amazon Config introduces a Components of an Amazon Config Rule page. The page discusses the structure of rule definitions, rule metadata, and best practices on how to write rules with Python using the Amazon Config Rules Development Kit (RDK) and Amazon Config Rules Development Kit Library (RDKlib).

May 9, 2022

Service limits increase for organization conformance packs

With this release, Amazon Config supports 180 Amazon Config rules per account across all organization conformance packs. For more information, see Service Limits.

May 6, 2022

Security IAM update

The AWSConfigServiceRolePolicy policy and AWS_ConfigRole policy now grant additional permissions to get information about all or a specified Amazon CloudTrail event data store (EDS), get information about all or a specified Amazon CloudFormation resource, get a list of a DynamoDB Accelerator (DAX) parameter group or subnet group, get information about Amazon Database Migration Service (Amazon DMS) replication tasks for your account in the current region being accessed, and get a list all policies in an Amazon Organizations of a specified type. For more information, see Amazon managed policies for Amazon Config.

April 7, 2022

Amazon Config Custom Policy rules

With this release, Amazon Config allows you to create Amazon Config Custom Policy rules using Amazon CloudFormation Guard (guard). Guard is a policy-as-code language that allows you to write policies that are enforced by Amazon Config without the need to create Lambda functions to manage your custom rules. Rules written using Guard policy can be created from the Amazon Config console or by using the Amazon Config rule APIs.

The following pages in the developer guide are updated:

The following data types are updated:

April 4, 2022

Amazon Config supports new resources type

With this release, you can use Amazon Config to record configuration changes to the new Amazon EMR SecurityConfiguration resource type. For more information, see Supported Resource Types.

March 31, 2022

Amazon Config Integration with Amazon CloudWatch Metrics

With this release, Amazon Config now supports tracking of your Amazon Config usage and success metrics with Amazon CloudWatch in the Amazon Config Dashboard page. CloudWatch metrics is a monitoring service which provides data about the performance of your systems, including the ability to search, graph, and build alarms on metrics about Amazon resources. From the Amazon Config Dashboard, you can see what traffic is driving your Amazon Config usage and key metrics for failures that have occured in your workflow.

The following page is updated:

March 29, 2022

Amazon Config supports new resources type

With this release, you can use Amazon Config to record configuration changes to new Amazon GuardDuty Detector resource type. For more information, see Supported Resource Types.

March 24, 2022

Security IAM update

The AWSConfigServiceRolePolicy policy and AWS_ConfigRole policy now grant additional permissions for Amazon CloudFormation. For more information, see Amazon managed policies for Amazon Config.

March 14, 2022

Amazon Config supports new resources types

With this release, you can use Amazon Config to record configuration changes to new Amazon Elastic Container Registry Public resource types. For more information, see Supported Resource Types.

March 4, 2022

Amazon Config supports new resources types

With this release, you can use Amazon Config to record configuration changes to new Amazon Elastic Compute Cloud resource types. For more information, see Supported Resource Types.

February 28, 2022

Logging and Monitoring in Amazon Config Update

With this release, Amazon Config updates the Monitoring Amazon Config with Amazon EventBridge Events page to replace references to Amazon CloudWatch Events. Amazon EventBridge is the preferred way to manage your events. CloudWatch Events and EventBridge are the same underlying service and API, but EventBridge provides more features. Changes you make in either CloudWatch or EventBridge will appear in each console. For more informance, see Amazon EventBridge.

February 24, 2022

Amazon SDK Page for Amazon Config

With this release, Amazon Config introduces a Using Amazon Config with an Amazon SDK page. Amazon software development kits (SDKs) are available for many popular programming languages. Each SDK provides an API, code examples, and documentation that make it easier for developers to build applications in their preferred language.

February 24, 2022

Security IAM Role Trust policy update

With this release, Amazon Config updates the IAM trust policy statement to include security protections in the trust policy that restrict access with sourceARN and/or sourceAccountId for the Amazon Security Token Service (Amazon STS) operation. This helps make sure that the IAM role trust policy is accessing your resources on behalf of expected users and scenarios only.

The following page is updated:

February 18, 2022

Changes to Global Resource Type Recording

Amazon Config now changes how new global resource types are recorded in Amazon Config Recording. Global resource types are Amazon resources that do not require you to specify a region at creation. Before this change, you could enable the recording of global resource types in all supported regions in Amazon Config. After this change, new global resource types onboarded to Amazon Config recording can only be recorded in the service's home region for the commercial partition, and Amazon GovCloud (US-West) for the Amazon GovCloud (US) partition. You will now be able to view the configuration items for these new global resource types only in their home region and Amazon GovCloud (US-West). For a list of home regions for global resource types onboarded after February 2022, see the table on the Recording All Supported Resource Types page.

February 18, 2022

Security IAM update

The AWSConfigServiceRolePolicy policy and AWS_ConfigRole policy now grant permission to get details about Elastic Beanstalk environments and a description of the settings for the specified Elastic Beanstalk configuration set, get a map of OpenSearch or Elasticsearch versions, describe the available Amazon RDS option groups for a database, and get information about a CodeDeploy deployment configuration. This policy also now grants permission to retrieve the specified alternate contact attached to an Amazon Web Services account, retrieve information about an Amazon Organizations policy, retrieve an Amazon ECR repository policy, retrieve information about an archived Amazon Config rule, retrieve a list of Amazon ECS task definition families, list the root or parent organizational units (OUs) of the specified child OU or account, and list the policies that are attached to the specified target root, organizational unit, or account. For more information, see Amazon managed policies for Amazon Config.

February 10, 2022

Security IAM update

The AWSConfigServiceRolePolicy policy and AWS_ConfigRole policy now grant permission to create Amazon CloudWatch log groups and streams and to write logs to created log streams. For more information, see Amazon managed policies for Amazon Config.

February 2, 2022

Amazon Config supports new resources types

With this release, you can use Amazon Config to record configuration changes to Amazon CodeDeploy resource types. For more information, see Supported Resource Types.

January 5, 2022

Amazon Config supports new resources types

With this release, you can use Amazon Config to record configuration changes to new Amazon SageMaker AI resource types. For more information, see Supported Resource Types.

December 20, 2021

Amazon Config supports new resources types

With this release, you can use Amazon Config to record configuration changes to new Amazon OpenSearch Service resource types. For more information, see Supported Resource Types.

October 12, 2021

Security IAM update

The AWSConfigServiceRolePolicy policy and AWS_ConfigRole policy now grant permission to get details about an Amazon OpenSearch Service (OpenSearch Service) domain/domains and to get a detailed parameter list for a particular Amazon Relational Database Service (Amazon RDS) DB parameter group. This policy also grants permission to get details about Amazon ElastiCache snapshots. For more information, see Amazon managed policies for Amazon Config.

September 8, 2021

Amazon Config supports new resources types

With this release, you can use Amazon Config to record configuration changes to new Amazon Elastic Compute Cloud resource types. For more information, see Supported Resource Types.

September 7, 2021

Security Amazon SNS policy update

With this release, Amazon Config updates the IAM policy statement for the Amazon SNS topic when using service-linked roles to include security protections that restrict access with sourceARN and/or sourceAccountId in the topic policy. This helps make sure Amazon SNS is accessing your resources on behalf of expected users and scenarios only.

The following page is updated:

August 17, 2021

Security Amazon Lambda policy update

With this release, Amazon Config updates the Amazon Lambda resource-based policy for Amazon Config custom rules to include security protections that restrict access with sourceARN and/or sourceAccountId in the invoke request. This helps make sure Amazon Lambda is accessing your resources on behalf of expected users and scenarios only.

The following pages are updated:

August 12, 2021

Amazon Config supports new resources types

With this release, you can use Amazon Config to record configuration changes to Amazon Kinesis resource types. For more information, see Supported Resource Types.

August 6, 2021

Example Amazon Lambda Functions for Amazon Config Custom Rules

With this release, Amazon Config provides Python example functions in Example Amazon Lambda Functions for Amazon Config Rules (Python).

July 29, 2021

Security IAM update

The AWSConfigServiceRolePolicy policy and AWS_ConfigRole policy now grant permission to list tags for a log group, list tags for a state machine, and list all state machines. These policies now grant permission to get details about a state machine. These policies also now support additional permission for Amazon EC2 Systems Manager (SSM), Amazon Elastic Container Registry, Amazon FSx, Amazon Data Firehose, Amazon Managed Streaming for Apache Kafka (Amazon MSK), Amazon Relational Database Service (Amazon RDS), Amazon Route 53, Amazon SageMaker AI, Amazon Simple Notification Service, Amazon Database Migration Service, Amazon Global Accelerator, and Amazon Storage Gateway. For more information, see Amazon managed policies for Amazon Config.

July 28, 2021

Amazon Config supports new resources types

With this release, you can use Amazon Config to record configuration changes to Amazon Backup resource types. For more information, see Supported Resource Types.

July 14, 2021

Amazon Config updates managed rules

With this release, Amazon Config supports the following managed rules:

June 25, 2021

Amazon Config updates managed rules

With this release, Amazon Config supports the following managed rules:

June 10, 2021

Security IAM update

The AWSConfigServiceRolePolicy policy and AWS_ConfigRole policy now grant permission to view the permissions of Amazon Systems Manager documents and information about IAM Access Analyzer. These policies now support additional Amazon resource types for Amazon Kinesis, Amazon ElastiCache, Amazon EMR, Amazon Network Firewall, Amazon Route 53, and Amazon Relational Database Service (Amazon RDS). These permission changes allow Amazon Config to invoke the read-only APIs required to support these resource types. These policies also now support filtering Lambda@Edge functions for the lambda-inside-vpc Amazon Config managed rule. For more information, see Amazon managed policies for Amazon Config.

June 8, 2021

Amazon Config supports new resources types

With this release, you can use Amazon Config to record configuration changes to Amazon Elastic File System resource types. For more information, see Supported Resource Types.

May 13, 2021

Security IAM update

The AWSConfigServiceRolePolicy policy and AWS_ConfigRole policy now grants permission that allow Amazon Config to make read-only GET calls to API Gateway to support a Config Rule for API Gateway. These policies also adds permissions that allow Amazon Config to invoke Amazon Simple Storage Service (Amazon S3) read-only APIs, which are required to support the new AWS::S3::AccessPoint resource type. For more information, see Amazon managed policies for Amazon Config.

May 10, 2021

Amazon Config Custom Rules

The following pages in the developer guide are updated:

April 30, 2021

Security IAM update

The AWSConfigServiceRolePolicy policy and AWS_ConfigRole policy now grant permission to view information about Amazon Systems Manager specified documents. These policies also now support additional Amazon resource types for Amazon Backup, Amazon Elastic File System, Amazon ElastiCache, Amazon Simple Storage Service (Amazon S3), Amazon Elastic Compute Cloud (Amazon EC2), Amazon Kinesis, Amazon SageMaker AI, Amazon Database Migration Service, and Amazon Route 53. These permission changes allow Amazon Config to invoke the read-only APIs required to support these resource types. For more information, see Amazon managed policies for Amazon Config.

April 14, 2021

Pagination update

With this release, Amazon Config advanced queries feature now supports pagination for queries that contain aggregate functions, such as COUNT and SUM. You can now use advanced queries to get complete results for your aggregate queries through pagination, which were previously limited to 500 rows. For more information, see Querying the Current Configuration State of Amazon Resources

March 26, 2021

Region support

With this release, Amazon Config and Amazon Config Rules is now supported in Asia Pacific (Osaka) Region.

March 4, 2021

Amazon Config supports new resources types

With this release, you can use Amazon Config to record configuration changes to Amazon Elastic Container Registry, Amazon Elastic Container Service, and Amazon Elastic Kubernetes Service resource types. For more information, see Supported Resource Types.

February 25, 2021

KMS encryption support

With this release, Amazon Config allows you to use KMS-based encryption on objects delivered by Amazon Config for S3 bucket delivery.

The following data types are updated:

The following pages in the developer guide are updated:

February 16, 2021

Saved Query Region support

With this release, saved query is now supported in Amazon GovCloud (US-East) and Amazon GovCloud (US-West) Regions.

February 15, 2021

Advanced queries Region support

With this release, advanced queries is now supported in Africa (Cape Town) and Europe (Milan) Regions. For more information, see Querying the Current Configuration State of Amazon Resources.

February 15, 2021

Amazon Config documentation history notification available through RSS feed

You can now receive notification about updates to the Amazon Config documentation by subscribing to an RSS feed.

January 1, 2021

Earlier Updates

The following table describes the documentation release history of Amazon Config prior to Dec 31, 2020.

Change Description Release Date
Saved Query support

With this release, Amazon Config allows you to save your queries. After you save the query, you can search it, copy it to the query editor, edit it, or delete it. For more information about how to save a query, see the Query Using the SQL Query Editor for Amazon Config (Console) and Query Using the SQL Query Editor for Amazon Config (Amazon CLI).

For more information about APIs, see the Amazon Config API Reference:

Also see Service Limits for Amazon Config.

December 21, 2020
Amazon Config supports Amazon Network Firewall

With this release, you can use Amazon Config to record configuration changes to your Amazon Network Firewall FirewallPolicy, RuleGroup, and Firewall resource types. For more information, see Supported Resource Types for Amazon Config.

December 4, 2020
Amazon Config updates managed rules

With this release, Amazon Config supports the following managed rules:

September 17, 2020
Amazon Config supports Amazon WAFv2

With this release, you can use Amazon Config to record configuration changes to your Amazon WAFv2 WebACL, IPSet, RegexPatternSet, RuleGroup, and ManagedRuleSet resource types. For more information, see Supported Resource Types for Amazon Config.

September 1, 2020
Documentation update

A note has been added to Full access to Amazon Config about creating custom permissions that grant full access.

The documentation has been updated for the following rules:

August 24, 2020
Documentation update

Example relationship queries are added. For more information, see Example Relationship Queries for Amazon Config.

July 30, 2020
Amazon Config supports Amazon Systems Manager resource type

With this release, you can use Amazon Config to record configuration changes to the Amazon Systems Manager file data resource type. For more information, see Supported Resource Types for Amazon Config.

July 9, 2020
Amazon Config updates managed rules

With this release, Amazon Config supports the following managed rules:

For more information, see List of Amazon Config Managed Rules.

July 9, 2020
Advanced queries Region support

With this release, advanced queries is now supported in Asia Pacific (Hong Kong) and Middle East (Bahrain) Regions. For more information, see Querying the Current Configuration State of Amazon Resources with Amazon Config.

July 1, 2020
Documentation update

The documentation has been updated for the following rules:

June 30, 2020
Documentation update

The documentation has been updated with information about security for Amazon Config. See Security in Amazon Config.

June 24, 2020
Amazon Config updates managed rules

With this release, Amazon Config supports the following managed rules:

For more information, see List of Amazon Config Managed Rules.

May 28, 2020
Amazon Config rules Region support

With this release, few Amazon Config rules are supported in Africa (Cape Town) and Europe (Milan) regions. For a detailed list of rules and the regions they are supported in, see List of Amazon Config Managed Rules.

April 28, 2020
Amazon Config supports Amazon Secrets Manager

With this release, you can use Amazon Config to record configuration changes to your Secrets Manager secret. For more information, see Supported Resource Types for Amazon Config.

April 20, 2020
Amazon Config updates managed rules

With this release, Amazon Config supports the following managed rules:

For more information, see List of Amazon Config Managed Rules.

April 16, 2020
Documentation update

Amazon Config limits are available in this developer guide. For more information, see Service Limits for Amazon Config.

April 8, 2020
Documentation update

Third-party resources that are managed (that is, created/updated/deleted) through Amazon CloudFormation registry are automatically tracked in Amazon Config as configuration items. For more information, see Recording Configurations with Amazon Config for Third-Party Resources using the Amazon CLI.

March 30, 2020
Documentation update

The Amazon Config Managed Rules are updated to include Amazon Web Services Region information. For more information, see List of Amazon Config Managed Rules.

March 27, 2020
Amazon Config supports Amazon SNS resource type

With this release, you can use Amazon Config to record configuration changes to your Amazon SNS topic. For more information, see Supported Resource Types for Amazon Config.

March 6, 2020
Advanced queries Region support

With this release, advanced queries is now supported in Europe (Stockholm) Region. For more information, see Querying the Current Configuration State of Amazon Resources with Amazon Config.

March 5, 2020
Amazon Config supports Amazon SQS resource type

With this release, you can use Amazon Config to record configuration changes to your Amazon SQS queue.

For more information, see Supported Resource Types for Amazon Config.

February 13, 2020
Amazon Config updates managed rules

With this release, Amazon Config supports the following managed rules:

For more information, see List of Amazon Config Managed Rules.

December 20, 2019
Record configurations for custom resource types

With this release, Amazon Config introduces support to record configurations for custom resource types. You can publish the configuration data of third-party resources into Amazon Config and view and monitor the resource inventory and configuration history using Amazon Config console and APIs. For more information, see Recording Configurations with Amazon Config for Third-Party Resources using the Amazon CLI.

For more information about APIs, see the Amazon Config API Reference:

November 20, 2019
Amazon Config supports Amazon OpenSearch Service and Amazon Key Management Service resource types

With this release, you can use Amazon Config to record configuration changes to your Amazon OpenSearch Service domain and Amazon Key Management Service key.

For more information, see Supported Resource Types for Amazon Config.

November 11, 2019
Amazon Config updates managed rules

With this release, Amazon Config supports the following managed rules:

For more information, see List of Amazon Config Managed Rules.

October 10, 2019
Amazon Config supports Amazon RDS resource type

With this release, you can use Amazon Config to record configuration changes to your Amazon Relational Database Service (Amazon RDS) DBCluster and DBClusterSnapshot.

For more information, see Supported Resource Types for Amazon Config.

September 17, 2019
Amazon Config supports Amazon QLDB resource type

With this release, you can use Amazon Config to record configuration changes to Amazon Quantum Ledger Database (QLDB) ledger resource type.

For more information, see Supported Resource Types for Amazon Config.

September 10, 2019
Amazon Config allows you to apply auto remediation on noncompliant resources as evaluated by Amazon Config Rules

With this release, Amazon Config introduces support to apply auto remediation using Amazon Systems Manager automation documents on noncompliant resources as evaluated by Amazon Config Rules. For more information, see Remediating Noncompliant Resources with Amazon Config.

With this release, Amazon Config adds the following new APIs. For more information, see the Amazon Config API Reference :

September 5, 2019
Amazon Config updates managed rules

With this release, Amazon Config supports the following managed rules:

For more information, see List of Amazon Config Managed Rules.

August 22, 2019
Amazon Config updates managed rules

With this release, Amazon Config updates the following managed rules:

For more information, see List of Amazon Config Managed Rules.

July 31, 2019
Amazon Config supports Amazon EC2 resource types

With this release, you can use Amazon Config to record configuration changes to the following Amazon EC2 resources; VPCEndpoint, VPCEndpointService, and VPCPeeringConnection.

For more information, see Supported Resource Types for Amazon Config.

July 12, 2019
Amazon Config allows you to manage Amazon Config rules across all Amazon Web Services accounts within an organization

With this release, Amazon Config introduces support for managing Amazon Config rules across all Amazon Web Services accounts within an organization. You can centrally create, update, and delete Amazon Config rules across all accounts in your organization. For more information, see .

For more information about APIs, see the Amazon Config API Reference:

July 9, 2019
Amazon Config supports Amazon S3 and Amazon EC2 resource types

With this release, you can use Amazon Config to record configuration changes to the Amazon S3 AccountPublicAccessBlock resource and the following Amazon EC2 resources; NatGateway, EgressOnlyInternetGateway, and FlowLog.

For more information, see Supported Resource Types for Amazon Config.

May 17, 2019
Amazon Config allows you to delete a remediation action using Amazon Web Services Management Console.

With this release, Amazon Config introduces support to delete a remediation action using Amazon Web Services Management Console. For more information, see Remediating Noncompliant Resources with Amazon Config.

April 24, 2019
Amazon Config supports Amazon API Gateway resource type

With this release, you can use Amazon Config to record configuration changes to the following Amazon API Gateway resources; Api (WebSocket API), RestApi (REST API), Stage (WebSocket API stage), and Stage (REST API stage).

For more information, see Supported Resource Types for Amazon Config.

March 20, 2019
Amazon Config allows you to run advanced queries

With this release, Amazon Config adds support to run advanced queries based on resource configuration properties. For more information, see Querying the Current Configuration State of Amazon Resources with Amazon Config.

With this release, Amazon Config adds SelectResourceConfig API. For more information, see SelectResourceConfig in the Amazon Config API Reference:

March 19, 2019
Amazon Config allows you to assign tags your Amazon Config resources

With this release, Amazon Config introduces support for tag based access control for three Amazon Config resources—ConfigRule, ConfigurationAggregator, and AggregationAuthorization. For more information, see Tagging Your Amazon Config Resources.

With this release, you can add, remove or list tags from your Amazon Config resources using the following data types. For more information, see the Amazon Config API Reference:

March 14, 2019
Amazon Config allows you to apply remediation on noncompliant resources as evaluated by Amazon Config Rules

With this release, Amazon Config introduces support to apply remediation using Amazon Systems Manager automation documents on noncompliant resources as evaluated by Amazon Config Rules. For more information, see Remediating Noncompliant Resources with Amazon Config.

With this release, Amazon Config adds the following new APIs. For more information, see the Amazon Config API Reference :

March 12, 2019
Amazon Config supports Amazon Config Rules in China (Ningxia) Region

This release only supports 54 Amazon Config Rules in the China (Ningxia) Region. For more information, see List of Amazon Config Managed Rules.

However, Amazon Config does not currently support the following rules in the China (Ningxia) Region:

  • acm-certificate-expiration-check

  • cmk-backing-key-rotation-enabled

  • cloudformation-stack-drift-detection-check

  • cloudformation-stack-notification-check

  • cloud-trail-encryption-enabled

  • cloud-trail-log-file-validation-enabled

  • codebuild-project-envvar-awscred-check

  • codebuild-project-source-repo-url-check

  • codepipeline-deployment-count-check

  • codepipeline-region-fanout-check

  • dynamodb-table-encryption-enabled

  • elb-acm-certificate-required

  • encrypted-volumes

  • fms-webacl-resource-policy-check

  • fms-webacl-rulegroup-association-check

  • guardduty-enabled-centralized

  • lambda-function-public-access-prohibited

  • lambda-function-settings-check

  • rds-storage-encrypted

  • root-account-mfa-hardware-mfa-enabled

  • root-account-mfa-enabled

  • s3-bucket-blacklisted-actions-prohibited

  • s3-bucket-policy-grantee-check

  • s3-bucket-policy-not-more-permissive

  • s3-bucket-public-read-prohibited

  • s3-bucket-public-write-prohibited

  • s3-bucket-server-side-encryption-enabled

  • s3-bucket-ssl-requests-only

March 12, 2019
Amazon Config supports new managed rules

This release supports the following new managed rules:

For more information, see List of Amazon Config Managed Rules.

January 21, 2019
Amazon Config supports Service Catalog resource type

With this release, you can use Amazon Config to record configuration changes to the following Service Catalog resources; CloudFromation product, provisioned product, and portfolio. For more information, see Supported Resource Types for Amazon Config.

January 11, 2019
Service-linked Amazon Config rules support

With this release, Amazon Config adds a new managed config rule that supports other Amazon services to create Amazon Config Rules in your account. For more information, see Service-Linked Amazon Config Rules.

November 20, 2018
Amazon Config supports new managed rules

This release supports the following new managed rules:

For more information, see List of Amazon Config Managed Rules.

November 12, 2018
Amazon Config supports new managed rules

This release supports the following new managed rules:

For more information, see List of Amazon Config Managed Rules.

October 24, 2018
Compliance history support

With this release, Amazon Config now supports storing compliance history of resources as evaluated by Amazon Config Rules. For more information, see Viewing Compliance History Timeline for Resources and Rules.

October 18, 2018
Amazon Config supports resource-level permissions for Amazon Config Rules APIs actions

With this release, Amazon Config supports resource-level permissions for certain Amazon Config Rules API actions. For more information about the supported APIs, see Supported Resource-Level Permissions for Amazon Config Rule API Actions.

October 1, 2018
Amazon Config supports CodePipeline resource type

With this release, you can use Amazon Config to record configuration changes to the Amazon CodePipeline resource type. For more information, see Supported Resource Types for Amazon Config.

September 12, 2018
Amazon Config supports new managed rules

This release supports the following new managed rules:

For more information, see List of Amazon Config Managed Rules.

September 5, 2018
Amazon Config supports Amazon Systems Manager resource type

With this release, you can use Amazon Config to record configuration changes to the Amazon Systems Manager patch compliance and association compliance resource types. For more information, see Supported Resource Types for Amazon Config.

August 9, 2018
Amazon Config allows you to delete your Amazon Config data using Amazon Web Services Management Console

With this release, Amazon Config introduces support for retention period using Amazon Web Services Management Console. In the Amazon Web Services Management Console, you can select a custom data retention period for your ConfigurationItems . For more information, see Deleting Amazon Config Data.

August 7, 2018
Amazon Config supports Amazon Shield resource type

With this release, you can use Amazon Config to record configuration changes to the Amazon Shield Protection resource type. For more information, see Supported Resource Types for Amazon Config.

August 7, 2018
Amazon Config supports Amazon PrivateLink

With this release, Amazon Config supports Amazon PrivateLink, enabling you to route data between your Amazon Virtual Private Cloud (VPC) and Amazon Config entirely within the Amazon network. For more information, see Using Amazon Config with Interface Amazon VPC Endpoints.

July 31, 2018
Amazon Config allows you to delete your Amazon Config data

With this release, Amazon Config introduces support for retention period. Amazon Config allows you to delete your data by specifying a retention period for your ConfigurationItems . For more information, see Deleting Amazon Config Data.

With this release, Amazon Config adds the following new APIs. For more information, see the Amazon Config API Reference :

May 25, 2018
Amazon Config supports new managed rules

This release supports the following two new managed rules:

For more information, see List of Amazon Config Managed Rules.

May 10, 2018
Amazon Config supports Amazon X-Ray resource type

With this release, you can use Amazon Config to record configuration changes to the Amazon X-Ray EncryptionConfig resource type. For more information, see Supported Resource Types for Amazon Config.

May 1, 2018
Amazon Config supports Amazon Elastic Beanstalk resource type

With this release, you can use Amazon Config to record configuration changes to the Amazon Elastic Beanstalk Application, Application Version, and Environment resources.

For more information, see Supported Resource Types for Amazon Config.

April 24, 2018
Monitoring Amazon Config with Amazon CloudWatch Events

With this release, use Amazon CloudWatch Events to detect and react to changes in the status of Amazon Config events.

For more information, see Monitoring Amazon Config with Amazon EventBridge.

March 29, 2018
New API operation

With this release, Amazon Config adds support for BatchGetResourceConfig API, allowing you to batch-retrieve the current state of one or more of your resources.

March 20, 2018
Amazon Config supports Amazon WAF RuleGroup resource type

With this release, you can use Amazon Config to record configuration changes to the Amazon WAF RuleGroup and Amazon WAF RuleGroup Regional resources.

For more information, see Supported Resource Types for Amazon Config.

February 15, 2018
Amazon Config supports new managed rules

This release supports the following new managed rules:

For more information, see List of Amazon Config Managed Rules.

January 25, 2018
Amazon Config supports Elastic Load Balancing resource type

With this release, you can use Amazon Config to record configuration changes to your Elastic Load Balancing classic load balancers.

For more information, see Supported Resource Types for Amazon Config.

November 17, 2017
Amazon Config supports the Amazon CloudFront and Amazon WAF resource type

With this release, you can use Amazon Config to record configuration changes to your CloudFront distribution and streaming distribution.

With this release, you can use Amazon Config to record configuration changes to the following Amazon WAF and Amazon WAF Regional resources; rate based rule, rule, and Web ACL.

For more information, see Supported Resource Types for Amazon Config.

November 15, 2017
Amazon Config supports the Amazon CodeBuild resource type

With this release, you can use Amazon Config to record configuration changes to your Amazon CodeBuild projects.

For more information, see Supported Resource Types for Amazon Config.

October 20, 2017
Amazon Config supports Auto Scaling resources and one new managed rule

With this release, you can use Amazon Config to record configuration changes to the following Auto Scaling resources; groups, launch configuration, scheduled action, and scaling policy.

For more information, see Supported Resource Types for Amazon Config.

This release also supports the following managed rule:

For more information, see Amazon Config Managed Rules.

September 18, 2017
Amazon Config supports the Amazon CodeBuild resource type

With this release, you can use Amazon Config to record configuration changes to your Amazon CodeBuild projects.

For more information, see Supported Resource Types for Amazon Config.

October 20, 2017
Amazon Config supports Auto Scaling resources and one new managed rule

With this release, you can use Amazon Config to record configuration changes to the following Auto Scaling resources; groups, launch configuration, scheduled action, and scaling policy.

For more information, see Supported Resource Types for Amazon Config.

This release also supports the following managed rule:

For more information, see Amazon Config Managed Rules.

September 18, 2017
Amazon Config supports the DynamoDB table resource type and one new managed rule

With this release, you can use Amazon Config to record configuration changes to your DynamoDB tables.

For more information, see Supported Resource Types for Amazon Config.

This release supports the following managed rule:

For more information, see Amazon Config Managed Rules.

September 8, 2017
New page in the Amazon Config console

You can use the Dashboard in the Amazon Config console to see the following:

  • Total number of resources

  • Total number of rules

  • Number of noncompliant resources

  • Number of noncompliant rules

For more information, see Viewing the Amazon Config Dashboard.

July 17, 2017
New API operation

You can use the GetDiscoveredResourceCounts operation to return the number of resource types, the number of each resource type, and the total number of resources that Amazon Config is recording in a Region for your Amazon Web Services account.

July 17, 2017
Amazon Config supports the Amazon CloudFormation stack resource type and one new managed rule

With this release, you can use Amazon Config to record configuration changes to your Amazon CloudFormation stacks.

For more information, see Supported Resource Types for Amazon Config.

July 6, 2017
New and updated content

This release adds support for Amazon Config Rules in the Canada (Central) Region and South America (São Paulo) Region.

For all regions that support Amazon Config and Config Rules, see Amazon Web Services Regions and Endpoints in the Amazon Web Services General Reference.

July 5, 2017
New and updated content

Amazon Config Rules is available in the Amazon GovCloud (US) Region. For more information, see the Amazon GovCloud (US) User Guide.

For regions that support Amazon Config, see Amazon Web Services Regions and Endpoints in the Amazon Web Services General Reference.

June 8, 2017
Amazon Config supports the Amazon CloudWatch alarm resource type and three new managed rules

With this release, you can use Amazon Config to record configuration changes to your Amazon CloudWatch alarms.

For more information, see Supported Resource Types for Amazon Config.

This release supports three new managed rules:

For more information, see Amazon Config Managed Rules.

June 1, 2017
New and updated content

This release supports specifying the application version number for the following managed rules:

For more information, see Amazon Config Managed Rules.

June 1, 2017
New and updated content

This release adds support for Amazon Config Rules in the Asia Pacific (Mumbai) Region. For more information, see Amazon Web Services Regions and Endpoints in the Amazon Web Services General Reference.

April 27, 2017
New and updated content

This release supports an updated console experience for adding Amazon Config managed rules to your account for the first time.

When you set up Amazon Config Rules for the first time or in a new Region, you can search for Amazon managed rules by name, description, or label. You can choose Select all to select all rules or choose Clear all to clear all rules.

For more information, see Add, View, Update and Delete Rules (Console).

April 5, 2017
Amazon Config supports new managed rules

This release supports the following new managed rules:

For more information, see List of Amazon Config Managed Rules.

February 21, 2017
New and updated content

This release adds support for Amazon Config Rules in the Europe (London) Region. For more information, see Amazon Web Services Regions and Endpoints in the Amazon Web Services General Reference.

February 21, 2017
New and updated content

This release adds Amazon CloudFormation templates for Amazon Config managed rules. You can use the templates to create managed rules for your account. For more information, see Creating Amazon Config Managed Rules With Amazon CloudFormation Templates.

February 16, 2017
New and updated content

This release adds support for a new test mode for the PutEvaluations API. Set the TestMode parameter to true in your custom rule to verify whether your Amazon Lambda function will deliver evaluation results to Amazon Config. No updates occur to your existing evaluations, and evaluation results are not sent to Amazon Config.

For more information, see PutEvaluations in the Amazon Config API Reference.

February 16, 2017
New and updated content

This release adds support for Amazon Config Rules in the Asia Pacific (Seoul), and US West (N. California) Regions. For more information, see Amazon Web Services Regions and Endpoints in the Amazon Web Services General Reference.

December 21, 2016
New and updated content

This release adds support for Amazon Config in the Europe (London) Region. For more information, see Amazon Web Services Regions and Endpoints in the Amazon Web Services General Reference.

December 13, 2016
New and updated content

This release adds support for Amazon Config in the Canada (Central) Region. For more information, see Amazon Web Services Regions and Endpoints in the Amazon Web Services General Reference.

December 8, 2016
Amazon Config supports Amazon Redshift resource types and two new managed rules

With this release, you can use Amazon Config to record configuration changes to your Amazon Redshift clusters, cluster parameter groups, cluster security groups, cluster snapshots, cluster subnet groups, and event subscriptions.

For more information, see Supported Resource Types for Amazon Config.

This release supports two new managed rules:

For more information, see List of Amazon Config Managed Rules.

December 7, 2016
New and updated content

This release adds support for a new managed rule:

For more information, see List of Amazon Config Managed Rules.

December 7, 2016
New and updated content This release adds support for creating up to 50 rules per Region in an account. For more information, see Amazon Config Limits in the Amazon Web Services General Reference. December 7, 2016
Amazon Config supports the managed instance inventory resource type for Amazon EC2 Systems Manager and three new managed rules

With this release, you can use Amazon Config to record software configuration changes on your managed instances with support for managed instance inventory.

For more information, see Recording Software Configuration for Managed Instances.

This release supports three new managed rules:

For more information, see List of Amazon Config Managed Rules.

December 1, 2016
New and updated content Amazon Config is available in the China (Beijing) Region. October 24, 2016
Amazon Config supports the Amazon S3 bucket resource and two new managed rules

With this release, you can use Amazon Config to record configuration changes to your Amazon S3 buckets. For more information, see Supported Resource Types for Amazon Config.

This release supports two new managed rules:

For more information, see Amazon Config Managed Rules.

October 18, 2016
New and updated content

This release adds support for Amazon Config and Amazon Config Rules in the US East (Ohio) Region. For more information, see Amazon Web Services Regions and Endpoints in the Amazon Web Services General Reference.

October 17, 2016
New and updated managed rules

This update adds support for eight new managed rules:

You can specify multiple parameter values for the following rules:

For more information, see List of Amazon Config Managed Rules.

October 4, 2016
New and updated content for the Amazon Config console This update adds support for viewing Amazon CloudTrail API activity in the Amazon Config timeline. If CloudTrail is logging for your account, you can view create, update, and delete API events for configuration changes to your resources. For more information, see Viewing Compliance History for your Amazon Resources with Amazon Config. September 06, 2016
Amazon Config supports Elastic Load Balancing resource type With this release, you can use Amazon Config to record configuration changes to your Elastic Load Balancing application load balancers. For more information, see Supported Resource Types for Amazon Config. August 31, 2016
New and updated content

This release adds support for Amazon Config Rules in the Asia Pacific (Singapore), and Asia Pacific (Sydney) Regions. For more information, see Amazon Web Services Regions and Endpoints in the Amazon Web Services General Reference.

August 18, 2016
New and updated content for Amazon Config Rules

This update adds support for creating a rule that can be triggered by both configuration changes and at a periodic frequency that you choose. For more information, see Evaluation Mode and Trigger Types for Amazon Config Rules.

This update also adds support for manually evaluating your resources against your rule and deleting evaluation results. For more information, see Evaluating Your Resources with Amazon Config Rules.

This update also adds support for evaluating additional resource types using custom rules. For more information, see Evaluating Additional Resource Types.

July 25, 2016
Amazon Config supports Amazon RDS and Amazon Certificate Manager (ACM) resource types

With this release, you can use Amazon Config to record configuration changes to your Amazon Relational Database Service (Amazon RDS) DB instances, DB security groups, DB snapshots, DB subnet groups, and event subscriptions. You can also use Amazon Config to record configuration changes to certificates provided by ACM.

For more information, see Supported Resource Types for Amazon Config.

July 21, 2016
Updated information about managing the configuration recorder This update adds steps for renaming and deleting the configuration recorder to Working with the configuration recorder. July 07, 2016
Simplified role creation and updated policies With this update, creating an IAM role for Amazon Config is simplified. This enhancement is available in regions that support Config rules. To support this enhancement, the steps in Setting Up Amazon Config with the Console are updated, the example policy in Permissions for the Amazon S3 Bucket for the Amazon Config Delivery Channel is updated, and the example policy in Identity-based policy examples for Amazon Config is updated. March 31, 2016
Example functions and events for Config rules This update provides updated example functions in Example Amazon Lambda Functions for Amazon Config Rules (Node.js), and this update adds example events in Example Events for Amazon Config Rules. March 29, 2016
Amazon Config Rules GitHub repository This update adds information about the Amazon Config Rules GitHub repository to Evaluating Resources with Amazon Config Rules. This repository provides sample functions for custom rules that are developed and contributed by Amazon Config users. March 1, 2016
Amazon Config Rules This release introduces Amazon Config Rules. With rules, you can use Amazon Config to evaluate whether your Amazon resources comply with your desired configurations. For more information, see Evaluating Resources with Amazon Config Rules. December 18, 2015
Amazon Config supports IAM resource types With this release, you can use Amazon Config to record configuration changes to your IAM users, groups, roles, and customer managed policies. For more information, see Supported Resource Types for Amazon Config. December 10, 2015
Amazon Config supports EC2 Dedicated host With this release, you can use Amazon Config to record configuration changes to your EC2 Dedicated hosts. For more information, see Supported Resource Types for Amazon Config. November 23, 2015
Updated permissions information This update adds information about the following Amazon managed policies for Amazon Config:
October 19, 2015
Amazon Config Rules preview This release introduces the Amazon Config Rules preview. With rules, you can use Amazon Config to evaluate whether your Amazon resources comply with your desired configurations. For more information, see Evaluating Resources with Amazon Config Rules. October 7, 2015
New and updated content

This release adds the ability to look up resources that Amazon Config has discovered. For more information, see Looking Up Resources That Are Discovered by Amazon Config.

August 27, 2015

New and updated content

This release adds the ability to select which resource types Amazon Config records. For more information, see Recording Amazon Resources with Amazon Config.

June 23, 2015

New and updated content

This release adds support for the following regions: Asia Pacific (Tokyo), Asia Pacific (Singapore), Europe (Frankfurt), South America (São Paulo), and US West (N. California). For more information, see Amazon Web Services Regions and Endpoints.

April 6, 2015

New guide

This release introduces Amazon Config.

November 12, 2014