Concepts - Amazon Config
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.


Amazon Config provides a detailed view of the resources associated with your Amazon account, including how they are configured, how they are related to one another, and how the configurations and their relationships have changed over time. Let's take a closer look at the concepts of Amazon Config.

Amazon Config

Understanding the basic components of Amazon Config will help you track resource inventory and changes and evaluate configurations of your Amazon resources.

Amazon Resources

Amazon resources are entities that you create and manage using the Amazon Web Services Management Console, the Amazon Command Line Interface (CLI), the Amazon SDKs, or Amazon partner tools. Examples of Amazon resources include Amazon EC2 instances, security groups, Amazon VPCs, and Amazon Elastic Block Store. Amazon Config refers to each resource using its unique identifier, such as the resource ID or an Amazon Resource Name (ARN). For details, see Supported Resource Types.

Configuration History

A configuration history is a collection of the configuration items for a given resource over any time period. A configuration history can help you answer questions about, for example, when the resource was first created, how the resource has been configured over the last month, and what configuration changes were introduced yesterday at 9 AM. The configuration history is available to you in multiple formats. Amazon Config automatically delivers a configuration history file for each resource type that is being recorded to an Amazon S3 bucket that you specify. You can select a given resource in the Amazon Config console and navigate to all previous configuration items for that resource using the timeline. Additionally, you can access the historical configuration items for a resource from the API.

For more information, see Viewing Amazon Resource Configurations and History and Managing Amazon Resource Configurations and History.

Configuration Items

A configuration item represents a point-in-time view of the various attributes of a supported Amazon resource that exists in your account. The components of a configuration item include metadata, attributes, relationships, current configuration, and related events. Amazon Config creates a configuration item whenever it detects a change to a resource type that it is recording. For example, if Amazon Config is recording Amazon S3 buckets, Amazon Config creates a configuration item whenever a bucket is created, updated, or deleted.

For more information, see Components of a Configuration Item.

Configuration Recorder

The configuration recorder stores the configurations of the supported resources in your account as configuration items. You must first create and then start the configuration recorder before you can start recording. You can stop and restart the configuration recorder at any time. For more information, see Managing the Configuration Recorder.

By default, the configuration recorder records all supported resources in the region where Amazon Config is running. You can create a customized configuration recorder that records only the resource types that you specify. For more information, see Selecting Which Resources Amazon Config Records.

If you use the Amazon Web Services Management Console or the CLI to turn on the service, Amazon Config automatically creates and starts a configuration recorder for you.

Configuration Snapshot

A configuration snapshot is a collection of the configuration items for the supported resources that exist in your account. This configuration snapshot is a complete picture of the resources that are being recorded and their configurations. The configuration snapshot can be a useful tool for validating your configuration. For example, you may want to examine the configuration snapshot regularly for resources that are configured incorrectly or that potentially should not exist. The configuration snapshot is available in multiple formats. You can have the configuration snapshot delivered to an Amazon Simple Storage Service (Amazon S3) bucket that you specify. Additionally, you can select a point in time in the Amazon Config console and navigate through the snapshot of configuration items using the relationships between the resources.

Configuration Stream

A configuration stream is an automatically updated list of all configuration items for the resources that Amazon Config is recording. Every time a resource is created, modified, or deleted, Amazon Config creates a configuration item and adds to the configuration stream. The configuration stream works by using an Amazon Simple Notification Service (Amazon SNS) topic of your choice. The configuration stream is helpful for observing configuration changes as they occur so that you can spot potential problems, generating notifications if certain resources are changed, or updating external systems that need to reflect the configuration of your Amazon resources.

Resource Relationship

Amazon Config discovers Amazon resources in your account and then creates a map of relationships between Amazon resources. For example, a relationship might include an Amazon EBS volume vol-123ab45d attached to an Amazon EC2 instance i-a1b2c3d4 that is associated with security group sg-ef678hk.

For more information, see Supported Resource Types.

Amazon Config Rules

An Amazon Config rule represents your desired configuration settings for specific Amazon resources or for an entire Amazon account. If a resource does not pass a rule check, Amazon Config flags the resource and the rule as noncompliant, and Amazon Config notifies you through Amazon SNS.

After you activate a rule, Amazon Config compares your resources to the conditions of the rule. After this initial evaluation, Amazon Config continues to run evaluations each time one is triggered. The evaluation triggers are defined as part of the rule, and they can include the following types:

  • Configuration changes – Amazon Config triggers the evaluation when any resource that matches the rule's scope changes in configuration. The evaluation runs after Amazon Config sends a configuration item change notification.

  • Periodic – Amazon Config runs evaluations for the rule at a frequency that you choose (for example, every 24 hours).

There are two types of rules: Amazon Config Managed Rules and Amazon Config Custom Rules. For more information about the structure of rule definitions and rule metadata, see Components of an Amazon Config Rule.

Amazon Config Managed Rules

Managed rules are predefined, customizable rules created by Amazon Config. For a list of managed rules, see List of Amazon Config Managed Rules.

Amazon Config Custom Rules

Custom rules are rules that you can create using either Guard or Amazon Lambda functions. Guard (Guard GitHub Repository) is a policy-as-code language that allows you to write policies that are enforced by Amazon Config Custom Policy rules. Amazon Lambda uses custom code that you upload to evaluate a custom rule. It is invoked by events that are published to it by an event source, which Amazon Config invokes when the custom rule is initiated.

For a walkthrough showing how to create Amazon Config Custom Policy Rules, see Creating Amazon Config Custom Policy Rules. For a walkthrough showing how to create Amazon Config Custom Lambda Rules, see Creating Amazon Config Custom Lambda Rules.

Managing Amazon Config

Amazon Config Console

You can manage the service using the Amazon Config console. The console provides a user interface for performing many Amazon Config tasks such as:

  • Specifying the types of Amazon resources for recording.

  • Configuring resources to record, including:

    • Selecting an Amazon S3 bucket.

    • Selecting an Amazon SNS topic.

    • Creating Amazon Config role.

  • Creating managed rules and custom rules that represent desired configuration settings for specific Amazon resources or for an entire Amazon account.

  • Creating and managing configuration aggregators to aggregate data across multiple accounts and regions.

  • Viewing a snapshot of current configurations of the supported resources.

  • Viewing relationships between Amazon resources.

For more information about the Amazon Web Services Management Console, see Amazon Web Services Management Console.

Amazon Config CLI

The Amazon Command Line Interface is a unified tool that you can use to interact with Amazon Config from the command line. For more information, see the Amazon Command Line Interface User Guide. For a complete list of Amazon Config CLI commands, see Available Commands.

Amazon Config APIs

In addition to the console and the CLI, you can also use the Amazon Config RESTful APIs to program Amazon Config directly. For more information, see the Amazon Config API Reference.

Amazon SDKs

As an alternative to using the Amazon Config API, you can use one of the Amazon SDKs. Each SDK consists of libraries and sample code for various programming languages and platforms. The SDKs provide a convenient way to create programmatic access to Amazon Config. For example, you can use the SDKs to sign requests cryptographically, manage errors, and retry requests automatically. For more information, see the Tools for Amazon Web Services page.

Control Access to Amazon Config

Amazon Identity and Access Management is a web service that enables Amazon Web Services (Amazon) customers to manage users and user permissions. Use IAM to create individual users for anyone who needs access to Amazon Config. Create an IAM user for yourself, give that IAM user administrative privileges, and use that IAM user for all of your work. By creating individual IAM users for people accessing your account, you can give each IAM user a unique set of security credentials. You can also grant different permissions to each IAM user. If necessary, you can change or revoke an IAM user’s permissions at any time. For more information, see Amazon Identity and Access Management.

Partner Solutions

Amazon partners with third-party specialists in logging and analysis to provide solutions that use Amazon Config output. For more information, visit the Amazon Config detail page at Amazon Config.