# Amazon Config terminology and concepts
<a name="config-concepts"></a>

To help you understand Amazon Config, this topic explains some of the key concepts.

**Contents**
+ [Amazon Config Interfaces](#config-concepts-manage)
  + [Amazon Config Console](#config-concepts-console)
  + [Amazon Config CLI](#config-concepts-cli)
  + [Amazon Config APIs](#config-concepts-api)
  + [Amazon Config SDKs](#config-concepts-sdk)
+ [Resource Management](#config-platform-concept)
  + [Amazon Resources](#aws-resources)
  + [Resource Relationship](#resource-relationship)
+ [Configuration Recorder](#config-recorder)
+ [Delivery Channel](#delivery-channel)
  + [Configuration Items](#config-items)
  + [Configuration History](#config-history)
  + [Configuration Snapshot](#config-snapshot)
  + [Configuration Stream](#config-stream)
+ [Amazon Config Rules](#aws-config-rules)
  + [Evaluation Results](#aws-config-managed-rules-evaluation-results)
  + [Rule Types](#aws-config-managed-rules-type)
  + [Trigger Types](#aws-config-rules-trigger)
  + [Evaluation modes](#aws-config-rules-proactive-detective)

## Amazon Config Interfaces
<a name="config-concepts-manage"></a>

### Amazon Config Console
<a name="config-concepts-console"></a>

You can manage the service using the Amazon Config console. For more information about the Amazon Web Services Management Console, see [Amazon Web Services Management Console](https://docs.amazonaws.cn/awsconsolehelpdocs/latest/gsg/getting-started.html). 

### Amazon Config CLI
<a name="config-concepts-cli"></a>

The Amazon Command Line Interface is a unified tool that you can use to interact with Amazon Config from the command line. For more information, see the [Amazon Command Line Interface User Guide](https://docs.amazonaws.cn/cli/latest/userguide/). For a complete list of Amazon Config CLI commands, see [Available Commands](https://docs.amazonaws.cn/cli/latest/reference/configservice/index.html).

### Amazon Config APIs
<a name="config-concepts-api"></a>

In addition to the console and the CLI, you can also use the Amazon Config RESTful APIs to program Amazon Config directly. For more information, see the [Amazon Config API Reference](https://docs.amazonaws.cn/config/latest/APIReference/).

### Amazon Config SDKs
<a name="config-concepts-sdk"></a>

As an alternative to using the Amazon Config API, you can use one of the Amazon SDKs. Each SDK consists of libraries and sample code for various programming languages and platforms. The SDKs provide a convenient way to create programmatic access to Amazon Config. For example, you can use the SDKs to sign requests cryptographically, manage errors, and retry requests automatically. For more information, see the [Tools for Amazon Web Services](http://www.amazonaws.cn/tools/) page.

## Resource Management
<a name="config-platform-concept"></a>

Understanding the basic components of Amazon Config will help you track resource inventory and changes and evaluate configurations of your Amazon resources. 

### Amazon Resources
<a name="aws-resources"></a>

*Amazon resources* are entities that you create and manage using the Amazon Web Services Management Console, the Amazon Command Line Interface (CLI), the Amazon SDKs, or Amazon partner tools. Examples of Amazon resources include Amazon EC2 instances, security groups, Amazon VPCs, and Amazon Elastic Block Store. Amazon Config refers to each resource using its unique identifier, such as the resource ID or an [Amazon Resource Name (ARN)](https://docs.amazonaws.cn/general/latest/gr/glos-chap.html#ARN). For a list of resource types that Amazon Config supports, see [Supported Resource Types for Amazon Config](resource-config-reference.md).

### Resource Relationship
<a name="resource-relationship"></a>

Amazon Config discovers Amazon resources in your account and then creates a map of relationships between Amazon resources. For example, a relationship might include an Amazon EBS volume `vol-123ab45d` attached to an Amazon EC2 instance `i-a1b2c3d4` that is associated with security group `sg-ef678hk`. 

For more information, see [Supported Resource Types for Amazon Config](resource-config-reference.md).

## Configuration Recorder
<a name="config-recorder"></a>

The *configuration recorder* stores the configuration changes to the resource types in scope as configuration items. For more information, see [Working with the configuration recorder](stop-start-recorder.md).

There are two types of configuration recorders.


| **Type** | **Description** | 
| --- | --- | 
| Customer managed configuration recorder | A configuration recorder that you manage. The resource types in scope are set by you. By default, a customer managed configuration recorder records all supported resources in the Amazon Web Services Region where Amazon Config is running. | 
| Service-linked configuration recorder | A configuration recorder that is linked to a specific Amazon Web Services service. The resource types in scope are set by the linked service. | 

## Delivery Channel
<a name="delivery-channel"></a>

As Amazon Config continually records the changes that occur to your Amazon resources, it sends notifications and updated configuration states through the *delivery channel*. You can manage the delivery channel to control where Amazon Config sends configuration updates.

### Configuration Items
<a name="config-items"></a>

A *configuration item* represents a point-in-time view of the various attributes of a supported Amazon resource that exists in your account. The components of a configuration item include metadata, attributes, relationships, current configuration, and related events. Amazon Config creates a configuration item whenever it detects a change to a resource type that it is recording. For example, if Amazon Config is recording Amazon S3 buckets, Amazon Config creates a configuration item whenever a bucket is created, updated, or deleted. You can also have Amazon Config create a configuration item at the recording frequency that you set.

For more information, see [Components of a Configuration Item](config-item-table.md) and [Recording Frequency](https://docs.amazonaws.cn/config/latest/developerguide/select-resources-recording-frequency.html).

### Configuration History
<a name="config-history"></a>

A *configuration history* is a collection of the configuration items for a given resource over any time period. A configuration history can help you answer questions about, for example, when the resource was first created, how the resource has been configured over the last month, and what configuration changes were introduced yesterday at 9 AM. The configuration history is available to you in multiple formats. Amazon Config automatically delivers a configuration history file for each resource type that is being recorded to an Amazon S3 bucket that you specify. You can select a given resource in the Amazon Config console and navigate to all previous configuration items for that resource using the timeline. Additionally, you can access the historical configuration items for a resource from the API.

For more information, see [Viewing Compliance History](https://docs.amazonaws.cn/config/latest/developerguide/view-manage-resource-console.html) and [Querying Compliance History](https://docs.amazonaws.cn/config/latest/developerguide/quering-resource-compliance-history.html).

### Configuration Snapshot
<a name="config-snapshot"></a>

A *configuration snapshot* is a collection of the configuration items for the supported resources that exist in your account. This configuration snapshot is a complete picture of the resources that are being recorded and their configurations. The configuration snapshot can be a useful tool for validating your configuration. For example, you may want to examine the configuration snapshot regularly for resources that are configured incorrectly or that potentially should not exist. The configuration snapshot is available in multiple formats. You can have the configuration snapshot delivered to an Amazon Simple Storage Service (Amazon S3) bucket that you specify. Additionally, you can select a point in time in the Amazon Config console and navigate through the snapshot of configuration items using the relationships between the resources.

For more information, see [Delivering Configuration Snapshots](https://docs.amazonaws.cn/config/latest/developerguide/deliver-snapshot-cli.html), [Viewing Configuration Snapshots](https://docs.amazonaws.cn/config/latest/developerguide/view-configuration-snapshot.html), and [Example Configuration Snapshot](https://docs.amazonaws.cn/config/latest/developerguide/example-s3-snapshot.html).

### Configuration Stream
<a name="config-stream"></a>

A *configuration stream* is an automatically updated list of all configuration items for the resources that Amazon Config is recording. Every time a resource is created, modified, or deleted, Amazon Config creates a configuration item and adds it to the configuration stream. The configuration stream works by using an Amazon Simple Notification Service (Amazon SNS) topic of your choice. The configuration stream is helpful for observing configuration changes as they occur so that you can spot potential problems, generate notifications if certain resources are changed, or update external systems that need to reflect the configuration of your Amazon resources. 

## Amazon Config Rules
<a name="aws-config-rules"></a>

An Amazon Config rule is a compliance check that helps you manage your ideal configuration settings for specific Amazon resources. Amazon Config evaluates whether your resource configurations comply with relevant rules and displays the compliance results.

### Evaluation Results
<a name="aws-config-managed-rules-evaluation-results"></a>

There are four possible evaluation results for an Amazon Config rule.


| **Evaluation result** | **Description** | 
| --- | --- | 
| COMPLIANT | The rule passes the conditions of the compliance check. | 
| NON\_COMPLIANT | The rule fails the conditions of the compliance check. | 
| ERROR | One of the required or optional parameters is not valid, is not of the correct type, or is formatted incorrectly. | 
| NOT\_APPLICABLE | Used to filter out resources that the logic of the rule cannot be applied to. For example, the [alb-desync-mode-check](https://docs.amazonaws.cn/config/latest/developerguide/alb-desync-mode-check.html) rule only checks Application Load Balancers, and ignores Network Load Balancers and Gateway Load Balancers. | 

### Rule Types
<a name="aws-config-managed-rules-type"></a>

There are two types of rules. For more information about the structure of rule definitions and rule metadata, see [Components of an Amazon Config Rule](https://docs.amazonaws.cn/config/latest/developerguide/evaluate-config_components.html).


| **Type** | **Description** | **More information** | 
| --- | --- | --- | 
| Managed rules | Predefined, customizable rules created by Amazon Config. | For a list of managed rules, see [List of Amazon Config Managed Rules](https://docs.amazonaws.cn/config/latest/developerguide/managed-rules-by-aws-config.html). | 
| Custom rules | Rules that you create from scratch. There are two ways to create Amazon Config custom rules: Lambda functions ([Amazon Lambda Developer Guide](https://docs.amazonaws.cn/lambda/latest/dg/gettingstarted-concepts.html#gettingstarted-concepts-function)) and Guard ([Guard GitHub Repository](https://github.com/aws-cloudformation/cloudformation-guard)) | For more information, see [Creating Amazon Config Custom Policy Rules](https://docs.amazonaws.cn/config/latest/developerguide/evaluate-config_develop-rules_cfn-guard.html) and [Creating Amazon Config Custom Lambda Rules](https://docs.amazonaws.cn/config/latest/developerguide/evaluate-config_develop-rules_lambda-functions.html). | 
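The evaluation results above and the custom Lambda rule type come together in the rule's handler code. The following is an added example, not code from the Amazon Config documentation: it implements the pure evaluation step of a hypothetical custom Lambda rule ("EBS volumes must be encrypted") for a configuration-change trigger, returning NOT_APPLICABLE for resources the rule cannot judge and raising on a bad rule parameter so that Amazon Config reports ERROR. The `allowedKmsKeyArns` parameter and the sample event are constructed for illustration.

```python
import json

RESOURCE_TYPE = "AWS::EC2::Volume"

def evaluate_compliance(item, rule_parameters):
    """Return (ComplianceType, annotation) for one configuration item.

    NOT_APPLICABLE marks resources the rule cannot apply to (another resource
    type, or an item recorded for a deleted resource). A bad rule parameter is
    raised so Amazon Config reports ERROR instead of a misleading verdict.
    """
    if item["resourceType"] != RESOURCE_TYPE:
        return "NOT_APPLICABLE", "rule only evaluates EBS volumes"
    if item["configurationItemStatus"] == "ResourceDeleted":
        return "NOT_APPLICABLE", "resource has been deleted"
    # Hypothetical parameter: comma-separated KMS key ARNs that are allowed.
    raw = rule_parameters.get("allowedKmsKeyArns", "")
    allowed = {k.strip() for k in raw.split(",") if k.strip()}
    if any(not k.startswith("arn:") for k in allowed):
        raise ValueError("allowedKmsKeyArns must contain KMS key ARNs")
    cfg = item["configuration"]
    if not cfg.get("encrypted", False):
        return "NON_COMPLIANT", "volume is not encrypted"
    if allowed and cfg.get("kmsKeyId") not in allowed:
        return "NON_COMPLIANT", "volume uses a KMS key outside the allowed set"
    return "COMPLIANT", "volume is encrypted"

def build_evaluation(event):
    """Map a configuration-change trigger event to one PutEvaluations entry.
    A real handler passes the dict to put_evaluations(Evaluations=[...],
    ResultToken=event["resultToken"]); the network call is omitted here."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    compliance, annotation = evaluate_compliance(item, params)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }

# Constructed sample event, not a real Amazon Config invocation.
SAMPLE_EVENT = {"ruleParameters": "{}", "resultToken": "placeholder-token",
                "invokingEvent": json.dumps({"configurationItem": {
                    "resourceType": RESOURCE_TYPE, "resourceId": "vol-123ab45d",
                    "configurationItemStatus": "OK", "configuration": {"encrypted": False},
                    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z"}})}
```

Note that ERROR is never returned by the handler: PutEvaluations accepts only COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE and INSUFFICIENT_DATA, and Amazon Config records ERROR when the function fails.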

### Trigger Types
<a name="aws-config-rules-trigger"></a>

After you add a rule to your account, Amazon Config compares your resources to the conditions of the rule. After this initial evaluation, Amazon Config continues to run evaluations each time one is triggered. The evaluation triggers are defined as part of the rule, and they can include the following types.


| **Trigger type** | **Description** | 
| --- | --- | 
| Configuration changes | Amazon Config runs evaluations for the rule when a resource that matches the rule's scope has a change in its configuration. The evaluation runs after Amazon Config sends a configuration item change notification. You choose which resources initiate the evaluation by defining the rule's *scope*; for the scope options, see the [Amazon Config developer guide](http://docs.amazonaws.cn/en_us/config/latest/developerguide/config-concepts.html). | 
| Periodic | Amazon Config runs evaluations for the rule at a frequency that you choose; for example, every 24 hours. | 
| Hybrid | Some rules have both configuration change and periodic triggers. For these rules, Amazon Config evaluates your resources when it detects a configuration change and also at the frequency that you specify.  | 

### Evaluation modes
<a name="aws-config-rules-proactive-detective"></a>

There are two evaluation modes for Amazon Config rules.


| **Evaluation mode** | **Description** | 
| --- | --- | 
| Proactive | Use proactive evaluation to evaluate resources before they have been deployed. This allows you to evaluate whether a set of resource properties, if used to define an Amazon resource, would be COMPLIANT or NON\_COMPLIANT given the set of proactive rules that you have in your account in your Region.<br />For more information, see [Evaluation modes](https://docs.amazonaws.cn/config/latest/developerguide/evaluate-config_components.html#evaluate-config_use-managed-rules-proactive-detective). For a list of managed rules that support proactive evaluation, see [List of Amazon Config Managed Rules by Evaluation Mode](https://docs.amazonaws.cn/config/latest/developerguide/managed-rules-by-evaluation-mode.html). | 
| Detective | Use detective evaluation to evaluate resources that have already been deployed. This allows you to evaluate the configuration settings of your existing resources. | 

**Note**  
Proactive rules do not remediate resources that are flagged as NON\_COMPLIANT or prevent them from being deployed.