For details about the costs associated with resource recording, see Amazon Config pricing.
Recommendation: Consider excluding the AWS::Config::ResourceCompliance resource type from recording before deleting rules
Deleting rules creates configuration items (CIs) for AWS::Config::ResourceCompliance, which can affect your costs for the configuration recorder. If you delete rules that evaluate a large number of resources (for example, rules scoped to many resource types), this can lead to a spike in the number of CIs recorded.
To avoid the associated costs, you can disable recording for the AWS::Config::ResourceCompliance resource type before deleting the rules, and re-enable recording after the rules have been deleted.
However, deleting rules is an asynchronous process and can take an hour or more to complete. While recording is disabled for AWS::Config::ResourceCompliance, rule evaluations are not recorded in the history of the associated resources, so any compliance change that happens in that window leaves no CI.
Amazon Config recommends that you weigh these factors case by case before deciding how to proceed with deleting rules.
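The procedure above, carried out end to end as an added Python example (not code from the Amazon Config documentation): it switches the recorder to an exclusion strategy that drops AWS::Config::ResourceCompliance, deletes the rules, polls until the asynchronous deletion finishes, and restores the original recording group in a finally block. It assumes the boto3 configservice calls named in the docstring and that put_configuration_recorder accepts the name, roleARN, recordingGroup and recordingMode fields back unchanged; FakeConfigClient and SAMPLE_RECORDER are constructed so it runs offline.

```python
"""Delete Config rules without a burst of AWS::Config::ResourceCompliance CIs.

Added example, not code from the Amazon Config documentation. Assumes the boto3
configservice calls describe_configuration_recorders, put_configuration_recorder,
delete_config_rule and describe_config_rules (NoSuchConfigRuleException once a rule is
gone), the recordingGroup fields allSupported / resourceTypes / exclusionByResourceTypes /
recordingStrategy, and that put accepts the PUT_KEYS fields back. FakeConfigClient and
SAMPLE_RECORDER are constructed so the flow runs offline.
"""
import copy, time

COMPLIANCE_TYPE = "AWS::Config::ResourceCompliance"
PUT_KEYS = ("name", "roleARN", "recordingGroup", "recordingMode")  # assumed put-able fields

def put_payload(recorder):
    """Copy only the recorder fields put_configuration_recorder accepts."""
    return {k: copy.deepcopy(v) for k, v in recorder.items() if k in PUT_KEYS}

def exclude_type(recorder, resource_type=COMPLIANCE_TYPE):
    """Put-ready copy of `recorder` that stops recording `resource_type`."""
    rec = put_payload(recorder)
    group = rec.setdefault("recordingGroup", {})
    strategy = group.get("recordingStrategy", {}).get("useOnly")
    inclusion = strategy == "INCLUSION_BY_RESOURCE_TYPES" or (
        strategy is None and not group.get("allSupported") and bool(group.get("resourceTypes")))
    if inclusion:  # explicit include list: just drop the type
        group["resourceTypes"] = [t for t in group.get("resourceTypes", []) if t != resource_type]
        return rec
    # all-supported or exclusion mode: use the exclusion strategy with the type excluded
    excluded = group.setdefault("exclusionByResourceTypes", {}).setdefault("resourceTypes", [])
    if resource_type not in excluded:
        excluded.append(resource_type)
    group["allSupported"] = False
    for key in ("resourceTypes", "includeGlobalResourceTypes"):
        group.pop(key, None)  # assumption: neither field is valid with the exclusion strategy
    group["recordingStrategy"] = {"useOnly": "EXCLUSION_BY_RESOURCE_TYPES"}
    return rec

def delete_rules_without_compliance_cis(client, rule_names, poll_seconds=30,
                                        max_polls=240, sleep=time.sleep):
    """Exclude ResourceCompliance, delete, poll until gone (async, maybe hours), restore."""
    recorders = client.describe_configuration_recorders()["ConfigurationRecorders"]
    if len(recorders) != 1:
        raise RuntimeError("expected exactly one configuration recorder in this Region")
    original = put_payload(recorders[0])
    client.put_configuration_recorder(ConfigurationRecorder=exclude_type(original))
    try:
        for name in rule_names:
            client.delete_config_rule(ConfigRuleName=name)
        pending = set(rule_names)
        for _ in range(max_polls):
            for name in sorted(pending):
                try:
                    client.describe_config_rules(ConfigRuleNames=[name])
                except client.exceptions.NoSuchConfigRuleException:
                    pending.discard(name)
            if not pending:
                break
            sleep(poll_seconds)
        if pending:
            raise TimeoutError(f"rules still deleting: {sorted(pending)}")
    finally:  # the exclusion must never outlive this call, even if a delete fails
        client.put_configuration_recorder(ConfigurationRecorder=original)
    return original

class FakeConfigClient:
    """Constructed offline stand-in; a rule disappears a few polls after its delete."""
    class exceptions:
        class NoSuchConfigRuleException(Exception):
            pass
    def __init__(self, recorder, rule_names, polls_until_gone=2):
        self.recorder, self.calls = copy.deepcopy(recorder), []
        self.rules = dict.fromkeys(rule_names)  # None = active, int = polls until gone
        self.polls_until_gone = polls_until_gone
    def describe_configuration_recorders(self):
        return {"ConfigurationRecorders": [copy.deepcopy(self.recorder)]}
    def put_configuration_recorder(self, ConfigurationRecorder):
        self.recorder = copy.deepcopy(ConfigurationRecorder)
        self.calls.append(("put_recorder", self.recorder))
    def delete_config_rule(self, ConfigRuleName):
        self.rules[ConfigRuleName] = self.polls_until_gone  # asynchronous deletion
        self.calls.append(("delete_rule", ConfigRuleName))
    def describe_config_rules(self, ConfigRuleNames):
        name, = ConfigRuleNames
        if self.rules.get(name, 0) == 0:  # never existed, or deletion finished
            self.rules.pop(name, None)
            raise self.exceptions.NoSuchConfigRuleException(name)
        if self.rules[name] is not None:  # counting down an asynchronous delete
            self.rules[name] -= 1
        return {"ConfigRules": [{"ConfigRuleName": name}]}

SAMPLE_RECORDER = {  # constructed describe_configuration_recorders output
    "name": "default", "roleARN": "arn:aws:iam::123456789012:role/ConfigRecorderRole",
    "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True,
                       "recordingStrategy": {"useOnly": "ALL_SUPPORTED_RESOURCE_TYPES"}}}

def demo(rule_names=("required-tags", "my-custom-lambda-rule")):
    """Run the procedure against the fake client; returns (client, restored recorder)."""
    client = FakeConfigClient(SAMPLE_RECORDER, rule_names)
    restored = delete_rules_without_compliance_cis(client, list(rule_names), poll_seconds=0,
                                                   sleep=lambda _: None)
    return client, restored
```

Against a real account, pass boto3.client("config") instead of the fake; the poll_seconds and max_polls defaults allow two hours. The trade-off the text describes still applies: while the exclusion is in place, compliance changes leave no CI, so keep the window to the deletion itself and run the procedure when rule churn is otherwise low.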
Recommendation: Add logic to handle the evaluation of deleted resources for custom Lambda rules
When creating Amazon Config custom Lambda rules, it is highly recommended that you add logic to handle the evaluation of deleted resources.
When a rule returns NOT_APPLICABLE for a deleted resource, that evaluation result is marked for deletion and cleaned up. If the rule does not return NOT_APPLICABLE, the evaluation result remains unchanged until the rule is deleted, and the accumulated stale results can then cause an unexpected spike in the creation of CIs for AWS::Config::ResourceCompliance when the rule is deleted.
For information on how to set Amazon Config custom Lambda rules to return NOT_APPLICABLE for deleted resources, see Managing deleted resources with Amazon Config custom Lambda rules.
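One way to write that logic, as an added Python example rather than the documentation's own sample: the handler returns NOT_APPLICABLE when the configuration item's status is ResourceDeleted or ResourceDeletedNotRecorded (and when the event reports that the resource left the rule's scope), and it also resolves oversized change notifications, whose deleted-resource status is only reachable through get_resource_config_history. The tag check, the requiredTagKey parameter, FakeConfigClient and the sample configuration items are assumptions constructed for the example.

```python
"""Custom Lambda rule that returns NOT_APPLICABLE for deleted resources.

Added example, not code from the Amazon Config documentation. The rule logic (resource
must carry the tag named by the hypothetical `requiredTagKey` parameter) is only a
placeholder; the deletion handling is the point. Assumes the custom-rule event shape
(invokingEvent, ruleParameters, resultToken, eventLeftScope) and the boto3 calls
put_evaluations and get_resource_config_history. FakeConfigClient and the sample
configuration items are constructed for offline use.
"""
import json

DELETED_STATUSES = {"ResourceDeleted", "ResourceDeletedNotRecorded"}

def evaluate(item, rule_parameters, event_left_scope=False):
    """Evaluation for one configuration item.

    Deleted resources, resources that left the rule's scope and unrecorded types
    get NOT_APPLICABLE, so Config cleans their results up instead of holding them
    (one ResourceCompliance CI each) until the rule itself is deleted.
    """
    status = item["configurationItemStatus"]
    if status in DELETED_STATUSES or event_left_scope:
        compliance, note = "NOT_APPLICABLE", "resource deleted or out of scope"
    elif status == "ResourceNotRecorded":
        compliance, note = "NOT_APPLICABLE", "resource type not recorded"
    else:
        key = rule_parameters.get("requiredTagKey", "Owner")  # hypothetical parameter
        present = key in (item.get("tags") or {})  # deleted CIs may carry no tags at all
        compliance = "COMPLIANT" if present else "NON_COMPLIANT"
        note = f"tag {key} {'present' if present else 'missing'}"
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance, "Annotation": note,
            "OrderingTimestamp": item["configurationItemCaptureTime"]}

def lambda_handler(event, context, config_client=None):
    """Lambda entry point: parse the event, evaluate, report via put_evaluations."""
    if config_client is None:
        import boto3  # real deployment; the offline demo injects a fake instead
        config_client = boto3.client("config")
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    item = invoking.get("configurationItem")
    if item is None:  # oversized notification: only a summary is inline, fetch the full CI
        s = invoking["configurationItemSummary"]
        item = config_client.get_resource_config_history(
            resourceType=s["resourceType"], resourceId=s["resourceId"],
            laterTime=s["configurationItemCaptureTime"], limit=1)["configurationItems"][0]
    evaluation = evaluate(item, params, event.get("eventLeftScope", False))
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation

class FakeConfigClient:
    """Constructed stand-in for the boto3 config client."""
    def __init__(self, history_item=None):
        self.history_item, self.put = history_item, []

    def put_evaluations(self, Evaluations, ResultToken):
        self.put.append((ResultToken, Evaluations))
        return {"FailedEvaluations": []}

    def get_resource_config_history(self, **kwargs):
        return {"configurationItems": [self.history_item]}

def make_event(item=None, summary=None, left_scope=False, params=None, token="tok"):
    """Constructed custom-rule invocation event (full item or oversized summary)."""
    body = {"configurationItem": item} if item is not None else {"configurationItemSummary": summary}
    body["messageType"] = ("ConfigurationItemChangeNotification" if item is not None
                           else "OversizedConfigurationItemChangeNotification")
    return {"invokingEvent": json.dumps(body), "ruleParameters": json.dumps(params or {}),
            "resultToken": token, "eventLeftScope": left_scope}

LIVE_BUCKET = {"resourceType": "AWS::S3::Bucket", "resourceId": "payroll-exports",  # constructed
               "configurationItemStatus": "OK", "tags": {"Owner": "finance"},
               "configurationItemCaptureTime": "2024-05-01T10:00:00.000Z"}
DELETED_BUCKET = {"resourceType": "AWS::S3::Bucket", "resourceId": "payroll-exports",  # no tags
                  "configurationItemStatus": "ResourceDeleted",
                  "configurationItemCaptureTime": "2024-05-02T10:00:00.000Z"}

def demo():
    """Run the handler over constructed events; returns ({case: ComplianceType}, client)."""
    client = FakeConfigClient(history_item=DELETED_BUCKET)
    cases = {
        "live": make_event(LIVE_BUCKET),
        "untagged": make_event({**LIVE_BUCKET, "tags": {}}),
        "deleted": make_event(DELETED_BUCKET),
        "left_scope": make_event(LIVE_BUCKET, left_scope=True),
        "oversized_deleted": make_event(summary={k: DELETED_BUCKET[k] for k in
                                                 ("resourceType", "resourceId", "configurationItemCaptureTime")}),
    }
    return {name: lambda_handler(ev, None, client)["ComplianceType"] for name, ev in cases.items()}, client
```

The order of the checks matters: the status test comes before any inspection of the resource's configuration, because a deleted-resource CI no longer carries the tags or configuration the rule would otherwise read, and a NON_COMPLIANT result produced by that missing data would linger until the rule is deleted.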
Recommendation: Provide the resources in scope for custom Lambda rules
Amazon Config custom Lambda rules can cause a high number of Lambda function invocations if the rule is not scoped to one or more resource types. If no resource types are selected, the rule invokes the Lambda function for all resources in the account. To avoid unnecessary invocations and the activity they generate in your account, it is highly recommended that you specify the resources in scope for your custom Lambda rules.
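An added example (not from the documentation) that audits existing rules for this problem and builds a correctly scoped rule definition. It assumes the ConfigRule structure returned by describe_config_rules and accepted by put_config_rule; SAMPLE_RULES and the Lambda ARN are constructed. It goes slightly beyond the text by skipping periodic-only rules, which are invoked once per period rather than once per resource change, and by treating a TagKey-only scope as still unscoped by resource type.

```python
"""Flag custom Lambda rules that invoke their function for every resource in the account.

Added example, not code from the Amazon Config documentation. Assumes the ConfigRule shape
returned by describe_config_rules and accepted by put_config_rule (ConfigRuleName, Scope,
Source.Owner, Source.SourceIdentifier, Source.SourceDetails) and the boto3
describe_config_rules paginator. SAMPLE_RULES and FN_ARN are constructed.
"""

CHANGE_TRIGGERS = {"ConfigurationItemChangeNotification",
                   "OversizedConfigurationItemChangeNotification"}
CHANGE_DETAIL = [{"EventSource": "aws.config", "MessageType": "ConfigurationItemChangeNotification"}]
FN_ARN = "arn:aws:lambda:us-east-1:123456789012:function:bucket-tags"  # constructed

def is_resource_scoped(rule):
    """True when Scope names resource types, or one resource (which implies its type).

    A TagKey-only scope does not count: it still spans every resource type that
    carries the tag.
    """
    scope = rule.get("Scope") or {}
    return bool(scope.get("ComplianceResourceTypes") or scope.get("ComplianceResourceId"))

def find_unscoped_custom_lambda_rules(rules):
    """Names of custom Lambda rules fired on configuration changes with no resource scope.

    Periodic-only rules are skipped: they run once per period, not once per changed
    resource, so scope does not drive their invocation count.
    """
    flagged = []
    for rule in rules:
        source = rule.get("Source", {})
        if source.get("Owner") != "CUSTOM_LAMBDA":
            continue  # managed rules are scoped by Config itself
        triggers = {d.get("MessageType") for d in source.get("SourceDetails", [])}
        if triggers & CHANGE_TRIGGERS and not is_resource_scoped(rule):
            flagged.append(rule["ConfigRuleName"])
    return flagged

def scoped_custom_lambda_rule(name, function_arn, resource_types):
    """put_config_rule payload for a change-triggered custom Lambda rule with a scope."""
    if not resource_types:
        raise ValueError("a change-triggered custom Lambda rule must name its resource types")
    return {"ConfigRuleName": name,
            "Scope": {"ComplianceResourceTypes": sorted(resource_types)},
            "Source": {"Owner": "CUSTOM_LAMBDA", "SourceIdentifier": function_arn,
                       "SourceDetails": list(CHANGE_DETAIL)}}

def audit(client):
    """Page through describe_config_rules on a real boto3 client and return flagged names."""
    pages = client.get_paginator("describe_config_rules").paginate()
    return find_unscoped_custom_lambda_rules(r for page in pages for r in page["ConfigRules"])

SAMPLE_RULES = [  # constructed describe_config_rules output
    {"ConfigRuleName": "bucket-tags-unscoped",  # fires for every resource change
     "Source": {"Owner": "CUSTOM_LAMBDA", "SourceIdentifier": FN_ARN, "SourceDetails": CHANGE_DETAIL}},
    {"ConfigRuleName": "bucket-tags-scoped", "Scope": {"ComplianceResourceTypes": ["AWS::S3::Bucket"]},
     "Source": {"Owner": "CUSTOM_LAMBDA", "SourceIdentifier": FN_ARN, "SourceDetails": CHANGE_DETAIL}},
    {"ConfigRuleName": "nightly-inventory",  # periodic only: one invocation per period
     "Source": {"Owner": "CUSTOM_LAMBDA", "SourceIdentifier": FN_ARN,
                "SourceDetails": [{"EventSource": "aws.config", "MessageType": "ScheduledNotification",
                                   "MaximumExecutionFrequency": "TwentyFour_Hours"}]}},
    {"ConfigRuleName": "required-tags",  # managed rule
     "Source": {"Owner": "AWS", "SourceIdentifier": "REQUIRED_TAGS"}},
    {"ConfigRuleName": "tag-only-scope", "Scope": {"TagKey": "Environment"},  # still every type
     "Source": {"Owner": "CUSTOM_LAMBDA", "SourceIdentifier": FN_ARN, "SourceDetails": CHANGE_DETAIL}},
]
```

Run audit(boto3.client("config")) in each Region where you deploy custom rules; a flagged rule is re-created with put_config_rule(**scoped_custom_lambda_rule(...)) naming only the resource types the function actually inspects.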
Default Values for Managed Rules
The default values specified for managed rules are pre-populated only when you use the Amazon console. Default values are not supplied by the API, CLI, or SDK, so when you create a managed rule programmatically, pass every parameter you rely on explicitly in InputParameters.
Configuration Item Recording Delays
Amazon Config usually records configuration changes to your resources right after a change is detected, or at the frequency that you specify. However, recording is on a best-effort basis and can take longer at times. AWS::SecretsManager::Secret is one resource type with known delays; it is only an example, and other resource types can also be affected.
Policies and compliance results
IAM policies and other policies managed in Amazon Organizations (such as service control policies) can affect whether Amazon Config has permission to record configuration changes for your resources. In addition, rules evaluate the configuration of a resource directly and do not take these policies into account when running evaluations. Make sure that the policies in effect align with how you intend to use Amazon Config.
Tagging support for resource types
If a resource type does not support tagging, or its describe API response does not include tag information, Amazon Config does not capture tag data in the configuration items (CIs) for that resource type. Amazon Config still records these resources, but any functionality that relies on tag data, such as tag-based filtering, grouping, or compliance evaluation based on tags, does not work for them.
Directory Buckets Are Not Supported
Managed rules only support general purpose buckets when evaluating Amazon Simple Storage Service (Amazon S3) resources. For more information on general purpose buckets and directory buckets, see Buckets overview and Directory buckets in the Amazon S3 User Guide.
Managed Rules and Global IAM Resource Types
The global IAM resource types onboarded before February 2022 (AWS::IAM::Group, AWS::IAM::Policy, AWS::IAM::Role, and AWS::IAM::User) can only be recorded by Amazon Config in Amazon Regions where Amazon Config was available before February 2022. These resource types cannot be recorded in Regions that Amazon Config added support for after February 2022. For a list of those Regions, see Recording Amazon Resources | Global Resources.
If you record a global IAM resource type in at least one Region, periodic rules that report compliance on that resource type run evaluations in every Region where the periodic rule is deployed, even if recording of the global IAM resource type is not enabled in the Region where the rule was added.
To avoid unnecessary evaluations, deploy periodic rules that report compliance on a global IAM resource type in only one of the supported Regions.
For a list of which managed rules are supported in which Regions, see List of Amazon Config Managed Rules by Region Availability.