Frequently Asked Questions
Unable to see my latest configuration changes
Can I expect to view my configuration changes right away?
Amazon Config usually records configuration changes to your resources right after a change is detected, or at the frequency that you specify.
However, this is on a best effort basis and can take longer at times. If issues persist after sometime, contact Amazon Web Services Support
Indirect Relationships in Amazon Config
Topics
- What is resource relationship?
- What is a direct and an indirect relationship with respect to a resource?
- Which indirect relationships does Amazon Config support?
- How are the configuration items created due to direct and indirect relationship?
- What are the configuration items generated due to indirect relationships?
- How do I retrieve configuration data related to indirect relationships?
What is resource relationship?
In Amazon, resources refer to entities that are manageable, such as an Amazon Elastic Compute Cloud (Amazon EC2) instance, an Amazon CloudFormation stack,
or an Amazon S3 bucket. Amazon Config is a service that tracks and monitors resources by creating configuration items
(CIs) whenever a change to a recorded resource type is detected, or at the recording frequency that you set. For instance, when Amazon Config is set up to track Amazon EC2 instances,
it creates a configuration item every time an instance is created, updated, or deleted. Each configuration item created by Amazon Config has several fields,
including accountId, arn (Amazon Resource Name), awsRegion, configuration, tags, and relationships. The relationships field of a CI enables Amazon Config to display how resources are linked to one another.
For instance, a relationship may indicate that an
Amazon EBS volume with ID vol-123ab45d is attached to an Amazon EC2 instance with
ID i-a1b2c3d4, which is associated with security group sg-ef678hk.
What is a direct and an indirect relationship with respect to a resource?
Amazon Config derives the relationships for most resource types from the configuration field, which are called "direct" relationships. A direct relationship is a one-way connection (A→B) between a resource (A) and another resource (B), typically obtained from the describe API response of resource (A). In the past, for some resource types that Amazon Config initially supported, it also captured relationships from the configurations of other resources, creating "indirect" relationships that are bidirectional (B→A). For example, the relationship between an Amazon EC2 instance and its security group is direct because the security groups are included in the describe API response for the Amazon EC2 instance. On the other hand, the relationship between a security group and an Amazon EC2 instance is indirect because describing a security group does not return any information about the instances it is associated with. As a result, when a resource configuration change is detected, Amazon Config not only creates a CI for that resource, but also generates CIs for any related resources, including those with indirect relationships. For example, when Amazon Config detects changes in an Amazon EC2 instance, it creates a CI for the instance and a CI for the security group that is associated with the instance.
Which indirect relationships does Amazon Config support?
The following indirect resource relationships are supported in Amazon Config.
| Resource type | is indirectly related to the resource type |
|---|---|
AWS::EC2::RouteTable |
AWS::EC2::Instance, AWS::EC2::NetworkInterface, AWS::EC2::Subnet, AWS::EC2::VPNGateway, AWS::EC2::VPC |
AWS::EC2::EIP |
AWS::EC2::Instance, AWS::EC2::NetworkInterface |
AWS::EC2::Instance |
AWS::EC2::SecurityGroup, AWS::EC2::Subnet, AWS::EC2::VPC |
AWS::EC2::NetworkInterface |
AWS::EC2::SecurityGroup, AWS::EC2::Subnet, AWS::EC2::VPC |
AWS::EC2::NetworkACL |
AWS::EC2::Subnet, AWS::EC2::VPC |
AWS::EC2::VPNConnection |
AWS::EC2::VPNGateway, AWS::EC2::CustomerGateway |
AWS::EC2::InternetGateway |
AWS::EC2::VPC |
AWS::EC2::SecurityGroup |
AWS::EC2::VPC |
AWS::EC2::Subnet |
AWS::EC2::VPC |
AWS::EC2::VPNGateway |
AWS::EC2::VPC |
How are the configuration items created due to direct and indirect relationship?
For a direct relationship between resources (A→B), any configuration change to the resource B will initiate a configuration item (CI) for the resource A as well. Similarly, for an indirect relationship (B→A), when there is a configuration change to resource A a new CI will be generated for resource B. For example, Amazon EC2 instance to security group is a direct relationship so any configuration change to a security group would generate a CI for the security group as well as a CI for the EC2 instance. Similarly, security group to Amazon EC2 instance is an indirect relationship so any configuration change to an EC2 instance would generate a CI for the Amazon EC2 instance as well as a CI for the security group.
What are the configuration items generated due to indirect relationships?
Below are the additional configuration items (CIs) generated due to indirect resource relationships.
| Configuration changes to the following resource types | will generate CIs for the following resources types |
|---|---|
AWS::EC2::RouteTable |
AWS::EC2::Instance, AWS::EC2::NetworkInterface, AWS::EC2::Subnet, AWS::EC2::VPNGateway, and AWS::EC2::VPC |
AWS::EC2::EIP |
AWS::EC2::Instance, AWS::EC2::NetworkInterface |
AWS::EC2::Instance |
AWS::EC2::SecurityGroup, AWS::EC2::Subnet, AWS::EC2::VPC |
AWS::EC2::NetworkInterface |
AWS::EC2::SecurityGroup, AWS::EC2::Subnet, AWS::EC2::VPC |
AWS::EC2::NetworkACL |
AWS::EC2::Subnet, AWS::EC2::VPC |
AWS::EC2::VPNConnection |
AWS::EC2::VPNGateway, AWS::EC2::CustomerGateway |
AWS::EC2::InternetGateway |
AWS::EC2::VPC |
AWS::EC2::SecurityGroup |
AWS::EC2::VPC |
AWS::EC2::Subnet |
AWS::EC2::VPC |
AWS::EC2::VPNGateway |
AWS::EC2::VPC |
How do I retrieve configuration data related to indirect relationships?
You can run Structured Query Language (SQL) queries in Amazon Config Advanced Queries to retrieve configuration data related to indirect resource relationships. For example, if you want to retrieve the list of Amazon EC2 instances related to a security group, use the following query:
SELECT resourceId, resourceType WHERE resourceType ='AWS::EC2::Instance' AND relationships.resourceId = 'sg-234213'