Frequently Asked Questions - Amazon Config
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Frequently Asked Questions

Indirect Relationships in Amazon Config

What is a resource relationship?

In Amazon, resources refer to entities that are manageable, such as an Amazon Elastic Compute Cloud (Amazon EC2) instance, an Amazon CloudFormation stack, or an Amazon S3 bucket. Amazon Config is a service that tracks and monitors resources by creating configuration items (CIs) whenever a change to a recorded resource type is detected, or at the recording frequency that you set. For instance, when Amazon Config is set up to track Amazon EC2 instances, it creates a configuration item every time an instance is created, updated, or deleted. Each configuration item created by Amazon Config has several fields, including accountId, arn (Amazon Resource Name), awsRegion, configuration, tags, and relationships. The relationships field of a CI enables Amazon Config to display how resources are linked to one another. For instance, a relationship may indicate that an Amazon EBS volume with ID vol-123ab45d is attached to an Amazon EC2 instance with ID i-a1b2c3d4, which is associated with security group sg-ef678hk.

What is a direct and an indirect relationship with respect to a resource?

Amazon Config derives the relationships for most resource types from the configuration field; these are called "direct" relationships. A direct relationship is a one-way connection (A→B) between a resource (A) and another resource (B), typically obtained from the describe API response of resource (A). In the past, for some resource types that Amazon Config initially supported, it also captured relationships from the configurations of other resources, creating "indirect" relationships that are bidirectional (B→A). For example, the relationship between an Amazon EC2 instance and its security group is direct because the security groups are included in the describe API response for the Amazon EC2 instance. On the other hand, the relationship between a security group and an Amazon EC2 instance is indirect because describing a security group does not return any information about the instances it is associated with. As a result, when a resource configuration change is detected, Amazon Config not only creates a CI for that resource, but also generates CIs for any related resources, including those with indirect relationships. For example, when Amazon Config detects changes in an Amazon EC2 instance, it creates a CI for the instance and a CI for the security group that is associated with the instance.

Which indirect relationships does Amazon Config support?

The following indirect resource relationships are supported in Amazon Config.

Resource type                 Is indirectly related to the resource type(s)
AWS::EC2::RouteTable          AWS::EC2::Instance, AWS::EC2::NetworkInterface, AWS::EC2::Subnet, AWS::EC2::VPNGateway, AWS::EC2::VPC
AWS::EC2::EIP                 AWS::EC2::Instance, AWS::EC2::NetworkInterface
AWS::EC2::Instance            AWS::EC2::SecurityGroup, AWS::EC2::Subnet, AWS::EC2::VPC
AWS::EC2::NetworkInterface    AWS::EC2::SecurityGroup, AWS::EC2::Subnet, AWS::EC2::VPC
AWS::EC2::NetworkACL          AWS::EC2::Subnet, AWS::EC2::VPC
AWS::EC2::VPNConnection       AWS::EC2::VPNGateway, AWS::EC2::CustomerGateway
AWS::EC2::InternetGateway     AWS::EC2::VPC
AWS::EC2::SecurityGroup       AWS::EC2::VPC
AWS::EC2::Subnet              AWS::EC2::VPC
AWS::EC2::VPNGateway          AWS::EC2::VPC

How are configuration items created due to direct and indirect relationships?

For a direct relationship between resources (A→B), any configuration change to the resource B will initiate a configuration item (CI) for the resource A as well. Similarly, for an indirect relationship (B→A), when there is a configuration change to resource A a new CI will be generated for resource B. For example, Amazon EC2 instance to security group is a direct relationship so any configuration change to a security group would generate a CI for the security group as well as a CI for the EC2 instance. Similarly, security group to Amazon EC2 instance is an indirect relationship so any configuration change to an EC2 instance would generate a CI for the Amazon EC2 instance as well as a CI for the security group.

What are the configuration items generated due to indirect relationships?

Below are the additional configuration items (CIs) generated due to indirect resource relationships.

Configuration changes to this resource type    Generate CIs for these resource types
AWS::EC2::RouteTable                           AWS::EC2::Instance, AWS::EC2::NetworkInterface, AWS::EC2::Subnet, AWS::EC2::VPNGateway, AWS::EC2::VPC
AWS::EC2::EIP                                  AWS::EC2::Instance, AWS::EC2::NetworkInterface
AWS::EC2::Instance                             AWS::EC2::SecurityGroup, AWS::EC2::Subnet, AWS::EC2::VPC
AWS::EC2::NetworkInterface                     AWS::EC2::SecurityGroup, AWS::EC2::Subnet, AWS::EC2::VPC
AWS::EC2::NetworkACL                           AWS::EC2::Subnet, AWS::EC2::VPC
AWS::EC2::VPNConnection                        AWS::EC2::VPNGateway, AWS::EC2::CustomerGateway
AWS::EC2::InternetGateway                      AWS::EC2::VPC
AWS::EC2::SecurityGroup                        AWS::EC2::VPC
AWS::EC2::Subnet                               AWS::EC2::VPC
AWS::EC2::VPNGateway                           AWS::EC2::VPC

How do I retrieve configuration data related to indirect relationships?

You can run Structured Query Language (SQL) queries in Amazon Config Advanced Queries to retrieve configuration data related to indirect resource relationships. For example, if you want to retrieve the list of Amazon EC2 instances related to a security group, use the following query:

SELECT resourceId, resourceType WHERE resourceType = 'AWS::EC2::Instance' AND relationships.resourceId = 'sg-234213'
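The following is an added example, not Amazon's code or an Amazon Config API: it simulates, over a small constructed set of configuration items, the CI fan-out rules described under "How are configuration items created" and in the indirect-relationship table, and evaluates the advanced query above locally. The CI shape (resourceType, resourceId, relationships) follows the fields named in this FAQ; the resource IDs are constructed sample values.

```python
# Added example (not Amazon's code): simulate this FAQ's CI fan-out rules over constructed CIs.
# Fan-out table from this FAQ: a change to the key type also emits CIs for the related
# resources of the listed types that the changed resource's own CI references.
INDIRECT_FANOUT = {
    "AWS::EC2::RouteTable": {"AWS::EC2::Instance", "AWS::EC2::NetworkInterface",
                             "AWS::EC2::Subnet", "AWS::EC2::VPNGateway", "AWS::EC2::VPC"},
    "AWS::EC2::EIP": {"AWS::EC2::Instance", "AWS::EC2::NetworkInterface"},
    "AWS::EC2::Instance": {"AWS::EC2::SecurityGroup", "AWS::EC2::Subnet", "AWS::EC2::VPC"},
    "AWS::EC2::NetworkInterface": {"AWS::EC2::SecurityGroup", "AWS::EC2::Subnet", "AWS::EC2::VPC"},
    "AWS::EC2::NetworkACL": {"AWS::EC2::Subnet", "AWS::EC2::VPC"},
    "AWS::EC2::VPNConnection": {"AWS::EC2::VPNGateway", "AWS::EC2::CustomerGateway"},
    "AWS::EC2::InternetGateway": {"AWS::EC2::VPC"},
    "AWS::EC2::SecurityGroup": {"AWS::EC2::VPC"},
    "AWS::EC2::Subnet": {"AWS::EC2::VPC"},
    "AWS::EC2::VPNGateway": {"AWS::EC2::VPC"},
}

# Constructed CIs with only the fields needed here; each CI's relationships are the
# direct (A->B) links taken from that resource's own describe response.
CIS = [
    {"resourceType": "AWS::EC2::Instance", "resourceId": "i-a1b2c3d4", "relationships": [
        {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-234213"},
        {"resourceType": "AWS::EC2::Subnet", "resourceId": "subnet-0a1b"}]},
    {"resourceType": "AWS::EC2::Instance", "resourceId": "i-ffff0000", "relationships": [
        {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-999999"}]},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-234213", "relationships": [
        {"resourceType": "AWS::EC2::VPC", "resourceId": "vpc-1111"}]},
    {"resourceType": "AWS::EC2::Subnet", "resourceId": "subnet-0a1b", "relationships": [
        {"resourceType": "AWS::EC2::VPC", "resourceId": "vpc-1111"}]},
    {"resourceType": "AWS::EC2::VPC", "resourceId": "vpc-1111", "relationships": []},
]

def cis_generated_by_change(cis, changed_type, changed_id):
    """Return the set of (type, id) pairs that receive a CI when one resource changes."""
    changed = (changed_type, changed_id)
    out = {changed}
    for ci in cis:
        key = (ci["resourceType"], ci["resourceId"])
        links = {(r["resourceType"], r["resourceId"]) for r in ci["relationships"]}
        if key == changed:  # indirect rule (B->A): fan out to the related types in the table
            out |= {l for l in links if l[0] in INDIRECT_FANOUT.get(changed_type, ())}
        elif changed in links:  # direct rule (A->B): a change to B also creates a CI for A
            out.add(key)
    return out

def instances_for_security_group(cis, sg_id):
    """Local equivalent of the advanced query above: instances related to sg_id."""
    return sorted(ci["resourceId"] for ci in cis if ci["resourceType"] == "AWS::EC2::Instance"
                  and any(r["resourceId"] == sg_id for r in ci["relationships"]))
```

Running the fan-out for a change to sg-234213 yields CIs for the security group, the instance that references it (direct rule) and its VPC (indirect table row); a change to i-a1b2c3d4 yields CIs for the instance, its security group and its subnet.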