Granting Permissions for Amazon Config Administration - Amazon Config
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Granting Permissions for Amazon Config Administration

To allow users to administer Amazon Config, you must grant explicit permissions to IAM users to perform the actions associated with Amazon Config tasks. For most scenarios, you can do this using an Amazon managed policy that contains predefined permissions.


The permissions you grant to users to perform Amazon Config administration tasks are not the same as the permissions that Amazon Config itself requires in order to deliver log files to Amazon S3 buckets or send notifications to Amazon SNS topics.

Users who set up and manage Amazon Config must have full-access permissions. With full-access permissions, users can provide Amazon S3 and Amazon SNS endpoints that Amazon Config delivers data to, create a role for Amazon Config, and turn on and turn off recording.

Users who use Amazon Config but don't need to set up Amazon Config should have read-only permissions. With read-only permissions, users can look up the configurations of resources or search for resources by tags.

A typical approach is to create an IAM group that has the appropriate permissions and then add individual IAM users to that group. For example, you might create an IAM group for users who should have full access to Amazon Config actions, and a separate group for users who should be able to view the configurations but not create or change a role.

Creating an IAM Group and Users for Amazon Config Access

  1. Sign in to the Amazon Identity and Access Management (IAM) console at

  2. From the dashboard, choose Groups in the navigation pane, and then choose Create New Group.

  3. Type a name, and then choose Next Step.

  4. On the Attach Policy page, find and choose AWSConfigUserAccess. This policy provides user access to use Amazon Config, including searching by tags on resources, and reading all tags. This does not provide permission to configure Amazon Config which requires administrative privileges.


    You can also create a custom policy that grants permissions to individual actions. For more information, see Granting Custom Permissions for Amazon Config Users .

  5. Choose Next Step.

  6. Review the information for the group you are about to create.


    You can edit the group name, but you will need to choose the policy again.

  7. Choose Create Group. The group that you created appears in the list of groups.

  8. Choose the group name that you created, choose Group Actions, and then choose Add Users to Group.

  9. On the Add Users to Group page, choose the existing IAM users, and then choose Add Users. If you don't already have IAM users, choose Create New Users, enter user names, and then choose Create.

  10. If you created new users, choose Users in the navigation pane and complete the following for each user:

    1. Choose the user.

    2. If the user will use the console to manage Amazon Config, in the Security Credentials tab, choose Manage Password, and then create a password for the user.

    3. If the user will use the Amazon CLI or API to manage Amazon Config, and if you didn't already create access keys, in the Security Credentials tab, choose Manage Access Keys and then create access keys. Store the keys in a secure location.

    4. Give each user his or her credentials (access keys or password).

Granting Full-Access Permission for Amazon Config Access

  1. Sign in to the Amazon Identity and Access Management (IAM) console at

  2. In the navigation pane, choose Policies, and then choose Create Policy. This will bring up the Policy Editor.

  3. You can use the visual editor tab or the JSON tab to create your own custom policy. You can select import managed policy to use the permissions from a policy created by yourself or one that is managed by Amazon.

  4. Select Next:Tags.

  5. Add any tags you would like your policy to have.

  6. Select Next:Review.

  7. Type a policy name and optionally a description. Review the permissions provided by the policy.

  8. Select Create Policy.

  9. In the list of policies, select the policy that you created. You can use the Filter menu and the Search box to find the policy.

  10. Select the radio button next to the policy you created, and then select Actions in the top right hand side. In this dropdown list select Attach.

  11. Select the users, groups, or roles, and then choose Attach Policy. You can use the Filter menu and the Search box to filter the list.

  12. Select Attach policy.


Instead of creating a managed policy, you can also create an inline policy from the IAM console and attach it to an IAM user, group, or role. For more information, see Working with Inline Policies in the IAM User Guide.

Additional Resources

To learn more about creating IAM users, groups, policies, and permissions, see Creating an Admins Group Using the Console and Permissions and Policies in the IAM User Guide.