Starting Amazon Config with a customer managed configuration recorder using the Amazon CLI - Amazon Config
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

You can start Amazon Config by creating a customer managed configuration recorder. To create a customer managed configuration recorder with the Amazon CLI, use the following commands: put-configuration-recorder, put-delivery-channel, and start-configuration-recorder.

  • The put-configuration-recorder command creates a customer managed configuration recorder.

  • The put-delivery-channel command creates a delivery channel where Amazon Config delivers configuration information to an S3 bucket and SNS topic.

  • The start-configuration-recorder command starts the customer managed configuration recorder. The customer managed configuration recorder will begin recording configuration changes for the resource types you specify.

Considerations

S3 bucket, SNS topic, and IAM role are required

To create a customer managed configuration recorder, you need to create an S3 bucket, an SNS topic, and an IAM role with attached policies as prerequisites. To set up your prerequisites for Amazon Config, see Prerequisites.

One customer managed configuration recorder per account per Region

You can have only one customer managed configuration recorder for each Amazon Web Services account for each Amazon Web Services Region.

One delivery channel per account per Region

You can have only one delivery channel for each Amazon Web Services account for each Amazon Web Services Region.

Policies and compliance results

IAM policies and other policies managed in Amazon Organizations can impact whether Amazon Config has permissions to record configuration changes for your resources. Additionally, rules directly evaluate the configuration of a resource and rules don't take into account these policies when running evaluations. Make sure that the policies in effect align with how you intend to use Amazon Config.

Step 1: Run the put-configuration-recorder command

Use the put-configuration-recorder command to create a customer managed configuration recorder:

This command uses the --configuration-recorder and --recording-group fields.

$ aws configservice put-configuration-recorder \
    --configuration-recorder file://configurationRecorder.json \
    --recording-group file://recordingGroup.json

The configuration-recorder field

The configurationRecorder.json file specifies name and roleARN as well as the default recording frequency for the configuration recorder (recordingMode). You can also use this field to override the recording frequency for specific resource types.

{
  "name": "default",
  "roleARN": "arn:aws:iam::123456789012:role/config-role",
  "recordingMode": {
    "recordingFrequency": CONTINUOUS or DAILY,
    "recordingModeOverrides": [
      {
        "description": "Description you provide for the override",
        "recordingFrequency": CONTINUOUS or DAILY,
        "resourceTypes": [ Comma-separated list of resource types to include in the override ]
      }
    ]
  }
}

The recording-group field

The recordingGroup.json file specifies which resource types are recorded.

{
  "allSupported": boolean,
  "exclusionByResourceTypes": {
    "resourceTypes": [ Comma-separated list of resource types to exclude ]
  },
  "includeGlobalResourceTypes": boolean,
  "recordingStrategy": {
    "useOnly": "Recording strategy for the configuration recorder"
  },
  "resourceTypes": [ Comma-separated list of resource types to include ]
}

For more information about these fields, see put-configuration-recorder in the Amazon CLI Command Reference.

Step 2: Run the put-delivery-channel command

Use the put-delivery-channel command to create a delivery channel:

This command uses the --delivery-channel field.

$ aws configservice put-delivery-channel --delivery-channel file://deliveryChannel.json

The delivery-channel field

The deliveryChannel.json file specifies the following:

  • The name for the delivery channel.

  • The s3BucketName where Amazon Config sends configuration snapshots.

  • The snsTopicARN where Amazon Config sends notifications.

  • The configSnapshotDeliveryProperties which sets how often Amazon Config delivers configuration snapshots and how often it invokes evaluations for periodic rules.

{
  "name": "default",
  "s3BucketName": "config-bucket-123456789012",
  "snsTopicARN": "arn:aws:sns:us-east-1:123456789012:config-topic",
  "configSnapshotDeliveryProperties": {
    "deliveryFrequency": "Twelve_Hours"
  }
}

For more information about these fields, see put-delivery-channel in the Amazon CLI Command Reference.

Step 3: Run the start-configuration-recorder command

Use the start-configuration-recorder command to start Amazon Config:

$ aws configservice start-configuration-recorder --configuration-recorder-name configRecorderName

For more information about this command, see start-configuration-recorder in the Amazon CLI Command Reference.
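The three steps above as one script, added here as an example and not taken from the Amazon Config documentation. It writes the three JSON inputs with constructed values (the account ID 123456789012, the config-role role, bucket and topic names are placeholders), records IAM roles and policies continuously while everything else is recorded daily, and goes one step beyond the page by checking with describe-configuration-recorder-status that the recorder actually reports recording=true. Set RUN_AWS=1 to execute the CLI calls; without it only the files are written.

```shell
#!/bin/sh
# Added example (not AWS's own code). Account id, Region, role, bucket and
# topic are constructed placeholders; replace them before RUN_AWS=1.
set -eu
ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"   # placeholder account
REGION="${AWS_REGION:-us-east-1}"          # placeholder Region
DIR="${CONFIG_DIR:-$(mktemp -d)}"          # where the JSON inputs land

# Default DAILY recording, but IAM roles/policies overridden to CONTINUOUS so
# permission changes are captured as they happen, not once a day.
write_inputs() {
  cat > "$DIR/configurationRecorder.json" <<EOF
{"name": "default",
 "roleARN": "arn:aws:iam::${ACCOUNT_ID}:role/config-role",
 "recordingMode": {"recordingFrequency": "DAILY",
   "recordingModeOverrides": [{"description": "IAM changes as they happen",
     "recordingFrequency": "CONTINUOUS",
     "resourceTypes": ["AWS::IAM::Role", "AWS::IAM::Policy"]}]}}
EOF
  cat > "$DIR/recordingGroup.json" <<EOF
{"allSupported": true, "includeGlobalResourceTypes": true,
 "recordingStrategy": {"useOnly": "ALL_SUPPORTED_RESOURCE_TYPES"}}
EOF
  cat > "$DIR/deliveryChannel.json" <<EOF
{"name": "default",
 "s3BucketName": "config-bucket-${ACCOUNT_ID}",
 "snsTopicARN": "arn:aws:sns:${REGION}:${ACCOUNT_ID}:config-topic",
 "configSnapshotDeliveryProperties": {"deliveryFrequency": "Twelve_Hours"}}
EOF
}

# Steps 1-3 from the page. --recording-group is its own argument, separate
# from the --configuration-recorder document.
start_config() {
  aws configservice put-configuration-recorder \
    --configuration-recorder "file://$DIR/configurationRecorder.json" \
    --recording-group "file://$DIR/recordingGroup.json"
  aws configservice put-delivery-channel \
    --delivery-channel "file://$DIR/deliveryChannel.json"
  aws configservice start-configuration-recorder \
    --configuration-recorder-name default
}

# Succeeds only when the recorder reports recording=true (text output "True").
recorder_is_recording() {
  aws configservice describe-configuration-recorder-status \
    --configuration-recorder-names default \
    --query 'ConfigurationRecordersStatus[0].recording' --output text \
    | grep -qx 'True'
}

write_inputs
if [ "${RUN_AWS:-0}" = 1 ]; then start_config; recorder_is_recording; fi
```

If recorder_is_recording fails right after start, inspect lastStatus and lastErrorMessage in the same describe-configuration-recorder-status output; a missing bucket policy or an IAM role Amazon Config cannot assume are the usual causes.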