Starting Amazon Config with the Amazon CLI - Amazon Config
put-configuration-recorderput-delivery-channelstart-configuration-recorder
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Starting Amazon Config with the Amazon CLI

Note

Before setting up Amazon Config with the Amazon CLI, you need to create an S3 bucket, an SNS topic, and an IAM role with attached policies as prerequisites. You can then use the Amazon CLI to specify the bucket, topic, and role for Amazon Config. To set up your prerequisites for Amazon Config, see Prerequisites.

To start Amazon Config with the Amazon CLI, use the put-configuration-recorder, put-delivery-channel, and start-configuration-recorder commands, as follows:

  • The put-configuration-recorder command creates a new configuration recorder to record your specified resource configurations.

  • The put-delivery-channel command creates a delivery channel object to deliver configuration information to an S3 bucket and SNS topic.

  • After a delivery channel is created, the start-configuration-recorder starts recording your selected resource configurations, which you can see in your Amazon account.

Note

You can have only one configuration recorder and only one delivery channel for each Amazon Region in your account.

You can specify the name of the recorder and the Amazon Resource Name (ARN) of the IAM role assumed by Amazon Config and used by the configuration recorder. Amazon Config automatically assigns the name of "default" when creating the configuration recorder. You cannot change the name of the configuration recorder after it has been created. To change the configuration recorder name, you must delete it and create a new configuration recorder with a new name.

To set up Amazon Config for Multi-Account Multi-Region Data Aggregation with the Amazon CLI, see Setting Up an Aggregator Using the Amazon Command Line Interface. You must create a separate configuration recorder for each Region in each Amazon account that you would want to record configuration items.

put-configuration-recorder

Your put-configuration-recorder command should look like the following example.

$ aws configservice put-configuration-recorder \
--configuration-recorder file://configurationRecorder.json \
--recording-group file://recordingGroup.json

This command uses the --configuration-recorder and ---recording-group fields.

Note

Recording group and configuration recorder

The --recording-group field specifies which resource types are recorded.

The --configuration-recorder field specifies name and roleArn as well as the default recording frequency for the configuration recorder (recordingMode). You can also use this field override the recording frequency for specific resource types.

put-configuration-recorder uses the following options for the --recording-group parameter:

  • allSupported=true – Amazon Config records configuration changes for all supported resource types, excluding the global IAM resource types. When Amazon Config adds support for a new resource type, Amazon Config automatically starts recording resources of that type.

  • includeGlobalResourceTypes=true – This option is a bundle which only applies to the global IAM resource types: IAM users, groups, roles, and customer managed policies. These global IAM resource types can only be recorded by Amazon Config in Regions where Amazon Config was available before February 2022. You cannot be record the global IAM resouce types in Regions supported by Amazon Config after February 2022. This list where you cannot record the global IAM resource types includes the following Regions:

    • Asia Pacific (Hyderabad)

    • Asia Pacific (Melbourne)

    • Canada West (Calgary)

    • Europe (Spain)

    • Europe (Zurich)

    • Israel (Tel Aviv)

    • Middle East (UAE)

    Important

    Aurora global clusters are recorded in all enabled Regions

    The AWS::RDS::GlobalCluster resource type will be recorded in all supported Amazon Config Regions where the configuration recorder is enabled, even if includeGlobalResourceTypes is set to false. The includeGlobalResourceTypes option is a bundle which only applies to IAM users, groups, roles, and customer managed policies.

    If you do not want to record AWS::RDS::GlobalCluster in all enabled Regions, use one of the following recording strategies:

    1. Record all current and future resource types with exclusions (EXCLUSION_BY_RESOURCE_TYPES), or

    2. Record specific resource types (INCLUSION_BY_RESOURCE_TYPES).

    For more information, see Selecting Which Resources are Recorded.

    Important

    includeGlobalResourceTypes and the exclusion recording strategy

    The includeGlobalResourceTypes field has no impact on the EXCLUSION_BY_RESOURCE_TYPES recording strategy. This means that the global IAM resource types (IAM users, groups, roles, and customer managed policies) will not be automatically added as exclusions for exclusionByResourceTypes when includeGlobalResourceTypes is set to false.

    The includeGlobalResourceTypes field should only be used to modify the AllSupported field, as the default for the AllSupported field is to record configuration changes for all supported resource types excluding the global IAM resource types. To include the global IAM resource types when AllSupported is set to true, make sure to set includeGlobalResourceTypes to true.

    To exclude the global IAM resource types for the EXCLUSION_BY_RESOURCE_TYPES recording strategy, you need to manually add them to the resourceTypes field of exclusionByResourceTypes.

    Note

    Required and optional fields

    Before you can set includeGlobalResourceTypes to true, set the allSupported field to true.

    Optionally, you can set the useOnly field of RecordingStrategy to ALL_SUPPORTED_RESOURCE_TYPES.

    Note

    Overriding fields

    If you set includeGlobalResourceTypesto false but list global IAM resource types in the resourceTypes field of RecordingGroup, Amazon Config will still record configuration changes for those specified resource types regardless of if you set the includeGlobalResourceTypes field to false.

    If you do not want to record configuration changes to the global IAM resource types (IAM users, groups, roles, and customer managed policies), make sure to not list them in the resourceTypes field in addition to setting the includeGlobalResourceTypes field to false.

  • recordingStrategy – Specifies the recording strategy for the configuration recorder. The recordingGroup.json file specifies which types of resources Amazon Config will record:

    • If you set the useOnly field of RecordingStrategy to ALL_SUPPORTED_RESOURCE_TYPES, Amazon Config records configuration changes for all supported resource types, excluding the global IAM resource types. Optionally, you can set the allSupported field of RecordingGroup to true. When Amazon Config adds support for a new resource type, Amazon Config automatically starts recording resources of that type.

    • If you set the useOnly field of RecordingStrategy to INCLUSION_BY_RESOURCE_TYPES, Amazon Config records configuration changes for only the resource types you specify in the resourceTypes field of RecordingGroup.

    • If you set the useOnly field of RecordingStrategy to EXCLUSION_BY_RESOURCE_TYPES, Amazon Config records configuration changes for all supported resource types except the resource types that you specify as to exclude from being recorded in the resourceTypes field of ExclusionByResourceTypes.

    Note

    Required and optional fields

    The recordingStrategy field is optional when you set the allSupported field of --recording-group to true.

    The recordingStrategy field is optional when you list resource types in the resourceTypes field of --recording-group.

    The recordingStrategy field is required if you list resource types to exclude from recording in the resourceTypes field of exclusionByResourceTypes.

    Note

    Overriding fields

    If you choose EXCLUSION_BY_RESOURCE_TYPES for the recording strategy, the exclusionByResourceTypes field will override other properties in the request.

    For example, even if you set includeGlobalResourceTypes to false, the global IAM resource types will still be automatically recorded in this option unless those resource types are specifically listed as exemptions in the resourceTypes field of exclusionByResourceTypes.

    Note

    Global resource types and the resource exclusion recording strategy

    By default, if you choose the EXCLUSION_BY_RESOURCE_TYPES recording strategy, when Amazon Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types, Amazon Config starts recording resources of that type automatically.

    Unless specifically listed as exclusions, AWS::RDS::GlobalCluster will be recorded automatically in all supported Amazon Config Regions were the configuration recorder is enabled.

    IAM users, groups, roles, and customer managed policies will be recorded in the Region where you set up the configuration recorder if that is a Region where Amazon Config was available before February 2022. You cannot be record the global IAM resouce types in Regions supported by Amazon Config after February 2022. This list where you cannot record the global IAM resource types includes the following Regions:

    • Asia Pacific (Hyderabad)

    • Asia Pacific (Melbourne)

    • Canada West (Calgary)

    • Europe (Spain)

    • Europe (Zurich)

    • Israel (Tel Aviv)

    • Middle East (UAE)

    The following shows the Request syntax for the recordingGroup.json.

    { 
    "allSupported": boolean,
    "exclusionByResourceTypes": { 
        "resourceTypes": [ Comma-separated list of resource types to exclude ]
    },
    "includeGlobalResourceTypes": boolean,
    "recordingStrategy": { 
        "useOnly": "Recording strategy for the configuration recorder"
    },
    "resourceTypes": [ Comma-separated list of resource types to include]
}
    Note

    Pre-existing Amazon Config role

    If you have used an Amazon service that uses Amazon Config, such as Amazon Security Hub or Amazon Control Tower, and an Amazon Config role has already been created, make sure that the IAM role that you use when setting up Amazon Config keeps the same minimum permissions as the already created Amazon Config role. You must do this so that the other Amazon service continues to run as expected.

    For example, if Amazon Control Tower has an IAM role that allows Amazon Config to read Amazon Simple Storage Service (Amazon S3) objects, make sure that the same permissions are granted within the IAM role you use when setting up Amazon Config. Otherwise, it may interfere with how Amazon Control Tower operates. For more information about IAM roles for Amazon Config, see Identity and Access Management for Amazon Config.

    Note

    High Number of Amazon Config Evaluations

    You may notice increased activity in your account during your initial month recording with Amazon Config when compared to subsequent months. During the initial bootstrapping process, Amazon Config runs evaluations on all the resources in your account that you have selected for Amazon Config to record.

    If you are running ephemeral workloads, you may see increased activity from Amazon Config as it records configuration changes associated with creating and deleting these temporary resources. An ephemeral workload is a temporary use of computing resources that are loaded and run when needed. Examples include Amazon Elastic Compute Cloud (Amazon EC2) Spot Instances, Amazon EMR jobs, and Amazon Auto Scaling. If you want to avoid the increased activity from running ephemeral workloads, you can run these types of workloads in a separate account with Amazon Config turned off to avoid increased configuration recording and rule evaluations.

    Note

    Region Availability

    Before specifying a resource type for Amazon Config to track, check Resource Coverage by Region Availability to see if the resource type is supported in the Amazon Region where you are setting up Amazon Config. If a resource type is supported by Amazon Config in at least one Region, you can enable the recording of that resource type in all Regions supported by Amazon Config, even if the specified resource type is not supported in the Amazon Region where you are setting up Amazon Config.

put-configuration-recorder uses the following fields for the --configuration-recorder parameter:

  • name – The name of the configuration recorder. Amazon Config automatically assigns the name of "default" when creating the configuration recorder.

  • roleARN – Amazon Resource Name (ARN) of the IAM role assumed by Amazon Config and used by the configuration recorder.

  • recordingMode – Specifies the default recording frequency that Amazon Config uses to record configuration changes. Amazon Config supports Continuous recording and Daily recording. Continuous recording allows you to record configuration changes continuously whenever a change occurs. Daily recording allows you to receive a configuration item (CI) representing the most recent state of your resources over the last 24-hour period, only if it’s different from the previous CI recorded.

    • recordingFrequency – The default recording frequency that Amazon Config uses to record configuration changes.

      Note

      Amazon Firewall Manager depends on continuous recording to monitor your resources. If you are using Firewall Manager, it is recommended that you set the recording frequency to Continuous.

    • recordingModeOverrides – This field allows you to specify your overrides for the recording mode. It is an array of recordingModeOverride objects. Each recordingModeOverride object in the recordingModeOverrides array consists of three fields:

      • description – A description that you provide for the override.

      • recordingFrequency – The recording frequency that will be applied to all the resource types specified in the override.

      • resourceTypes – A comma-separated list that specifies which resource types Amazon Config includes in the override.

Note

Required and optional fields

The recordingMode field for put-configuration-recorder is optional. By default, the recording frequency for the configuration recorder is set to Continuous recording.

Note

Limits

Daily recording is not supported for the following resource types:

  • AWS::Config::ResourceCompliance

  • AWS::Config::ConformancePackCompliance

  • AWS::Config::ConfigurationRecorder

For the Record all current and future supported resource types (ALL_SUPPORTED_RESOURCE_TYPES) recording strategy, these resource types will be set to Continuous recording.

The configurationRecorder.json file specifies name and roleArn as well as the default recording frequency for the configuration recorder (recordingMode). You can also use this field override the recording frequency for specific resource types.

{
  "name": "default",
  "roleARN": "arn:aws:iam::123456789012:role/config-role",
  "recordingMode": {
    "recordingFrequency": CONTINUOUS or DAILY,
    "recordingModeOverrides": [ 
        { 
            "description": "Description you provide for the override",
            "recordingFrequency": CONTINUOUS or DAILY,
            "resourceTypes": [ Comma-separated list of resource types to include in the override ]
        }
    ]
  }
}

put-delivery-channel

To set up the delivery channel, use the put-delivery-channel command.

$ aws configservice put-delivery-channel --delivery-channel file://deliveryChannel.json

The deliveryChannel.json file specifies the delivery channel attributes.

{
    "name": "default",
    "s3BucketName": "config-bucket-123456789012",
    "snsTopicARN": "arn:aws:sns:us-east-2:123456789012:config-topic",
    "configSnapshotDeliveryProperties": {
        "deliveryFrequency": "Twelve_Hours"
    }
}

This example sets the following attributes:

  • name – The name of the delivery channel. By default, Amazon Config assigns the name of default to a new delivery channel.

    You cannot update the delivery channel name with the put-delivery-channel command. For the steps to change the name, see Renaming the Delivery Channel.

  • s3BucketName – The name of the S3 bucket where Amazon Config delivers configuration snapshots and configuration history files.

    If you specify a bucket that belongs to another Amazon account, that bucket must have policies that grant access permissions to Amazon Config. For more information, see Permissions for the Amazon S3 Bucket for the Amazon Config Delivery Channel.

  • snsTopicARN – The Amazon Resource Name (ARN) of the Amazon SNS topic where Amazon Config sends notifications about configuration changes.

    If you choose a topic from another account, that topic must have policies that grant access permissions to Amazon Config. For more information, see Permissions for the Amazon SNS Topic.

  • configSnapshotDeliveryProperties – Contains the deliveryFrequency attribute, which sets how often Amazon Config delivers configuration snapshots.

start-configuration-recorder

To finish turning on Amazon Config, use the start-configuration-recorder command.

$ aws configservice start-configuration-recorder --configuration-recorder-name configRecorderName