Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Turning on Amazon Config

Note

Before setting up Amazon Config with the Amazon CLI, you need to create an Amazon S3 bucket, an Amazon SNS topic, and an IAM role with attached policies as prerequisites. You can then use the Amazon CLI to specify the bucket, topic, and role for Amazon Config. To set up your prerequisites for Amazon Config, see Prerequisites.

To turn on Amazon Config with the Amazon CLI, use the put-configuration-recorder, put-delivery-channel, and start-configuration-recorder commands.

The put-configuration-recorder command creates a new configuration recorder to record your selected resource configurations. The put-delivery-channel command creates a delivery channel object to deliver configuration information to an Amazon S3 bucket and Amazon SNS topic. You can have one configuration recorder and one delivery channel per Region in your account. Once a delivery channel is created, the start-configuration-recorder command starts recording your selected resource configurations, which you can then view in your Amazon account.

You can specify the name of the recorder and the Amazon Resource Name (ARN) of the IAM role used to describe the Amazon resources associated with the account. By default, Amazon Config automatically assigns the name "default" when creating the configuration recorder. You cannot change the assigned name.

To set up Amazon Config for Multi-Account Multi-Region Data Aggregation with the Amazon CLI, see Setting Up an Aggregator Using the Amazon Command Line Interface. A separate configuration recorder must be created in each Region of each Amazon account for which you want to record configuration items.

put-configuration-recorder

Your put-configuration-recorder command should look like the following example:

$ aws configservice put-configuration-recorder --configuration-recorder name=default,roleARN=arn:aws:iam::123456789012:role/config-role --recording-group allSupported=true,includeGlobalResourceTypes=true

This command uses the following options for the --recording-group parameter:

  • allSupported=true – Amazon Config records configuration changes for every supported type of regional resource. When Amazon Config adds support for a new type of regional resource, it automatically starts recording resources of that type.

  • includeGlobalResourceTypes=true – Amazon Config includes supported types of global resources with the resources that it records. When Amazon Config adds support for a new type of global resource, it automatically starts recording resources of that type.

    Before you can set this option to true, you must set the allSupported option to true.

    If you do not want to include global resources, set this option to false, or omit it.

    Note

    Pre-existing Amazon Config role

    If you have used an Amazon service that uses Amazon Config, such as Amazon Security Hub or Amazon Control Tower, and an Amazon Config role has already been created, make sure that the IAM role that you use when setting up Amazon Config keeps the same minimum permissions as the already created Amazon Config role. You must do this so that the other Amazon service continues to run as expected.

    For example, if Amazon Control Tower has an IAM role that allows Amazon Config to read Amazon Simple Storage Service (Amazon S3) objects, make sure that the same permissions are granted within the IAM role you use when setting up Amazon Config. Otherwise, it may interfere with how Amazon Control Tower operates. For more information about IAM roles for Amazon Config, see Amazon Identity and Access Management.

put-delivery-channel

To set up the delivery channel, use the put-delivery-channel command:

$ aws configservice put-delivery-channel --delivery-channel file://deliveryChannel.json

The deliveryChannel.json file specifies the delivery channel attributes:

{
  "name": "default",
  "s3BucketName": "config-bucket-123456789012",
  "snsTopicARN": "arn:aws:sns:us-east-2:123456789012:config-topic",
  "configSnapshotDeliveryProperties": {
    "deliveryFrequency": "Twelve_Hours"
  }
}

This example sets the following attributes:

  • name – The name of the delivery channel. By default, Amazon Config assigns the name default to a new delivery channel.

    You cannot update the delivery channel name with the put-delivery-channel command. For the steps to change the name, see Renaming the Delivery Channel.

  • s3BucketName – The name of the Amazon S3 bucket to which Amazon Config delivers configuration snapshots and configuration history files.

    If you specify a bucket that belongs to another Amazon account, that bucket must have policies that grant access permissions to Amazon Config. For more information, see Permissions for the Amazon S3 Bucket.

  • snsTopicARN – The Amazon Resource Name (ARN) of the Amazon SNS topic to which Amazon Config sends notifications about configuration changes.

    If you choose a topic from another account, that topic must have policies that grant access permissions to Amazon Config. For more information, see Permissions for the Amazon SNS Topic.

  • configSnapshotDeliveryProperties – Contains the deliveryFrequency attribute, which sets how often Amazon Config delivers configuration snapshots.

start-configuration-recorder

To finish turning on Amazon Config, use the start-configuration-recorder command:

$ aws configservice start-configuration-recorder --configuration-recorder-name configRecorderName
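The following script is an added example, not part of the Amazon Config documentation. It wraps the three steps above (put-configuration-recorder, put-delivery-channel and start-configuration-recorder) into one POSIX shell script, checks the --recording-group rule that includeGlobalResourceTypes=true requires allSupported=true before anything is sent to the API, generates the deliveryChannel.json document from variables instead of a hand-edited file, and finishes with describe-configuration-recorder-status so you can confirm the recorder is actually recording. The account ID, role name, bucket name, topic ARN and Region are constructed placeholders; replace them with your own values (in a China Region the ARN partition would also differ from the examples on this page).

```shell
#!/bin/sh
# Added example (not Amazon's own code): turn on Amazon Config with the CLI,
# validating inputs first and verifying recorder status afterwards.
# All identifiers below are placeholders; substitute your own.

ACCOUNT_ID="123456789012"                                        # placeholder
ROLE_ARN="arn:aws:iam::${ACCOUNT_ID}:role/config-role"            # placeholder
BUCKET="config-bucket-${ACCOUNT_ID}"                              # placeholder
TOPIC_ARN="arn:aws:sns:us-east-2:${ACCOUNT_ID}:config-topic"      # placeholder

# Build the value for --recording-group. Returns 1 when
# includeGlobalResourceTypes=true is requested without allSupported=true,
# which is the precondition stated in the documentation.
recording_group() {
  all_supported="$1"      # true|false
  include_global="$2"     # true|false
  if [ "$include_global" = "true" ] && [ "$all_supported" != "true" ]; then
    echo "includeGlobalResourceTypes=true requires allSupported=true" >&2
    return 1
  fi
  printf 'allSupported=%s,includeGlobalResourceTypes=%s\n' \
    "$all_supported" "$include_global"
}

# Emit the delivery channel document that --delivery-channel file://... reads.
# deliveryFrequency defaults to Twelve_Hours as in the page's example.
delivery_channel_json() {
  bucket="$1"; topic="$2"; frequency="${3:-Twelve_Hours}"
  cat <<EOF
{
  "name": "default",
  "s3BucketName": "${bucket}",
  "snsTopicARN": "${topic}",
  "configSnapshotDeliveryProperties": {
    "deliveryFrequency": "${frequency}"
  }
}
EOF
}

# Run the three CLI steps, then print recording flag and last status so a
# misconfigured bucket/topic/role shows up immediately instead of silently.
enable_config() {
  group="$(recording_group true true)" || return 1
  tmp="$(mktemp)"
  delivery_channel_json "$BUCKET" "$TOPIC_ARN" > "$tmp"

  aws configservice put-configuration-recorder \
    --configuration-recorder "name=default,roleARN=${ROLE_ARN}" \
    --recording-group "$group"
  aws configservice put-delivery-channel --delivery-channel "file://${tmp}"
  aws configservice start-configuration-recorder \
    --configuration-recorder-name default
  rm -f "$tmp"

  # Verification: expect "True" and a lastStatus other than FAILURE.
  aws configservice describe-configuration-recorder-status \
    --configuration-recorder-names default \
    --query 'ConfigurationRecordersStatus[0].[recording,lastStatus]' \
    --output text
}

# Only call the API when explicitly asked (./enable-config.sh --apply), so the
# helper functions can be sourced and checked without credentials.
if [ "${1:-}" = "--apply" ]; then
  enable_config
fi
```

Run it as `sh enable-config.sh --apply` with credentials that are allowed to call the Config API; without `--apply` it only defines the functions. The status check at the end is the part most often skipped: a recorder can be created and started while the delivery channel fails on bucket or topic permissions, and describe-configuration-recorder-status (together with describe-delivery-channel-status) is where that failure is reported.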