

# Starting Amazon Config with a customer managed configuration recorder using the Amazon CLI
<a name="gs-cli-subscribe"></a>

You can start Amazon Config by creating a customer managed configuration recorder. To create a customer managed configuration recorder with the Amazon CLI, use the following commands: [`put-configuration-recorder`](https://docs.amazonaws.cn/cli/latest/reference/configservice/put-configuration-recorder.html), [`put-delivery-channel`](https://docs.amazonaws.cn/cli/latest/reference/configservice/put-delivery-channel.html), and [`start-configuration-recorder`](https://docs.amazonaws.cn/cli/latest/reference/configservice/start-configuration-recorder.html).
+ The `put-configuration-recorder` command creates a customer managed configuration recorder.
+ The `put-delivery-channel` command creates a delivery channel where Amazon Config delivers configuration information to an S3 bucket and SNS topic.
+ The `start-configuration-recorder` command starts the customer managed configuration recorder. The customer managed configuration recorder will begin recording configuration changes for the resource types you specify.

**Topics**
+ [Considerations](#gs-cli-subscribe-considerations)
+ [Step 1: Run the put-configuration-recorder command](#gs-cli-subscribe-put-configuration-recorder)
+ [Step 2: Run the put-delivery-channel command](#gs-cli-subscribe-put-delivery-channel)
+ [Step 3: Run the start-configuration-recorder command](#gs-cli-subscribe-start-configuration-recorder)

## Considerations
<a name="gs-cli-subscribe-considerations"></a>

**S3 bucket, SNS topic, and IAM role are required**

To create a customer managed configuration recorder, you need to create an S3 bucket, an SNS topic, and an IAM role with attached policies as prerequisites. To set up your prerequisites for Amazon Config, see [Prerequisites](https://docs.amazonaws.cn/config/latest/developerguide/gs-cli-prereq.html).

**One customer managed configuration recorder per account per Region**

You can have only one customer managed configuration recorder for each Amazon Web Services account for each Amazon Web Services Region.

**One delivery channel per account per Region**

You can have only one delivery channel for each Amazon Web Services account for each Amazon Web Services Region.

**Policies and compliance results**

[IAM policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies.html) and [other policies managed in Amazon Organizations](https://docs.amazonaws.cn/organizations/latest/userguide/orgs_manage_policies.html) can impact whether Amazon Config has permissions to record configuration changes for your resources. Additionally, rules evaluate the configuration of a resource directly and don't take these policies into account when running evaluations. Make sure that the policies in effect align with how you intend to use Amazon Config.

## Step 1: Run the put-configuration-recorder command
<a name="gs-cli-subscribe-put-configuration-recorder"></a>

Use the [`put-configuration-recorder`](http://docs.amazonaws.cn/cli/latest/reference/configservice/put-configuration-recorder.html) command to create a customer managed configuration recorder:

This command uses the `--configuration-recorder` and `--recording-group` fields.

```
$ aws configservice put-configuration-recorder \
--configuration-recorder {{file://configurationRecorder.json}} \
--recording-group {{file://recordingGroup.json}}
```

**The `configuration-recorder` field**

The `configurationRecorder.json` file specifies `name` and `roleARN` as well as the default recording frequency for the configuration recorder (`recordingMode`). You can also use this field to override the recording frequency for specific resource types.

```
{
  "name": "{{default}}",
  "roleARN": "{{arn:aws:iam::123456789012:role/config-role}}",
  "recordingMode": {
    "recordingFrequency": {{CONTINUOUS}} or {{DAILY}},
    "recordingModeOverrides": [ 
        { 
            "description": "{{Description you provide for the override}}",
            "recordingFrequency": {{CONTINUOUS}} or {{DAILY}},
            "resourceTypes": [ {{Comma-separated list of resource types to include in the override}} ]
        }
    ]
  }
}
```

**The `recording-group` field**

The `recordingGroup.json` file specifies which resource types are recorded.

```
{ 
    "allSupported": {{boolean}},
    "exclusionByResourceTypes": { 
        "resourceTypes": [ {{Comma-separated list of resource types to exclude}} ]
    },
    "includeGlobalResourceTypes": {{boolean}},
    "recordingStrategy": { 
        "useOnly": "{{Recording strategy for the configuration recorder}}"
    },
    "resourceTypes": [ {{Comma-separated list of resource types to include}}]
}
```

For more information about these fields, see [`put-configuration-recorder`](http://docs.amazonaws.cn/cli/latest/reference/configservice/put-configuration-recorder.html) in the *Amazon CLI Command Reference*.
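
A pre-flight check for the two Step 1 files, added here as an example (it is not part of the Amazon CLI or of this guide): it flags field combinations in `configurationRecorder.json` and `recordingGroup.json` that leave the recorder misconfigured before you run `put-configuration-recorder`. The function name, the sample documents, and the rule set (taken from the field constraints in the command reference as understood here) are assumptions of this example.

```python
import json

# Enum values assumed from the put-configuration-recorder command reference.
STRATEGIES = {"ALL_SUPPORTED_RESOURCE_TYPES", "INCLUSION_BY_RESOURCE_TYPES",
              "EXCLUSION_BY_RESOURCE_TYPES"}
FREQUENCIES = {"CONTINUOUS", "DAILY"}

def check_recorder_files(recorder, group):
    """Return a list of problems; an empty list means the documents are consistent."""
    problems = [f"configurationRecorder: missing {k}"
                for k in ("name", "roleARN") if not recorder.get(k)]
    mode = recorder.get("recordingMode") or {}
    if mode and mode.get("recordingFrequency") not in FREQUENCIES:
        problems.append("recordingMode: recordingFrequency must be CONTINUOUS or DAILY")
    for i, override in enumerate(mode.get("recordingModeOverrides") or []):
        if override.get("recordingFrequency") not in FREQUENCIES:
            problems.append(f"override {i}: recordingFrequency must be CONTINUOUS or DAILY")
        if not override.get("resourceTypes"):
            problems.append(f"override {i}: resourceTypes is empty")

    strategy = (group.get("recordingStrategy") or {}).get("useOnly")
    all_supported = group.get("allSupported", False)
    included = group.get("resourceTypes") or []
    excluded = (group.get("exclusionByResourceTypes") or {}).get("resourceTypes") or []
    if strategy not in STRATEGIES:
        problems.append(f"recordingGroup: unknown recordingStrategy.useOnly {strategy!r}")
    elif strategy == "ALL_SUPPORTED_RESOURCE_TYPES" and (not all_supported or included):
        problems.append("recordingGroup: ALL_SUPPORTED needs allSupported=true and no resourceTypes")
    elif strategy == "INCLUSION_BY_RESOURCE_TYPES" and (all_supported or not included):
        problems.append("recordingGroup: INCLUSION needs allSupported=false and resourceTypes")
    elif strategy == "EXCLUSION_BY_RESOURCE_TYPES" and not excluded:
        problems.append("recordingGroup: EXCLUSION needs exclusionByResourceTypes.resourceTypes")
    if group.get("includeGlobalResourceTypes") and not all_supported:
        problems.append("recordingGroup: includeGlobalResourceTypes=true needs allSupported=true")
    return problems

# Constructed sample documents (illustrative values, not from a real account).
GOOD_RECORDER = json.loads("""{"name": "default",
  "roleARN": "arn:aws:iam::123456789012:role/config-role",
  "recordingMode": {"recordingFrequency": "CONTINUOUS", "recordingModeOverrides": [
    {"description": "daily for EBS volumes", "recordingFrequency": "DAILY",
     "resourceTypes": ["AWS::EC2::Volume"]}]}}""")
GOOD_GROUP = {"allSupported": True, "includeGlobalResourceTypes": True,
              "recordingStrategy": {"useOnly": "ALL_SUPPORTED_RESOURCE_TYPES"}}
BAD_GROUP = {"allSupported": False, "includeGlobalResourceTypes": True,
             "recordingStrategy": {"useOnly": "INCLUSION_BY_RESOURCE_TYPES"},
             "resourceTypes": []}

if __name__ == "__main__":
    for problem in check_recorder_files(GOOD_RECORDER, BAD_GROUP):
        print(problem)
```

To check your own files, load each with `json.load` and pass the two dictionaries to `check_recorder_files`.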

## Step 2: Run the put-delivery-channel command
<a name="gs-cli-subscribe-put-delivery-channel"></a>

Use the [`put-delivery-channel`](http://docs.amazonaws.cn/cli/latest/reference/configservice/put-delivery-channel.html) command to create a delivery channel:

This command uses the `--delivery-channel` field.

```
$ aws configservice put-delivery-channel --delivery-channel file://deliveryChannel.json
```

**The `delivery-channel` field**

The `deliveryChannel.json` file specifies the following:
+ The `name` for the delivery channel.
+ The `s3BucketName` where Amazon Config sends configuration snapshots.
+ The `snsTopicARN` where Amazon Config sends notifications.
+ The `configSnapshotDeliveryProperties` which sets how often Amazon Config delivers configuration snapshots and how often it invokes evaluations for periodic rules.

```
{
    "name": "{{default}}",
    "s3BucketName": "{{config-bucket-123456789012}}",
    "snsTopicARN": "{{arn:aws:sns:us-east-1:123456789012:config-topic}}",
    "configSnapshotDeliveryProperties": {
        "deliveryFrequency": "{{Twelve_Hours}}"
    }
}
```

For more information about these fields, see [`put-delivery-channel`](http://docs.amazonaws.cn/cli/latest/reference/configservice/put-delivery-channel.html) in the *Amazon CLI Command Reference*.

## Step 3: Run the start-configuration-recorder command
<a name="gs-cli-subscribe-start-configuration-recorder"></a>

Use the [`start-configuration-recorder`](http://docs.amazonaws.cn/cli/latest/reference/configservice/start-configuration-recorder.html) command to start Amazon Config:

```
$ aws configservice start-configuration-recorder --configuration-recorder-name {{configRecorderName}}
```

For more information about these fields, see [`start-configuration-recorder`](http://docs.amazonaws.cn/cli/latest/reference/configservice/start-configuration-recorder.html) in the *Amazon CLI Command Reference*.