Permissions for the IAM Role Assigned to Amazon Config - Amazon Config
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Permissions for the IAM Role Assigned to Amazon Config

An IAM role lets you define a set of permissions. Amazon Config assumes the role that you assign to it to write to your S3 bucket, publish to your SNS topic, and make Describe or List API requests to get configuration details for your Amazon resources. For more information about IAM roles, see IAM Roles in the IAM User Guide.

When you use the Amazon Config console to create or update an IAM role, Amazon Config automatically attaches the required permissions for you. For more information, see Setting Up Amazon Config with the Console.

Creating IAM Role Policies

When you use the Amazon Config console to create an IAM role, Amazon Config automatically attaches the required permissions to the role for you.

If you are using the Amazon CLI to set up Amazon Config or you are updating an existing IAM role, you must manually update the policy to allow Amazon Config to access your S3 bucket, publish to your SNS topic, and get configuration details about your resources.

Adding an IAM Trust Policy to your Role

You can create an IAM trust policy that enables Amazon Config to assume a role and use it to track your resources. For more information about trust policies, see Roles terms and concepts in the IAM User Guide.

The following is an example trust policy for Amazon Config roles:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "config.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "sourceAccountID"
        }
      }
    }
  ]
}

You can use the AWS:SourceAccount condition in the IAM role trust relationship above to restrict the Config service principal so that it can only assume the IAM role when performing operations on behalf of the specified accounts.

Amazon Config also supports the AWS:SourceArn condition, which restricts the Config service principal to assuming the IAM role only when performing operations on behalf of the owning account. When the Amazon Config service principal assumes the role, the AWS:SourceArn property is always set to arn:aws:config:sourceRegion:sourceAccountID:*, where sourceRegion is the region of the configuration recorder and sourceAccountID is the ID of the account containing the configuration recorder. For more information on the Amazon Config configuration recorder, see Managing the Configuration Recorder. For example, add the following condition to restrict the Config service principal to assuming the IAM role only on behalf of a configuration recorder in the us-east-1 region in the account 123456789012: "ArnLike": {"AWS:SourceArn": "arn:aws:config:us-east-1:123456789012:*"}.

IAM Role Policy for your S3 Bucket

The following example policy grants Amazon Config permission to access your S3 bucket:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::myBucketName/prefix/AWSLogs/myAccountID/*"
      ],
      "Condition": {
        "StringLike": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketAcl"
      ],
      "Resource": "arn:aws:s3:::myBucketName"
    }
  ]
}
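The following added example (it is not part of the Amazon Config documentation and is not Amazon's code) shows why the trust-policy conditions and the S3 policy condition above matter. It is a deliberately small evaluator for the three condition operators these policies use (StringEquals, StringLike and ArnLike), run against constructed requests: an AssumeRole request carrying the owning account's AWS:SourceAccount and AWS:SourceArn is allowed, while the same request on behalf of another account or another region's recorder is rejected, and a PutObject without the bucket-owner-full-control ACL, or outside the AWSLogs/accountID prefix, is rejected. The account ID 123456789012, the region us-east-1, the bucket name example-config-bucket and the role name myConfigRole are constructed sample values; the glob-based ArnLike matching is a simplification of IAM's real evaluation, which is assumed to be sufficient for these patterns.

```python
import fnmatch

# Constructed sample values (not taken from the documentation page).
SOURCE_ACCOUNT = "123456789012"
SOURCE_REGION = "us-east-1"
BUCKET = "example-config-bucket"
ROLE_ARN = f"arn:aws:iam::{SOURCE_ACCOUNT}:role/myConfigRole"

# Trust policy in the shape shown on the page, with both the
# AWS:SourceAccount and the AWS:SourceArn conditions applied.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "config.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {"AWS:SourceAccount": SOURCE_ACCOUNT},
            "ArnLike": {"AWS:SourceArn": f"arn:aws:config:{SOURCE_REGION}:{SOURCE_ACCOUNT}:*"},
        },
    }],
}

# S3 delivery policy in the shape shown on the page (bucket name constructed).
S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:PutObjectAcl"],
            "Resource": [f"arn:aws:s3:::{BUCKET}/prefix/AWSLogs/{SOURCE_ACCOUNT}/*"],
            "Condition": {"StringLike": {"s3:x-amz-acl": "bucket-owner-full-control"}},
        },
        {
            "Effect": "Allow",
            "Action": ["s3:GetBucketAcl"],
            "Resource": f"arn:aws:s3:::{BUCKET}",
        },
    ],
}


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _condition_matches(operator, expected, actual):
    """Evaluate one condition key. A key absent from the request context fails
    StringEquals, StringLike and ArnLike, which is why a request that does not
    carry AWS:SourceAccount / AWS:SourceArn cannot satisfy the trust policy."""
    if actual is None:
        return False
    if operator == "StringEquals":
        return any(actual == e for e in _as_list(expected))
    if operator in ("StringLike", "ArnLike"):
        # '*' and '?' wildcards; fnmatch is a simplification of IAM's ARN matching.
        return any(fnmatch.fnmatchcase(actual, e) for e in _as_list(expected))
    raise ValueError(f"unsupported condition operator: {operator}")


def is_allowed(policy, action, resource, context, principal_service=None):
    """Return True if some Allow statement matches the action, resource,
    service principal (trust policies only) and every condition in the statement.
    Condition keys are compared case-insensitively, as IAM does."""
    ctx = {k.lower(): v for k, v in context.items()}
    for statement in policy["Statement"]:
        if statement["Effect"] != "Allow":
            continue
        if action not in _as_list(statement["Action"]):
            continue
        # A trust policy has no Resource element; the role itself is the resource.
        resources = _as_list(statement.get("Resource", "*"))
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        principal = statement.get("Principal")
        if principal is not None and principal_service not in _as_list(principal.get("Service", [])):
            continue
        conditions = statement.get("Condition", {})
        if all(_condition_matches(op, expected, ctx.get(key.lower()))
               for op, keys in conditions.items() for key, expected in keys.items()):
            return True
    return False


def run_scenarios():
    """Constructed requests illustrating what each condition blocks."""
    own = {"AWS:SourceAccount": SOURCE_ACCOUNT,
           "AWS:SourceArn": f"arn:aws:config:{SOURCE_REGION}:{SOURCE_ACCOUNT}:*"}
    other = {"AWS:SourceAccount": "999999999999",
             "AWS:SourceArn": "arn:aws:config:us-east-1:999999999999:*"}
    wrong_region = dict(own, **{"AWS:SourceArn": f"arn:aws:config:us-west-2:{SOURCE_ACCOUNT}:*"})
    log_object = f"arn:aws:s3:::{BUCKET}/prefix/AWSLogs/{SOURCE_ACCOUNT}/Config/snapshot.json.gz"
    svc = "config.amazonaws.com"
    return {
        "assume_own_account": is_allowed(TRUST_POLICY, "sts:AssumeRole", ROLE_ARN, own, svc),
        "assume_other_account": is_allowed(TRUST_POLICY, "sts:AssumeRole", ROLE_ARN, other, svc),
        "assume_wrong_region": is_allowed(TRUST_POLICY, "sts:AssumeRole", ROLE_ARN, wrong_region, svc),
        "assume_no_source_context": is_allowed(TRUST_POLICY, "sts:AssumeRole", ROLE_ARN, {}, svc),
        "put_with_owner_acl": is_allowed(S3_POLICY, "s3:PutObject", log_object,
                                         {"s3:x-amz-acl": "bucket-owner-full-control"}),
        "put_without_acl": is_allowed(S3_POLICY, "s3:PutObject", log_object, {}),
        "put_outside_prefix": is_allowed(S3_POLICY, "s3:PutObject", f"arn:aws:s3:::{BUCKET}/other/x",
                                         {"s3:x-amz-acl": "bucket-owner-full-control"}),
        "get_bucket_acl": is_allowed(S3_POLICY, "s3:GetBucketAcl", f"arn:aws:s3:::{BUCKET}", {}),
    }


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name:28s} {'ALLOW' if allowed else 'DENY'}")
```

The evaluator is intentionally limited to the operators on this page and to Allow statements; it is a teaching aid for reading these two policies, not a replacement for the IAM policy simulator. The point it makes is that the AWS:SourceAccount and AWS:SourceArn conditions are what stop the Config service principal from being used on behalf of a recorder in another account or region, and that the s3:x-amz-acl condition confines delivery to objects the bucket owner will fully control.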

IAM Role Policy for KMS Key

The following example policy grants Amazon Config permission to use KMS-based encryption on new objects for S3 bucket delivery:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "myKMSKeyARN"
    }
  ]
}

IAM Role Policy for Amazon SNS Topic

The following example policy grants Amazon Config permission to access your SNS topic:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sns:Publish",
      "Resource": "mySNStopicARN"
    }
  ]
}

If your SNS topic is encrypted, see Configuring Amazon KMS Permissions in the Amazon Simple Notification Service Developer Guide for additional setup instructions.

IAM Role Policy for Getting Configuration Details

To record your Amazon resource configurations, Amazon Config requires IAM permissions to get the configuration details about your resources.

Use the Amazon managed policy AWS_ConfigRole and attach it to the IAM role that you assign to Amazon Config. Amazon updates this policy each time Amazon Config adds support for an Amazon resource type, which means Amazon Config will continue to have the required permissions to get configuration details as long as the role has this managed policy attached.

If you create or update a role with the console, Amazon Config attaches the AWS_ConfigRole managed policy for you.

If you use the Amazon CLI, use the attach-role-policy command and specify the Amazon Resource Name (ARN) for AWS_ConfigRole:

$ aws iam attach-role-policy --role-name myConfigRole --policy-arn arn:aws:iam::aws:policy/service-role/AWS_ConfigRole

Managing Permissions for S3 Bucket Recording

Amazon Config records and delivers notifications when an S3 bucket is created, updated, or deleted.

It is recommended that you use either the AWSServiceRoleForConfig service-linked role (see Using Service-Linked Roles for Amazon Config) or a custom IAM role that uses the AWS_ConfigRole managed policy. For more information on best practices for configuration recording, see Amazon Config Best Practices.

If you need to manage object-level permissions for your bucket recording, make sure in the S3 bucket policy to provide config.amazonaws.com (the Amazon Config service principal name) access to all S3 related permissions from the AWS_ConfigRole managed policy. For more information, see Permissions for the Amazon S3 Bucket.