Managing the Delivery Channel - Amazon Config
Updating the Delivery ChannelRenaming the Delivery Channel
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Managing the Delivery Channel

As Amazon Config continually records the changes that occur to your Amazon resources, it sends notifications and updated configuration states through the delivery channel. You can manage the delivery channel to control where Amazon Config sends configuration updates.

You can have only one delivery channel per region per Amazon account, and the delivery channel is required to use Amazon Config.

When Amazon Config detects a configuration change for a resource and the notification exceeds the maximum size allowed by Amazon SNS, the notification includes a brief summary of the configuration item. You can view the complete notification in the Amazon S3 bucket location specified in the s3BucketLocation field. For more information, see Example Oversized Configuration Item Change Notification.

Note

Amazon Config supports Amazon KMS encryption for Amazon S3 buckets used by Amazon Config

You can provide an Amazon Key Management Service (Amazon KMS) key or alias Amazon Resource Name (ARN) to encrypt the data delivered to your Amazon Simple Storage Service (Amazon S3) bucket. By default, Amazon Config delivers configuration history and snapshot files to your Amazon S3 bucket and encrypts the data at rest using S3 AES-256 server-side encryption, SSE-S3. However, if you provide Amazon Config with your KMS key or alias ARN, Amazon Config uses that KMS key instead of AES-256 encryption.

Amazon Config does not support the delivery channel to an Amazon S3 bucket where object lock is enabled with default rentention enabled. For more information, see How S3 Object Lock works.

Updating the Delivery Channel

When you update the delivery channel, you can set the following options:

  • The Amazon S3 bucket to which Amazon Config sends configuration snapshots and configuration history files.

  • How often Amazon Config delivers configuration snapshots to your Amazon S3 bucket.

  • The Amazon SNS topic to which Amazon Config sends notifications about configuration changes.

To update the delivery channel (console)

  • You can use the Amazon Config console to set the Amazon S3 bucket and the Amazon SNS topic for your delivery channel. For steps to manage these settings, see Setting Up Amazon Config with the Console.

    The console does not provide options to rename the delivery channel, set the frequency for configuration snapshots, or delete the delivery channel. To do these tasks, you must use the Amazon CLI, the Amazon Config API, or one of the Amazon SDKs.

To update the delivery channel (Amazon CLI)

  1. Use the put-delivery-channel command:

    $ aws configservice put-delivery-channel --delivery-channel file://deliveryChannel.json

    The deliveryChannel.json file specifies the delivery channel attributes:

    {
    "name": "default",
    "s3BucketName": "config-bucket-123456789012",
    "snsTopicARN": "arn:aws:sns:us-east-2:123456789012:config-topic",
    "configSnapshotDeliveryProperties": {
        "deliveryFrequency": "Twelve_Hours"
    }
}

    This example sets the following attributes:

    • name – The name of the delivery channel. By default, Amazon Config assigns the name default to a new delivery channel.

      You cannot update the delivery channel name with the put-delivery-channel command. For the steps to change the name, see Renaming the Delivery Channel.

    • s3BucketName – The name of the Amazon S3 bucket to which Amazon Config delivers configuration snapshots and configuration history files.

      If you specify a bucket that belongs to another Amazon account, that bucket must have policies that grant access permissions to Amazon Config. For more information, see Permissions for the Amazon S3 Bucket.

    • snsTopicARN – The Amazon Resource Name (ARN) of the Amazon SNS topic to which Amazon Config sends notifications about configuration changes.

      If you choose a topic from another account, that topic must have policies that grant access permissions to Amazon Config. For more information, see Permissions for the Amazon SNS Topic.

    • configSnapshotDeliveryProperties – Contains the deliveryFrequency attribute, which sets how often Amazon Config delivers configuration snapshots.

  2. (Optional) You can use the describe-delivery-channels command to verify that the delivery channel settings are updated:

    $ aws configservice describe-delivery-channels
{
    "DeliveryChannels": [
        {
            "configSnapshotDeliveryProperties": {
                "deliveryFrequency": "Twelve_Hours"
            },
            "snsTopicARN": "arn:aws:sns:us-east-2:123456789012:config-topic",
            "name": "default",
            "s3BucketName": "config-bucket-123456789012"
        }
    ]
}

Renaming the Delivery Channel

To change the delivery channel name, you must delete it and create a new delivery channel with the desired name. Before you can delete the delivery channel, you must temporarily stop the configuration recorder.

The Amazon Config console does not provide the option to delete the delivery channel, so you must use the Amazon CLI, the Amazon Config API, or one of the Amazon SDKs.

To rename the delivery channel (Amazon CLI)

  1. Use the stop-configuration-recorder command to stop the configuration recorder:

    $ aws configservice stop-configuration-recorder --configuration-recorder-name configRecorderName

  2. Use the describe-delivery-channels command, and take note of your delivery channel's attributes:

    $ aws configservice describe-delivery-channels
{
    "DeliveryChannels": [
        {
            "configSnapshotDeliveryProperties": {
                "deliveryFrequency": "Twelve_Hours"
            },
            "snsTopicARN": "arn:aws:sns:us-east-2:123456789012:config-topic",
            "name": "default",
            "s3BucketName": "config-bucket-123456789012"
        }
    ]
}

  3. Use the delete-delivery-channel command to delete the delivery channel:

    $ aws configservice delete-delivery-channel --delivery-channel-name default

  4. Use the put-delivery-channel command to create a delivery channel with the desired name:

    $ aws configservice put-delivery-channel --delivery-channel file://deliveryChannel.json

    The deliveryChannel.json file specifies the delivery channel attributes:

    {
    "name": "myCustomDeliveryChannelName",
    "s3BucketName": "config-bucket-123456789012",
    "snsTopicARN": "arn:aws:sns:us-east-2:123456789012:config-topic",
    "configSnapshotDeliveryProperties": {
        "deliveryFrequency": "Twelve_Hours"
    }
}

  5. Use the start-configuration-recorder command to resume recording:

    $ aws configservice start-configuration-recorder --configuration-recorder-name configRecorderName