Manual setup for Amazon Config
With the Get started workflow, you can go through all the manual selections of the setup process to get started with the Amazon Config console. For a simplified getting started process, see 1-click setup.
To set up Amazon Config with the console using Get started
Sign in to the Amazon Web Services Management Console and open the Amazon Config console at https://console.amazonaws.cn/config/
. -
Choose Get started.
The setup page includes three steps. The following provides a breakdown of that procedure after you choose Get started.
-
Settings: To select the manner by which the Amazon Config console records resources and roles, and choose where configuration history and configuration snapshot files are sent.
-
Rules: For Amazon Web Services Regions that support Amazon Config rules, this step is available for you to configure initial managed rules that you can add to your account. After setting up, Amazon Config will evaluate your Amazon resources against the rules that you chose. Additional rules can be created and existing ones can be updated and in your account after setup.
-
Review: To verify your setup details.
Step 1: Settings
Recording strategy
In the Recording method section, choose a recording strategy. You can specify the Amazon resources that you want Amazon Config to record.
Considerations When Recording Resources
High Number of Amazon Config Evaluations
You might notice increased activity in your account during your initial month recording with Amazon Config when compared to subsequent months. During the initial bootstrapping process, Amazon Config runs evaluations on all the resources in your account that you have selected for Amazon Config to record.
If you are running ephemeral workloads, you may see increased activity from Amazon Config as it records configuration changes associated with creating and deleting these temporary resources. An ephemeral workload is a temporary use of computing resources that are loaded and run when needed. Examples include Amazon Elastic Compute Cloud (Amazon EC2) Spot Instances, Amazon EMR jobs, and Amazon Auto Scaling. . If you want to avoid the increased activity from running ephemeral workloads, you can set up the configuration recorder to exclude these resource types from being recorded, or run these types of workloads in a separate account with Amazon Config turned off to avoid increased configuration recording and rule evaluations.
Data governance
For Data retention period, choose either the default retention period to retain Amazon Config data for 7 years (2557) or set a custom rentention period for items recorded by Amazon Config.
Amazon Config allows you to delete your data by specifying a retention period for your
ConfigurationItems
. When you specify a retention period, Amazon Config retains yourConfigurationItems
for that specified period. You can choose a period between a minimum of 30 days and a maximum of 7 years (2557 days). Amazon Config deletes data older than your specified retention period.-
For IAM role for Amazon Config, choose either an existing Amazon Config service-linked role or an IAM a role from your account.
-
Service-linked roles are predefined by Amazon Config and include all the permissions that the service requires to call other Amazon services.
Note
Recommended: Use the Service-linked role
It is recommended that you use the service-linked role. A service-linked role adds all the necessary permissions for Amazon Config to run as expected.
Otherwise, choose an IAM role from one of your pre-existing roles and permission policies.
Note
Policies and compliance results
IAM policies and other policies managed in Amazon Organizations can impact whether Amazon Config has permissions to record configuration changes for your resources. Additionally, rules directly evaluate the configuration of a resource and rules don't take into account these policies when running evaluations. Make sure that the policies in effect align with how you intend to use Amazon Config.
Keep Minimum Permisions When Reusing an IAM role
If you use an Amazon service that uses Amazon Config, such as Amazon Security Hub or Amazon Control Tower, and an IAM role has already been created, make sure that the IAM role that you use when setting up Amazon Config keeps the same minimum permissions as the pre-existing IAM role. You must do this to ensure that the other Amazon service continues to run as expected.
For example, if Amazon Control Tower has an IAM role that allows Amazon Config to read S3 objects, make sure that the same permissions are granted to the IAM role you use when setting up Amazon Config. Otherwise, it may interfere with how Amazon Control Tower operates.
-
Delivery method
-
For Delivery method, choose the S3 bucket to which Amazon Config sends configuration history and configuration snapshot files:
-
Create a bucket – For S3 bucket name, type a name for your S3 bucket.
The name that you type must be unique across all existing bucket names in Amazon S3. One way to help ensure uniqueness is to include a prefix; for example, the name of your organization. You can't change the bucket name after it is created. For more information, see Bucket Restrictions and Limitations in the Amazon Simple Storage Service User Guide.
-
Choose a bucket from your account – For S3 bucket name, choose your preferred bucket.
-
Choose a bucket from another account – For S3 bucket name, type the bucket name.
Note
Bucket Permissions
If you choose a bucket from another account, that bucket must have policies that grant access permissions to Amazon Config. For more information, see Permissions for the Amazon S3 Bucket for the Amazon Config Delivery Channel.
-
-
For Amazon SNS topic, choose Stream configuration changes and notifications to an Amazon SNS topic to have Amazon Config send notifications such as configuration history delivery, configuration snapshot delivery, and compliance.
-
If you chose to have Amazon Config stream to an Amazon SNS topic, choose the target topic:
-
Create a topic – For Topic Name, type a name for your SNS topic.
-
Choose a topic from your account – For Topic Name, select your preferred topic.
-
Choose a topic from another account – For Topic ARN, type the Amazon Resource Name (ARN) of the topic. If you choose a topic from another account, the topic must have policies that grant access permissions to Amazon Config. For more information, see Permissions for the Amazon SNS Topic.
Note
Region for the Amazon SNS Topic
The Amazon SNS topic must exist in the same Region as the Region in which you set up Amazon Config.
-
Step 2: Rules
If you are setting up Amazon Config in a Region that supports rules, choose Next.
Step 3: Review
Review your Amazon Config set up details. You can go back to edit changes for each section. Choose Confirm to finish setting up Amazon Config.
For more information
For information about looking up the existing resources in your account and understanding the configurations of your resources, see Looking up Resources, Viewing Compliance Informance, and Viewing Compliance History.
You can also use Amazon Simple Queue Service to monitor Amazon resources programmatically. For more information, see Monitoring Amazon Resource Changes with Amazon SQS.