Manual setup for Amazon Config - Amazon Config
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Manual setup for Amazon Config

With the Get started workflow, you can go through all the manual selections of the setup process to get started with the Amazon Config console. For a simplified getting started process, see 1-click setup.

To set up Amazon Config with the console using Get started
  1. Sign in to the Amazon Web Services Management Console and open the Amazon Config console at https://console.amazonaws.cn/config/.

  2. Choose Get started.

The setup page includes three steps. The following provides a breakdown of that procedure after you choose Get started.

  • Settings: Choose how Amazon Config records resources, which IAM role it uses, and where configuration history and configuration snapshot files are delivered.

  • Rules: For Amazon Web Services Regions that support Amazon Config rules, this step lets you choose initial managed rules to add to your account. After setup, Amazon Config evaluates your Amazon resources against the rules that you chose. You can create additional rules, and update existing ones, in your account after setup.

  • Review: To verify your setup details.

Step 1: Settings

Recording strategy

In the Recording method section, choose a recording strategy. You can specify the Amazon resources that you want Amazon Config to record.

All resource types with customizable overrides

Set up Amazon Config to record configuration changes for all current and future supported resource types in this Region. You can override the recording frequency for specific resource types or exclude specific resource types from recording. For more information, see Supported Resource Types.

  • Default settings

    Configure the default recording frequency for all current and future supported resource types. For more information, see Recording Frequency.

    • Continuous recording – Amazon Config will record configuration changes continuously whenever a change occurs.

    • Daily recording – You will receive a configuration item (CI) representing the most recent state of your resources over the last 24-hour period, only if it’s different from the previous CI recorded.

    Note

    Amazon Firewall Manager depends on continuous recording to monitor your resources. If you are using Firewall Manager, it is recommended that you set the recording frequency to Continuous.

  • Override settings

    Override the recording frequency for specific resource types, or exclude specific resource types from recording. If you change the recording frequency for a resource type or stop recording a resource type, the configuration items that were already recorded will remain unchanged.

Specific resource types

Set Amazon Config to record configuration changes for only the resource types that you specify.

  • Specific resource types

    Choose a resource type to record and its frequency. For more information, see Recording Frequency.

    • Continuous recording – Amazon Config will record configuration changes continuously whenever a change occurs.

    • Daily recording – You will receive a configuration item (CI) representing the most recent state of your resources over the last 24-hour period, only if it’s different from the previous CI recorded.

    Note

    Amazon Firewall Manager depends on continuous recording to monitor your resources. If you are using Firewall Manager, it is recommended that you set the recording frequency to Continuous.

    If you change the recording frequency for a resource type or stop recording a resource type, the configuration items that were already recorded will remain unchanged.

Considerations When Recording Resources

High Number of Amazon Config Evaluations

You may notice increased activity in your account during your initial month recording with Amazon Config when compared to subsequent months. During the initial bootstrapping process, Amazon Config runs evaluations on all the resources in your account that you have selected for Amazon Config to record.

If you are running ephemeral workloads, you may see increased activity from Amazon Config as it records configuration changes associated with creating and deleting these temporary resources. An ephemeral workload is a temporary use of computing resources that are loaded and run when needed. Examples include Amazon Elastic Compute Cloud (Amazon EC2) Spot Instances, Amazon EMR jobs, and Amazon Auto Scaling. To avoid the increased activity from ephemeral workloads, configure the configuration recorder to exclude these resource types from recording, or run these workloads in a separate account with Amazon Config turned off, so that they generate neither configuration recording nor rule evaluations.

Considerations: All resource types with customizable overrides

Globally recorded resource types | Aurora global clusters are initially included in recording

The AWS::RDS::GlobalCluster resource type will be recorded in all supported Amazon Config Regions where the configuration recorder is enabled.

If you do not want to record AWS::RDS::GlobalCluster in all enabled Regions, choose "Amazon RDS GlobalCluster", and choose the override "Exclude from recording".

Global resource types | IAM resource types are initially excluded from recording

The global IAM resource types are initially excluded from recording to help you reduce costs. This bundle includes IAM users, groups, roles, and customer managed policies. Choose Remove to remove the override and include these resources in your recording.

The exception is for US East (N. Virginia). The global IAM resource types are initially included in the US East (N. Virginia) Region as this Region functions as the home Region for the global IAM resource types.

Additionally, the global IAM resource types (AWS::IAM::User, AWS::IAM::Group, AWS::IAM::Role, and AWS::IAM::Policy) cannot be recorded in Regions that Amazon Config began supporting after February 2022. For a list of those Regions, see Recording Amazon Resources | Global Resources.

Limits

You can add up to 100 frequency overrides and 600 exclusion overrides.

Daily recording is not supported for the following resource types:

  • AWS::Config::ResourceCompliance

  • AWS::Config::ConformancePackCompliance

  • AWS::Config::ConfigurationRecorder

Considerations: Specific resource types

Region Availability

Before specifying a resource type for Amazon Config to track, check Resource Coverage by Region Availability to see if the resource type is supported in the Amazon Region where you set up Amazon Config. If a resource type is supported by Amazon Config in at least one Region, you can enable the recording of that resource type in all Regions supported by Amazon Config, even if the specified resource type is not supported in the Amazon Region where you set up Amazon Config.

Limits

There is no limit if all resource types use the same frequency. If at least one resource type is set to Continuous, you can add up to 100 resource types with Daily frequency.

The Daily frequency is not supported for the following resource types:

  • AWS::Config::ResourceCompliance

  • AWS::Config::ConformancePackCompliance

  • AWS::Config::ConfigurationRecorder
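The recording strategies, default and override frequencies, and the limits in the two Considerations sections above all map onto a single PutConfigurationRecorder request. The following Python is an added example, not code from this page or from Amazon: it builds that request body for both strategies and refuses inputs that break the rules stated above (Daily unsupported for the three AWS::Config types, at most 100 frequency overrides and 600 exclusions, at most 100 Daily types when mixed with Continuous, and the global IAM bundle excluded unless you opt in). Field names follow the PutConfigurationRecorder API as I know it (recordingGroup.recordingStrategy.useOnly, exclusionByResourceTypes, recordingMode.recordingModeOverrides); confirm them against the current API reference. The role ARN and resource types in the usage are constructed sample values, and no API call is made.

```python
"""Build and pre-check an Amazon Config PutConfigurationRecorder request body.

Added example (not from this page or from Amazon). Encodes the recording
strategies and limits described in the Settings step as checks, then returns a
dict that can be passed as
    boto3.client("config").put_configuration_recorder(ConfigurationRecorder=body)
Field names follow the PutConfigurationRecorder API as I know it; verify them
against the current API reference before relying on this.
"""
from collections import defaultdict

CONTINUOUS, DAILY = "CONTINUOUS", "DAILY"

# Daily recording is not supported for these resource types (stated on this page).
NO_DAILY = frozenset({
    "AWS::Config::ResourceCompliance",
    "AWS::Config::ConformancePackCompliance",
    "AWS::Config::ConfigurationRecorder",
})
# The global IAM bundle the console excludes by default outside US East (N. Virginia).
GLOBAL_IAM_TYPES = ("AWS::IAM::User", "AWS::IAM::Group", "AWS::IAM::Role", "AWS::IAM::Policy")

MAX_FREQUENCY_OVERRIDES = 100   # page: "up to 100 frequency overrides"
MAX_EXCLUSIONS = 600            # page: "up to 600 exclusion overrides"
MAX_DAILY_WHEN_MIXED = 100      # page: specific types, Daily limit when any type is Continuous


def _check_frequencies(frequencies):
    """Reject unknown frequencies and Daily on types that only support Continuous."""
    for rtype, freq in frequencies.items():
        if freq not in (CONTINUOUS, DAILY):
            raise ValueError(f"{rtype}: unknown frequency {freq!r}")
        if freq == DAILY and rtype in NO_DAILY:
            raise ValueError(f"{rtype}: Daily recording is not supported")


def _override_entries(overrides):
    """Group per-type overrides into recordingModeOverrides entries, one per frequency."""
    by_freq = defaultdict(list)
    for rtype in sorted(overrides):
        by_freq[overrides[rtype]].append(rtype)
    return [{"description": f"{freq.lower()} override", "resourceTypes": types,
             "recordingFrequency": freq} for freq, types in sorted(by_freq.items())]


def all_types_recorder(name, role_arn, *, default_frequency=CONTINUOUS,
                       frequency_overrides=None, exclusions=(), include_global_iam=False):
    """'All resource types with customizable overrides' strategy.

    Global IAM types are excluded unless include_global_iam is set, mirroring the
    console default; leave it False in Regions that cannot record them at all.
    """
    if default_frequency not in (CONTINUOUS, DAILY):
        raise ValueError(f"unknown default frequency {default_frequency!r}")
    overrides = dict(frequency_overrides or {})
    excluded = set(exclusions)
    if not include_global_iam:
        excluded.update(GLOBAL_IAM_TYPES)
    if default_frequency == DAILY:
        # Assumption: pin the no-Daily types to Continuous rather than fail outright.
        for rtype in NO_DAILY:
            overrides.setdefault(rtype, CONTINUOUS)
    _check_frequencies(overrides)
    clash = excluded & overrides.keys()
    if clash:   # sanity check: an excluded type is never recorded, so an override is meaningless
        raise ValueError(f"excluded types cannot also carry frequency overrides: {sorted(clash)}")
    if len(overrides) > MAX_FREQUENCY_OVERRIDES:
        raise ValueError(f"more than {MAX_FREQUENCY_OVERRIDES} frequency overrides")
    if len(excluded) > MAX_EXCLUSIONS:
        raise ValueError(f"more than {MAX_EXCLUSIONS} exclusions")
    if excluded:
        group = {"allSupported": False, "includeGlobalResourceTypes": False,
                 "recordingStrategy": {"useOnly": "EXCLUSION_BY_RESOURCE_TYPES"},
                 "exclusionByResourceTypes": {"resourceTypes": sorted(excluded)}}
    else:
        group = {"allSupported": True, "includeGlobalResourceTypes": include_global_iam,
                 "recordingStrategy": {"useOnly": "ALL_SUPPORTED_RESOURCE_TYPES"}}
    return {"name": name, "roleARN": role_arn, "recordingGroup": group,
            "recordingMode": {"recordingFrequency": default_frequency,
                              "recordingModeOverrides": _override_entries(overrides)}}


def specific_types_recorder(name, role_arn, frequencies):
    """'Specific resource types' strategy; frequencies maps resource type -> frequency.

    Page rule: no limit if every type uses the same frequency; otherwise at most
    MAX_DAILY_WHEN_MIXED types may be Daily, expressed as overrides on a Continuous default.
    """
    if not frequencies:
        raise ValueError("at least one resource type is required")
    _check_frequencies(frequencies)
    daily = sorted(t for t, f in frequencies.items() if f == DAILY)
    mixed = 0 < len(daily) < len(frequencies)
    if mixed and len(daily) > MAX_DAILY_WHEN_MIXED:
        raise ValueError(f"more than {MAX_DAILY_WHEN_MIXED} Daily types alongside Continuous types")
    default = DAILY if daily and not mixed else CONTINUOUS
    overrides = {t: DAILY for t in daily} if mixed else {}
    return {"name": name, "roleARN": role_arn,
            "recordingGroup": {"allSupported": False, "includeGlobalResourceTypes": False,
                               "recordingStrategy": {"useOnly": "INCLUSION_BY_RESOURCE_TYPES"},
                               "resourceTypes": sorted(frequencies)},
            "recordingMode": {"recordingFrequency": default,
                              "recordingModeOverrides": _override_entries(overrides)}}


if __name__ == "__main__":
    import json
    # Constructed sample: service-linked role ARN in the aws-cn partition.
    role = "arn:aws-cn:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"
    print(json.dumps(all_types_recorder("default", role,
                                        frequency_overrides={"AWS::EC2::Instance": DAILY}), indent=2))
    print(json.dumps(specific_types_recorder("default", role, {
        "AWS::EC2::SecurityGroup": CONTINUOUS, "AWS::S3::Bucket": DAILY}), indent=2))
```

Run it and compare the printed bodies with what the console's Review step shows; the same checks apply before a PutConfigurationRecorder call from automation, where a rejected request otherwise surfaces only as an API error.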

Data governance

  • For Data retention period, choose either the default retention period, which retains Amazon Config data for 7 years (2557 days), or set a custom retention period for items recorded by Amazon Config.

    Amazon Config allows you to delete your data by specifying a retention period for your ConfigurationItems. When you specify a retention period, Amazon Config retains your ConfigurationItems for that specified period. You can choose a period between a minimum of 30 days and a maximum of 7 years (2557 days). Amazon Config deletes data older than your specified retention period.

  • For IAM role for Amazon Config, choose either an existing Amazon Config service-linked role or an IAM role from your account.

    • Service-linked roles are predefined by Amazon Config and include all the permissions that the service requires to call other Amazon services.

      Note

      Recommended: Use the Service-linked role

      It is recommended that you use the service-linked role. A service-linked role adds all the necessary permissions for Amazon Config to run as expected.

    • Otherwise, choose an IAM role from one of your pre-existing roles and permission policies.

      Note

      Authorization Policies for Amazon Organizations Can Prevent Access

      If you use a pre-existing IAM role, make sure there is not an authorization policy for Amazon Organizations which prevents Amazon Config from having permission to record your resources. For more information on authorization policies for Amazon Organizations, see Managing policies in Amazon Organizations in the Amazon Organizations User Guide.

      Keep Minimum Permissions When Reusing an IAM Role

      If you use an Amazon service that uses Amazon Config, such as Amazon Security Hub or Amazon Control Tower, and an IAM role has already been created, make sure that the IAM role that you use when setting up Amazon Config keeps the same minimum permissions as the pre-existing IAM role. You must do this to ensure that the other Amazon service continues to run as expected.

      For example, if Amazon Control Tower has an IAM role that allows Amazon Config to read S3 objects, make sure that the same permissions are granted to the IAM role you use when setting up Amazon Config. Otherwise, it may interfere with how Amazon Control Tower operates.

Delivery method

  • For Delivery method, choose the S3 bucket to which Amazon Config sends configuration history and configuration snapshot files:

    • Create a bucket – For S3 bucket name, type a name for your S3 bucket.

      The name that you type must be unique across all existing bucket names in Amazon S3. One way to help ensure uniqueness is to include a prefix; for example, the name of your organization. You can't change the bucket name after it is created. For more information, see Bucket Restrictions and Limitations in the Amazon Simple Storage Service User Guide.

    • Choose a bucket from your account – For S3 bucket name, choose your preferred bucket.

    • Choose a bucket from another account – For S3 bucket name, type the bucket name.

      Note

      Bucket Permissions

      If you choose a bucket from another account, that bucket must have policies that grant access permissions to Amazon Config. For more information, see Permissions for the Amazon S3 Bucket for the Amazon Config Delivery Channel.

  • For Amazon SNS topic, choose Stream configuration changes and notifications to an Amazon SNS topic to have Amazon Config send notifications such as configuration history delivery, configuration snapshot delivery, and compliance change notifications.

  • If you chose to have Amazon Config stream to an Amazon SNS topic, choose the target topic:

    • Create a topic – For Topic Name, type a name for your SNS topic.

    • Choose a topic from your account – For Topic Name, select your preferred topic.

    • Choose a topic from another account – For Topic ARN, type the Amazon Resource Name (ARN) of the topic. If you choose a topic from another account, the topic must have policies that grant access permissions to Amazon Config. For more information, see Permissions for the Amazon SNS Topic.

      Note

      Region for the Amazon SNS Topic

      The Amazon SNS topic must exist in the same Region as the Region in which you set up Amazon Config.
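The Data governance and Delivery method settings above correspond to the PutRetentionConfiguration and PutDeliveryChannel requests plus the resource policies that a bucket or topic in another account needs. The following Python is an added example, not code from this page or from Amazon: it builds those request bodies, enforces the 30 to 2557 day retention range and the same-Region rule for the SNS topic, and writes the bucket and topic policies with an AWS:SourceAccount condition so that only the named accounts' Config service can deliver into them (without that condition, Config running in any account could write into a bucket that trusts the service principal). The policy shapes follow the documented config.amazonaws.com bucket and topic policies as I remember them; the service principal, the aws-cn partition, and the account IDs, bucket and topic names are assumptions or constructed sample values, so compare the output with the linked permissions pages before applying it.

```python
"""Retention, delivery channel, and cross-account S3/SNS policies for Amazon Config.

Added example (not from this page or from Amazon). Request bodies target boto3's
put_retention_configuration(**retention_request(...)) and
put_delivery_channel(DeliveryChannel=delivery_channel(...)); the policy documents
follow the documented config.amazonaws.com bucket and topic policies as I know
them. Partition, names and account IDs below are constructed sample values.
"""
import json

CONFIG_PRINCIPAL = {"Service": "config.amazonaws.com"}   # assumed identical in China Regions
MIN_RETENTION_DAYS, MAX_RETENTION_DAYS = 30, 2557          # page: 30 days up to 7 years


def retention_request(days=MAX_RETENTION_DAYS):
    """Body for put_retention_configuration; Config deletes CIs older than this."""
    if not MIN_RETENTION_DAYS <= int(days) <= MAX_RETENTION_DAYS:
        raise ValueError(f"retention must be {MIN_RETENTION_DAYS}..{MAX_RETENTION_DAYS} days")
    return {"RetentionPeriodInDays": int(days)}


def delivery_channel(bucket, *, region, prefix=None, topic_arn=None):
    """Body for put_delivery_channel. Enforces the page's same-Region rule for the topic."""
    body = {"name": "default", "s3BucketName": bucket}
    if prefix:
        body["s3KeyPrefix"] = prefix.strip("/")
    if topic_arn:
        # ARN layout arn:partition:sns:region:account:topic, so index 3 is the Region.
        if topic_arn.split(":")[3] != region:
            raise ValueError(f"SNS topic must be in {region}, got {topic_arn}")
        body["snsTopicARN"] = topic_arn
    return body


def bucket_policy(bucket, account_ids, *, prefix=None, partition="aws-cn"):
    """Bucket policy letting Config in the listed accounts, and nobody else, deliver here.

    Config writes under <prefix>/AWSLogs/<account>/Config/ and must set
    bucket-owner-full-control on each object. AWS:SourceAccount stops another
    account's Config (a confused deputy) from writing into this bucket.
    """
    accounts = sorted(set(account_ids))
    bucket_arn = f"arn:{partition}:s3:::{bucket}"
    root = f"{bucket_arn}/{prefix.strip('/') + '/' if prefix else ''}AWSLogs"
    from_these_accounts = {"StringEquals": {"AWS:SourceAccount": accounts}}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AWSConfigBucketPermissionsCheck", "Effect": "Allow",
             "Principal": CONFIG_PRINCIPAL, "Action": "s3:GetBucketAcl",
             "Resource": bucket_arn, "Condition": from_these_accounts},
            {"Sid": "AWSConfigBucketExistenceCheck", "Effect": "Allow",
             "Principal": CONFIG_PRINCIPAL, "Action": "s3:ListBucket",
             "Resource": bucket_arn, "Condition": from_these_accounts},
            {"Sid": "AWSConfigBucketDelivery", "Effect": "Allow",
             "Principal": CONFIG_PRINCIPAL, "Action": "s3:PutObject",
             "Resource": [f"{root}/{acct}/Config/*" for acct in accounts],
             "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control",
                                            "AWS:SourceAccount": accounts}}},
        ],
    }


def topic_policy(topic_arn, account_ids):
    """Topic policy allowing only the listed accounts' Config service to publish."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AWSConfigSNSPolicy", "Effect": "Allow", "Principal": CONFIG_PRINCIPAL,
        "Action": "SNS:Publish", "Resource": topic_arn,
        "Condition": {"StringEquals": {"AWS:SourceAccount": sorted(set(account_ids))}}}]}


if __name__ == "__main__":
    # Constructed sample: a central logging bucket in cn-north-1 fed by two member accounts.
    members = ["111111111111", "222222222222"]
    topic = "arn:aws-cn:sns:cn-north-1:111111111111:config-notices"
    print(json.dumps(bucket_policy("org-config-logs", members, prefix="config"), indent=2))
    print(json.dumps(topic_policy(topic, members), indent=2))
    print(delivery_channel("org-config-logs", region="cn-north-1", prefix="config", topic_arn=topic))
    print(retention_request(365))
```

When you centralize delivery from many accounts, keep the AWS:SourceAccount list in step with the accounts you actually onboard; a wildcard principal without that condition is the usual way a shared Config bucket ends up writable by strangers.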

Step 2: Rules

If you are setting up Amazon Config in a Region that supports rules, select any initial managed rules you want to add, then choose Next.

Step 3: Review

Review your Amazon Config setup details. You can go back to edit each section. Choose Confirm to finish setting up Amazon Config.

For more information

For information about looking up the existing resources in your account and understanding the configurations of your resources, see Looking up Resources, Viewing Compliance Information, and Viewing Compliance History.

You can also use Amazon Simple Queue Service to monitor Amazon resources programmatically. For more information, see Monitoring Amazon Resource Changes with Amazon SQS.