Manual setup - Amazon Config
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Manual setup

With the Get started workflow, you can go through all the manual selections of the setup process to get started with the Amazon Config console.

Note

For more information about the 1-click setup process, see 1-click setup.

To set up Amazon Config with the console using Get started

  1. Sign in to the Amazon Web Services Management Console and open the Amazon Config console at https://console.amazonaws.cn/config/.

    Note

    If this is the first time that you are opening the Amazon Config console, or you are setting up Amazon Config in a new Amazon Region, the Amazon Config console page looks like the following image.

    [Image: The Amazon Config getting started page provides an overview of the service.]
  2. Choose Get started.

The setup page includes three steps. The following provides a breakdown of that procedure after you choose Get started.

  • Settings: To select the manner by which the Amazon Config console records resources and roles, and choose where configuration history and configuration snapshot files are sent.

  • Rules: For Regions that support rules, this subsection is available for you to configure initial Amazon managed rules that you can add to your account.

    Note

    After setting up, Amazon Config will evaluate your Amazon resources against the rules that you chose. Additional rules can be created and existing ones can be updated in your account after setup. For more information about rules, see Managing your Amazon Config Rules.

  • Review: To verify your setup details.

Settings

General settings

  1. On the Settings page, for Resource types to record, specify all the resource types you want Amazon Config to record. These can be Amazon resources, third-party resources, or custom resources. For more information about the following options, see Selecting Which Resources Amazon Config Records.

    • Record all resources supported in this region

      • Amazon Config records configuration changes for supported Amazon resource types as well as third-party resource types registered in the Amazon CloudFormation registry. Amazon Config automatically starts recording new supported Amazon resource types. Amazon Config also automatically starts recording third-party resources and custom resource types that are managed through Amazon CloudFormation. For more information, see Supported Resource Types.

      • Choose Include global resources to record supported global resources types (such as IAM resources). Amazon Config automatically starts recording new supported global resource types.

        Important

        Global resource types onboarded to Amazon Config recording after February 2022 will only be recorded in the service's home region for the commercial partition and Amazon GovCloud (US-West) for the GovCloud partition. You can view the Configuration Items for these new global resource types only in their home region and Amazon GovCloud (US-West).

        Supported global resource types onboarded before February 2022 such as AWS::IAM::Group, AWS::IAM::Policy, AWS::IAM::Role, AWS::IAM::User remain unchanged, and they will continue to deliver Configuration Items in all supported regions in Amazon Config. The change will only affect new global resource types onboarded after February 2022.

    • Record specific resource types

      • Amazon Config records configuration changes for only the resource types that you specify.

  2. For Amazon Config role, choose either an existing Amazon Config service-linked role or choose a role from your account.

    • Service-linked roles are predefined by Amazon Config and include all the permissions that the service requires to call other Amazon services.

    Note

    Service-linked role

    If you haven't yet added a service-linked role, one will be added for you.

    Pre-existing Amazon Config role

    If you have used an Amazon service that uses Amazon Config, such as Amazon Security Hub or Amazon Control Tower, and an Amazon Config role has already been created, make sure that the IAM role that you use when setting up Amazon Config keeps the same minimum permissions as the already created Amazon Config role. You must do this so that the other Amazon service continues to run as expected.

    For example, if Amazon Control Tower has an IAM role that allows Amazon Config to read Amazon Simple Storage Service (Amazon S3) objects, make sure that the same permissions are granted within the IAM role you use when setting up Amazon Config. Otherwise, it may interfere with how Amazon Control Tower operates. For more information about IAM roles for Amazon Config, see Amazon Identity and Access Management.

Delivery method

  1. For Delivery method, choose the S3 bucket to which Amazon Config sends configuration history and configuration snapshot files:

    • Create a bucket – For S3 bucket name, type a name for your S3 bucket.

      The name that you type must be unique across all existing bucket names in Amazon S3. One way to help ensure uniqueness is to include a prefix; for example, the name of your organization. You can't change the bucket name after it is created. For more information, see Bucket Restrictions and Limitations in the Amazon Simple Storage Service User Guide.

    • Choose a bucket from your account – For S3 bucket name, choose your preferred bucket.

    • Choose a bucket from another account – For S3 bucket name, type the bucket name.

      Note

      If you choose a bucket from another account, that bucket must have policies that grant access permissions to Amazon Config. For more information, see Permissions for the Amazon S3 Bucket.

  2. For Amazon SNS topic, choose Stream configuration changes and notifications to an Amazon SNS topic to have Amazon Config send notifications such as configuration history delivery, configuration snapshot delivery, and compliance.

  3. If you chose to have Amazon Config stream to an Amazon SNS topic, choose the target topic:

    • Create a topic – For Topic Name, type a name for your SNS topic.

    • Choose a topic from your account – For Topic Name, select your preferred topic.

    • Choose a topic from another account – For Topic ARN, type the Amazon Resource Name (ARN) of the topic. If you choose a topic from another account, the topic must have policies that grant access permissions to Amazon Config. For more information, see Permissions for the Amazon SNS Topic.

      Note

      The Amazon SNS topic must exist in the same region as the region in which you set up Amazon Config.
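The cross-account bucket policy that the note under step 1 refers to, as an added example rather than text from this guide: it builds the least-privilege policy Amazon Config needs to deliver history and snapshot files into a bucket in another account, and checks an existing policy for the same grants (a PutObject grant on the whole bucket is reported as not properly scoped). The `aws-cn` partition prefix, the `config.amazonaws.com` service principal and the function names are assumptions; account IDs and bucket names in the usage are constructed.

```python
CONFIG_PRINCIPAL = "config.amazonaws.com"  # assumed service principal for Amazon Config


def config_delivery_bucket_policy(bucket, source_account, partition="aws-cn", prefix=""):
    """Least-privilege bucket policy for cross-account Amazon Config delivery."""
    bucket_arn = f"arn:{partition}:s3:::{bucket}"
    key_prefix = f"{prefix.strip('/')}/" if prefix else ""
    # aws:SourceAccount ties every grant to requests Config makes on behalf of
    # the source account only, which mitigates the confused-deputy problem.
    source_only = {"StringEquals": {"AWS:SourceAccount": source_account}}
    grant = {"Effect": "Allow", "Principal": {"Service": CONFIG_PRINCIPAL}}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {**grant, "Sid": "AWSConfigBucketPermissionsCheck",
             "Action": "s3:GetBucketAcl", "Resource": bucket_arn, "Condition": source_only},
            {**grant, "Sid": "AWSConfigBucketExistenceCheck",
             "Action": "s3:ListBucket", "Resource": bucket_arn, "Condition": source_only},
            # PutObject is confined to the AWSLogs/<account>/Config/ key space and
            # requires bucket-owner-full-control so the bucket owner can read the files.
            {**grant, "Sid": "AWSConfigBucketDelivery", "Action": "s3:PutObject",
             "Resource": f"{bucket_arn}/{key_prefix}AWSLogs/{source_account}/Config/*",
             "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control",
                                            "AWS:SourceAccount": source_account}}},
        ],
    }


def missing_config_grants(policy, bucket, source_account):
    """Return the Config actions that a policy does not grant with proper scope
    (Allow to the Config principal, conditioned on AWS:SourceAccount, on this bucket,
    PutObject limited to the AWSLogs/<account>/Config/ prefix). Resource is a string."""
    needed = {"s3:GetBucketAcl", "s3:ListBucket", "s3:PutObject"}
    for st in policy.get("Statement", []):
        principal = st.get("Principal", {})
        cond = st.get("Condition", {}).get("StringEquals", {})
        if (st.get("Effect") != "Allow" or not isinstance(principal, dict)
                or principal.get("Service") != CONFIG_PRINCIPAL
                or cond.get("AWS:SourceAccount") != source_account):
            continue
        actions = st.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        resource = st.get("Resource", "")
        for action in actions:
            if action == "s3:PutObject":
                ok = (f":s3:::{bucket}/" in resource
                      and resource.endswith(f"/AWSLogs/{source_account}/Config/*"))
            else:
                ok = resource.endswith(f":s3:::{bucket}")
            if ok:
                needed.discard(action)
    return sorted(needed)
```

Run `missing_config_grants` against the policy retrieved from the target bucket before finishing setup; an empty list means all three grants are present and scoped.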

Rules

If you are setting up Amazon Config in a region that supports rules, choose Next. For more information, see Managing your Amazon Config Rules.

Otherwise, choose Confirm.

Review

Review your Amazon Config setup details. You can go back to edit each section. Choose Confirm to finish setting up Amazon Config.

For more information

For information about looking up the existing resources in your account and understanding the configurations of your resources, see Viewing Amazon Resource Configurations and History.

You can also use Amazon Simple Queue Service to monitor Amazon resources programmatically. For more information, see Monitoring Amazon Resource Changes with Amazon SQS.