Supported Resource Types for Amazon Config - Amazon Config
Amazon AppStreamAmazon AppFlowAmazon API GatewayAmazon AthenaAmazon CloudFrontAmazon CloudWatchAmazon CodeGuruAmazon CognitoAmazon ConnectAmazon DetectiveAmazon DynamoDBAmazon EC2Amazon ECRAmazon ECSAmazon EFSAmazon EKSAmazon EMRAmazon EventBridgeAmazon ForecastAmazon Fraud DetectorAmazon GuardDutyAmazon InspectorAmazon IVSAmazon KeyspacesAmazon OpenSearch ServiceAmazon PersonalizeAmazon PinpointAmazon QLDBAmazon KendraAmazon KinesisAmazon LexAmazon LightsailAmazon Lookout for MetricsAmazon Lookout for VisionAmazon Managed GrafanaAmazon Managed Service for PrometheusAmazon MemoryDBAmazon MQAmazon MSKAmazon RedshiftAmazon RDSAmazon Route 53Amazon SageMaker AIAmazon SESAmazon SNSAmazon SQSAmazon S3Amazon WorkSpacesAmazon AmplifyAmazon AppConfigAmazon App RunnerAmazon App MeshAmazon AppSyncAmazon Audit ManagerAmazon Auto ScalingAmazon BackupAmazon BatchAmazon BudgetsAmazon Certificate ManagerAmazon CloudFormationAmazon CloudTrailAmazon Cloud9Amazon Cloud MapAmazon CodeArtifactAmazon CodeBuildAmazon CodeDeployAmazon CodePipelineAmazon ConfigAmazon DMSAmazon DataSyncAmazon Device FarmAmazon Elastic BeanstalkAmazon FISAmazon Global AcceleratorAmazon GlueAmazon Ground StationAmazon HealthLakeAmazon IAMAmazon IoTAmazon KMSAmazon LambdaAmazon Mainframe ModernizationAmazon Network FirewallAmazon Network ManagerAmazon PanoramaAmazon Private CAAmazon Resilience HubAmazon Resource ExplorerAmazon RoboMakerAmazon SignerAmazon Secrets ManagerAmazon Service CatalogAmazon ShieldAmazon Step FunctionsAmazon Systems ManagerAmazon Transfer FamilyAmazon WAFAmazon X-RayElastic Load BalancingMediaConnectMediaPackageMediaTailor
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Supported Resource Types for Amazon Config

Important

This page is updated on a monthly cadence at the beginning of each month.

Amazon Config supports the following Amazon resources types and resource relationships.

Note

Before specifying a resource type for Amazon Config to track, check Resource Coverage by Region Availability to see if the resource type is supported in the Amazon Region where you set up Amazon Config. If a resource type is supported by Amazon Config in at least one Region, you can enable the recording of that resource type in all Regions supported by Amazon Config, even if the specified resource type is not supported in the Amazon Region where you set up Amazon Config.

Amazon AppStream

Amazon Service Resource Type Value Relationship Related Resource
Amazon AppStream AWS::AppStream::DirectoryConfig NA NA
AWS::AppStream::Application NA NA
AWS::AppStream::Stack NA NA
AWS::AppStream::Fleet NA NA

Amazon AppFlow

Amazon Service Resource Type Value Relationship Related Resource
Amazon AppFlow AWS::AppFlow::Flow NA NA

Amazon Service Resource Type Value Relationship Related Resource
Amazon AppIntegrations AWS::AppIntegrations::EventIntegration NA NA

Amazon API Gateway

Amazon Service Resource Type Value Relationship Related Resource
API Gateway AWS::ApiGateway::Stage is contained in ApiGateway Rest Api
is associated with WAFRegional WebACL
AWS::ApiGateway::RestApi contains ApiGateway Stage
API Gateway V2 AWS::ApiGatewayV2::Stage is contained in ApiGatewayV2 Api
AWS::ApiGatewayV2::Api contains ApiGatewayV2 Stage

To learn more about how Amazon Config integrates with Amazon API Gateway, see Monitoring API Gateway API Configuration with Amazon Config.

Amazon Athena

Amazon Service Resource Type Value Relationship Related Resource
Amazon Athena AWS::Athena::WorkGroup NA NA
AWS::Athena::DataCatalog NA NA
AWS::Athena::PreparedStatement NA NA

Amazon CloudFront

Amazon Service Resource Type Value Relationship Related Resource
Amazon CloudFront AWS::CloudFront::Distribution is associated with Amazon WAF WebACL
ACM Certificate
S3 Bucket
IAM Server Certificate
AWS::CloudFront::StreamingDistribution is associated with Amazon WAF WebACL
ACM Certificate
S3 Bucket
IAM Server Certificate

Amazon CloudWatch

Amazon Service Resource Type Value Relationship Related Resource
Amazon CloudWatch AWS::CloudWatch::Alarm NA NA
AWS::CloudWatch::MetricStream NA NA
Amazon CloudWatch Logs AWS::Logs::Destination NA NA
Amazon CloudWatch RUM AWS::RUM::AppMonitor NA NA
Amazon CloudWatch Evidently AWS::Evidently::Project NA NA
AWS::Evidently::Launch NA NA
AWS::Evidently::Segment NA NA

Amazon CodeGuru

Amazon Service Resource Type Value Relationship Related Resource
Amazon CodeGuru Reviewer AWS::CodeGuruReviewer::RepositoryAssociation NA NA
Amazon CodeGuru Profiler AWS::CodeGuruProfiler::ProfilingGroup NA NA

Amazon Cognito

Amazon Service Resource Type Value Relationship Related Resource
Amazon Cognito AWS::Cognito::UserPool NA NA
AWS::Cognito::UserPoolClient NA NA
AWS::Cognito::UserPoolGroup NA NA

Amazon Connect

Amazon Service Resource Type Value Relationship Related Resource
Amazon Connect AWS::Connect::PhoneNumber NA NA
AWS::Connect::QuickConnect NA NA
AWS::Connect::Instance NA NA
Amazon Connect Customer Profiles AWS::CustomerProfiles::Domain NA NA
AWS::CustomerProfiles::ObjectType NA NA

Amazon Detective

Amazon Service Resource Type Value Relationship Related Resource
Amazon Detective AWS::Detective::Graph NA NA

Amazon DynamoDB

Amazon Service Resource Type Value Relationship Related Resource
Amazon DynamoDB AWS::DynamoDB::Table NA NA

Amazon Elastic Compute Cloud

Amazon Service Resource Type Value Relationship Related Resource
Amazon Elastic Compute Cloud AWS::EC2::Host* contains EC2 instance
AWS::EC2::EIP is attached to EC2 instance
Network interface
AWS::EC2::Instance contains EC2 network interface
is associated with EC2 security group
is attached to Amazon EBS volume
EC2 Elastic IP (EIP)
is contained in EC2 Dedicated host
Route table
Subnet
Virtual private cloud (VPC)
AWS::EC2::NetworkInterface is associated with EC2 security group
is attached to EC2 Elastic IP (EIP)
EC2 instance
is contained in Route table
Subnet
Virtual private cloud (VPC)
AWS::EC2::SecurityGroup* is associated with EC2 instance
EC2 network interface
Virtual private cloud (VPC)
AWS::EC2::NatGateway is contained in Virtual private cloud (VPC)
is contained in Subnet
AWS::EC2::EgressOnlyInternetGateway is attached to Virtual private cloud (VPC)
AWS::EC2::EC2Fleet NA NA
AWS::EC2::SpotFleet NA NA
AWS::EC2::PrefixList NA NA
AWS::EC2::FlowLog NA NA
AWS::EC2::TransitGateway NA NA
AWS::EC2::TransitGatewayAttachment NA NA
AWS::EC2::TransitGatewayRouteTable NA NA
AWS::EC2::VPCEndpoint is contained in Virtual private cloud (VPC)
is attached to Network interface
is contained in Subnet
is contained in Route table
AWS::EC2::VPCEndpointService is associated with ElasticLoadBalancingV2 LoadBalancer
AWS::EC2::VPCPeeringConnection is associated with Virtual private cloud (VPC)
AWS::EC2::RegisteredHAInstance is associated with EC2 instance
AWS::EC2::SubnetRouteTableAssociation NA NA
AWS::EC2::LaunchTemplate NA NA
AWS::EC2::NetworkInsightsAccessScopeAnalysis NA NA
AWS::EC2::TrafficMirrorTarget NA NA
AWS::EC2::TrafficMirrorSession NA NA
AWS::EC2::DHCPOptions NA NA
AWS::EC2::IPAM NA NA
AWS::EC2::NetworkInsightsPath NA NA
AWS::EC2::TrafficMirrorFilter NA NA
AWS::EC2::CapacityReservation NA NA
AWS::EC2::ClientVpnEndpoint NA NA
AWS::EC2::CustomerGateway is attached to VPN connection
AWS::EC2::InternetGateway is attached to Virtual private cloud (VPC)
AWS::EC2::NetworkAcl NA NA
AWS::EC2::RouteTable contains EC2 instance
EC2 network interface
Subnet
VPN gateway
is contained in Virtual private cloud (VPC)
AWS::EC2::Subnet contains EC2 instance
EC2 network interface
is attached to Network ACL
is contained in Route table
Virtual private cloud (VPC)
AWS::EC2::VPC contains EC2 instance
EC2 network interface
Network ACL
Route table
Subnet
is associated with Security group
is attached to Internet gateway
VPN gateway
AWS::EC2::VPNConnection is attached to Customer gateway
VPN gateway
AWS::EC2::VPNGateway is attached to Virtual private cloud (VPC)
VPN connection
is contained in Route table
AWS::EC2::IPAMScope NA NA
AWS::EC2::CarrierGateway NA NA
AWS::EC2::TransitGatewayConnect NA NA
AWS::EC2::IPAMPool NA NA
AWS::EC2::TransitGatewayMulticastDomain NA NA
AWS::EC2::NetworkInsightsAccessScope NA NA
AWS::EC2::NetworkInsightsAnalysis NA NA
Amazon Elastic Block Store AWS::EC2::Volume is attached to EC2 instance
EC2 Image Builder AWS::ImageBuilder::ImagePipeline NA NA
AWS::ImageBuilder::DistributionConfiguration NA NA
AWS::ImageBuilder::ContainerRecipe NA NA
AWS::ImageBuilder::InfrastructureConfiguration NA NA
AWS::ImageBuilder::ImageRecipe NA NA

*Amazon Config records the configuration details of Dedicated hosts and the instances that you launch on them. As a result, you can use Amazon Config as a data source when you report compliance with your server-bound software licenses. For example, you can view the configuration history of an instance and determine which Amazon Machine Image (AMI) it is based on. Then, you can look up the configuration history of the host, which includes details such as the numbers of sockets and cores, to check that the host complies with the license requirements of the AMI. For more information, see Tracking Configuration Changes with Amazon Config in the Amazon EC2 User Guide.

*The EC2 SecurityGroup Properties definition contains IP CIDR blocks, which are converted to IP ranges internally, and may return unexpected results when trying to find a specific IP range. For workarounds to search for specific IP ranges, see Limitations for Advanced Queries.

Amazon Elastic Container Registry

Amazon Service Resource Type Value Relationship Related Resource
Amazon Elastic Container Registry AWS::ECR::Repository NA NA
AWS::ECR::RegistryPolicy NA NA
AWS::ECR::PullThroughCacheRule NA NA
Amazon Elastic Container Registry Public AWS::ECR::PublicRepository NA NA

Amazon Elastic Container Service

Amazon Service Resource Type Value Relationship Related Resource
Amazon Elastic Container Service AWS::ECS::Cluster NA NA
AWS::ECS::TaskDefinition NA NA
AWS::ECS::Service* NA NA
AWS::ECS::TaskSet NA NA
AWS::ECS::CapacityProvider NA NA

*This service currently only support the new Amazon Resource Name (ARN) format. For more information, see Amazon Resource Names (ARNs) and IDs in the ECS developer guide.

Old (not supported): arn:aws:ecs:region:aws_account_id:service/service-name

New (supported): arn:aws:ecs:region:aws_account_id:service/cluster-name/service-name

Amazon Elastic File System

Amazon Service Resource Type Value Relationship Related Resource
Amazon Elastic File System AWS::EFS::FileSystem NA NA
AWS::EFS::AccessPoint NA NA

Amazon Elastic Kubernetes Service

Amazon Service Resource Type Value Relationship Related Resource
Amazon Elastic Kubernetes Service AWS::EKS::Cluster NA NA
AWS::EKS::FargateProfile NA NA
AWS::EKS::IdentityProviderConfig NA NA
AWS::EKS::Addon NA NA

Amazon EMR

Amazon Service Resource Type Value Relationship Related Resource
Amazon EMR AWS::EMR::SecurityConfiguration NA NA

Amazon EventBridge

Amazon Service Resource Type Value Relationship Related Resource
Amazon EventBridge AWS::Events::EventBus NA NA
AWS::Events::ApiDestination NA NA
AWS::Events::Archive NA NA
AWS::Events::Endpoint NA NA
AWS::Events::Connection NA NA
AWS::Events::Rule NA NA
Amazon EventBridge schemas AWS::EventSchemas::RegistryPolicy NA NA
AWS::EventSchemas::Discoverer NA NA
AWS::EventSchemas::Schema NA NA

Amazon Forecast

Amazon Service Resource Type Value Relationship Related Resource
Amazon Forecast AWS::Forecast::Dataset NA NA
AWS::Forecast::DatasetGroup NA NA

Amazon Fraud Detector

Amazon Service Resource Type Value Relationship Related Resource
Amazon Fraud Detector AWS::FraudDetector::Label NA NA
AWS::FraudDetector::EntityType NA NA
AWS::FraudDetector::Variable NA NA
AWS::FraudDetector::Outcome NA NA

Amazon GuardDuty

Amazon Service Resource Type Value Relationship Related Resource
Amazon GuardDuty AWS::GuardDuty::Detector NA NA
AWS::GuardDuty::ThreatIntelSet NA NA
AWS::GuardDuty::IPSet NA NA
AWS::GuardDuty::Filter NA NA

Amazon Inspector

Amazon Service Resource Type Value Relationship Related Resource
Amazon Inspector AWS::InspectorV2::Filter NA NA

Amazon Interactive Video Service

Amazon Service Resource Type Value Relationship Related Resource
Amazon Interactive Video Service AWS::IVS::Channel NA NA
AWS::IVS::RecordingConfiguration NA NA
AWS::IVS::PlaybackKeyPair NA NA

Amazon Keyspaces (for Apache Cassandra)

Amazon Service Resource Type Value Relationship Related Resource
Amazon Keyspaces (for Apache Cassandra) AWS::Cassandra::Keyspace NA NA

Amazon OpenSearch Service

Amazon Service Resource Type Value Relationship Related Resource
Amazon OpenSearch Service AWS::Elasticsearch::Domain is associated with KMS Key
EC2 security group
EC2 subnet
Virtual private cloud (VPC)
AWS::OpenSearch::Domain NA NA
Note

On September 8, 2021, Amazon Elasticsearch Service was renamed to Amazon OpenSearch Service. OpenSearch Service supports OpenSearch as well as legacy Elasticsearch OSS. For more information, see Amazon OpenSearch Service - Summary of changes.

You might continue to see your data for AWS::OpenSearch::Domain under the existing AWS::Elasticsearch::Domain resource type for several weeks, even if you upgrade one or more domains to OpenSearch.

Amazon Personalize

Amazon Service Resource Type Value Relationship Related Resource
Amazon Personalize AWS::Personalize::Dataset NA NA
AWS::Personalize::Schema NA NA
AWS::Personalize::Solution NA NA
AWS::Personalize::DatasetGroup NA NA

Amazon Pinpoint

Amazon Service Resource Type Value Relationship Related Resource
Amazon Pinpoint AWS::Pinpoint::ApplicationSettings NA NA
AWS::Pinpoint::Segment NA NA
AWS::Pinpoint::App NA NA
AWS::Pinpoint::Campaign NA NA
AWS::Pinpoint::InAppTemplate NA NA
AWS::Pinpoint::EmailChannel NA NA
AWS::Pinpoint::EmailTemplate NA NA
AWS::Pinpoint::EventStream NA NA

Amazon Quantum Ledger Database (Amazon QLDB)

Amazon Service Resource Type Value Relationship Related Resource
Amazon QLDB AWS::QLDB::Ledger NA NA

Amazon Kendra

Amazon Service Resource Type Value Relationship Related Resource
Amazon Kendra AWS::Kendra::Index NA NA

Amazon Kinesis

Amazon Service Resource Type Value Relationship Related Resource
Amazon Kinesis AWS::Kinesis::Stream NA NA
AWS::Kinesis::StreamConsumer NA NA
Amazon Kinesis Analytics V2 AWS::KinesisAnalyticsV2::Application NA NA
Amazon Data Firehose AWS::KinesisFirehose::DeliveryStream NA NA
Kinesis video stream AWS::KinesisVideo::SignalingChannel NA NA
AWS::KinesisVideo::Stream NA NA

Amazon Lex

Amazon Service Resource Type Value Relationship Related Resource
Amazon Lex AWS::Lex::BotAlias NA NA
AWS::Lex::Bot NA NA

Amazon Lightsail

Amazon Service Resource Type Value Relationship Related Resource
Amazon Lightsail AWS::Lightsail::Disk NA NA
AWS::Lightsail::Certificate NA NA
AWS::Lightsail::Bucket NA NA
AWS::Lightsail::StaticIp NA NA

Amazon Lookout for Metrics

Amazon Service Resource Type Value Relationship Related Resource
Amazon Lookout for Metrics AWS::LookoutMetrics::Alert NA NA

Amazon Lookout for Vision

Amazon Service Resource Type Value Relationship Related Resource
Amazon Lookout for Vision AWS::LookoutVision::Project NA NA

Amazon Managed Grafana

Amazon Service Resource Type Value Relationship Related Resource
Amazon Managed Grafana AWS::Grafana::Workspace NA NA

Amazon Managed Service for Prometheus

Amazon Service Resource Type Value Relationship Related Resource
Amazon Managed Service for Prometheus AWS::APS::RuleGroupsNamespace NA NA

Amazon MemoryDB

Amazon Service Resource Type Value Relationship Related Resource
Amazon MemoryDB AWS::MemoryDB::SubnetGroup NA NA

Amazon MQ

Amazon Service Resource Type Value Relationship Related Resource
Amazon MQ AWS::AmazonMQ::Broker NA NA

Amazon Managed Streaming for Apache Kafka

Amazon Service Resource Type Value Relationship Related Resource
Amazon Managed Streaming for Apache Kafka AWS::MSK::Cluster NA NA
AWS::MSK::Configuration NA NA
AWS::MSK::BatchScramSecret NA NA
AWS::MSK::ClusterPolicy NA NA
AWS::MSK::VpcConnection NA NA
Amazon Managed Streaming for Apache Kafka Connect AWS::KafkaConnect::Connector NA NA

Amazon Redshift

Amazon Service Resource Type Value Relationship Related Resource
Amazon Redshift AWS::Redshift::Cluster is associated with Cluster parameter group
Cluster security group
Cluster subnet group
Security group
Virtual private cloud (VPC)
AWS::Redshift::ClusterParameterGroup NA NA
AWS::Redshift::ClusterSecurityGroup NA NA
AWS::Redshift::ScheduledAction NA NA
AWS::Redshift::ClusterSnapshot is associated with Cluster
Virtual private cloud (VPC)
AWS::Redshift::ClusterSubnetGroup is associated with Subnet
Virtual private cloud (VPC)
AWS::Redshift::EventSubscription NA NA
AWS::Redshift::EndpointAccess NA NA
AWS::Redshift::EndpointAuthorization NA NA

Amazon Relational Database Service

Amazon Service Resource Type Value Relationship Related Resource
Amazon Relational Database Service AWS::RDS::DBInstance is associated with EC2 security group
RDS DB security group
RDS DB subnet group
AWS::RDS::DBSecurityGroup is associated with EC2 security group
Virtual private cloud (VPC)
AWS::RDS::DBSnapshot is associated with Virtual private cloud (VPC)
AWS::RDS::DBSubnetGroup is associated with EC2 security group
Virtual private cloud (VPC)
AWS::RDS::EventSubscription NA NA
AWS::RDS::DBCluster contains RDS DB instance
is associated with RDS DB subnet group
EC2 security group
AWS::RDS::DBClusterSnapshot is associated with RDS DB cluster
Virtual private cloud (VPC)
AWS::RDS::GlobalCluster NA NA
AWS::RDS::OptionGroup NA NA

Amazon Route 53

Amazon Service Resource Type Value Relationship Related Resource
Amazon Route 53 AWS::Route53::HostedZone NA NA
AWS::Route53::HealthCheck NA NA
Amazon Route 53 Resolver AWS::Route53Resolver::ResolverEndpoint NA NA
AWS::Route53Resolver::ResolverRule NA NA
AWS::Route53Resolver::ResolverRuleAssociation NA NA
AWS::Route53Resolver::FirewallDomainList NA NA
AWS::Route53Resolver::FirewallRuleGroupAssociation NA NA
AWS::Route53Resolver::ResolverQueryLoggingConfig NA NA
AWS::Route53Resolver::ResolverQueryLoggingConfigAssociation NA NA
AWS::Route53Resolver::FirewallRuleGroup NA NA
Amazon Application Recovery Controller (ARC) AWS::Route53RecoveryReadiness::Cell NA NA
AWS::Route53RecoveryReadiness::ReadinessCheck NA NA
AWS::Route53RecoveryReadiness::RecoveryGroup NA NA
AWS::Route53RecoveryControl::Cluster NA NA
AWS::Route53RecoveryControl::ControlPanel NA NA
AWS::Route53RecoveryControl::RoutingControl NA NA
AWS::Route53RecoveryControl::SafetyRule NA NA
AWS::Route53RecoveryReadiness::ResourceSet NA NA

Amazon SageMaker AI

Amazon Service Resource Type Value Relationship Related Resource
Amazon SageMaker AI AWS::SageMaker::CodeRepository NA NA
AWS::SageMaker::Domain NA NA
AWS::SageMaker::AppImageConfig NA NA
AWS::SageMaker::Image NA NA
AWS::SageMaker::Model NA NA
AWS::SageMaker::NotebookInstance NA NA
AWS::SageMaker::NotebookInstanceLifecycleConfig NA NA
AWS::SageMaker::EndpointConfig NA NA
AWS::SageMaker::Workteam NA NA
AWS::SageMaker::FeatureGroup NA NA

Amazon Simple Email Service

Amazon Service Resource Type Value Relationship Related Resource
Amazon Simple Email Service AWS::SES::ConfigurationSet NA NA
AWS::SES::ContactList NA NA
AWS::SES::Template NA NA
AWS::SES::ReceiptFilter NA NA
AWS::SES::ReceiptRuleSet NA NA

Amazon Simple Notification Service

Amazon Service Resource Type Value Relationship Related Resource
Amazon Simple Notification Service AWS::SNS::Topic NA NA

Amazon Simple Queue Service

Amazon Service Resource Type Value Relationship Related Resource
Amazon Simple Queue Service AWS::SQS::Queue NA NA

Amazon Simple Storage Service

Amazon Service Resource Type Value Relationship Related Resource
Amazon Simple Storage Service AWS::S3::Bucket* NA NA
AWS::S3::AccountPublicAccessBlock NA NA
AWS::S3::MultiRegionAccessPoint NA NA
AWS::S3::StorageLens NA NA
AWS::S3::AccessPoint NA NA

*If you configured Amazon Config to record your S3 buckets, and are not receiving configuration change notifications, check that your S3 bucket policies have the required permissions. For more information, see Managing Permissions for S3 Bucket Recording.

Amazon S3 Bucket Attributes

Amazon Config also records the following attributes for the Amazon S3 bucket resource type.

Attributes Description
AccelerateConfiguration Transfer acceleration for data over long distances between your client and a bucket.
BucketAcl Access control list used to manage access to buckets and objects.
BucketPolicy Policy that defines the permissions to the bucket.
CrossOriginConfiguration Allow cross-origin requests to the bucket.
LifecycleConfiguration Rules that define the lifecycle for objects in your bucket.
LoggingConfiguration Logging used to track requests for access to the bucket.
NotificationConfiguration Event notifications used to send alerts or trigger workflows for specified bucket events.
ReplicationConfiguration Automatic, asynchronous copying of objects across buckets in different Amazon Regions.
RequestPaymentConfiguration Requester pays is enabled.
TaggingConfiguration Tags added to the bucket to categorize. You can also use tagging to track billing.
WebsiteConfiguration Static website hosting is enabled for the bucket.
VersioningConfiguration Versioning is enabled for objects in the bucket.

For more information about the attributes, see Bucket Configuration Options in the Amazon Simple Storage Service User Guide.

Amazon WorkSpaces

Amazon Service Resource Type Value Relationship Related Resource
Amazon WorkSpaces AWS::WorkSpaces::ConnectionAlias NA NA
AWS::WorkSpaces::Workspace NA NA

Amazon Amplify

Amazon Service Resource Type Value Relationship Related Resource
Amazon Amplify AWS::Amplify::App NA NA
AWS::Amplify::Branch NA NA

Amazon AppConfig

Amazon Service Resource Type Value Relationship Related Resource
Amazon AppConfig AWS::AppConfig::Application NA NA
AWS::AppConfig::Environment NA NA
AWS::AppConfig::ConfigurationProfile NA NA
AWS::AppConfig::DeploymentStrategy NA NA
AWS::AppConfig::HostedConfigurationVersion NA NA
AWS::AppConfig::ExtensionAssociation NA NA

Amazon App Runner

Amazon Service Resource Type Value Relationship Related Resource
Amazon App Runner AWS::AppRunner::VpcConnector NA NA
AWS::AppRunner::Service NA NA

Amazon App Mesh

Amazon Service Resource Type Value Relationship Related Resource
Amazon App Mesh AWS::AppMesh::VirtualNode NA NA
AWS::AppMesh::VirtualService NA NA
AWS::AppMesh::VirtualGateway NA NA
AWS::AppMesh::VirtualRouter NA NA
AWS::AppMesh::Route NA NA
AWS::AppMesh::GatewayRoute NA NA
AWS::AppMesh::Mesh NA NA

Amazon AppSync

Amazon Service Resource Type Value Relationship Related Resource
Amazon AppSync AWS::AppSync::GraphQLApi NA NA

Amazon Audit Manager

Amazon Service Resource Type Value Relationship Related Resource
Amazon Audit Manager AWS::AuditManager::Assessment NA NA

Amazon Auto Scaling

Amazon Service Resource Type Value Relationship Related Resource
Amazon Auto Scaling AWS::AutoScaling::AutoScalingGroup contains Amazon EC2 instance
is associated with Classic Load Balancer
Auto Scaling launch configuration
Subnet
AWS::AutoScaling::LaunchConfiguration is associated with Amazon EC2 security group
AWS::AutoScaling::ScalingPolicy is associated with Auto Scaling group
Alarm
AWS::AutoScaling::ScheduledAction is associated with Auto Scaling group
AWS::AutoScaling::WarmPool NA NA

Amazon Backup

Amazon Service Resource Type Value Relationship Related Resource
Amazon Backup AWS::Backup::BackupPlan NA NA*
AWS::Backup::BackupSelection NA NA
AWS::Backup::BackupVault NA NA*
AWS::Backup::RecoveryPoint NA NA
AWS::Backup::ReportPlan NA NA

Due to how Amazon Backup works, some of these resource types relate to the other Amazon Backup resource types in this table.

AWS::Backup::BackupPlan is related to AWS::Backup::BackupSelection where a Backup Plan has many selections, and AWS::Backup::BackupVault is related to AWS::Backup::RecoveryPoint where an Amazon Backup Vault has multiple recovery points.

For more information, see Managing backups using backup plans and Working with backup vaults.

Amazon Batch

Amazon Service Resource Type Value Relationship Related Resource
Amazon Batch AWS::Batch::JobQueue NA NA
AWS::Batch::ComputeEnvironment NA NA
AWS::Batch::SchedulingPolicy NA NA

Amazon Budgets

Amazon Service Resource Type Value Relationship Related Resource
Amazon Budgets AWS::Budgets::BudgetsAction NA NA

Amazon Certificate Manager

Amazon Service Resource Type Value Relationship Related Resource
Amazon Certificate Manager AWS::ACM::Certificate NA NA

Amazon CloudFormation

Amazon Service Resource Type Value Relationship Related Resource
Amazon CloudFormation AWS::CloudFormation::Stack* contains Supported Amazon resource types

*Amazon Config records configuration changes to Amazon CloudFormation stacks and supported resource types in the stacks. Amazon Config does not record configuration changes for resource types in the stack that are not yet supported. Unsupported resource types appear in the supplementary configuration section of the configuration item for the stack.

Amazon CloudTrail

Amazon Service Resource Type Value Relationship Related Resource
Amazon CloudTrail AWS::CloudTrail::Trail NA NA

Amazon Cloud9

Amazon Service Resource Type Value Relationship Related Resource
Amazon Cloud9 AWS::Cloud9::EnvironmentEC2 NA NA

Amazon Cloud Map

Amazon Service Resource Type Value Relationship Related Resource
Service Discovery AWS::ServiceDiscovery::Service NA NA
AWS::ServiceDiscovery::PublicDnsNamespace NA NA
AWS::ServiceDiscovery::HttpNamespace NA NA
AWS::ServiceDiscovery::Instance NA NA

Amazon CodeArtifact

Amazon Service Resource Type Value Relationship Related Resource
Amazon CodeArtifact AWS::CodeArtifact::Repository NA NA

Amazon CodeBuild

Amazon Service Resource Type Value Relationship Related Resource
Amazon CodeBuild AWS::CodeBuild::Project* is associated with S3 bucket
IAM role
AWS::CodeBuild::ReportGroup NA NA

*To learn more about how Amazon Config integrates with Amazon CodeBuild, see Use Amazon Config with Amazon CodeBuild Sample.

Amazon CodeDeploy

Amazon Service Resource Type Value Relationship Related Resource
Amazon CodeDeploy AWS::CodeDeploy::Application contains DeploymentGroup
AWS::CodeDeploy::DeploymentConfig NA NA
AWS::CodeDeploy::DeploymentGroup is contained in Application

Amazon CodePipeline

Amazon Service Resource Type Value Relationship Related Resource
Amazon CodePipeline AWS::CodePipeline::Pipeline* is attached to S3 bucket
is associated with IAM role
Code project
Lambda function
Cloudformation stack
ElasticBeanstalk application

*Amazon Config records configuration changes to CodePipeline pipelines and supported resource types in the pipelines. Amazon Config does not record configuration changes for resource types in the pipelines that are not yet supported. Unsupported resource types such as CodeCommit repository, CodeDeploy application, ECS cluster, and ECS service appear in the supplementary configuration section of the configuration item for the stack.

Amazon Config

Amazon Service Resource Type Value Relationship Related Resource
Amazon Config AWS::Config::ResourceCompliance* is associated with All resources*
AWS::Config::ConformancePackCompliance NA NA
AWS::Config::ConfigurationRecorder* NA NA

*The relationship between AWS::Config::ResourceCompliance and a related resource depends on how AWS::Config::ResourceCompliance reports compliance for that specific resource type.

*AWS::Config::ConfigurationRecorder is a system resource type of Amazon Config and recording of this resource type is enabled by default.

Note

Recording for the AWS::Config::ConformancePackCompliance and AWS::Config::ConfigurationRecorder resource types come with no additional charge.

Amazon Database Migration Service

Amazon Service Resource Type Value Relationship Related Resource
Amazon Database Migration Service AWS::DMS::EventSubscription NA NA
AWS::DMS::ReplicationSubnetGroup NA NA
AWS::DMS::ReplicationInstance NA NA
AWS::DMS::ReplicationTask NA NA
AWS::DMS::Certificate NA NA
AWS::DMS::Endpoint NA NA

Amazon DataSync

Amazon Service Resource Type Value Relationship Related Resource
Amazon DataSync AWS::DataSync::LocationSMB NA NA
AWS::DataSync::LocationFSxLustre NA NA
AWS::DataSync::LocationFSxWindows NA NA
AWS::DataSync::LocationS3 NA NA
AWS::DataSync::LocationEFS NA NA
AWS::DataSync::LocationNFS NA NA
AWS::DataSync::LocationHDFS NA NA
AWS::DataSync::LocationObjectStorage NA NA
AWS::DataSync::Task NA NA

Amazon Device Farm

Amazon Service Resource Type Value Relationship Related Resource
Amazon Device Farm AWS::DeviceFarm::TestGridProject NA NA
AWS::DeviceFarm::InstanceProfile NA NA
AWS::DeviceFarm::Project NA NA

Amazon Elastic Beanstalk

Amazon Service Resource Type Value Relationship Related Resource
Amazon Elastic Beanstalk AWS::ElasticBeanstalk::Application contains Elastic Beanstalk Application Version
Elastic Beanstalk Environment
is associated with IAM role
AWS::ElasticBeanstalk::ApplicationVersion is contained in Elastic Beanstalk Application
is associated with Elastic Beanstalk Environment
S3 bucket
AWS::ElasticBeanstalk::Environment is contained in Elastic Beanstalk Application
is associated with Elastic Beanstalk Application Version
IAM role
contains CloudFormation Stack

Amazon Fault Injection Service

Amazon Service Resource Type Value Relationship Related Resource
Amazon Fault Injection Service AWS::FIS::ExperimentTemplate NA NA

Amazon Global Accelerator

Amazon Service Resource Type Value Relationship Related Resource
Amazon Global Accelerator AWS::GlobalAccelerator::Listener NA NA
AWS::GlobalAccelerator::EndpointGroup NA NA
AWS::GlobalAccelerator::Accelerator NA NA

Amazon Glue

Amazon Service Resource Type Value Relationship Related Resource
Amazon Glue AWS::Glue::Job NA NA
AWS::Glue::Classifier NA NA
AWS::Glue::MLTransform NA NA

Amazon Ground Station

Amazon Service Resource Type Value Relationship Related Resource
Amazon Ground Station AWS::GroundStation::Config NA NA
AWS::GroundStation::MissionProfile NA NA
AWS::GroundStation::DataflowEndpointGroup NA NA

Amazon HealthLake

Amazon Service Resource Type Value Relationship Related Resource
Amazon HealthLake AWS::HealthLake::FHIRDatastore NA NA

Amazon Identity and Access Management (IAM)

Amazon Service Resource Type Value Relationship Related Resource
Amazon Identity and Access Management AWS::IAM::User is attached to IAM group
IAM customer managed policy
AWS::IAM::Group contains IAM user
is attached to IAM customer managed policy
AWS::IAM::Role is attached to IAM customer managed policy
AWS::IAM::Policy is attached to IAM user
IAM group
IAM role
AWS::IAM::SAMLProvider NA NA
AWS::IAM::ServerCertificate NA NA
AWS::IAM::InstanceProfile NA NA
AWS::IAM::OIDCProvider NA NA
Amazon Identity and Access Management Access Analyzer AWS::AccessAnalyzer::Analyzer NA NA

Amazon Config includes inline policies with the configuration details that it records. For more information on inline policies, see Managed policies and inline policies in the IAM User Guide.

Amazon IoT

Amazon Service Resource Type Value Relationship Related Resource
Amazon IoT AWS::IoT::Authorizer NA NA
AWS::IoT::SecurityProfile NA NA
AWS::IoT::RoleAlias NA NA
AWS::IoT::Dimension NA NA
AWS::IoT::Policy NA NA
AWS::IoT::MitigationAction NA NA
AWS::IoT::ScheduledAudit NA NA
AWS::IoT::AccountAuditConfiguration NA NA
AWS::IoTSiteWise::Gateway NA NA
AWS::IoT::CustomMetric NA NA
AWS::IoT::JobTemplate NA NA
AWS::IoT::ProvisioningTemplate NA NA
AWS::IoT::CACertificate NA NA
Amazon IoT Wireless AWS::IoTWireless::ServiceProfile NA NA
AWS::IoTWireless::MulticastGroup NA NA
AWS::IoTWireless::FuotaTask NA NA
Amazon IoT Core AWS::IoT::FleetMetric NA NA
Amazon IoT Analytics AWS::IoTAnalytics::Datastore NA NA
AWS::IoTAnalytics::Dataset NA NA
AWS::IoTAnalytics::Pipeline NA NA
AWS::IoTAnalytics::Channel NA NA
Amazon IoT Events AWS::IoTEvents::Input NA NA
AWS::IoTEvents::DetectorModel NA NA
AWS::IoTEvents::AlarmModel NA NA
Amazon IoT TwinMaker AWS::IoTTwinMaker::Workspace NA NA
AWS::IoTTwinMaker::Entity NA NA
AWS::IoTTwinMaker::Scene NA NA
AWS::IoTTwinMaker::SyncJob NA NA
Amazon IoT SiteWise AWS::IoTSiteWise::Dashboard NA NA
AWS::IoTSiteWise::Project NA NA
AWS::IoTSiteWise::Portal NA NA
AWS::IoTSiteWise::AssetModel NA NA
Amazon IoT Greengrass Version 2 AWS::GreengrassV2::ComponentVersion NA NA

Amazon Key Management Service

Amazon Service Resource Type Value Relationship Related Resource
Amazon Key Management Service AWS::KMS::Key NA NA
AWS::KMS::Alias NA NA

Amazon Lambda

Amazon Service Resource Type Value Relationship Related Resource
Amazon Lambda AWS::Lambda::Function is associated with IAM role
EC2 security group
is contained in EC2 subnet
AWS::Lambda::Alias NA NA
AWS::Lambda::CodeSigningConfig NA NA

Amazon Mainframe Modernization

Amazon Service Resource Type Value Relationship Related Resource
Amazon Mainframe Modernization AWS::M2::Environment NA NA

Amazon Network Firewall

Amazon Service Resource Type Value Relationship Related Resource
Amazon Network Firewall AWS::NetworkFirewall::Firewall is attached to EC2 Subnet
is associated with NetworkFirewall FirewallPolicy
AWS::NetworkFirewall::FirewallPolicy is associated with NetworkFirewall RuleGroup
AWS::NetworkFirewall::RuleGroup NA NA
AWS::NetworkFirewall::TLSInspectionConfiguration NA NA

Amazon Network Manager

Amazon Service Resource Type Value Relationship Related Resource
Amazon Network Manager AWS::NetworkManager::TransitGatewayRegistration NA NA
AWS::NetworkManager::Site NA NA
AWS::NetworkManager::Device NA NA
AWS::NetworkManager::Link NA NA
AWS::NetworkManager::GlobalNetwork NA NA
AWS::NetworkManager::CustomerGatewayAssociation NA NA
AWS::NetworkManager::LinkAssociation NA NA
AWS::NetworkManager::ConnectPeer NA NA

Amazon Panorama

Amazon Service Resource Type Value Relationship Related Resource
Amazon Panorama AWS::Panorama::Package NA NA

Amazon Private Certificate Authority

Amazon Service Resource Type Value Relationship Related Resource
Amazon Private Certificate Authority AWS::ACMPCA::CertificateAuthority NA NA
AWS::ACMPCA::CertificateAuthorityActivation NA NA

Amazon Resilience Hub

Amazon Service Resource Type Value Relationship Related Resource
Amazon Resilience Hub AWS::ResilienceHub::ResiliencyPolicy NA NA
AWS::ResilienceHub::App NA NA

Amazon Resource Explorer

Amazon Service Resource Type Value Relationship Related Resource
Amazon Resource Explorer AWS::ResourceExplorer2::Index NA NA

Amazon RoboMaker

Amazon Service Resource Type Value Relationship Related Resource
Amazon RoboMaker AWS::RoboMaker::RobotApplicationVersion NA NA
AWS::RoboMaker::RobotApplication NA NA
AWS::RoboMaker::SimulationApplication NA NA

Amazon Signer

Amazon Service Resource Type Value Relationship Related Resource
Amazon Signer AWS::Signer::SigningProfile NA NA

Amazon Secrets Manager

Amazon Service Resource Type Value Relationship Related Resource
Amazon Secrets Manager AWS::SecretsManager::Secret is associated with Lambda function
is associated with KMS Key

Amazon Service Catalog

Amazon Service Resource Type Value Relationship Related Resource
Amazon Service Catalog AWS::ServiceCatalog::CloudFormationProduct is contained in Portfolio
is associated with CloudFormationProvisionedProduct
AWS::ServiceCatalog::CloudFormationProvisionedProduct is associated with Portfolio
CloudFormationProduct
CloudFormationStack
AWS::ServiceCatalog::Portfolio contains CloudFormationProduct

Amazon Shield

Amazon Service Resource Type Value Relationship Related Resource
Amazon Shield AWS::Shield::Protection is associated with Amazon CloudFront distribution
AWS::ShieldRegional::Protection is associated with EC2 EIP
is associated with ElasticLoadBalancing Balancer
is associated with ElasticLoadBalancingV2 LoadBalancer

Amazon Step Functions

Amazon Service Resource Type Value Relationship Related Resource
Amazon Step Functions AWS::StepFunctions::Activity NA NA
AWS::StepFunctions::StateMachine NA NA

Amazon Systems Manager

Amazon Service Resource Type Value Relationship Related Resource
Amazon Systems Manager AWS::SSM::ManagedInstanceInventory* is associated with EC2 instance
AWS::SSM::PatchCompliance is associated with Managed Instance Inventory
AWS::SSM::AssociationCompliance is associated with Managed Instance Inventory
AWS::SSM::FileData is associated with Managed Instance Inventory
AWS::SSM::Document NA NA

*To learn more about managed instance inventory, see Recording Software Configuration for Managed Instances.

Amazon Transfer Family

Amazon Service Resource Type Value Relationship Related Resource
Amazon Transfer Family AWS::Transfer::Agreement NA NA
AWS::Transfer::Connector NA NA
AWS::Transfer::Workflow NA NA
AWS::Transfer::Certificate NA NA
AWS::Transfer::Profile NA NA

Amazon WAF

Amazon Service Resource Type Value Relationship Related Resource
Amazon WAF AWS::WAF::RateBasedRule NA NA
AWS::WAF::Rule NA NA
AWS::WAF::WebACL is associated with WAF Rule
WAF rate based rule
WAF Rulegroup
AWS::WAF::RuleGroup is associated with WAF Rule
AWS::WAFRegional::RateBasedRule NA NA
AWS::WAFRegional::Rule NA NA
AWS::WAFRegional::WebACL is associated with ElasticLoadBalancingV2 LoadBalancer
WAFRegional Rule
WAFRegional rate based rule
WAFRegional Rulegroup
AWS::WAFRegional::RuleGroup is associated with WAFRegional Rule
Amazon WAF V2 AWS::WAFv2::WebACL is associated with ElasticLoadBalancingV2 LoadBalancer
ApiGateway Stage
WAFv2 IPSet
WAFv2 RegexPatternSet
WAFv2 RuleGroup
WAFv2 ManagedRuleSet
AWS::WAFv2::RuleGroup is associated with WAFv2 IPSet
WAFv2 RegexPatternSet
AWS::WAFv2::ManagedRuleSet is associated with WAFv2 RuleGroup
AWS::WAFv2::IPSet NA NA
AWS::WAFv2::RegexPatternSet NA NA

Amazon X-Ray

Amazon Service Resource Type Value Relationship Related Resource
Amazon X-Ray AWS::XRay::EncryptionConfig NA NA

Elastic Load Balancing

Amazon Service Resource Type Value Relationship Related Resource
Elastic Load Balancing

Application Load Balancer

AWS::ElasticLoadBalancingV2::LoadBalancer

is associated with EC2 security group
is attached to Subnet
is contained in Virtual private cloud (VPC)

Application Load Balancer Listener

AWS::ElasticLoadBalancingV2::Listener

NA NA

Classic Load Balancer

AWS::ElasticLoadBalancing::LoadBalancer

is associated with EC2 security group
is attached to Subnet
is contained in Virtual private cloud (VPC)

Network Load Balancer

AWS::ElasticLoadBalancingV2::LoadBalancer

NA NA

AWS Elemental MediaConnect

Amazon Service Resource Type Value Relationship Related Resource
AWS Elemental MediaConnect AWS::MediaConnect::FlowEntitlement NA NA
AWS::MediaConnect::FlowVpcInterface NA NA
AWS::MediaConnect::FlowSource NA NA

AWS Elemental MediaPackage

Amazon Service Resource Type Value Relationship Related Resource
AWS Elemental MediaPackage AWS::MediaPackage::PackagingGroup NA NA
AWS::MediaPackage::PackagingConfiguration NA NA

AWS Elemental MediaTailor

Amazon Service Resource Type Value Relationship Related Resource
AWS Elemental MediaTailor AWS::MediaTailor::PlaybackConfiguration NA NA