AWS services or capabilities described in AWS documentation might
vary by Region. To see the differences applicable to the China Regions, see Getting Started with AWS services in
China.
Supported Resource Types
AWS Config supports the following AWS resources types and resource relationships.
Amazon API Gateway
| AWS Service |
Resource Type Value |
Relationship |
Related Resource |
| API Gateway |
AWS::ApiGateway::Stage |
is contained in |
ApiGateway Rest Api |
| is associated with |
WAFRegional WebACL |
AWS::ApiGatewayV2::Stage |
is contained in |
ApiGatewayV2 Api |
AWS::ApiGateway::RestApi |
contains |
ApiGateway Stage |
AWS::ApiGatewayV2::Api |
contains |
ApiGatewayV2 Stage |
To learn more about how AWS Config integrates with Amazon API Gateway, see Monitoring API Gateway API Configuration with AWS Config.
Amazon CloudFront
| AWS Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon CloudFront * |
AWS::CloudFront::Distribution |
is associated with |
AWS WAF WebACL |
| ACM Certificate |
| S3 Bucket |
| IAM Server Certificate |
AWS::CloudFront::StreamingDistribution |
is associated with |
AWS WAF WebACL |
| ACM Certificate |
| S3 Bucket |
| IAM Server Certificate |
*AWS Config support for Amazon CloudFront is available only in the US East (N. Virginia)
region.
Amazon CloudWatch
| AWS Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon CloudWatch |
AWS::CloudWatch::Alarm |
NA |
NA |
Amazon DynamoDB
| AWS Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon DynamoDB |
AWS::DynamoDB::Table |
NA |
NA |
Amazon Elastic Block Store
| AWS Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Elastic Block Store |
AWS::EC2::Volume |
is attached to |
EC2 instance |
Amazon Elastic Compute Cloud
| AWS Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Elastic Compute Cloud |
AWS::EC2::Host* |
contains |
EC2 instance |
AWS::EC2::EIP |
is attached to |
EC2 instance |
| Network interface |
AWS::EC2::Instance |
contains |
EC2 network interface |
| is associated with |
EC2 security group |
| is attached to |
Amazon EBS volume |
| EC2 Elastic IP (EIP) |
| is contained in |
EC2 Dedicated host |
| Route table |
| Subnet |
| Virtual private cloud (VPC) |
AWS::EC2::NetworkInterface |
is associated with |
EC2 security group |
| is attached to |
EC2 Elastic IP (EIP) |
| EC2 instance |
| is contained in |
Route table |
| Subnet |
| Virtual private cloud (VPC) |
AWS::EC2::SecurityGroup |
is associated with |
EC2 instance |
| EC2 network interface |
| Virtual private cloud (VPC) |
AWS::EC2::NatGateway |
is contained in |
Virtual private cloud (VPC) |
| is contained in |
Subnet |
AWS::EC2::EgressOnlyInternetGateway |
is attached to |
Virtual private cloud (VPC) |
AWS::EC2::FlowLog |
NA |
NA |
AWS::EC2::VPCEndpoint |
is contained in |
Virtual private cloud (VPC) |
| is attached to |
Network interface |
| is contained in |
Subnet |
| is contained in |
Route table |
AWS::EC2::VPCEndpointService |
is associated with |
ElasticLoadBalancingV2 LoadBalancer |
AWS::EC2::VPCPeeringConnection |
is associated with |
Virtual private cloud (VPC) |
*AWS Config records the configuration details of Dedicated hosts and the instances
that you launch on them. As a result, you can use AWS Config as a data source when
you report compliance with your server-bound software licenses.
For example, you can view the configuration history of an instance and determine which
Amazon Machine Image (AMI) it is based on.
Then, you can look up the configuration history of the host, which includes details
such as the numbers of sockets and cores, to verify that the host complies with the
license requirements of the AMI.
For more information, see Tracking Configuration Changes with AWS Config in the Amazon EC2 User Guide for Linux Instances.
Amazon Elasticsearch Service
| AWS Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Elasticsearch Service |
AWS::Elasticsearch::Domain |
is associated with |
KMS Key |
| EC2 security group |
| EC2 subnet |
| Virtual private cloud (VPC) |
Amazon Quantum Ledger Database (QLDB)
| AWS Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon QLDB |
AWS::QLDB::Ledger |
NA |
NA |
Amazon Redshift
| AWS Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Redshift |
AWS::Redshift::Cluster |
is associated with |
Cluster parameter group |
| Cluster security group |
| Cluster subnet group |
| Security group |
| Virtual private cloud (VPC) |
AWS::Redshift::ClusterParameterGroup |
NA |
NA |
AWS::Redshift::ClusterSecurityGroup |
NA |
NA |
AWS::Redshift::ClusterSnapshot |
is associated with |
Cluster |
| Virtual private cloud (VPC) |
AWS::Redshift::ClusterSubnetGroup |
is associated with |
Subnet |
| Virtual private cloud (VPC) |
AWS::Redshift::EventSubscription |
NA |
NA |
Amazon Relational Database Service
| AWS Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Relational Database Service |
AWS::RDS::DBInstance |
is associated with |
EC2 security group |
| RDS DB security group |
| RDS DB subnet group |
AWS::RDS::DBSecurityGroup |
is associated with |
EC2 security group |
| Virtual private cloud (VPC) |
AWS::RDS::DBSnapshot |
is associated with |
Virtual private cloud (VPC) |
AWS::RDS::DBSubnetGroup |
is associated with |
EC2 security group |
| Virtual private cloud (VPC) |
AWS::RDS::EventSubscription |
NA |
NA |
AWS::RDS::DBCluster |
contains |
RDS DB instance |
| is associated with |
RDS DB subnet group |
| EC2 security group |
AWS::RDS::DBClusterSnapshot |
Is associated with |
RDS DB cluster |
| Virtual private cloud (VPC) |
Amazon S3 Bucket Attributes
AWS Config also records the following attributes for the Amazon S3 bucket resource
type.
| Attributes |
Description |
| AccelerateConfiguration |
Transfer acceleration for data over long distances between your client and a
bucket.
|
| BucketAcl |
Access control list used to manage access to buckets and objects. |
| BucketPolicy |
Policy that defines the permissions to the bucket. |
| CrossOriginConfiguration |
Allow cross-origin requests to the bucket. |
| LifecycleConfiguration |
Rules that define the lifecycle for objects in your bucket. |
| LoggingConfiguration |
Logging used to track requests for access to the bucket. |
| NotificationConfiguration |
Event notifications used to send alerts or trigger workflows for specified bucket
events.
|
| ReplicationConfiguration |
Automatic, asynchronous copying of objects across buckets in different AWS
Regions.
|
| RequestPaymentConfiguration |
Requester pays is enabled. |
| TaggingConfiguration |
Tags added to the bucket to categorize. You can also use tagging to track
billing.
|
| WebsiteConfiguration |
Static website hosting is enabled for the bucket. |
| VersioningConfiguration |
Versioning is enabled for objects in the bucket. |
For more information about the attributes, see Bucket Configuration Options in the Amazon Simple Storage Service Developer Guide.
Amazon Simple Notification Service
| AWS Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Simple Notification Service |
AWS::SNS::Topic |
NA |
NA |
Amazon Simple Queue Service
| AWS Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Simple Queue Service |
AWS::SQS::Queue |
NA |
NA |
Amazon Simple Storage Service
| AWS Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Simple Storage Service |
AWS::S3::Bucket* |
NA |
NA |
AWS::S3::AccountPublicAccessBlock |
NA |
NA |
*If you configured AWS Config to record your S3 buckets, and are not receiving configuration
change notifications, verify your S3 bucket policies have the required permissions.
For more information, see Managing Permissions for S3 Bucket Recording.
Amazon Virtual Private Cloud
| AWS Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Virtual Private Cloud |
AWS::EC2::CustomerGateway |
is attached to |
VPN connection |
AWS::EC2::InternetGateway |
is attached to |
Virtual private cloud (VPC) |
AWS::EC2::NetworkAcl |
NA |
NA |
AWS::EC2::RouteTable |
contains |
EC2 instance |
| EC2 network interface |
| Subnet |
| VPN gateway |
| is contained in |
Virtual private cloud (VPC) |
AWS::EC2::Subnet |
contains |
EC2 instance |
| EC2 network interface |
| is attached to |
Network ACL |
| is contained in |
Route table |
| Virtual private cloud (VPC) |
AWS::EC2::VPC |
contains |
EC2 instance |
| EC2 network interface |
| Network ACL |
| Route table |
| Subnet |
| is associated with |
Security group |
| is attached to |
Internet gateway |
| VPN gateway |
AWS::EC2::VPNConnection |
is attached to |
Customer gateway |
| VPN gateway |
AWS::EC2::VPNGateway |
is attached to |
Virtual private cloud (VPC) |
| VPN connection |
| is contained in |
Route table |
AWS Auto Scaling
| AWS Service |
Resource Type Value |
Relationship |
Related Resource |
| Auto Scaling |
AWS::AutoScaling::AutoScalingGroup |
contains |
Amazon EC2 instance |
| is associated with |
Classic Load Balancer |
| Auto Scaling launch configuration |
| Subnet |
AWS::AutoScaling::LaunchConfiguration |
is associated with |
Amazon EC2 security group |
AWS::AutoScaling::ScalingPolicy |
is associated with |
Auto Scaling group |
| Alarm |
AWS::AutoScaling::ScheduledAction |
is associated with |
Auto Scaling group |
AWS Certificate Manager
| AWS Service |
Resource Type Value |
Relationship |
Related Resource |
| AWS Certificate Manager |
AWS::ACM::Certificate |
NA |
NA |
| AWS Service |
Resource Type Value |
Relationship |
Related Resource |
| AWS CloudFormation |
AWS::CloudFormation::Stack* |
contains |
Supported AWS resource types |
*AWS Config records configuration changes to AWS CloudFormation stacks and supported
resource types in the stacks. AWS Config does not record configuration changes for
resource types in the stack that are not yet supported.
Unsupported resource types appear in the supplementary configuration section of the
configuration item for the stack.
AWS CloudTrail
| AWS Service |
Resource Type Value |
Relationship |
Related Resource |
| AWS CloudTrail |
AWS::CloudTrail::Trail |
NA |
NA |
AWS CodeBuild
| AWS Service |
Resource Type Value |
Relationship |
Related Resource |
| AWS CodeBuild |
AWS::CodeBuild::Project* |
is associated with |
S3 bucket |
| IAM role |
*To learn more about how AWS Config integrates with AWS CodeBuild, see Use AWS Config with AWS CodeBuild Sample.
AWS CodePipeline
| AWS Service |
Resource Type Value |
Relationship |
Related Resource |
| AWS CodePipeline |
AWS::CodePipeline::Pipeline* |
is attached to |
S3 bucket |
| is associated with |
IAM role |
| Code project |
| Lambda function |
| Cloudformation stack |
| ElasticBeanstalk application |
*AWS Config records configuration changes to CodePipeline pipelines and supported resource
types in the pipelines. AWS Config does not record configuration changes for resource
types in the pipelines that are not yet supported.
Unsupported resource types such as CodeCommit repository, CodeDeploy application, ECS cluster, and ECS service appear in the supplementary configuration section of the configuration item for the
stack.
AWS Elastic Beanstalk
| AWS Service |
Resource Type Value |
Relationship |
Related Resource |
| AWS Elastic Beanstalk |
AWS::ElasticBeanstalk::Application |
contains |
Elastic Beanstalk Application Version |
| Elastic Beanstalk Environment |
| is associated with |
IAM role |
AWS::ElasticBeanstalk::ApplicationVersion |
is contained in |
Elastic Beanstalk Application |
| is associated with |
Elastic Beanstalk Environment |
| S3 bucket |
AWS::ElasticBeanstalk::Environment |
is contained in |
Elastic Beanstalk Application |
| is associated with |
Elastic Beanstalk Application Version |
| IAM role |
| contains |
CloudFormation Stack |
AWS Identity and Access Management
| AWS Service |
Resource Type Value |
Relationship |
Related Resource |
| AWS Identity and Access Management |
AWS::IAM::User* |
is attached to |
IAM group |
| IAM customer managed policy |
AWS::IAM::Group* |
contains |
IAM user |
| is attached to |
IAM customer managed policy |
AWS::IAM::Role* |
is attached to |
IAM customer managed policy |
AWS::IAM::Policy |
is attached to |
IAM user |
| IAM group |
| IAM role |
*AWS Identity and Access Management (IAM) resources are global resources. Global resources are not tied to an individual region and can be used in all regions.
The configuration details for a global resource are the same in all regions.
For more information, see Selecting Which Resources AWS Config Records.
AWS Config includes inline policies with the configuration details that it records.
AWS Key Management Service
| AWS Service |
Resource Type Value |
Relationship |
Related Resource |
| AWS Key Management Service |
AWS::KMS::Key |
NA |
NA |
AWS Lambda Function
| AWS Service |
Resource Type Value |
Relationship |
Related Resource |
| AWS Lambda Function |
AWS::Lambda::Function |
is associated with |
IAM role |
| EC2 security group |
| contains |
EC2 subnet |
AWS Network Firewall
| AWS Service |
Resource Type Value |
Relationship |
Related Resource |
| AWS Network Firewall |
AWS::NetworkFirewall::Firewall |
is attached to |
EC2 Subnet |
| is associated with |
NetworkFirewall FirewallPolicy |
AWS::NetworkFirewall::FirewallPolicy |
is associated with |
NetworkFirewall RuleGroup |
AWS::NetworkFirewall::RuleGroup |
NA |
NA |
AWS Config support for Network Firewall is available only in the US East (N. Virginia),
Europe (Ireland) and US West (Oregon) regions.
AWS Secrets Manager
| AWS Service |
Resource Type Value |
Relationship |
Related Resource |
| AWS SecretsManager |
AWS::SecretsManager::Secret |
is associated with |
Lambda function |
| is associated with |
KMS Key |
AWS Service Catalog
| AWS Service |
Resource Type Value |
Relationship |
Related Resource |
| AWS Service Catalog |
AWS::ServiceCatalog::CloudFormationProduct |
is contained in |
Portfolio |
| is associated with |
CloudFormationProvisionedProduct |
AWS::ServiceCatalog::CloudFormationProvisionedProduct |
is associated with |
Portfolio |
| CloudFormationProduct |
| CloudFormationStack |
AWS::ServiceCatalog::Portfolio |
contains |
CloudFormationProduct |
AWS Shield
| AWS Service |
Resource Type Value |
Relationship |
Related Resource |
| AWS Shield* |
AWS::Shield::Protection |
is associated with |
Amazon CloudFront distribution |
AWS::ShieldRegional::Protection |
is associated with |
EC2 EIP |
| is associated with |
ElasticLoadBalancing Balancer |
| is associated with |
ElasticLoadBalancingV2 LoadBalancer |
*AWS Config support for AWS::Shield::Protection is available only in the US East (N. Virginia) region. The AWS::ShieldRegional::Protection is available in all regions where AWS Shield is supported.
AWS Systems Manager
| AWS Service |
Resource Type Value |
Relationship |
Related Resource |
| AWS Systems Manager |
AWS::SSM::ManagedInstanceInventory* |
is associated with |
EC2 instance |
AWS::SSM::PatchCompliance |
is associated with |
Managed Instance Inventory |
AWS::SSM::AssociationCompliance |
is associated with |
Managed Instance Inventory |
AWS::SSM::FileData |
is associated with |
Managed Instance Inventory |
*To learn more about managed instance inventory, see Recording Software Configuration for Managed Instances.
AWS WAF
| AWS Service |
Resource Type Value |
Relationship |
Related Resource |
| AWS WAF* |
AWS::WAF::RateBasedRule |
NA |
NA |
AWS::WAF::Rule |
NA |
NA |
AWS::WAF::WebACL |
is associated with |
WAF Rule |
| WAF rate based rule |
| WAF Rulegroup |
AWS::WAF::RuleGroup |
is associated with |
WAF Rule |
AWS::WAFRegional::RateBasedRule |
NA |
NA |
AWS::WAFRegional::Rule |
NA |
NA |
AWS::WAFRegional::WebACL |
is associated with |
ElasticLoadBalancingV2 LoadBalancer |
| WAFRegional Rule |
| WAFRegional rate based rule |
| WAFRegional Rulegroup |
AWS::WAFRegional::RuleGroup |
is associated with |
WAFRegional Rule |
*The AWS WAF resource type values are available only in the US East (N. Virginia) Region.
The AWS::WAFRegional::RateBasedRule, AWS::WAFRegional::Rule, AWS::WAFRegional::WebACL,
and AWS::WAFRegional::RuleGroup are available in all regions where AWS WAF is supported.
| AWS Service |
Resource Type Value |
Relationship |
Related Resource |
| AWS WAFv2* |
AWS::WAFv2::WebACL |
is associated with |
ElasticLoadBalancingV2 LoadBalancer |
| ApiGateway Stage |
| WAFv2 IPSet |
| WAFv2 RegexPatternSet |
| WAFv2 RuleGroup |
| WAFv2 ManagedRuleSet |
AWS::WAFv2::RuleGroup |
is associated with |
WAFv2 IPSet |
| WAFv2 RegexPatternSet |
AWS::WAFv2::ManagedRuleSet |
is associated with |
WAFv2 RuleGroup |
*The AWS WAFv2 resource type values are available in all the AWS Regions where AWS
WAFv2 is supported.
AWS X-Ray
| AWS Service |
Resource Type Value |
Relationship |
Related Resource |
| AWS X-Ray |
AWS::XRay::EncryptionConfig |
NA |
NA |
Elastic Load Balancing
| AWS Service |
Resource Type Value |
Relationship |
Related Resource |
| Elastic Load Balancing |
Application Load Balancer
AWS::ElasticLoadBalancingV2::LoadBalancer
|
is associated with |
EC2 security group |
| is attached to |
Subnet |
| is contained in |
Virtual private cloud (VPC) |
|
Classic Load Balancer
AWS::ElasticLoadBalancing::LoadBalancer
|
is associated with |
EC2 security group |
| is attached to |
Subnet |
| is contained in |
Virtual private cloud (VPC) |
|
Network Load Balancer
AWS::ElasticLoadBalancingV2::LoadBalancer
|
NA |
NA |