Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.
Supported Resource Types
Amazon Config supports the following Amazon resources types and resource relationships. Some regions
support a subset of these resource types. What is available in the Amazon Config Console in a given
region is the source of truth regarding what is, or is not, supported in a given region.
Advanced Queries for Amazon Config supports a subset of these resource types. For a list of those
supported resource types, see Supported Resource Types for Advanced Queries.
Periodic rules can run on resources that Amazon Config recording does not support and can be run
without the configuration recorder being enabled. Periodic rules do not depend on
configuration items. For more information on the difference between change–triggered rules and
periodic rules, see Evaluation Mode and Trigger Types for Amazon Config Rules.
When Amazon Config onboards new resource types, the default resources for the new resource types
will be discovered during the account baselining process. If you have the configuration
recorder set up to record all supported resource types, you may receive notifications for
default resources while a new resource type is in the process of onboarding. The public
documentation will be updated once the onboarding process is complete.
Amazon API Gateway
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| API Gateway |
AWS::ApiGateway::Stage |
is contained in |
ApiGateway Rest Api |
| is associated with |
WAFRegional WebACL |
AWS::ApiGateway::RestApi |
contains |
ApiGateway Stage |
| API Gateway V2 |
AWS::ApiGatewayV2::Stage |
is contained in |
ApiGatewayV2 Api |
AWS::ApiGatewayV2::Api |
contains |
ApiGatewayV2 Stage |
To learn more about how Amazon Config integrates with Amazon API Gateway, see Monitoring API Gateway API Configuration with
Amazon Config.
Amazon Athena
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Athena |
AWS::Athena::WorkGroup |
NA |
NA |
AWS::Athena::DataCatalog |
NA |
NA |
Amazon CloudFront
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon CloudFront* |
AWS::CloudFront::Distribution |
is associated with |
Amazon WAF WebACL |
| ACM Certificate |
| S3 Bucket |
| IAM Server Certificate |
AWS::CloudFront::StreamingDistribution |
is associated with |
Amazon WAF WebACL |
| ACM Certificate |
| S3 Bucket |
| IAM Server Certificate |
*Amazon Config support for Amazon CloudFront is available only in the US East
(N. Virginia) region.
Amazon CloudWatch
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon CloudWatch |
AWS::CloudWatch::Alarm |
NA |
NA |
| Amazon CloudWatch RUM |
AWS::RUM::AppMonitor |
NA |
NA |
Amazon Detective
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Detective |
AWS::Detective::Graph |
NA |
NA |
Amazon DynamoDB
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon DynamoDB |
AWS::DynamoDB::Table |
NA |
NA |
Amazon Elastic Compute Cloud
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Elastic Compute Cloud |
AWS::EC2::Host* |
contains |
EC2 instance |
AWS::EC2::EIP |
is attached to |
EC2 instance |
| Network interface |
AWS::EC2::Instance |
contains |
EC2 network interface |
| is associated with |
EC2 security group |
| is attached to |
Amazon EBS volume |
| EC2 Elastic IP (EIP) |
| is contained in |
EC2 Dedicated host |
| Route table |
| Subnet |
| Virtual private cloud (VPC) |
AWS::EC2::NetworkInterface |
is associated with |
EC2 security group |
| is attached to |
EC2 Elastic IP (EIP) |
| EC2 instance |
| is contained in |
Route table |
| Subnet |
| Virtual private cloud (VPC) |
AWS::EC2::SecurityGroup* |
is associated with |
EC2 instance |
| EC2 network interface |
| Virtual private cloud (VPC) |
AWS::EC2::NatGateway |
is contained in |
Virtual private cloud (VPC) |
| is contained in |
Subnet |
AWS::EC2::EgressOnlyInternetGateway |
is attached to |
Virtual private cloud (VPC) |
AWS::EC2::FlowLog |
NA |
NA |
AWS::EC2::TransitGateway |
NA |
NA |
AWS::EC2::TransitGatewayAttachment |
is attached to |
Virtual private cloud (VPC) |
AWS::EC2::TransitGatewayRouteTable |
NA |
NA |
AWS::EC2::VPCEndpoint |
is contained in |
Virtual private cloud (VPC) |
| is attached to |
Network interface |
| is contained in |
Subnet |
| is contained in |
Route table |
AWS::EC2::VPCEndpointService |
is associated with |
ElasticLoadBalancingV2 LoadBalancer |
AWS::EC2::VPCPeeringConnection |
is associated with |
Virtual private cloud (VPC) |
AWS::EC2::RegisteredHAInstance |
is associated with |
EC2 instance |
AWS::EC2::LaunchTemplate |
NA |
NA |
AWS::EC2::NetworkInsightsAccessScopeAnalysis |
NA |
NA |
| Amazon Elastic Block Store |
AWS::EC2::Volume |
is attached to |
EC2 instance |
| EC2 Image Builder |
AWS::ImageBuilder::ContainerRecipe |
NA |
NA |
AWS::ImageBuilder::DistributionConfiguration |
NA |
NA |
AWS::ImageBuilder::InfrastructureConfiguration |
NA |
NA |
*Amazon Config records the configuration details of Dedicated hosts and
the instances that you launch on them. As a result, you can use Amazon Config as a data source when you
report compliance with your server-bound software licenses. For example, you can view the
configuration history of an instance and determine which Amazon Machine Image (AMI) it is
based on. Then, you can look up the configuration history of the host, which includes details
such as the numbers of sockets and cores, to check that the host complies with the license
requirements of the AMI. For more information, see Tracking Configuration Changes with Amazon Config in the Amazon EC2 User Guide for Linux Instances.
*The EC2 SecurityGroup Properties definition contains IP CIDR
blocks, which are converted to IP ranges internally, and may return unexpected results when
trying to find a specific IP range. For workarounds to search for specific IP ranges, see
Limitations for
Advanced Queries.
Amazon Elastic Container Registry
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Elastic Container Registry |
AWS::ECR::Repository |
NA |
NA |
AWS::ECR::RegistryPolicy |
NA |
NA |
Amazon Elastic Container Registry Public
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Elastic Container Registry Public* |
AWS::ECR::PublicRepository |
NA |
NA |
*Amazon Config support for Amazon Elastic Container Registry Public is available only in the
US East (N. Virginia) Region.
Amazon Elastic Container Service
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Elastic Container Service |
AWS::ECS::Cluster |
NA |
NA |
AWS::ECS::TaskDefinition |
NA |
NA |
AWS::ECS::Service* |
NA |
NA |
*This service currently only support the new Amazon Resource
Name (ARN) format. For more information, see Amazon Resource Names (ARNs) and IDs in the ECS developer guide.
Old (not supported):
arn:aws:ecs:region:aws_account_id:service/service-name
New (supported):
arn:aws:ecs:region:aws_account_id:service/cluster-name/service-name
Amazon Elastic File System
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Elastic File System |
AWS::EFS::FileSystem |
NA |
NA |
AWS::EFS::AccessPoint |
NA |
NA |
Amazon Elastic Kubernetes Service
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Elastic Kubernetes Service |
AWS::EKS::Cluster |
NA |
NA |
AWS::EKS::FargateProfile |
NA |
NA |
Amazon EMR
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon EMR |
AWS::EMR::SecurityConfiguration |
NA |
NA |
Amazon EventBridge
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon EventBridge |
AWS::Events::EventBus |
NA |
NA |
AWS::Events::ApiDestination |
NA |
NA |
AWS::Events::Archive |
NA |
NA |
AWS::Events::Endpoint |
NA |
NA |
| Amazon EventBridge schemas |
AWS::EventSchemas::Registry |
NA |
NA |
AWS::EventSchemas::RegistryPolicy |
NA |
NA |
AWS::EventSchemas::Discoverer |
NA |
NA |
Amazon Fraud Detector
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Fraud Detector |
AWS::FraudDetector::Label |
NA |
NA |
AWS::FraudDetector::EntityType |
NA |
NA |
AWS::FraudDetector::Variable |
NA |
NA |
AWS::FraudDetector::Outcome |
NA |
NA |
Amazon GuardDuty
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon GuardDuty |
AWS::GuardDuty::Detector |
NA |
NA |
AWS::GuardDuty::ThreatIntelSet |
NA |
NA |
AWS::GuardDuty::IPSet |
NA |
NA |
AWS::GuardDuty::Filter |
NA |
NA |
Amazon OpenSearch Service
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon OpenSearch Service |
AWS::Elasticsearch::Domain |
is associated with |
KMS Key |
| EC2 security group |
| EC2 subnet |
| Virtual private cloud (VPC) |
AWS::OpenSearch::Domain |
NA |
NA |
On September 8, 2021, Amazon Elasticsearch Service was renamed to Amazon OpenSearch Service. OpenSearch Service supports OpenSearch as well as legacy Elasticsearch OSS.
For more information, see Amazon OpenSearch Service - Summary of changes.
You may continue to see your data for AWS::OpenSearch::Domain under the existing AWS::Elasticsearch::Domain resource type for several weeks, even if you upgrade one or more domains to OpenSearch.
Amazon Quantum Ledger Database (Amazon QLDB)
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon QLDB |
AWS::QLDB::Ledger |
NA |
NA |
Amazon Kinesis
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Kinesis |
AWS::Kinesis::Stream |
NA |
NA |
AWS::Kinesis::StreamConsumer |
NA |
NA |
Amazon Lightsail
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Lightsail |
AWS::Lightsail::Disk |
NA |
NA |
AWS::Lightsail::Certificate |
NA |
NA |
AWS::Lightsail::Bucket |
NA |
NA |
AWS::Lightsail::StaticIp |
NA |
NA |
Amazon MQ
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon MQ |
AWS::AmazonMQ::Broker |
NA |
NA |
Amazon Managed Streaming for Apache Kafka
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Managed Streaming for Apache Kafka |
AWS::MSK::Cluster |
NA |
NA |
Amazon Redshift
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Redshift |
AWS::Redshift::Cluster |
is associated with |
Cluster parameter group |
| Cluster security group |
| Cluster subnet group |
| Security group |
| Virtual private cloud (VPC) |
AWS::Redshift::ClusterParameterGroup |
NA |
NA |
AWS::Redshift::ClusterSecurityGroup |
NA |
NA |
AWS::Redshift::ClusterSnapshot |
is associated with |
Cluster |
| Virtual private cloud (VPC) |
AWS::Redshift::ClusterSubnetGroup |
is associated with |
Subnet |
| Virtual private cloud (VPC) |
AWS::Redshift::EventSubscription |
NA |
NA |
Amazon Relational Database Service
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Relational Database Service |
AWS::RDS::DBInstance |
is associated with |
EC2 security group |
| RDS DB security group |
| RDS DB subnet group |
AWS::RDS::DBSecurityGroup |
is associated with |
EC2 security group |
| Virtual private cloud (VPC) |
AWS::RDS::DBSnapshot |
is associated with |
Virtual private cloud (VPC) |
AWS::RDS::DBSubnetGroup |
is associated with |
EC2 security group |
| Virtual private cloud (VPC) |
AWS::RDS::EventSubscription |
NA |
NA |
AWS::RDS::DBCluster |
contains |
RDS DB instance |
| is associated with |
RDS DB subnet group |
| EC2 security group |
AWS::RDS::DBClusterSnapshot |
Is associated with |
RDS DB cluster |
| Virtual private cloud (VPC) |
Amazon Route 53
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Route 53 |
AWS::Route53::HostedZone* |
NA |
NA |
AWS::Route53::HealthCheck* |
NA |
NA |
| Amazon Route 53 Resolver |
AWS::Route53Resolver::ResolverEndpoint |
NA |
NA |
AWS::Route53Resolver::ResolverRule |
NA |
NA |
AWS::Route53Resolver::ResolverRuleAssociation |
NA |
NA |
| Amazon Route 53 Application Recovery Controller |
AWS::Route53RecoveryReadiness::Cell |
NA |
NA |
AWS::Route53RecoveryReadiness::ReadinessCheck |
NA |
NA |
AWS::Route53RecoveryReadiness::RecoveryGroup |
NA |
NA |
*Amazon Config support for these Amazon Route 53 resource types are available only in the
US East (N. Virginia) Region.
Amazon SageMaker
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon SageMaker |
AWS::SageMaker::CodeRepository |
NA |
NA |
AWS::SageMaker::Model |
NA |
NA |
AWS::SageMaker::NotebookInstance |
NA |
NA |
AWS::SageMaker::NotebookInstanceLifecycleConfig |
NA |
NA |
AWS::SageMaker::EndpointConfig |
NA |
NA |
AWS::SageMaker::Workteam |
NA |
NA |
Amazon Simple Email Service
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Simple Email Service |
AWS::SES::ConfigurationSet |
NA |
NA |
AWS::SES::ContactList |
NA |
NA |
AWS::SES::Template |
NA |
NA |
AWS::SES::ReceiptFilter |
NA |
NA |
AWS::SES::ReceiptRuleSet |
NA |
NA |
Amazon Simple Notification Service
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Simple Notification Service |
AWS::SNS::Topic |
NA |
NA |
Amazon Simple Queue Service
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Simple Queue Service |
AWS::SQS::Queue |
NA |
NA |
Amazon Simple Storage Service
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Simple Storage Service |
AWS::S3::Bucket* |
NA |
NA |
AWS::S3::AccountPublicAccessBlock |
NA |
NA |
*If you configured Amazon Config to record your S3 buckets, and are not
receiving configuration change notifications, check that your S3 bucket policies have the
required permissions. For more information, see Managing Permissions for S3
Bucket Recording.
Amazon S3 Bucket Attributes
Amazon Config also records the following attributes for the Amazon S3 bucket resource type.
| Attributes |
Description |
| AccelerateConfiguration |
Transfer acceleration for data over long distances between your client and a
bucket. |
| BucketAcl |
Access control list used to manage access to buckets and objects. |
| BucketPolicy |
Policy that defines the permissions to the bucket. |
| CrossOriginConfiguration |
Allow cross-origin requests to the bucket. |
| LifecycleConfiguration |
Rules that define the lifecycle for objects in your bucket. |
| LoggingConfiguration |
Logging used to track requests for access to the bucket. |
| NotificationConfiguration |
Event notifications used to send alerts or trigger workflows for specified bucket
events. |
| ReplicationConfiguration |
Automatic, asynchronous copying of objects across buckets in different Amazon
Regions. |
| RequestPaymentConfiguration |
Requester pays is enabled. |
| TaggingConfiguration |
Tags added to the bucket to categorize. You can also use tagging to track
billing. |
| WebsiteConfiguration |
Static website hosting is enabled for the bucket. |
| VersioningConfiguration |
Versioning is enabled for objects in the bucket. |
For more information about the attributes, see Bucket Configuration
Options in the Amazon Simple Storage Service User Guide.
Amazon Virtual Private Cloud
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Virtual Private Cloud |
AWS::EC2::CustomerGateway |
is attached to |
VPN connection |
AWS::EC2::InternetGateway |
is attached to |
Virtual private cloud (VPC) |
AWS::EC2::NetworkAcl |
NA |
NA |
AWS::EC2::RouteTable |
contains |
EC2 instance |
| EC2 network interface |
| Subnet |
| VPN gateway |
| is contained in |
Virtual private cloud (VPC) |
AWS::EC2::Subnet |
contains |
EC2 instance |
| EC2 network interface |
| is attached to |
Network ACL |
| is contained in |
Route table |
| Virtual private cloud (VPC) |
AWS::EC2::VPC |
contains |
EC2 instance |
| EC2 network interface |
| Network ACL |
| Route table |
| Subnet |
| is associated with |
Security group |
| is attached to |
Internet gateway |
| VPN gateway |
AWS::EC2::VPNConnection |
is attached to |
Customer gateway |
| VPN gateway |
AWS::EC2::VPNGateway |
is attached to |
Virtual private cloud (VPC) |
| VPN connection |
| is contained in |
Route table |
Amazon WorkSpaces
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon WorkSpaces |
AWS::WorkSpaces::ConnectionAlias |
NA |
NA |
AWS::WorkSpaces::Workspace |
NA |
NA |
Amazon AppConfig
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon AppConfig |
AWS::AppConfig::Application |
NA |
NA |
AWS::AppConfig::Environment |
NA |
NA |
AWS::AppConfig::ConfigurationProfile |
NA |
NA |
Amazon AppSync
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon AppSync |
AWS::AppSync::GraphQLApi |
NA |
NA |
Amazon Auto Scaling
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Auto Scaling |
AWS::AutoScaling::AutoScalingGroup |
contains |
Amazon EC2 instance |
| is associated with |
Classic Load Balancer |
| Auto Scaling launch configuration |
| Subnet |
AWS::AutoScaling::LaunchConfiguration |
is associated with |
Amazon EC2 security group |
AWS::AutoScaling::ScalingPolicy |
is associated with |
Auto Scaling group |
| Alarm |
AWS::AutoScaling::ScheduledAction |
is associated with |
Auto Scaling group |
Amazon Backup
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Backup |
AWS::Backup::BackupPlan |
NA |
NA* |
AWS::Backup::BackupSelection |
NA |
NA |
AWS::Backup::BackupVault |
NA |
NA* |
AWS::Backup::RecoveryPoint |
NA |
NA |
AWS::Backup::ReportPlan |
NA |
NA |
Due to how Amazon Backup works, some of these resource types relate to the other Amazon Backup
resource types in this table.
AWS::Backup::BackupPlan is related to
AWS::Backup::BackupSelection where a Backup Plan has many selections, and
AWS::Backup::BackupVault is related to AWS::Backup::RecoveryPoint
where an Amazon Backup Vault has multiple recovery points.
For more information, see Managing
backups using backup plans and Working with
backup vaults.
Amazon Batch
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Batch |
AWS::Batch::JobQueue |
NA |
NA |
AWS::Batch::ComputeEnvironment |
NA |
NA |
Amazon Certificate Manager
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Certificate Manager |
AWS::ACM::Certificate |
NA |
NA |
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon CloudFormation |
AWS::CloudFormation::Stack* |
contains |
Supported Amazon resource types |
*Amazon Config records configuration changes to Amazon CloudFormation stacks and
supported resource types in the stacks. Amazon Config does not record configuration changes for
resource types in the stack that are not yet supported. Unsupported resource types appear in
the supplementary configuration section of the configuration item for the stack.
Amazon CloudTrail
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon CloudTrail |
AWS::CloudTrail::Trail |
NA |
NA |
Amazon Cloud9
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Cloud9 |
AWS::Cloud9::EnvironmentEC2 |
NA |
NA |
Amazon Cloud Map
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Service Discovery |
AWS::ServiceDiscovery::Service |
NA |
NA |
AWS::ServiceDiscovery::PublicDnsNamespace |
NA |
NA |
AWS::ServiceDiscovery::HttpNamespace |
NA |
NA |
Amazon CodeBuild
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon CodeBuild |
AWS::CodeBuild::Project* |
is associated with |
S3 bucket |
| IAM role |
*To learn more about how Amazon Config integrates with Amazon CodeBuild, see
Use Amazon Config with Amazon CodeBuild
Sample.
Amazon CodeDeploy
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon CodeDeploy |
AWS::CodeDeploy::Application |
contains |
DeploymentGroup |
AWS::CodeDeploy::DeploymentConfig |
NA |
NA |
AWS::CodeDeploy::DeploymentGroup |
is contained in |
Application |
Amazon CodePipeline
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon CodePipeline |
AWS::CodePipeline::Pipeline* |
is attached to |
S3 bucket |
| is associated with |
IAM role |
| Code project |
| Lambda function |
| Cloudformation stack |
| ElasticBeanstalk application |
*Amazon Config records configuration changes to CodePipeline pipelines and
supported resource types in the pipelines. Amazon Config does not record configuration changes for
resource types in the pipelines that are not yet supported. Unsupported resource types such as
CodeCommit repository, CodeDeploy application, ECS cluster, and ECS
service appear in the supplementary configuration section of the configuration item
for the stack.
Amazon Config
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Config |
AWS::Config::ResourceCompliance* |
is associated with |
All resources* |
AWS::Config::ConformancePackCompliance |
NA |
NA |
AWS::Config::ConfigurationRecorder* |
NA |
NA |
*The relationship between
AWS::Config::ResourceCompliance and a related resource depends on how
AWS::Config::ResourceCompliance reports compliance for that specific resource
type.
*AWS::Config::ConfigurationRecorder is a system resource type of Amazon Config and recording of this resource type is enabled by default.
Recording for the AWS::Config::ConformancePackCompliance and AWS::Config::ConfigurationRecorder resource types come with no additional charge.
Amazon Database Migration Service
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Database Migration Service |
AWS::DMS::EventSubscription |
NA |
NA |
AWS::DMS::ReplicationSubnetGroup |
NA |
NA |
AWS::DMS::ReplicationInstance |
NA |
NA |
AWS::DMS::ReplicationTask |
NA |
NA |
AWS::DMS::Certificate |
NA |
NA |
Amazon DataSync
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon DataSync |
AWS::DataSync::LocationSMB |
NA |
NA |
AWS::DataSync::LocationFSxLustre |
NA |
NA |
AWS::DataSync::LocationFSxWindows |
NA |
NA |
AWS::DataSync::LocationS3 |
NA |
NA |
AWS::DataSync::LocationEFS |
NA |
NA |
AWS::DataSync::LocationNFS |
NA |
NA |
AWS::DataSync::LocationHDFS |
NA |
NA |
AWS::DataSync::LocationObjectStorage |
NA |
NA |
AWS::DataSync::Task |
NA |
NA |
Amazon Elastic Beanstalk
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Elastic Beanstalk |
AWS::ElasticBeanstalk::Application |
contains |
Elastic Beanstalk Application Version |
| Elastic Beanstalk Environment |
| is associated with |
IAM role |
AWS::ElasticBeanstalk::ApplicationVersion |
is contained in |
Elastic Beanstalk Application |
| is associated with |
Elastic Beanstalk Environment |
| S3 bucket |
AWS::ElasticBeanstalk::Environment |
is contained in |
Elastic Beanstalk Application |
| is associated with |
Elastic Beanstalk Application Version |
| IAM role |
| contains |
CloudFormation Stack |
Amazon Fault Injection Simulator
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Fault Injection Simulator |
AWS::FIS::ExperimentTemplate |
NA |
NA |
Amazon Global Accelerator
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Global Accelerator |
AWS::GlobalAccelerator::Listener* |
NA |
NA |
AWS::GlobalAccelerator::EndpointGroup* |
NA |
NA |
AWS::GlobalAccelerator::Accelerator* |
NA |
NA |
*This resource is only available in US West (Oregon) Region.
Amazon Glue
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Glue |
AWS::Glue::Job |
NA |
NA |
AWS::Glue::Classifier |
NA |
NA |
Amazon Identity and Access Management
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Identity and Access Management |
AWS::IAM::User |
is attached to |
IAM group |
| IAM customer managed policy |
AWS::IAM::Group |
contains |
IAM user |
| is attached to |
IAM customer managed policy |
AWS::IAM::Role |
is attached to |
IAM customer managed policy |
AWS::IAM::Policy |
is attached to |
IAM user |
| IAM group |
| IAM role |
| Amazon Identity and Access Management Access Analyzer |
AWS::AccessAnalyzer::Analyzer |
NA |
NA |
Amazon Config includes inline policies with the configuration details that it records. For more
information on inline policies, see Managed policies
and inline policies in the IAM User Guide.
Amazon IoT
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon IoT |
AWS::IoT::Authorizer |
NA |
NA |
AWS::IoT::SecurityProfile |
NA |
NA |
AWS::IoT::RoleAlias |
NA |
NA |
AWS::IoT::Dimension |
NA |
NA |
| Amazon IoT Analytics |
AWS::IoTAnalytics::Datastore |
NA |
NA |
| Amazon IoT Events |
AWS::IoTEvents::Input |
NA |
NA |
AWS::IoTEvents::DetectorModel |
NA |
NA |
AWS::IoTEvents::AlarmModel |
NA |
NA |
Amazon Key Management Service
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Key Management Service |
AWS::KMS::Key |
NA |
NA |
AWS::KMS::Alias |
NA |
NA |
Amazon Lambda Function
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Lambda Function |
AWS::Lambda::Function |
is associated with |
IAM role |
| EC2 security group |
| is contained in |
EC2 subnet |
Amazon Network Firewall
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Network Firewall |
AWS::NetworkFirewall::Firewall |
is attached to |
EC2 Subnet |
| is associated with |
NetworkFirewall FirewallPolicy |
AWS::NetworkFirewall::FirewallPolicy |
is associated with |
NetworkFirewall RuleGroup |
AWS::NetworkFirewall::RuleGroup |
NA |
NA |
Amazon Resilience Hub
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Resilience Hub |
AWS::ResilienceHub::ResiliencyPolicy |
NA |
NA |
Amazon Secrets Manager
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Secrets Manager |
AWS::SecretsManager::Secret |
is associated with |
Lambda function |
| is associated with |
KMS Key |
Service Catalog
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Service Catalog |
AWS::ServiceCatalog::CloudFormationProduct |
is contained in |
Portfolio |
| is associated with |
CloudFormationProvisionedProduct |
AWS::ServiceCatalog::CloudFormationProvisionedProduct |
is associated with |
Portfolio |
| CloudFormationProduct |
| CloudFormationStack |
AWS::ServiceCatalog::Portfolio |
contains |
CloudFormationProduct |
Amazon Shield
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Shield* |
AWS::Shield::Protection |
is associated with |
Amazon CloudFront distribution |
AWS::ShieldRegional::Protection |
is associated with |
EC2 EIP |
| is associated with |
ElasticLoadBalancing Balancer |
| is associated with |
ElasticLoadBalancingV2 LoadBalancer |
*Amazon Config support for AWS::Shield::Protection is
available only in the US East (N. Virginia) Region. The
AWS::ShieldRegional::Protection is available in all regions where Amazon Shield is
supported.
Amazon Step Functions
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Step Functions |
AWS::StepFunctions::Activity |
NA |
NA |
AWS::StepFunctions::StateMachine |
NA |
NA |
Amazon Systems Manager
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Systems Manager |
AWS::SSM::ManagedInstanceInventory* |
is associated with |
EC2 instance |
AWS::SSM::PatchCompliance |
is associated with |
Managed Instance Inventory |
AWS::SSM::AssociationCompliance |
is associated with |
Managed Instance Inventory |
AWS::SSM::FileData |
is associated with |
Managed Instance Inventory |
*To learn more about managed instance inventory, see Recording Software Configuration for Managed Instances.
Amazon Transfer Family
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon Transfer Family |
AWS::Transfer::Workflow |
NA |
NA |
Amazon WAF
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon WAF* |
AWS::WAF::RateBasedRule |
NA |
NA |
AWS::WAF::Rule |
NA |
NA |
AWS::WAF::WebACL |
is associated with |
WAF Rule |
| WAF rate based rule |
| WAF Rulegroup |
AWS::WAF::RuleGroup |
is associated with |
WAF Rule |
AWS::WAFRegional::RateBasedRule |
NA |
NA |
AWS::WAFRegional::Rule |
NA |
NA |
AWS::WAFRegional::WebACL |
is associated with |
ElasticLoadBalancingV2 LoadBalancer |
| WAFRegional Rule |
| WAFRegional rate based rule |
| WAFRegional Rulegroup |
AWS::WAFRegional::RuleGroup |
is associated with |
WAFRegional Rule |
| Amazon WAF V2* |
AWS::WAFv2::WebACL |
is associated with |
ElasticLoadBalancingV2 LoadBalancer |
| ApiGateway Stage |
| WAFv2 IPSet |
| WAFv2 RegexPatternSet |
| WAFv2 RuleGroup |
| WAFv2 ManagedRuleSet |
AWS::WAFv2::RuleGroup |
is associated with |
WAFv2 IPSet |
| WAFv2 RegexPatternSet |
AWS::WAFv2::ManagedRuleSet |
is associated with |
WAFv2 RuleGroup |
AWS::WAFv2::IPSet |
NA |
NA |
AWS::WAFv2::RegexPatternSet |
NA |
NA |
Amazon Config support for the Amazon WAF resource types are available only in the
US East (N. Virginia) Region.
Amazon Config support for the Amazon WAF Regional and Amazon WAF V2 resource types are available in all the
Amazon Web Services Regions where Amazon WAF and Amazon WAF V2 are supported, respectively.
Amazon X-Ray
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Amazon X-Ray |
AWS::XRay::EncryptionConfig |
NA |
NA |
Elastic Load Balancing
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| Elastic Load Balancing |
Application Load Balancer
AWS::ElasticLoadBalancingV2::LoadBalancer
|
is associated with |
EC2 security group |
| is attached to |
Subnet |
| is contained in |
Virtual private cloud (VPC) |
Application Load Balancer Listener
AWS::ElasticLoadBalancingV2::Listener
|
NA |
NA |
Classic Load Balancer
AWS::ElasticLoadBalancing::LoadBalancer
|
is associated with |
EC2 security group |
| is attached to |
Subnet |
| is contained in |
Virtual private cloud (VPC) |
Network Load Balancer
AWS::ElasticLoadBalancingV2::LoadBalancer
|
NA |
NA |
| Amazon Service |
Resource Type Value |
Relationship |
Related Resource |
| AWS Elemental MediaPackage |
AWS::MediaPackage::PackagingGroup |
NA |
NA |