Supported Resource Types - Amazon Config
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Supported Resource Types

Amazon Config supports the following Amazon resources types and resource relationships. Some regions support a subset of these resource types. What is available in the Amazon Config Console in a given region is the source of truth regarding what is, or is not, supported in a given region.

Advanced Queries for Amazon Config supports a subset of these resource types. For a list of those supported resource types, see Supported Resource Types for Advanced Queries.

Note

Periodic rules can run on resources that Amazon Config recording does not support and can be run without the configuration recorder being enabled. Periodic rules do not depend on configuration items. For more information on the difference between change–triggered rules and periodic rules, see Evaluation Mode and Trigger Types for Amazon Config Rules.

When Amazon Config onboards new resource types, the default resources for the new resource types will be discovered during the account baselining process. If you have the configuration recorder set up to record all supported resource types, you may receive notifications for default resources while a new resource type is in the process of onboarding. The public documentation will be updated once the onboarding process is complete.

Amazon API Gateway

Amazon Service Resource Type Value Relationship Related Resource
API Gateway AWS::ApiGateway::Stage is contained in ApiGateway Rest Api
is associated with WAFRegional WebACL
AWS::ApiGateway::RestApi contains ApiGateway Stage
API Gateway V2 AWS::ApiGatewayV2::Stage is contained in ApiGatewayV2 Api
AWS::ApiGatewayV2::Api contains ApiGatewayV2 Stage

To learn more about how Amazon Config integrates with Amazon API Gateway, see Monitoring API Gateway API Configuration with Amazon Config.

Amazon Athena

Amazon Service Resource Type Value Relationship Related Resource
Amazon Athena AWS::Athena::WorkGroup NA NA
AWS::Athena::DataCatalog NA NA

Amazon CloudFront

Amazon Service Resource Type Value Relationship Related Resource
Amazon CloudFront* AWS::CloudFront::Distribution is associated with Amazon WAF WebACL
ACM Certificate
S3 Bucket
IAM Server Certificate
AWS::CloudFront::StreamingDistribution is associated with Amazon WAF WebACL
ACM Certificate
S3 Bucket
IAM Server Certificate

*Amazon Config support for Amazon CloudFront is available only in the US East (N. Virginia) region.

Amazon CloudWatch

Amazon Service Resource Type Value Relationship Related Resource
Amazon CloudWatch AWS::CloudWatch::Alarm NA NA
Amazon CloudWatch RUM AWS::RUM::AppMonitor NA NA

Amazon Detective

Amazon Service Resource Type Value Relationship Related Resource
Amazon Detective AWS::Detective::Graph NA NA

Amazon DynamoDB

Amazon Service Resource Type Value Relationship Related Resource
Amazon DynamoDB AWS::DynamoDB::Table NA NA

Amazon Elastic Compute Cloud

Amazon Service Resource Type Value Relationship Related Resource
Amazon Elastic Compute Cloud AWS::EC2::Host* contains EC2 instance
AWS::EC2::EIP is attached to EC2 instance
Network interface
AWS::EC2::Instance contains EC2 network interface
is associated with EC2 security group
is attached to Amazon EBS volume
EC2 Elastic IP (EIP)
is contained in EC2 Dedicated host
Route table
Subnet
Virtual private cloud (VPC)
AWS::EC2::NetworkInterface is associated with EC2 security group
is attached to EC2 Elastic IP (EIP)
EC2 instance
is contained in Route table
Subnet
Virtual private cloud (VPC)
AWS::EC2::SecurityGroup* is associated with EC2 instance
EC2 network interface
Virtual private cloud (VPC)
AWS::EC2::NatGateway is contained in Virtual private cloud (VPC)
is contained in Subnet
AWS::EC2::EgressOnlyInternetGateway is attached to Virtual private cloud (VPC)
AWS::EC2::FlowLog NA NA
AWS::EC2::TransitGateway NA NA
AWS::EC2::TransitGatewayAttachment is attached to Virtual private cloud (VPC)
AWS::EC2::TransitGatewayRouteTable NA NA
AWS::EC2::VPCEndpoint is contained in Virtual private cloud (VPC)
is attached to Network interface
is contained in Subnet
is contained in Route table
AWS::EC2::VPCEndpointService is associated with ElasticLoadBalancingV2 LoadBalancer
AWS::EC2::VPCPeeringConnection is associated with Virtual private cloud (VPC)
AWS::EC2::RegisteredHAInstance is associated with EC2 instance
AWS::EC2::LaunchTemplate NA NA
AWS::EC2::NetworkInsightsAccessScopeAnalysis NA NA
Amazon Elastic Block Store AWS::EC2::Volume is attached to EC2 instance
EC2 Image Builder AWS::ImageBuilder::ContainerRecipe NA NA
AWS::ImageBuilder::DistributionConfiguration NA NA
AWS::ImageBuilder::InfrastructureConfiguration NA NA

*Amazon Config records the configuration details of Dedicated hosts and the instances that you launch on them. As a result, you can use Amazon Config as a data source when you report compliance with your server-bound software licenses. For example, you can view the configuration history of an instance and determine which Amazon Machine Image (AMI) it is based on. Then, you can look up the configuration history of the host, which includes details such as the numbers of sockets and cores, to check that the host complies with the license requirements of the AMI. For more information, see Tracking Configuration Changes with Amazon Config in the Amazon EC2 User Guide for Linux Instances.

*The EC2 SecurityGroup Properties definition contains IP CIDR blocks, which are converted to IP ranges internally, and may return unexpected results when trying to find a specific IP range. For workarounds to search for specific IP ranges, see Limitations for Advanced Queries.

Amazon Elastic Container Registry

Amazon Service Resource Type Value Relationship Related Resource
Amazon Elastic Container Registry AWS::ECR::Repository NA NA
AWS::ECR::RegistryPolicy NA NA

Amazon Elastic Container Registry Public

Amazon Service Resource Type Value Relationship Related Resource
Amazon Elastic Container Registry Public* AWS::ECR::PublicRepository NA NA

*Amazon Config support for Amazon Elastic Container Registry Public is available only in the US East (N. Virginia) Region.

Amazon Elastic Container Service

Amazon Service Resource Type Value Relationship Related Resource
Amazon Elastic Container Service AWS::ECS::Cluster NA NA
AWS::ECS::TaskDefinition NA NA
AWS::ECS::Service* NA NA

*This service currently only support the new Amazon Resource Name (ARN) format. For more information, see Amazon Resource Names (ARNs) and IDs in the ECS developer guide.

Old (not supported): arn:aws:ecs:region:aws_account_id:service/service-name

New (supported): arn:aws:ecs:region:aws_account_id:service/cluster-name/service-name

Amazon Elastic File System

Amazon Service Resource Type Value Relationship Related Resource
Amazon Elastic File System AWS::EFS::FileSystem NA NA
AWS::EFS::AccessPoint NA NA

Amazon Elastic Kubernetes Service

Amazon Service Resource Type Value Relationship Related Resource
Amazon Elastic Kubernetes Service AWS::EKS::Cluster NA NA
AWS::EKS::FargateProfile NA NA

Amazon EMR

Amazon Service Resource Type Value Relationship Related Resource
Amazon EMR AWS::EMR::SecurityConfiguration NA NA

Amazon EventBridge

Amazon Service Resource Type Value Relationship Related Resource
Amazon EventBridge AWS::Events::EventBus NA NA
AWS::Events::ApiDestination NA NA
AWS::Events::Archive NA NA
AWS::Events::Endpoint NA NA
Amazon EventBridge schemas AWS::EventSchemas::Registry NA NA
AWS::EventSchemas::RegistryPolicy NA NA
AWS::EventSchemas::Discoverer NA NA

Amazon Fraud Detector

Amazon Service Resource Type Value Relationship Related Resource
Amazon Fraud Detector AWS::FraudDetector::Label NA NA
AWS::FraudDetector::EntityType NA NA
AWS::FraudDetector::Variable NA NA
AWS::FraudDetector::Outcome NA NA

Amazon GuardDuty

Amazon Service Resource Type Value Relationship Related Resource
Amazon GuardDuty AWS::GuardDuty::Detector NA NA
AWS::GuardDuty::ThreatIntelSet NA NA
AWS::GuardDuty::IPSet NA NA
AWS::GuardDuty::Filter NA NA

Amazon OpenSearch Service

Amazon Service Resource Type Value Relationship Related Resource
Amazon OpenSearch Service AWS::Elasticsearch::Domain is associated with KMS Key
EC2 security group
EC2 subnet
Virtual private cloud (VPC)
AWS::OpenSearch::Domain NA NA
Note

On September 8, 2021, Amazon Elasticsearch Service was renamed to Amazon OpenSearch Service. OpenSearch Service supports OpenSearch as well as legacy Elasticsearch OSS. For more information, see Amazon OpenSearch Service - Summary of changes.

You may continue to see your data for AWS::OpenSearch::Domain under the existing AWS::Elasticsearch::Domain resource type for several weeks, even if you upgrade one or more domains to OpenSearch.

Amazon Quantum Ledger Database (Amazon QLDB)

Amazon Service Resource Type Value Relationship Related Resource
Amazon QLDB AWS::QLDB::Ledger NA NA

Amazon Kinesis

Amazon Service Resource Type Value Relationship Related Resource
Amazon Kinesis AWS::Kinesis::Stream NA NA
AWS::Kinesis::StreamConsumer NA NA

Amazon Lightsail

Amazon Service Resource Type Value Relationship Related Resource
Amazon Lightsail AWS::Lightsail::Disk NA NA
AWS::Lightsail::Certificate NA NA
AWS::Lightsail::Bucket NA NA
AWS::Lightsail::StaticIp NA NA

Amazon MQ

Amazon Service Resource Type Value Relationship Related Resource
Amazon MQ AWS::AmazonMQ::Broker NA NA

Amazon Managed Streaming for Apache Kafka

Amazon Service Resource Type Value Relationship Related Resource
Amazon Managed Streaming for Apache Kafka AWS::MSK::Cluster NA NA

Amazon Redshift

Amazon Service Resource Type Value Relationship Related Resource
Amazon Redshift AWS::Redshift::Cluster is associated with Cluster parameter group
Cluster security group
Cluster subnet group
Security group
Virtual private cloud (VPC)
AWS::Redshift::ClusterParameterGroup NA NA
AWS::Redshift::ClusterSecurityGroup NA NA
AWS::Redshift::ClusterSnapshot is associated with Cluster
Virtual private cloud (VPC)
AWS::Redshift::ClusterSubnetGroup is associated with Subnet
Virtual private cloud (VPC)
AWS::Redshift::EventSubscription NA NA

Amazon Relational Database Service

Amazon Service Resource Type Value Relationship Related Resource
Amazon Relational Database Service AWS::RDS::DBInstance is associated with EC2 security group
RDS DB security group
RDS DB subnet group
AWS::RDS::DBSecurityGroup is associated with EC2 security group
Virtual private cloud (VPC)
AWS::RDS::DBSnapshot is associated with Virtual private cloud (VPC)
AWS::RDS::DBSubnetGroup is associated with EC2 security group
Virtual private cloud (VPC)
AWS::RDS::EventSubscription NA NA
AWS::RDS::DBCluster contains RDS DB instance
is associated with RDS DB subnet group
EC2 security group
AWS::RDS::DBClusterSnapshot Is associated with RDS DB cluster
Virtual private cloud (VPC)

Amazon Route 53

Amazon Service Resource Type Value Relationship Related Resource
Amazon Route 53 AWS::Route53::HostedZone* NA NA
AWS::Route53::HealthCheck* NA NA
Amazon Route 53 Resolver AWS::Route53Resolver::ResolverEndpoint NA NA
AWS::Route53Resolver::ResolverRule NA NA
AWS::Route53Resolver::ResolverRuleAssociation NA NA
Amazon Route 53 Application Recovery Controller AWS::Route53RecoveryReadiness::Cell NA NA
AWS::Route53RecoveryReadiness::ReadinessCheck NA NA
AWS::Route53RecoveryReadiness::RecoveryGroup NA NA

*Amazon Config support for these Amazon Route 53 resource types are available only in the
 US East (N. Virginia) Region.

Amazon SageMaker

Amazon Service Resource Type Value Relationship Related Resource
Amazon SageMaker AWS::SageMaker::CodeRepository NA NA
AWS::SageMaker::Model NA NA
AWS::SageMaker::NotebookInstance NA NA
AWS::SageMaker::NotebookInstanceLifecycleConfig NA NA
AWS::SageMaker::EndpointConfig NA NA
AWS::SageMaker::Workteam NA NA

Amazon Simple Email Service

Amazon Service Resource Type Value Relationship Related Resource
Amazon Simple Email Service AWS::SES::ConfigurationSet NA NA
AWS::SES::ContactList NA NA
AWS::SES::Template NA NA
AWS::SES::ReceiptFilter NA NA
AWS::SES::ReceiptRuleSet NA NA

Amazon Simple Notification Service

Amazon Service Resource Type Value Relationship Related Resource
Amazon Simple Notification Service AWS::SNS::Topic NA NA

Amazon Simple Queue Service

Amazon Service Resource Type Value Relationship Related Resource
Amazon Simple Queue Service AWS::SQS::Queue NA NA

Amazon Simple Storage Service

Amazon Service Resource Type Value Relationship Related Resource
Amazon Simple Storage Service AWS::S3::Bucket* NA NA
AWS::S3::AccountPublicAccessBlock NA NA

*If you configured Amazon Config to record your S3 buckets, and are not receiving configuration change notifications, check that your S3 bucket policies have the required permissions. For more information, see Managing Permissions for S3 Bucket Recording.

Amazon S3 Bucket Attributes

Amazon Config also records the following attributes for the Amazon S3 bucket resource type.

Attributes Description
AccelerateConfiguration Transfer acceleration for data over long distances between your client and a bucket.
BucketAcl Access control list used to manage access to buckets and objects.
BucketPolicy Policy that defines the permissions to the bucket.
CrossOriginConfiguration Allow cross-origin requests to the bucket.
LifecycleConfiguration Rules that define the lifecycle for objects in your bucket.
LoggingConfiguration Logging used to track requests for access to the bucket.
NotificationConfiguration Event notifications used to send alerts or trigger workflows for specified bucket events.
ReplicationConfiguration Automatic, asynchronous copying of objects across buckets in different Amazon Regions.
RequestPaymentConfiguration Requester pays is enabled.
TaggingConfiguration Tags added to the bucket to categorize. You can also use tagging to track billing.
WebsiteConfiguration Static website hosting is enabled for the bucket.
VersioningConfiguration Versioning is enabled for objects in the bucket.

For more information about the attributes, see Bucket Configuration Options in the Amazon Simple Storage Service User Guide.

Amazon Virtual Private Cloud

Amazon Service Resource Type Value Relationship Related Resource
Amazon Virtual Private Cloud AWS::EC2::CustomerGateway is attached to VPN connection
AWS::EC2::InternetGateway is attached to Virtual private cloud (VPC)
AWS::EC2::NetworkAcl NA NA
AWS::EC2::RouteTable contains EC2 instance
EC2 network interface
Subnet
VPN gateway
is contained in Virtual private cloud (VPC)
AWS::EC2::Subnet contains EC2 instance
EC2 network interface
is attached to Network ACL
is contained in Route table
Virtual private cloud (VPC)
AWS::EC2::VPC contains EC2 instance
EC2 network interface
Network ACL
Route table
Subnet
is associated with Security group
is attached to Internet gateway
VPN gateway
AWS::EC2::VPNConnection is attached to Customer gateway
VPN gateway
AWS::EC2::VPNGateway is attached to Virtual private cloud (VPC)
VPN connection
is contained in Route table

Amazon WorkSpaces

Amazon Service Resource Type Value Relationship Related Resource
Amazon WorkSpaces AWS::WorkSpaces::ConnectionAlias NA NA
AWS::WorkSpaces::Workspace NA NA

Amazon AppConfig

Amazon Service Resource Type Value Relationship Related Resource
Amazon AppConfig AWS::AppConfig::Application NA NA
AWS::AppConfig::Environment NA NA
AWS::AppConfig::ConfigurationProfile NA NA

Amazon AppSync

Amazon Service Resource Type Value Relationship Related Resource
Amazon AppSync AWS::AppSync::GraphQLApi NA NA

Amazon Auto Scaling

Amazon Service Resource Type Value Relationship Related Resource
Amazon Auto Scaling AWS::AutoScaling::AutoScalingGroup contains Amazon EC2 instance
is associated with Classic Load Balancer
Auto Scaling launch configuration
Subnet
AWS::AutoScaling::LaunchConfiguration is associated with Amazon EC2 security group
AWS::AutoScaling::ScalingPolicy is associated with Auto Scaling group
Alarm
AWS::AutoScaling::ScheduledAction is associated with Auto Scaling group

Amazon Backup

Amazon Service Resource Type Value Relationship Related Resource
Amazon Backup AWS::Backup::BackupPlan NA NA*
AWS::Backup::BackupSelection NA NA
AWS::Backup::BackupVault NA NA*
AWS::Backup::RecoveryPoint NA NA
AWS::Backup::ReportPlan NA NA

Due to how Amazon Backup works, some of these resource types relate to the other Amazon Backup resource types in this table.

AWS::Backup::BackupPlan is related to AWS::Backup::BackupSelection where a Backup Plan has many selections, and AWS::Backup::BackupVault is related to AWS::Backup::RecoveryPoint where an Amazon Backup Vault has multiple recovery points.

For more information, see Managing backups using backup plans and Working with backup vaults.

Amazon Batch

Amazon Service Resource Type Value Relationship Related Resource
Amazon Batch AWS::Batch::JobQueue NA NA
AWS::Batch::ComputeEnvironment NA NA

Amazon Certificate Manager

Amazon Service Resource Type Value Relationship Related Resource
Amazon Certificate Manager AWS::ACM::Certificate NA NA

Amazon CloudFormation

Amazon Service Resource Type Value Relationship Related Resource
Amazon CloudFormation AWS::CloudFormation::Stack* contains Supported Amazon resource types

*Amazon Config records configuration changes to Amazon CloudFormation stacks and supported resource types in the stacks. Amazon Config does not record configuration changes for resource types in the stack that are not yet supported. Unsupported resource types appear in the supplementary configuration section of the configuration item for the stack.

Amazon CloudTrail

Amazon Service Resource Type Value Relationship Related Resource
Amazon CloudTrail AWS::CloudTrail::Trail NA NA

Amazon Cloud9

Amazon Service Resource Type Value Relationship Related Resource
Amazon Cloud9 AWS::Cloud9::EnvironmentEC2 NA NA

Amazon Cloud Map

Amazon Service Resource Type Value Relationship Related Resource
Service Discovery AWS::ServiceDiscovery::Service NA NA
AWS::ServiceDiscovery::PublicDnsNamespace NA NA
AWS::ServiceDiscovery::HttpNamespace NA NA

Amazon CodeBuild

Amazon Service Resource Type Value Relationship Related Resource
Amazon CodeBuild AWS::CodeBuild::Project* is associated with S3 bucket
IAM role

*To learn more about how Amazon Config integrates with Amazon CodeBuild, see Use Amazon Config with Amazon CodeBuild Sample.

Amazon CodeDeploy

Amazon Service Resource Type Value Relationship Related Resource
Amazon CodeDeploy AWS::CodeDeploy::Application contains DeploymentGroup
AWS::CodeDeploy::DeploymentConfig NA NA
AWS::CodeDeploy::DeploymentGroup is contained in Application

Amazon CodePipeline

Amazon Service Resource Type Value Relationship Related Resource
Amazon CodePipeline AWS::CodePipeline::Pipeline* is attached to S3 bucket
is associated with IAM role
Code project
Lambda function
Cloudformation stack
ElasticBeanstalk application

*Amazon Config records configuration changes to CodePipeline pipelines and supported resource types in the pipelines. Amazon Config does not record configuration changes for resource types in the pipelines that are not yet supported. Unsupported resource types such as CodeCommit repository, CodeDeploy application, ECS cluster, and ECS service appear in the supplementary configuration section of the configuration item for the stack.

Amazon Config

Amazon Service Resource Type Value Relationship Related Resource
Amazon Config AWS::Config::ResourceCompliance* is associated with All resources*
AWS::Config::ConformancePackCompliance NA NA
AWS::Config::ConfigurationRecorder* NA NA

*The relationship between AWS::Config::ResourceCompliance and a related resource depends on how AWS::Config::ResourceCompliance reports compliance for that specific resource type.

*AWS::Config::ConfigurationRecorder is a system resource type of Amazon Config and recording of this resource type is enabled by default.

Note

Recording for the AWS::Config::ConformancePackCompliance and AWS::Config::ConfigurationRecorder resource types come with no additional charge.

Amazon Database Migration Service

Amazon Service Resource Type Value Relationship Related Resource
Amazon Database Migration Service AWS::DMS::EventSubscription NA NA
AWS::DMS::ReplicationSubnetGroup NA NA
AWS::DMS::ReplicationInstance NA NA
AWS::DMS::ReplicationTask NA NA
AWS::DMS::Certificate NA NA

Amazon DataSync

Amazon Service Resource Type Value Relationship Related Resource
Amazon DataSync AWS::DataSync::LocationSMB NA NA
AWS::DataSync::LocationFSxLustre NA NA
AWS::DataSync::LocationFSxWindows NA NA
AWS::DataSync::LocationS3 NA NA
AWS::DataSync::LocationEFS NA NA
AWS::DataSync::LocationNFS NA NA
AWS::DataSync::LocationHDFS NA NA
AWS::DataSync::LocationObjectStorage NA NA
AWS::DataSync::Task NA NA

Amazon Elastic Beanstalk

Amazon Service Resource Type Value Relationship Related Resource
Amazon Elastic Beanstalk AWS::ElasticBeanstalk::Application contains Elastic Beanstalk Application Version
Elastic Beanstalk Environment
is associated with IAM role
AWS::ElasticBeanstalk::ApplicationVersion is contained in Elastic Beanstalk Application
is associated with Elastic Beanstalk Environment
S3 bucket
AWS::ElasticBeanstalk::Environment is contained in Elastic Beanstalk Application
is associated with Elastic Beanstalk Application Version
IAM role
contains CloudFormation Stack

Amazon Fault Injection Simulator

Amazon Service Resource Type Value Relationship Related Resource
Amazon Fault Injection Simulator AWS::FIS::ExperimentTemplate NA NA

Amazon Global Accelerator

Amazon Service Resource Type Value Relationship Related Resource
Amazon Global Accelerator AWS::GlobalAccelerator::Listener* NA NA
AWS::GlobalAccelerator::EndpointGroup* NA NA
AWS::GlobalAccelerator::Accelerator* NA NA

*This resource is only available in US West (Oregon) Region.

Amazon Glue

Amazon Service Resource Type Value Relationship Related Resource
Amazon Glue AWS::Glue::Job NA NA
AWS::Glue::Classifier NA NA

Amazon Identity and Access Management

Amazon Service Resource Type Value Relationship Related Resource
Amazon Identity and Access Management AWS::IAM::User is attached to IAM group
IAM customer managed policy
AWS::IAM::Group contains IAM user
is attached to IAM customer managed policy
AWS::IAM::Role is attached to IAM customer managed policy
AWS::IAM::Policy is attached to IAM user
IAM group
IAM role
Amazon Identity and Access Management Access Analyzer AWS::AccessAnalyzer::Analyzer NA NA

Amazon Config includes inline policies with the configuration details that it records. For more information on inline policies, see Managed policies and inline policies in the IAM User Guide.

Amazon IoT

Amazon Service Resource Type Value Relationship Related Resource
Amazon IoT AWS::IoT::Authorizer NA NA
AWS::IoT::SecurityProfile NA NA
AWS::IoT::RoleAlias NA NA
AWS::IoT::Dimension NA NA
Amazon IoT Analytics AWS::IoTAnalytics::Datastore NA NA
Amazon IoT Events AWS::IoTEvents::Input NA NA
AWS::IoTEvents::DetectorModel NA NA
AWS::IoTEvents::AlarmModel NA NA

Amazon Key Management Service

Amazon Service Resource Type Value Relationship Related Resource
Amazon Key Management Service AWS::KMS::Key NA NA
AWS::KMS::Alias NA NA

Amazon Lambda Function

Amazon Service Resource Type Value Relationship Related Resource
Amazon Lambda Function AWS::Lambda::Function is associated with IAM role
EC2 security group
is contained in EC2 subnet

Amazon Network Firewall

Amazon Service Resource Type Value Relationship Related Resource
Amazon Network Firewall AWS::NetworkFirewall::Firewall is attached to EC2 Subnet
is associated with NetworkFirewall FirewallPolicy
AWS::NetworkFirewall::FirewallPolicy is associated with NetworkFirewall RuleGroup
AWS::NetworkFirewall::RuleGroup NA NA

Amazon Resilience Hub

Amazon Service Resource Type Value Relationship Related Resource
Amazon Resilience Hub AWS::ResilienceHub::ResiliencyPolicy NA NA

Amazon Secrets Manager

Amazon Service Resource Type Value Relationship Related Resource
Amazon Secrets Manager AWS::SecretsManager::Secret is associated with Lambda function
is associated with KMS Key

Service Catalog

Amazon Service Resource Type Value Relationship Related Resource
Service Catalog AWS::ServiceCatalog::CloudFormationProduct is contained in Portfolio
is associated with CloudFormationProvisionedProduct
AWS::ServiceCatalog::CloudFormationProvisionedProduct is associated with Portfolio
CloudFormationProduct
CloudFormationStack
AWS::ServiceCatalog::Portfolio contains CloudFormationProduct

Amazon Shield

Amazon Service Resource Type Value Relationship Related Resource
Amazon Shield* AWS::Shield::Protection is associated with Amazon CloudFront distribution
AWS::ShieldRegional::Protection is associated with EC2 EIP
is associated with ElasticLoadBalancing Balancer
is associated with ElasticLoadBalancingV2 LoadBalancer

*Amazon Config support for AWS::Shield::Protection is available only in the US East (N. Virginia) Region. The AWS::ShieldRegional::Protection is available in all regions where Amazon Shield is supported.

Amazon Step Functions

Amazon Service Resource Type Value Relationship Related Resource
Amazon Step Functions AWS::StepFunctions::Activity NA NA
AWS::StepFunctions::StateMachine NA NA

Amazon Systems Manager

Amazon Service Resource Type Value Relationship Related Resource
Amazon Systems Manager AWS::SSM::ManagedInstanceInventory* is associated with EC2 instance
AWS::SSM::PatchCompliance is associated with Managed Instance Inventory
AWS::SSM::AssociationCompliance is associated with Managed Instance Inventory
AWS::SSM::FileData is associated with Managed Instance Inventory

*To learn more about managed instance inventory, see Recording Software Configuration for Managed Instances.

Amazon Transfer Family

Amazon Service Resource Type Value Relationship Related Resource
Amazon Transfer Family AWS::Transfer::Workflow NA NA

Amazon WAF

Amazon Service Resource Type Value Relationship Related Resource
Amazon WAF* AWS::WAF::RateBasedRule NA NA
AWS::WAF::Rule NA NA
AWS::WAF::WebACL is associated with WAF Rule
WAF rate based rule
WAF Rulegroup
AWS::WAF::RuleGroup is associated with WAF Rule
AWS::WAFRegional::RateBasedRule NA NA
AWS::WAFRegional::Rule NA NA
AWS::WAFRegional::WebACL is associated with ElasticLoadBalancingV2 LoadBalancer
WAFRegional Rule
WAFRegional rate based rule
WAFRegional Rulegroup
AWS::WAFRegional::RuleGroup is associated with WAFRegional Rule
Amazon WAF V2* AWS::WAFv2::WebACL is associated with ElasticLoadBalancingV2 LoadBalancer
ApiGateway Stage
WAFv2 IPSet
WAFv2 RegexPatternSet
WAFv2 RuleGroup
WAFv2 ManagedRuleSet
AWS::WAFv2::RuleGroup is associated with WAFv2 IPSet
WAFv2 RegexPatternSet
AWS::WAFv2::ManagedRuleSet is associated with WAFv2 RuleGroup
AWS::WAFv2::IPSet NA NA
AWS::WAFv2::RegexPatternSet NA NA

Amazon Config support for the Amazon WAF resource types are available only in the US East (N. Virginia) Region.

Amazon Config support for the Amazon WAF Regional and Amazon WAF V2 resource types are available in all the Amazon Web Services Regions where Amazon WAF and Amazon WAF V2 are supported, respectively.

Amazon X-Ray

Amazon Service Resource Type Value Relationship Related Resource
Amazon X-Ray AWS::XRay::EncryptionConfig NA NA

Elastic Load Balancing

Amazon Service Resource Type Value Relationship Related Resource
Elastic Load Balancing

Application Load Balancer

AWS::ElasticLoadBalancingV2::LoadBalancer

is associated with EC2 security group
is attached to Subnet
is contained in Virtual private cloud (VPC)

Application Load Balancer Listener

AWS::ElasticLoadBalancingV2::Listener

NA NA

Classic Load Balancer

AWS::ElasticLoadBalancing::LoadBalancer

is associated with EC2 security group
is attached to Subnet
is contained in Virtual private cloud (VPC)

Network Load Balancer

AWS::ElasticLoadBalancingV2::LoadBalancer

NA NA

AWS Elemental MediaPackage

Amazon Service Resource Type Value Relationship Related Resource
AWS Elemental MediaPackage AWS::MediaPackage::PackagingGroup NA NA