Selecting Which Resources Amazon Config Records - Amazon Config
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Selecting Which Resources Amazon Config Records

Amazon Config continuously detects when any resource of a supported type is created, changed, or deleted. Amazon Config records these events as configuration items. You can customize Amazon Config to record changes for all supported types of resources or for only those types that are relevant to you. To learn which types of resources Amazon Config can record, see Supported Resource Types.

Recording All Supported Resource Types

By default, Amazon Config records the configuration changes for all supported types of regional resources that Amazon Config discovers in the region in which it is running. Regional resources are tied to a region and can be used only in that region. Examples of regional resources are EC2 instances and EBS volumes.

You can also have Amazon Config record supported types of global resources. Global resources are not tied to a specific region and can be used in all regions. The global resource types that Amazon Config supports include IAM users, groups, roles, and customer managed policies.

Important

Global resource types onboarded to Amazon Config recording after February 2022 will only be recorded in the service's home region for the commercial partition and Amazon GovCloud (US-West) for the GovCloud partition. You can view the Configuration Items for these new global resource types only in their home region and Amazon GovCloud (US-West).

Supported global resource types onboarded before February 2022 such as AWS::IAM::Group, AWS::IAM::Policy, AWS::IAM::Role, AWS::IAM::User remain unchanged, and they will continue to deliver Configuration Items in all supported regions in Amazon Config. The change will only affect new global resource types onboarded after February 2022.

Home Regions for Global Resource Types Onboarded after February 2022

Amazon Service | Resource Type Value | Home Region
Amazon Elastic Container Registry Public | AWS::ECR::PublicRepository | US East (N. Virginia) Region
Amazon Global Accelerator | AWS::GlobalAccelerator::Listener | US West (Oregon) Region
Amazon Global Accelerator | AWS::GlobalAccelerator::EndpointGroup | US West (Oregon) Region
Amazon Global Accelerator | AWS::GlobalAccelerator::Accelerator | US West (Oregon) Region
Amazon Route 53 | AWS::Route53::HostedZone | US East (N. Virginia) Region
Amazon Route 53 | AWS::Route53::HealthCheck | US East (N. Virginia) Region

Recording Specific Resource Types

If you don't want Amazon Config to record the changes for all supported resources, you can customize it to record changes for only specific types. Amazon Config records configuration changes for the types of resources that you specify, including the creation and deletion of such resources.

If a resource is not recorded, Amazon Config captures only the creation and deletion of that resource, and no other details, at no cost to you. When a nonrecorded resource is created or deleted, Amazon Config sends a notification, and it displays the event on the resource details page. The details page for a nonrecorded resource provides null values for most configuration details, and it does not provide information about relationships and configuration changes.

The relationship information that Amazon Config provides for recorded resources is not limited because of missing data for nonrecorded resources. If a recorded resource is related to a nonrecorded resource, that relationship is provided in the details page of the recorded resource.

You can stop Amazon Config from recording a type of resource any time. After Amazon Config stops recording a resource, it retains the configuration information that was previously captured, and you can continue to access this information.

Amazon Config rules can be used to evaluate compliance for only those resources that Amazon Config records.

Amazon Config Rules and Global Resource Types

Global resource types onboarded before February 2022 (AWS::IAM::Group, AWS::IAM::Policy, AWS::IAM::Role, and AWS::IAM::User) are recorded by Amazon Config in all supported regions. This means that periodic rules that report compliance on these global resources will continue running evaluations in all supported regions, even in regions where you have not enabled the recording of global resources.

Note

Periodic rules can run on resources that Amazon Config recording does not support and can be run without the configuration recorder being enabled. Periodic rules do not depend on configuration items. For more information on the difference between change-triggered rules and periodic rules, see Specifying Triggers for Amazon Config Rules.

If you are not recording global resource types onboarded before February 2022, it is recommended that you do not enable the following periodic rules in order to avoid unnecessary costs:

Best Practices for reporting compliance on global resources

If you are recording global resource types onboarded before February 2022 (AWS::IAM::Group, AWS::IAM::Policy, AWS::IAM::Role, and AWS::IAM::User), you should only deploy Amazon Config rules and conformance packs that have these global resources in scope in one of the supported regions in order to avoid costs and API throttling. This applies to regular Amazon Config rules, organizational Amazon Config rules, as well as rules created by other Amazon services (like Security Hub and Control Tower).

Global resource types onboarded to Amazon Config recording after February 2022 will only be recorded in the service's home region for the commercial partition and Amazon GovCloud (US-West) for the GovCloud partition. You should only deploy Amazon Config rules and conformance packs that have these global resources in scope in the resource type's home region. For more information, see Home Regions for Global Resource Types Onboarded after February 2022.

Selecting Resources (Console)

You can use the Amazon Config console to select the types of resources that Amazon Config records.

To select resources

  1. Sign in to the Amazon Web Services Management Console and open the Amazon Config console at https://console.amazonaws.cn/config/.

  2. Open the Settings page:

    • If you are using Amazon Config in a region that supports Amazon Config rules, choose Settings in the navigation pane. For the list of supported regions, see Amazon Config Regions and Endpoints in the Amazon Web Services General Reference.

    • Otherwise, choose the settings icon on the Resource inventory page.

  3. In the Resource types to record section, specify which types of Amazon resources you want Amazon Config to record:

    • All resources – Amazon Config records all supported resources with the following options:

      • Record all resources supported in this region – Amazon Config records configuration changes for every supported type of regional resource. When Amazon Config adds support for a new type of regional resource, it automatically starts recording resources of that type.

      • Include global resources – Amazon Config includes supported types of global resources with the resources that it records (for example, IAM resources). When Amazon Config adds support for a new type of global resource, it automatically starts recording resources of that type.

    • Specific types – Amazon Config records configuration changes for only those types of Amazon resources that you specify.

  4. Save your changes:

    • If you are using Amazon Config in a region that supports Amazon Config rules, choose Save.

    • Otherwise, choose Continue. On the Amazon Config is requesting permissions to read your resources' configuration page, choose Allow.

Selecting Resources (Amazon CLI)

You can use the Amazon CLI to select the types of resources that you want Amazon Config to record. You do this by creating a configuration recorder, which records the types of resources that you specify in a recording group. In the recording group, you specify whether all supported types or specific types of resources are recorded.

To select all supported resources

  1. Use the following put-configuration-recorder command:

    $ aws configservice put-configuration-recorder --configuration-recorder name=default,roleARN=arn:aws:iam::123456789012:role/config-role --recording-group allSupported=true,includeGlobalResourceTypes=true

    This command uses the following options for the --recording-group parameter:

    • allSupported=true – Amazon Config records configuration changes for every supported type of regional resource. When Amazon Config adds support for a new type of regional resource, it automatically starts recording resources of that type.

    • includeGlobalResourceTypes=true – Amazon Config includes supported types of global resources with the resources that it records. When Amazon Config adds support for a new type of global resource, it automatically starts recording resources of that type.

      Before you can set this option to true, you must set the allSupported option to true.

      If you do not want to include global resources, set this option to false, or omit it.

  2. (Optional) To verify that your configuration recorder has the settings that you want, use the following describe-configuration-recorders command:

    $ aws configservice describe-configuration-recorders

    The following is an example response:

    {
        "ConfigurationRecorders": [
            {
                "recordingGroup": {
                    "allSupported": true,
                    "resourceTypes": [],
                    "includeGlobalResourceTypes": true
                },
                "roleARN": "arn:aws:iam::123456789012:role/config-role",
                "name": "default"
            }
        ]
    }

To select specific types of resources

  1. Use the aws configservice put-configuration-recorder command, and pass one or more resource types through the --recording-group option, as shown in the following example:

    $ aws configservice put-configuration-recorder --configuration-recorder name=default,roleARN=arn:aws:iam::012345678912:role/myConfigRole --recording-group file://recordingGroup.json

    The recordingGroup.json file specifies which types of resources Amazon Config will record:

    {
        "allSupported": false,
        "includeGlobalResourceTypes": false,
        "resourceTypes": [
            "AWS::EC2::EIP",
            "AWS::EC2::Instance",
            "AWS::EC2::NetworkAcl",
            "AWS::EC2::SecurityGroup",
            "AWS::CloudTrail::Trail",
            "AWS::EC2::Volume",
            "AWS::EC2::VPC",
            "AWS::IAM::User",
            "AWS::IAM::Policy"
        ]
    }

    Before you can specify resource types for the resourceTypes key, you must set the allSupported and includeGlobalResourceTypes options to false or omit them.

  2. (Optional) To verify that your configuration recorder has the settings that you want, use the following describe-configuration-recorders command:

    $ aws configservice describe-configuration-recorders

    The following is an example response:

    {
        "ConfigurationRecorders": [
            {
                "recordingGroup": {
                    "allSupported": false,
                    "resourceTypes": [
                        "AWS::EC2::EIP",
                        "AWS::EC2::Instance",
                        "AWS::EC2::NetworkAcl",
                        "AWS::EC2::SecurityGroup",
                        "AWS::CloudTrail::Trail",
                        "AWS::EC2::Volume",
                        "AWS::EC2::VPC",
                        "AWS::IAM::User",
                        "AWS::IAM::Policy"
                    ],
                    "includeGlobalResourceTypes": false
                },
                "roleARN": "arn:aws:iam::123456789012:role/config-role",
                "name": "default"
            }
        ]
    }
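As an added illustration (not part of the Amazon Config documentation or the CLI), the following Python check applies the recording-group rules from both CLI procedures above (includeGlobalResourceTypes=true requires allSupported=true; resourceTypes may only be set when both flags are false or omitted) together with the home-region table to a recordingGroup.json before it is passed to put-configuration-recorder. The region codes for the home regions (us-east-1, us-west-2) are assumed from the region names in the table.

```python
"""Check an Amazon Config recordingGroup against the rules described on this page."""
import json

# Home regions for global resource types onboarded after February 2022 (the page's table);
# region codes are assumed: US East (N. Virginia) = us-east-1, US West (Oregon) = us-west-2.
HOME_REGION = {
    "AWS::ECR::PublicRepository": "us-east-1",
    "AWS::GlobalAccelerator::Listener": "us-west-2",
    "AWS::GlobalAccelerator::EndpointGroup": "us-west-2",
    "AWS::GlobalAccelerator::Accelerator": "us-west-2",
    "AWS::Route53::HostedZone": "us-east-1",
    "AWS::Route53::HealthCheck": "us-east-1",
}


def check_recording_group(group: dict, region: str) -> list:
    """Return problems found in a recordingGroup for a recorder running in `region`."""
    problems = []
    all_supported = group.get("allSupported", False)
    include_global = group.get("includeGlobalResourceTypes", False)
    resource_types = group.get("resourceTypes", [])

    # includeGlobalResourceTypes=true is only valid together with allSupported=true.
    if include_global and not all_supported:
        problems.append("includeGlobalResourceTypes=true requires allSupported=true")
    # Specific types may only be listed when both flags are false or omitted.
    if resource_types and (all_supported or include_global):
        problems.append("resourceTypes requires allSupported and includeGlobalResourceTypes to be false")
    # A recorder in specific-type mode with an empty list selects nothing.
    if not all_supported and not resource_types:
        problems.append("no resource types selected")
    # Post-February-2022 global types deliver configuration items only in their home region.
    for rtype in resource_types:
        home = HOME_REGION.get(rtype)
        if home and home != region:
            problems.append(f"{rtype} is recorded only in its home region {home}, not in {region}")
    return problems


def check_recording_group_file(text: str, region: str) -> list:
    """Same check for the JSON passed via --recording-group file://recordingGroup.json."""
    return check_recording_group(json.loads(text), region)


# Constructed sample in the shape of the page's recordingGroup.json (not from the page).
SAMPLE = '{"allSupported": false, "includeGlobalResourceTypes": false, "resourceTypes": ["AWS::EC2::Instance", "AWS::Route53::HostedZone"]}'

if __name__ == "__main__":
    print(check_recording_group_file(SAMPLE, "eu-west-1"))
```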