Managing the Configuration Recorder - Amazon Config
Managing the Configuration Recorder (Console)Managing the Configuration Recorder (Amazon CLI)Drift Detection for the Configuration Recorder
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Managing the Configuration Recorder

Amazon Config uses the configuration recorder to detect changes in your resource configurations and capture these changes as configuration items. You must create a configuration recorder before Amazon Config can track your resource configurations.

If you set up Amazon Config by using the console or the Amazon CLI, Amazon Config automatically creates and then starts the configuration recorder for you. For more information, see Getting Started with Amazon Config.

By default, the configuration recorder records all supported resources in the region where Amazon Config is running. You can create a customized configuration recorder that records only the resource types that you specify. For more information, see Selecting Which Resources Amazon Config Records.

You are charged service usage fees when Amazon Config starts recording configurations. For pricing information, see Amazon Config Pricing.

When you start the configuration recorder, Amazon Config takes an inventory of all Amazon resources in your account.

Managing the Configuration Recorder (Console)

You can use the Amazon Config console to stop or start the configuration recorder.

To stop or start the configuration recorder

  1. Sign in to the Amazon Web Services Management Console and open the Amazon Config console at https://console.amazonaws.cn/config/.

  2. Choose Settings in the navigation pane.

  3. Stop or start the configuration recorder:

    • If you want to stop recording, under Recording is on, choose Turn off. When prompted, choose Continue.

    • If you want to start recording, under Recording is off, choose Turn on. When prompted, choose Continue.

Managing the Configuration Recorder (Amazon CLI)

You can use the Amazon CLI to stop or start the configuration recorder. You can also rename or delete the configuration recorder using the Amazon CLI, the Amazon Config API, or one of the Amazon SDKs. The following steps help you use the Amazon CLI.

To stop the configuration recorder

  • Use the stop-configuration-recorder command:

    $ aws configservice stop-configuration-recorder --configuration-recorder-name configRecorderName
To start the configuration recorder

  • Use the start-configuration-recorder command:

    $ aws configservice start-configuration-recorder --configuration-recorder-name configRecorderName
To delete the configuration recorder
To rename the configuration recorder

To change the configuration recorder name, you must delete it and create a new configuration recorder with the desired name.

  1. Use the describe-configuration-recorders command to look up the name of your current configuration recorder:

    $ aws configservice describe-configuration-recorders
{
    "ConfigurationRecorders": [
        {
            "roleARN": "arn:aws:iam::012345678912:role/myConfigRole",
            "name": "default"
        }
    ]
}

  2. Use the delete-configuration-recorder command to delete your current configuration recorder:

    $ aws configservice delete-configuration-recorder --configuration-recorder-name default

  3. Use the put-configuration-recorder command to create a configuration recorder with the desired name:

    $ aws configservice put-configuration-recorder --configuration-recorder name=configRecorderName,roleARN=arn:aws:iam::012345678912:role/myConfigRole

  4. Use the start-configuration-recorder command to resume recording:

    $ aws configservice start-configuration-recorder --configuration-recorder-name configRecorderName

Drift Detection for the Configuration Recorder

The AWS::Config::ConfigurationRecorder resource type is a configuration item (CI) for the configuration recorder that tracks all changes to the state of configuration recorder. You can use this CI to check if the state of the configuration recorder differs, or has drifted, from its previous state. For example, this CI tracks if there are updates to resource types that you have enabled Amazon Config to track, if you have stopped or started the configuration recorder, or if you have deleted or uninstalled the configuration recorder. A drifted configuration recorder indicates that you are not accurately detecting changes to your intended resource types. If your configuration recorder has been drifted, this can result in false negative or false positive compliance results.

The AWS::Config::ConfigurationRecorder resource type is a system resource type of Amazon Config and recording of this resource type is enabled by default in all supported Regions. Recording for the AWS::Config::ConfigurationRecorder resource type comes with no additional charge.