Managing the Configuration Recorder - Amazon Config
Managing the Configuration Recorder (Console)Managing the Configuration Recorder (Amazon CLI)Drift Detection for the Configuration Recorder
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Managing the Configuration Recorder

Amazon Config uses the configuration recorder to detect changes in your resource configurations and capture these changes as configuration items. You must create a configuration recorder before Amazon Config can track your resource configurations.

If you set up Amazon Config by using the console or the Amazon CLI, Amazon Config automatically creates and then starts the configuration recorder for you. For more information, see Getting Started with Amazon Config.

By default, the configuration recorder records all supported resources in the region where Amazon Config is running. You can create a customized configuration recorder that records only the resource types that you specify. For more information, see Selecting Which Resources Amazon Config Records.

You are charged service usage fees when Amazon Config starts recording configurations. For pricing information, see Amazon Config Pricing.

When you start the configuration recorder, Amazon Config takes an inventory of all Amazon resources in your account.

Important

Evaluation Results for Deleted Resources Can Persist if the Configuration Recorder is Turned Off

If the configuration recorder is turned off, it disables the ability of Amazon Config to track changes to the configuration of your resources, including their deletions. This means you might see evaluation results for resources that have been previously deleted if you turn off the configuration recorder.

Managing the Configuration Recorder (Console)

You can use the Amazon Config console to stop or start the configuration recorder. You can also change the recording frequency of the configuration recorder.

To stop or start the configuration recorder

  1. Sign in to the Amazon Web Services Management Console and open the Amazon Config console at https://console.amazonaws.cn/config/.

  2. Choose Settings in the navigation pane.

  3. Stop or start the configuration recorder:

    • If you want to stop recording, under Recording is on, choose Turn off. When prompted, choose Continue.

    • If you want to start recording, under Recording is off, choose Turn on. When prompted, choose Continue.

To change the recording frequency

Amazon Config supports Continuous recording and Daily recording. Continuous recording allows you to record configuration changes continuously whenever a change occurs. Daily recording allows you to receive a configuration item (CI) representing the most recent state of your resources over the last 24-hour period, only if it’s different from the previous CI recorded. For more information see, Recording Frequency.

  1. Sign in to the Amazon Web Services Management Console and open the Amazon Config console at https://console.amazonaws.cn/config/.

  2. Choose Settings in the navigation pane.

  3. Choose Edit to view the options under "Recording frequency".

Managing the Configuration Recorder (Amazon CLI)

You can use the Amazon CLI to stop or start the configuration recorder. You can also rename or delete the configuration recorder using the Amazon CLI, the Amazon Config API, or one of the Amazon SDKs. The following steps help you use the Amazon CLI.

To stop the configuration recorder

Use the stop-configuration-recorder command:

$ aws configservice stop-configuration-recorder --configuration-recorder-name configRecorderName
To start the configuration recorder

Use the start-configuration-recorder command:

$ aws configservice start-configuration-recorder --configuration-recorder-name configRecorderName
To change the recording frequency

Use the put-configuration-recorder command to change the recording frequency for the configuration recorder:

$ aws configservice put-configuration-recorder \
--configuration-recorder file://configurationRecorder.json

The configurationRecorder.json file specifies name and roleArn as well as the default recording frequency for the configuration recorder (recordingMode). You can also use this field override the recording frequency for specific resource types.

{
  "name": "default",
  "roleARN": "arn:aws:iam::123456789012:role/config-role",
  "recordingMode": {
    "recordingFrequency": CONTINUOUS or DAILY,
    "recordingModeOverrides": [ 
        { 
            "description": "Description you provide for the override",
            "recordingFrequency": CONTINUOUS or DAILY,
            "resourceTypes": [ Comma-separated list of resource types to include in the override ]
        }
    ]
  }
}

put-configuration-recorder uses the following fields for the --configuration-recorder parameter:

  • name – The name of the configuration recorder. Amazon Config automatically assigns the name of "default" when creating the configuration recorder.

  • roleARN – Amazon Resource Name (ARN) of the IAM role assumed by Amazon Config and used by the configuration recorder.

  • recordingMode – Specifies the default recording frequency that Amazon Config uses to record configuration changes. Amazon Config supports Continuous recording and Daily recording. Continuous recording allows you to record configuration changes continuously whenever a change occurs. Daily recording allows you to receive a configuration item (CI) representing the most recent state of your resources over the last 24-hour period, only if it’s different from the previous CI recorded.

    • recordingFrequency – The default recording frequency that Amazon Config uses to record configuration changes.

      Note

      Amazon Firewall Manager depends on continuous recording to monitor your resources. If you are using Firewall Manager, it is recommended that you set the recording frequency to Continuous.

    • recordingModeOverrides – This field allows you to specify your overrides for the recording mode. It is an array of recordingModeOverride objects. Each recordingModeOverride object in the recordingModeOverrides array consists of three fields:

      • description – A description that you provide for the override.

      • recordingFrequency – The recording frequency that will be applied to all the resource types specified in the override.

      • resourceTypes – A comma-separated list that specifies which resource types Amazon Config includes in the override.

Note

Required and optional fields

The recordingMode field for put-configuration-recorder is optional. By default, the recording frequency for the configuration recorder is set to Continuous recording.

Note

Limits

Daily recording is not supported for the following resource types:

  • AWS::Config::ResourceCompliance

  • AWS::Config::ConformancePackCompliance

  • AWS::Config::ConfigurationRecorder

For the Record all current and future supported resource types (ALL_SUPPORTED_RESOURCE_TYPES) recording strategy, these resource types will be set to Continuous recording.

To delete the configuration recorder

Use the delete-configuration-recorder command:

$ aws configservice delete-configuration-recorder --configuration-recorder-name default
To rename the configuration recorder

To change the configuration recorder name, you must delete it and create a new configuration recorder with the desired name.

  1. Use the describe-configuration-recorders command to look up the name of your current configuration recorder:

    $ aws configservice describe-configuration-recorders
{
    "ConfigurationRecorders": [
        {
            "roleARN": "arn:aws:iam::012345678912:role/myConfigRole",
            "name": "default"
        }
    ]
}

  2. Use the delete-configuration-recorder command to delete your current configuration recorder:

    $ aws configservice delete-configuration-recorder --configuration-recorder-name default

  3. Use the put-configuration-recorder command to create a configuration recorder with the desired name:

    $ aws configservice put-configuration-recorder --configuration-recorder name=configRecorderName,roleARN=arn:aws:iam::012345678912:role/myConfigRole

  4. Use the start-configuration-recorder command to resume recording:

    $ aws configservice start-configuration-recorder --configuration-recorder-name configRecorderName

Drift Detection for the Configuration Recorder

The AWS::Config::ConfigurationRecorder resource type is a configuration item (CI) for the configuration recorder that tracks all changes to the state of configuration recorder. You can use this CI to check if the state of the configuration recorder differs, or has drifted, from its previous state. For example, this CI tracks if there are updates to resource types that you have enabled Amazon Config to track, if you have stopped or started the configuration recorder, or if you have deleted or uninstalled the configuration recorder. A drifted configuration recorder indicates that you are not accurately detecting changes to your intended resource types. If your configuration recorder has been drifted, this can result in false negative or false positive compliance results.

The AWS::Config::ConfigurationRecorder resource type is a system resource type of Amazon Config and recording of this resource type is enabled by default in all supported Regions. Recording for the AWS::Config::ConfigurationRecorder resource type comes with no additional charge.