Updating the IAM Role Assigned to Amazon Config - Amazon Config
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Updating the IAM Role Assigned to Amazon Config

You can update the IAM role assumed by Amazon Config at any time. Before you update the IAM role, ensure that you have created a new role to replace the old one. You must attach policies to the new role that grant permissions to Amazon Config to record configurations and deliver them to your delivery channel. In addition, make sure to copy the Amazon Resource Name (ARN) of your new IAM role; you will need it to update the IAM role. For information about creating an IAM role and attaching the required policies to the IAM role, see Creating an IAM Role.

Note

To find the ARN of an existing IAM role, go to the IAM console at https://console.amazonaws.cn/iam/. Choose Roles in the navigation pane. Then choose the name of the desired role and find the ARN at the top of the Summary page.

Updating the IAM Role

You can update your IAM role using the Amazon Web Services Management Console or the Amazon CLI.

To update the IAM role in a region where rules are supported (console)

If you are using Amazon Config in a region that supports Amazon Config rules, complete the following steps. For the list of supported regions, see Amazon Config Regions and Endpoints in the Amazon Web Services General Reference.

  1. Sign in to the Amazon Web Services Management Console and open the Amazon Config console at https://console.amazonaws.cn/config/.

  2. Choose Settings in the navigation pane.

  3. In the Amazon Config role section, choose the IAM role:

    • Create a role – Amazon Config creates a role that has the required permissions. For Role name, you can customize the name that Amazon Config creates.

    • Choose a role from your account – For Role name, choose an IAM role in your account. Amazon Config will attach the required policies. For more information, see Permissions for the IAM Role Assigned to Amazon Config.

      Note

      Check the box if you want to use the IAM role as is. Amazon Config will not attach policies to the role.

  4. Choose Save.

To update the IAM role in a region where rules are not supported (console)

  1. Sign in to the Amazon Web Services Management Console and open the Amazon Config console at https://console.amazonaws.cn/config/.

  2. On the Resource inventory page, choose the settings icon.

  3. Choose Continue.

  4. In the Amazon Config is requesting permissions to read your resources' configuration page, choose View Details.

  5. In the Role Summary section, choose the IAM role:

    • If you want to create a role, for IAM Role, choose Create a new IAM Role. Then type a name for Role Name.

    • If you want to use an existing role, select it for IAM Role. Then, for Policy Name, select an available policy or create one by selecting Create a new Role Policy.

  6. Choose Allow.

To update the IAM role (Amazon CLI)

  • Use the put-configuration-recorder command and specify the Amazon Resource Name (ARN) of the new role:

    $ aws configservice put-configuration-recorder --configuration-recorder name=configRecorderName,roleARN=arn:aws:iam::012345678912:role/myConfigRole
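
One way to script the CLI step above with a check before and after the change. This is an added example, not part of the original documentation; the function names and exit codes are hypothetical, and the AWS CLI is assumed to be configured for the target account and Region.

```shell
#!/usr/bin/env bash
# Added example: swap the role on an existing Config recorder and verify it.
# Function names and exit codes are illustrative, not part of any AWS tool.

# Succeeds only for a well-formed IAM role ARN (any partition, 12-digit account).
is_role_arn() {
  printf '%s\n' "$1" |
    grep -Eq '^arn:aws[a-z-]*:iam::[0-9]{12}:role/[A-Za-z0-9+=,.@_/-]+$'
}

# Prints the role ARN currently set on the recorder named $1.
current_role() {
  aws configservice describe-configuration-recorders \
    --configuration-recorder-names "$1" \
    --query 'ConfigurationRecorders[0].roleARN' --output text
}

# update_config_role <recorder-name> <new-role-arn>
update_config_role() {
  recorder=$1
  new_arn=$2
  is_role_arn "$new_arn" || { echo "not an IAM role ARN: $new_arn" >&2; return 2; }
  # The replacement role must exist before the recorder is pointed at it.
  # get-role takes the role name, which is the last segment of the ARN.
  aws iam get-role --role-name "${new_arn##*/}" --query 'Role.Arn' \
    --output text >/dev/null || { echo "role not found: $new_arn" >&2; return 3; }
  old_arn=$(current_role "$recorder") || return 4
  if [ "$old_arn" = "$new_arn" ]; then
    echo "recorder $recorder already uses $new_arn"
    return 0
  fi
  aws configservice put-configuration-recorder \
    --configuration-recorder "name=$recorder,roleARN=$new_arn" || return 5
  # Read the setting back instead of trusting the exit code alone.
  [ "$(current_role "$recorder")" = "$new_arn" ] ||
    { echo "recorder still reports a different role" >&2; return 6; }
  echo "recorder $recorder: $old_arn -> $new_arn"
}

# Run only when called with both arguments, so the file can also be sourced.
if [ "$#" -eq 2 ]; then update_config_role "$1" "$2"; fi
```

The old ARN printed on success is the value to pass back in if the change has to be reverted.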