AWS Config
Developer Guide

Prerequisites

Follow this procedure to create an Amazon S3 bucket, an Amazon SNS topic, and an IAM role with attached policies. You can then use the AWS CLI to specify the bucket, topic, and role for AWS Config.

Creating an Amazon S3 Bucket

If you already have an Amazon S3 bucket in your account and want to use it, skip this step and go to Creating an Amazon SNS Topic.

To create an Amazon S3 bucket with the AWS CLI, use the create-bucket command.

To create an Amazon S3 bucket with the console

  1. Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.

  2. Choose Actions and then choose Create Bucket.

  3. For Bucket Name, type a name for your Amazon S3 bucket, such as my-config-bucket.

    Note

    Make sure the bucket name you choose is unique across all existing bucket names in Amazon S3. You cannot change the name of a bucket after it is created. For more information on bucket naming rules and conventions, see Bucket Restrictions and Limitations in the Amazon Simple Storage Service Developer Guide.

  4. Choose Create.

Note

You can also use an Amazon S3 bucket from a different account, but you may need to create a policy for the bucket that grants access permissions to AWS Config. For information on granting permissions to an Amazon S3 bucket, see Permissions for the Amazon S3 Bucket, and then go to Creating an Amazon SNS Topic.

Creating an Amazon SNS Topic

If you already have an Amazon SNS topic in your account and want to use it, skip this step and go to Creating an IAM Role.

To create an Amazon SNS topic with the AWS CLI, use the create-topic command.

To create an Amazon SNS topic with the console

  1. Sign in to the AWS Management Console and open the Amazon SNS console at https://console.aws.amazon.com/sns/v2/home.

  2. Choose Create New Topic.

  3. For Topic Name, type a name for your SNS topic, such as my-config-notice.

  4. Choose Create Topic.

    The new topic appears in the Topic Details page. Copy the Topic ARN for the next task.

    For more information, see ARN Format in the AWS General Reference.

To receive notifications from AWS Config, you must subscribe an email address to the topic.

To subscribe an email address to the SNS topic

  1. In the Amazon SNS console, choose Subscriptions in the navigation pane.

  2. On the Subscriptions page, choose Create Subscription.

  3. For Topic ARN, paste the topic ARN you copied in the previous task.

  4. For Protocol, choose Email.

  5. For Endpoint, type an email address that you can use to receive the notification and then choose Subscribe.

  6. Go to your email application and open the message from AWS Notifications. Choose the link to confirm your subscription.

    Your web browser displays a confirmation response from Amazon SNS. Amazon SNS is now configured to receive notifications and send the notification as an email to the specified email address.

Note

You can also use an Amazon SNS topic in a different account, but in that case you might need to create a policy for the topic that grants access permissions to AWS Config. For information on granting permissions to an Amazon SNS topic, see Permissions for the Amazon SNS Topic and then go to Creating an IAM Role.

Creating an IAM Role

You can use the IAM console to create an IAM role that grants AWS Config permissions to access your Amazon S3 bucket, access your Amazon SNS topic, and get configuration details for supported AWS resources. After you create the IAM role, you will create and attach policies to the role.

To create an IAM role with the AWS CLI, use the create-role command. You can then attach a policy to the role with the attach-role-policy command.

To create an IAM role with the console

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the IAM console, choose Roles in the navigation pane, and choose Create New Role.

  3. For Role Name, type a name that describes the purpose of this role. Role names must be unique within your AWS account. Because various entities might reference the role, you cannot edit the name of the role after you create it.

    Choose Next Step.

  4. Choose AWS Service Roles, and then choose Select for AWS Config.

  5. On the Attach Policy page, select AWSConfigRole. This AWS managed policy grants AWS Config permission to get configuration details for supported AWS resources. Then, choose Next Step.

  6. On the Review page, review the details about your role, and choose Create Role.

  7. On the Roles page, choose the role that you created to open its details page.

You will expand the permissions in the role by creating inline policies that allow AWS Config to access your Amazon S3 bucket and your Amazon SNS topic.

To create an inline policy that grants AWS Config permission to access your Amazon S3 bucket

  1. In the Permissions section, expand the Inline Policies section, and choose click here.

  2. Choose Custom Policy, and choose Select.

  3. For Policy Name, type a name for your inline policy.

  4. Copy the example Amazon S3 bucket policy in IAM Role Policy for Amazon S3 Bucket and paste it in the Policy Document editor.

    Important

    Before you proceed to the next step, replace the following values in the policy. If you do not replace the values, your policy will fail.

    • myBucketName – Replace with the name of your Amazon S3 bucket.

    • prefix – Replace with your own prefix or leave blank by removing the trailing '/'.

    • myAccountID-WithoutHyphens – Replace with your AWS account ID.

  5. Choose Apply Policy.

To create an inline policy that grants AWS Config permissions to deliver notifications to your Amazon SNS topic

  1. In the Permissions section, expand the Inline Policies section, and choose click here.

  2. Choose Custom Policy, and choose Select.

  3. For Policy Name, type a name for your inline policy.

  4. Copy the Amazon SNS topic example policy in IAM Role Policy for Amazon SNS Topic and paste it in the Policy Document editor.

    Important

    Before you proceed to the next step, replace arn:aws:sns:region:account-id:myTopic with the ARN you saved when you created your Amazon SNS topic.

  5. Choose Apply Policy.
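The three console procedures above (bucket, topic with e-mail subscription, role with the AWSConfigRole managed policy and the two inline policies), driven with the AWS CLI commands the guide names. This is an added example, not code from the AWS Config Developer Guide. The policy bodies are reconstructed from the placeholders the guide lists (myBucketName, prefix, myAccountID-WithoutHyphens, arn:aws:sns:region:account-id:myTopic) and should be compared against "IAM Role Policy for Amazon S3 Bucket" and "IAM Role Policy for Amazon SNS Topic" before use; the role name, inline policy names, e-mail address and the service-role path of the managed policy ARN are assumptions. The script does two things the console flow leaves to the reader: it builds the S3 resource ARN correctly for an empty prefix, and it refuses to apply a policy document that still carries one of the guide's placeholder tokens. Nothing is created unless APPLY=yes is set in the environment.

```sh
#!/bin/sh
# Added example (not from the AWS Config Developer Guide). Policy JSON is a
# reconstruction of the guide's example policies; check it against the guide.
set -eu

BUCKET="${BUCKET:-my-config-bucket}"
PREFIX="${PREFIX:-}"                   # empty => no prefix/ segment in the key
TOPIC_NAME="${TOPIC_NAME:-my-config-notice}"
ROLE_NAME="${ROLE_NAME:-config-role}"  # assumed name
EMAIL="${EMAIL:-you@example.com}"      # assumed address
REGION="${REGION:-us-east-1}"

# Trust policy: only the AWS Config service may assume the role.
trust_policy_doc() {
  printf '%s\n' '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"config.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
}

# Inline policy for the delivery bucket. $1=bucket $2=prefix (may be empty) $3=account ID
s3_policy_doc() {
  bucket=$1; prefix=$2; account=$3
  if [ -n "$prefix" ]; then key="$prefix/AWSLogs/$account/*"; else key="AWSLogs/$account/*"; fi
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": ["arn:aws:s3:::$bucket/$key"],
      "Condition": {"StringLike": {"s3:x-amz-acl": "bucket-owner-full-control"}}
    },
    {"Effect": "Allow", "Action": ["s3:GetBucketAcl"], "Resource": "arn:aws:s3:::$bucket"}
  ]
}
EOF
}

# Inline policy that lets the role publish to the topic. $1=topic ARN
sns_policy_doc() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "sns:Publish", "Resource": "$1"}]
}
EOF
}

# Returns 1 if a document still contains one of the guide's placeholder tokens;
# an unreplaced token yields an invalid ARN and the policy fails.
check_no_placeholders() {
  for token in myBucketName myAccountID-WithoutHyphens account-id:myTopic; do
    case "$1" in *"$token"*) echo "unreplaced placeholder: $token" >&2; return 1 ;; esac
  done
  return 0
}

# The account ID in the S3 resource must be the 12-digit form without hyphens.
is_account_id() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

apply() {
  account=$(aws sts get-caller-identity --query Account --output text)
  is_account_id "$account" || { echo "unexpected account id: $account" >&2; return 1; }

  # 1. Delivery bucket (regions other than us-east-1 need a LocationConstraint).
  if [ "$REGION" = us-east-1 ]; then
    aws s3api create-bucket --bucket "$BUCKET" --region "$REGION"
  else
    aws s3api create-bucket --bucket "$BUCKET" --region "$REGION" \
      --create-bucket-configuration "LocationConstraint=$REGION"
  fi

  # 2. Notification topic and the e-mail subscription (confirm it from the mailbox).
  topic_arn=$(aws sns create-topic --name "$TOPIC_NAME" --region "$REGION" \
                --query TopicArn --output text)
  aws sns subscribe --topic-arn "$topic_arn" --protocol email --notification-endpoint "$EMAIL"

  # 3. Role trusted by config.amazonaws.com, with the AWSConfigRole managed policy attached.
  aws iam create-role --role-name "$ROLE_NAME" --assume-role-policy-document "$(trust_policy_doc)"
  aws iam attach-role-policy --role-name "$ROLE_NAME" \
    --policy-arn arn:aws:iam::aws:policy/service-role/AWSConfigRole

  # 4. Inline policies, each checked for leftover placeholders before it is applied.
  s3_doc=$(s3_policy_doc "$BUCKET" "$PREFIX" "$account")
  check_no_placeholders "$s3_doc"
  aws iam put-role-policy --role-name "$ROLE_NAME" --policy-name config-s3-delivery \
    --policy-document "$s3_doc"
  sns_doc=$(sns_policy_doc "$topic_arn")
  check_no_placeholders "$sns_doc"
  aws iam put-role-policy --role-name "$ROLE_NAME" --policy-name config-sns-notify \
    --policy-document "$sns_doc"
}

if [ "${APPLY:-no}" = yes ]; then apply; fi
```

Run it as `APPLY=yes BUCKET=... EMAIL=... sh setup-config-prereqs.sh`; without APPLY=yes it only defines the helpers, so the policy documents can be rendered and inspected (`s3_policy_doc my-config-bucket "" 123456789012`) before anything is created. The s3:x-amz-acl condition in the bucket policy is what keeps delivered objects owned by the bucket owner, so do not drop it when adapting the document.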