AWS Config
Developer Guide

Setting up AWS Config with the Console

You can use the AWS Management Console to get started with AWS Config to do the following:

  • Specify the resource types you want AWS Config to record.

  • Set up Amazon SNS to notify you of configuration changes.

  • Specify an Amazon S3 bucket to receive configuration information.

  • Add AWS Config managed rules to evaluate the resource types.

If you are using AWS Config for the first time or configuring AWS Config for a new region, you can choose managed rules to evaluate resource configurations. For regions that support AWS Config and AWS Config Rules, see AWS Config Regions and Endpoints in the Amazon Web Services General Reference.

To set up AWS Config with the console

  1. Sign in to the AWS Management Console and open the AWS Config console at https://console.aws.amazon.com/config/.

  2. If this is the first time you are opening the AWS Config console or you are setting up AWS Config in a new region, the AWS Config console page looks like the following:

    
    [Screenshot: the AWS Config getting started page, which provides an overview of the service.]

  3. Choose Get Started Now.

  4. On the Settings page, for Resource types to record, specify the AWS resource types you want AWS Config to record:

    • All resources – AWS Config records all supported resources with the following options:

      • Record all resources supported in this region – AWS Config records configuration changes for every supported type of regional resource. When AWS Config adds support for a new resource type, AWS Config automatically starts recording resources of that type.

      • Include global resources – AWS Config includes supported types of global resources with the resources that it records (for example, IAM resources). When AWS Config adds support for a new global resource type, AWS Config automatically starts recording resources of that type.

    • Specific types – AWS Config records configuration changes for only the AWS resource types that you specify.

    For more information about these options, see Selecting Which Resources AWS Config Records.

  5. For Amazon S3 Bucket, choose the Amazon S3 bucket to which AWS Config sends configuration history and configuration snapshot files:

    • Create a new bucket – For Bucket Name, type a name for your Amazon S3 bucket.

      The name that you type must be unique across all existing bucket names in Amazon S3. One way to help ensure uniqueness is to include a prefix; for example, the name of your organization. You can't change the bucket name after it is created. For more information, see Bucket Restrictions and Limitations in the Amazon Simple Storage Service Developer Guide.

    • Choose a bucket from your account – For Bucket Name, choose your preferred bucket.

    • Choose a bucket from another account – For Bucket Name, type the bucket name.

      If you choose a bucket from another account, that bucket must have policies that grant access permissions to AWS Config. For more information, see Permissions for the Amazon S3 Bucket.

  6. For Amazon SNS Topic, choose whether AWS Config streams information by selecting Stream configuration changes and notifications to an Amazon SNS topic. AWS Config sends notifications such as configuration history delivery, configuration snapshot delivery, and compliance.

  7. If you chose to have AWS Config stream to an Amazon SNS topic, choose the target topic:

    • Create a new topic – For Topic Name, type a name for your SNS topic.

    • Choose a topic from your account – For Topic Name, select your preferred topic.

    • Choose a topic from another account – For Topic ARN, type the Amazon Resource Name (ARN) of the topic. If you choose a topic from another account, the topic must have policies that grant access permissions to AWS Config. For more information, see Permissions for the Amazon SNS Topic.

    Note

    The Amazon SNS topic must exist in the same region as the region in which you set up AWS Config.

  8. For AWS Config role, choose the IAM role that grants AWS Config permission to record configuration information and send this information to Amazon S3 and Amazon SNS:

    • Create a role – AWS Config creates a role that has the required permissions. For Role name, you can customize the name that AWS Config creates.

    • Choose a role from your account – For Role name, choose an IAM role in your account. AWS Config will attach the required policies. For more information, see Permissions for the IAM Role Assigned to AWS Config.

      Note

      Check the box if you want to use the IAM role as is. AWS Config will not attach policies to the role.

  9. If you are setting up AWS Config in a region that supports rules, choose Next. See Setting Up AWS Config Rules with the Console.

    Otherwise, choose Save. AWS Config displays the Resource inventory page.
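
The console choices in steps 4 through 8 correspond to two AWS Config API requests: a configuration recorder and a delivery channel. The following is an added example, not part of the AWS guide. It builds both requests and rejects the combinations the procedure rules out, including an SNS topic in a different region. The function names, the recorder and channel name `default`, and the sample ARNs are assumptions; the dictionary keys and the three boto3 calls belong to the AWS Config API.

```python
def build_settings(region, role_arn, bucket, sns_topic_arn=None,
                   resource_types=None, include_global=False):
    """Return (ConfigurationRecorder, DeliveryChannel) dicts or raise ValueError."""
    if resource_types:                       # step 4: "Specific types"
        if include_global:
            raise ValueError("Include global resources applies only to All resources")
        group = {"allSupported": False, "includeGlobalResourceTypes": False,
                 "resourceTypes": sorted(set(resource_types))}
    else:                                    # step 4: "All resources"
        group = {"allSupported": True, "includeGlobalResourceTypes": include_global}
    # "default" is an assumed name for the recorder and the channel.
    recorder = {"name": "default", "roleARN": role_arn, "recordingGroup": group}
    channel = {"name": "default", "s3BucketName": bucket}       # step 5
    if sns_topic_arn:                        # steps 6-7
        parts = sns_topic_arn.split(":")     # arn:partition:sns:region:account:topic
        if len(parts) != 6 or parts[0] != "arn" or parts[2] != "sns":
            raise ValueError("not an SNS topic ARN: %r" % sns_topic_arn)
        if parts[3] != region:               # the Note under step 7
            raise ValueError("SNS topic is in %s, AWS Config is being set up in %s"
                             % (parts[3], region))
        channel["snsTopicARN"] = sns_topic_arn
    return recorder, channel


def apply_settings(region, recorder, channel):
    """Send the requests with boto3; needs credentials and network access."""
    import boto3
    client = boto3.client("config", region_name=region)
    client.put_configuration_recorder(ConfigurationRecorder=recorder)
    client.put_delivery_channel(DeliveryChannel=channel)
    client.start_configuration_recorder(ConfigurationRecorderName=recorder["name"])


if __name__ == "__main__":
    # Constructed sample values; replace with your own account's resources.
    rec, ch = build_settings(
        "us-east-1",
        "arn:aws:iam::111122223333:role/example-config-role",
        "example-config-bucket",
        sns_topic_arn="arn:aws:sns:us-east-1:111122223333:example-config-topic",
        include_global=True)
    print(rec)
    print(ch)
```

`apply_settings` is separate so that the validation can run in a review or CI step without AWS credentials.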

For information about looking up the existing resources in your account and understanding the configurations of your resources, see View, and Manage Your AWS Resources.

If you chose to have AWS Config stream information to an Amazon SNS topic, you can receive notifications by email. For more information, see Monitoring AWS Config Resource Changes by Email. You can also use Amazon Simple Queue Service to monitor AWS resources programmatically. For more information, see Monitoring AWS Resource Changes.