Menu
AWS Config
Developer Guide

Supported Resources, Configuration Items, and Relationships

AWS Config supports the following AWS resources, configuration items, and resource relationships.

Supported AWS Resource Types

AWS Config supports the following AWS resources.

AWS ServiceResource TyperesourceType Value
AWS Certificate ManagerCertificateAWS::ACM::Certificate
AWS CloudTrailTrailAWS::CloudTrail::Trail
Amazon Elastic Block StoreAmazon EBS volumeAWS::EC2::Volume
Amazon Elastic Compute CloudEC2 Dedicated host1AWS::EC2::Host
EC2 Elastic IP (VPC only)AWS::EC2::EIP
EC2 instanceAWS::EC2::Instance
EC2 network interfaceAWS::EC2::NetworkInterface
EC2 security groupAWS::EC2::SecurityGroup
Amazon EC2 Systems ManagerManaged instance inventory2AWS::SSM::ManagedInstanceInventory
Elastic Load BalancingApplication load balancerAWS::ElasticLoadBalancingV2::LoadBalancer
AWS Identity and Access Management3IAM user4AWS::IAM::User
IAM group4AWS::IAM::Group
IAM role4AWS::IAM::Role
IAM customer managed policyAWS::IAM::Policy
Amazon RedshiftClusterAWS::Redshift::Cluster
Cluster parameter groupAWS::Redshift::ClusterParameterGroup
Cluster security groupAWS::Redshift::ClusterSecurityGroup
Cluster snapshotAWS::Redshift::ClusterSnapshot
Cluster subnet groupAWS::Redshift::ClusterSubnetGroup
Event subscriptionAWS::Redshift::EventSubscription
Amazon Relational Database ServiceRDS DB instanceAWS::RDS::DBInstance
RDS DB security groupAWS::RDS::DBSecurityGroup
RDS DB snapshotAWS::RDS::DBSnapshot
RDS DB subnet groupAWS::RDS::DBSubnetGroup
Event subscriptionAWS::RDS::EventSubscription
Amazon Simple Storage ServiceAmazon S3 bucket5AWS::S3::Bucket
Amazon Virtual Private CloudCustomer gatewayAWS::EC2::CustomerGateway
Internet gatewayAWS::EC2::InternetGateway
Network access control list (ACL)AWS::EC2::NetworkAcl
Route tableAWS::EC2::RouteTable
SubnetAWS::EC2::Subnet
Virtual private cloud (VPC)AWS::EC2::VPC
VPN connectionAWS::EC2::VPNConnection
VPN gatewayAWS::EC2::VPNGateway

Notes

  1. AWS Config records the configuration details of Dedicated hosts and the instances that you launch on them. As a result, you can use AWS Config as a data source when you report compliance with your server-bound software licenses. For example, you can view the configuration history of an instance and determine which Amazon Machine Image (AMI) it is based on. Then, you can look up the configuration history of the host, which includes details such as the numbers of sockets and cores, to verify that the host complies with the license requirements of the AMI. For more information, see Tracking Configuration Changes with AWS Config in the Amazon EC2 User Guide for Linux Instances.

  2. To learn more about managed instance inventory, see Recording software configuration for managed instances.

  3. AWS Identity and Access Management (IAM) resources are global resources. Global resources are not tied to an individual region and can be used in all regions. The configuration details for a global resource are the same in all regions. For more information, see Selecting Which Resources AWS Config Records.

  4. AWS Config includes inline policies with the configuration details that it records.

  5. If you configured AWS Config to record your S3 buckets, and are not receiving configuration change notifications, verify your S3 bucket policies have the required permissions. For more information, see Troubleshooting for recording S3 buckets.

Recording software configuration for managed instances

You can use AWS Config to record software inventory changes on EC2 instances and on-premises servers. This enables you to see the historical changes to software configuration. For example, when a new Windows update is installed on a managed Windows instance, AWS Config records the changes and then sends the changes to your delivery channels, so that you are notified about the change. With AWS Config, you can see the history of when Windows updates were installed for the managed instance and how they changed over time.

You must complete the following steps to record software configuration changes:

  • Turn on recording for the managed instance inventory resource type in AWS Config

  • Configure EC2 and on-premises instances as managed instances

  • Initiate collection of software inventory from your managed instances

You can also use AWS Config rules to monitor software configuration changes and be notified whether the changes are compliant or noncompliant against your rules. For example, if you create a rule that checks whether your managed instances have a specified application, and an instance doesn't have that application installed, AWS Config flags that instance as noncompliant against your rule. For a list of AWS Config managed rules, see AWS Managed Rules.

To enable recording of software configuration changes in AWS Config:

  1. Turn on recording for all supported resource types or selectively record the managed instance inventory resource type in AWS Config. For more information, see Selecting Which Resources AWS Config Records.

  2. Launch an Amazon EC2 instance with an IAM role and the AmazonEC2RoleforSSM policy. You may also need to install an SSM Agent. For more information, see Systems Manager Prerequisites in the Amazon EC2 User Guide for Linux Instances or Systems Manager Prerequisites in the Amazon EC2 User Guide for Windows Instances.

  3. Initiate inventory collection as described in Configuring Inventory Collection in the Amazon EC2 User Guide for Linux Instances. The procedures are the same for Linux and Windows instances.

    AWS Config can record configuration changes for the following inventory types:

    • Applications – A list of applications for managed instances, such as antivirus software.

    • AWS components – A list of AWS components for managed instances, such as the AWS CLI and SDKs.

    • Instance information – Instance information such as OS name and version, domain, and firewall status.

    • Network configuration – Configuration information such as IP address, gateway, and subnet mask.

    • Windows Updates – A list of Windows updates for managed instances (Windows instances only).

    Note

    AWS Config doesn't support recording the custom inventory type at this time.

Inventory collection is one of many Amazon EC2 Systems Manager capabilities, which also includes applying operating system patches and configuring instances at scale. For more information, see Amazon EC2 Systems Manager in the Amazon EC2 User Guide for Linux Instances or Amazon EC2 Systems Manager in the Amazon EC2 User Guide for Windows Instances.

Components of a Configuration Item

A configuration item consists of the following components.

ComponentDescriptionContains
MetadataInformation about this configuration item
  • Version ID

  • Configuration item ID

  • Time when the configuration item was captured

  • Status of the configuration item indicating whether the item was captured successfully

  • State ID indicating the ordering of the configuration items of a resource

  • A unique MD5Hash representing the state of a configuration item that can be used to compare two states of two or more configuration items of the same resource

Attributes1Resource attributes
  • Resource ID

  • List of key–value tags for this resource

  • Resource type; see Supported AWS Resource Types

  • Amazon Resource Name (ARN)

  • Availability Zone that contains this resource, if applicable

  • Time the resource was created

RelationshipsHow the resource is related to other resources associated with the accountDescription of the relationship, such as Amazon EBS volume vol-1234567 is attached to an Amazon EC2 instance i-a1b2c3d4
Current configurationInformation returned through a call to the Describe or List API of the resourceFor example, DescribeVolumes API returns the following information about the volume:
  • Availability Zone the volume is in

  • Time the volume was attached

  • ID of the EC2 instance it is attached to

  • Current status of the volume

  • State of DeleteOnTermination flag

  • Device the volume is attached to

  • Type of volume, such as gp2, io1, or standard

Related eventsThe AWS CloudTrail events that is related to the current configuration of the resourceCloudTrail event ID

Notes

  1. A configuration item relationship does not include network flow or data flow dependencies. Configuration items cannot be customized to represent your application architecture.

  2. AWS Config also records the following attributes for the Amazon S3 bucket resource type. For more information about the attributes, see Bucket Configuration Options in the Amazon Simple Storage Service Developer Guide.

Amazon S3 Bucket Attributes

AttributesDescription
AccelerateConfigurationTransfer acceleration for data over long distances between your client and a bucket.
BucketAclAccess control list used to manage access to buckets and objects.
BucketPolicyPolicy that defines the permissions to the bucket.
CrossOriginConfigurationAllow cross-origin requests to the bucket.
LifecycleConfigurationRules that define the lifecycle for objects in your bucket.
LoggingConfigurationLogging used to track requests for access to the bucket.
NotificationConfigurationEvent notifications used to send alerts or trigger workflows for specified bucket events.
ReplicationConfigurationAutomatic, asynchronous copying of objects across buckets in different AWS Regions.
RequestPaymentConfigurationRequester pays is enabled.
TaggingConfigurationTags added to the bucket to categorize. You can also use tagging to track billing.
WebsiteConfigurationStatic website hosting is enabled for the bucket.
VersioningConfigurationVersioning is enabled for objects in the bucket.

Supported Resource Relationships

AWS Config supports the following relationships between different resources.

Note

AWS Config can create multiple configuration items when a resource is changed and that resource is related to other resources. For more information, see Configuration Items for Resources with Relationships.

ResourceRelationshipRelated Resource
Amazon EBS volumeis attached toEC2 instance
Amazon Redshift clusteris associated withCluster parameter group
Cluster security group
Cluster subnet group
Security group
Virtual private cloud (VPC)
Amazon Redshift cluster snapshotis associated withCluster
Virtual private cloud (VPC)
Amazon Redshift cluster subnet groupis associated withSubnet
Virtual private cloud (VPC)
Application load balancer is associated withEC2 security group
is attached toSubnet
is contained inVirtual private cloud (VPC)
Customer gatewayis attached toVPN connection
EC2 Dedicated hostcontainsEC2 instance
EC2 Elastic IP (EIP)is attached toEC2 instance
Network interface
EC2 instancecontainsEC2 network interface
is associated withEC2 security group
is attached toAmazon EBS volume
EC2 Elastic IP (EIP)
is contained inEC2 Dedicated host
Route table
Subnet
Virtual private cloud (VPC)
EC2 network interfaceis associated withEC2 security group
is attached toEC2 Elastic IP (EIP)
EC2 instance
is contained inRoute table
Subnet
Virtual private cloud (VPC)
EC2 security groupis associated withEC2 instance
EC2 network interface
Virtual private cloud (VPC)
IAM useris attached toIAM group
IAM customer managed policy
IAM groupcontainsIAM user
is attached toIAM customer managed policy
IAM roleis attached toIAM customer managed policy
IAM customer managed policyis attached toIAM user
IAM group
IAM role
Internet gatewayis attached toVirtual private cloud (VPC)
Managed instance inventoryis associated withEC2 instance
Network ACLis attached toSubnet
is contained inVirtual private cloud (VPC)
RDS DB instanceis associated with EC2 security group
RDS DB security group
RDS DB subnet group
RDS DB security groupis associated withEC2 security group
Virtual private cloud (VPC)
RDS DB snapshotis associated withVirtual private cloud (VPC)
RDS DB subnet groupis associated withEC2 subnet
Virtual private cloud (VPC)
Route tablecontainsEC2 instance
EC2 network interface
Subnet
VPN gateway
is contained inVirtual private cloud (VPC)
SubnetcontainsEC2 instance
EC2 network interface
is attached toNetwork ACL
is contained inRoute table
Virtual private cloud (VPC)
Virtual private cloud (VPC)containsEC2 instance
EC2 network interface
Network ACL
Route table
Subnet
is associated withSecurity group
is attached toInternet gateway
VPN gateway
VPN connectionis attached toCustomer gateway
VPN gateway
VPN gatewayis attached toVirtual private cloud (VPC)
VPN connection
is contained inRoute table