AWS Config Developer Guide

Supported Resources, Configuration Items, and Relationships

AWS Config supports the following AWS resources, configuration items, and resource relationships.

Supported AWS Resource Types

AWS Config supports the following AWS resource types, grouped by service. Bracketed numbers refer to the notes that follow the list.

Auto Scaling
  • Auto Scaling group: AWS::AutoScaling::AutoScalingGroup
  • Auto Scaling launch configuration: AWS::AutoScaling::LaunchConfiguration
  • Auto Scaling scaling policy: AWS::AutoScaling::ScalingPolicy
  • Auto Scaling scheduled action: AWS::AutoScaling::ScheduledAction

AWS Certificate Manager
  • Certificate: AWS::ACM::Certificate

AWS CloudFormation
  • Stack [1]: AWS::CloudFormation::Stack

Amazon CloudFront [2]
  • Distribution: AWS::CloudFront::Distribution
  • Streaming distribution: AWS::CloudFront::StreamingDistribution

AWS CloudTrail
  • Trail: AWS::CloudTrail::Trail

AWS CodeBuild
  • Project [3]: AWS::CodeBuild::Project

Amazon CloudWatch
  • Alarm: AWS::CloudWatch::Alarm

Amazon DynamoDB
  • Table: AWS::DynamoDB::Table

Amazon Elastic Block Store
  • Amazon EBS volume: AWS::EC2::Volume

Amazon Elastic Compute Cloud
  • EC2 Dedicated host [4]: AWS::EC2::Host
  • EC2 Elastic IP (VPC only): AWS::EC2::EIP
  • EC2 instance: AWS::EC2::Instance
  • EC2 network interface: AWS::EC2::NetworkInterface
  • EC2 security group: AWS::EC2::SecurityGroup

Amazon EC2 Systems Manager
  • Managed instance inventory [5]: AWS::SSM::ManagedInstanceInventory

Elastic Load Balancing
  • Application Load Balancer: AWS::ElasticLoadBalancingV2::LoadBalancer
  • Classic Load Balancer: AWS::ElasticLoadBalancing::LoadBalancer

AWS Identity and Access Management [6]
  • IAM user [7]: AWS::IAM::User
  • IAM group [7]: AWS::IAM::Group
  • IAM role [7]: AWS::IAM::Role
  • IAM customer managed policy: AWS::IAM::Policy

Amazon Redshift
  • Cluster: AWS::Redshift::Cluster
  • Cluster parameter group: AWS::Redshift::ClusterParameterGroup
  • Cluster security group: AWS::Redshift::ClusterSecurityGroup
  • Cluster snapshot: AWS::Redshift::ClusterSnapshot
  • Cluster subnet group: AWS::Redshift::ClusterSubnetGroup
  • Event subscription: AWS::Redshift::EventSubscription

Amazon Relational Database Service
  • RDS DB instance: AWS::RDS::DBInstance
  • RDS DB security group: AWS::RDS::DBSecurityGroup
  • RDS DB snapshot: AWS::RDS::DBSnapshot
  • RDS DB subnet group: AWS::RDS::DBSubnetGroup
  • Event subscription: AWS::RDS::EventSubscription

Amazon Simple Storage Service
  • Amazon S3 bucket [8]: AWS::S3::Bucket

Amazon Virtual Private Cloud
  • Customer gateway: AWS::EC2::CustomerGateway
  • Internet gateway: AWS::EC2::InternetGateway
  • Network access control list (ACL): AWS::EC2::NetworkAcl
  • Route table: AWS::EC2::RouteTable
  • Subnet: AWS::EC2::Subnet
  • Virtual private cloud (VPC): AWS::EC2::VPC
  • VPN connection: AWS::EC2::VPNConnection
  • VPN gateway: AWS::EC2::VPNGateway

AWS WAF [9]
  • Rate based rule: AWS::WAF::RateBasedRule
  • Rule: AWS::WAF::Rule
  • Web ACL: AWS::WAF::WebACL
  • Rate based rule (regional): AWS::WAFRegional::RateBasedRule
  • Rule (regional): AWS::WAFRegional::Rule
  • Web ACL (regional): AWS::WAFRegional::WebACL

Notes

  1. AWS Config records configuration changes to CloudFormation stacks and supported resource types in the stacks. AWS Config does not record configuration changes for resource types in the stack that are not yet supported. Unsupported resource types appear in the supplementary configuration section of the configuration item for the stack.

  2. AWS Config support for Amazon CloudFront is available only in the US East (N. Virginia) region.

  3. To learn more about how AWS Config integrates with AWS CodeBuild, see Use AWS Config with AWS CodeBuild Sample.

  4. AWS Config records the configuration details of Dedicated hosts and the instances that you launch on them. As a result, you can use AWS Config as a data source when you report compliance with your server-bound software licenses. For example, you can view the configuration history of an instance and determine which Amazon Machine Image (AMI) it is based on. Then, you can look up the configuration history of the host, which includes details such as the numbers of sockets and cores, to verify that the host complies with the license requirements of the AMI. For more information, see Tracking Configuration Changes with AWS Config in the Amazon EC2 User Guide for Linux Instances.

  5. To learn more about managed instance inventory, see Recording software configuration for managed instances.

  6. AWS Identity and Access Management (IAM) resources are global resources. Global resources are not tied to an individual region and can be used in all regions. The configuration details for a global resource are the same in all regions. For more information, see Selecting Which Resources AWS Config Records.

  7. AWS Config includes inline policies with the configuration details that it records.

  8. If you configured AWS Config to record your S3 buckets, and are not receiving configuration change notifications, verify your S3 bucket policies have the required permissions. For more information, see Troubleshooting for recording S3 buckets.

  9. The AWS::WAF::RateBasedRule, AWS::WAF::Rule, and AWS::WAF::WebACL resource types are available only in the US East (N. Virginia) Region. The AWS::WAFRegional::RateBasedRule, AWS::WAFRegional::Rule, and AWS::WAFRegional::WebACL resource types are available in all regions where AWS WAF is supported.

Recording software configuration for managed instances

You can use AWS Config to record software inventory changes on EC2 instances and on-premises servers. This enables you to see the historical changes to software configuration. For example, when a new Windows update is installed on a managed Windows instance, AWS Config records the changes and then sends the changes to your delivery channels, so that you are notified about the change. With AWS Config, you can see the history of when Windows updates were installed for the managed instance and how they changed over time.

You must complete the following steps to record software configuration changes:

  • Turn on recording for the managed instance inventory resource type in AWS Config

  • Configure EC2 and on-premises instances as managed instances

  • Initiate collection of software inventory from your managed instances

You can also use AWS Config rules to monitor software configuration changes and be notified whether the changes are compliant or noncompliant against your rules. For example, if you create a rule that checks whether your managed instances have a specified application, and an instance doesn't have that application installed, AWS Config flags that instance as noncompliant against your rule. For a list of AWS Config managed rules, see AWS Managed Config Rules.

To enable recording of software configuration changes in AWS Config:

  1. Turn on recording for all supported resource types or selectively record the managed instance inventory resource type in AWS Config. For more information, see Selecting Which Resources AWS Config Records.

  2. Launch an Amazon EC2 instance with an IAM role and the AmazonEC2RoleforSSM policy. You may also need to install an SSM Agent. For more information, see Systems Manager Prerequisites in the Amazon EC2 User Guide for Linux Instances or Systems Manager Prerequisites in the Amazon EC2 User Guide for Windows Instances.

  3. Initiate inventory collection as described in Configuring Inventory Collection in the Amazon EC2 User Guide for Linux Instances. The procedures are the same for Linux and Windows instances.

    AWS Config can record configuration changes for the following inventory types:

    • Applications – A list of applications for managed instances, such as antivirus software.

    • AWS components – A list of AWS components for managed instances, such as the AWS CLI and SDKs.

    • Instance information – Instance information such as OS name and version, domain, and firewall status.

    • Network configuration – Configuration information such as IP address, gateway, and subnet mask.

    • Windows Updates – A list of Windows updates for managed instances (Windows instances only).

    Note

    AWS Config doesn't support recording the custom inventory type at this time.

Inventory collection is one of many Amazon EC2 Systems Manager capabilities, which also include applying operating system patches and configuring instances at scale. For more information, see Amazon EC2 Systems Manager in the Amazon EC2 User Guide for Linux Instances or Amazon EC2 Systems Manager in the Amazon EC2 User Guide for Windows Instances.
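The procedure above ends with AWS Config recording AWS::SSM::ManagedInstanceInventory items, and the earlier paragraph describes a rule that flags a managed instance as noncompliant when a required application is missing. The following custom rule implements that check. It is an added example, not code from the AWS Config Developer Guide or from AWS. The rule parameters applicationName and minimumVersion are hypothetical names chosen here; the layout of the inventory inside the configuration item (configuration["AWS:Application"]["Content"]) and the Lambda event field names follow the shape of real Config events but should be treated as assumptions and checked against an event from your own account. The sample item at the bottom is constructed.

```python
"""Custom AWS Config rule: require an application (optionally at a minimum
version) on every managed instance whose inventory AWS Config records.

Added example, not part of the AWS Config Developer Guide. Inventory layout
and Lambda event fields are assumptions based on the shape of real events.
"""
import json
import re

INVENTORY_TYPE = "AWS::SSM::ManagedInstanceInventory"
DELETED_STATUSES = ("ResourceDeleted", "ResourceDeletedNotRecorded")


def version_key(version):
    """Numeric comparison key: '2.0.682.0' -> (2, 0, 682, 0); '7.4p1' -> (7, 4, 1)."""
    return tuple(int(n) for n in re.findall(r"\d+", version or ""))


def evaluate_compliance(configuration_item, rule_parameters):
    """Return (compliance_type, annotation) for one configuration item.

    rule_parameters is the decoded ruleParameters JSON, e.g.
    {"applicationName": "amazon-ssm-agent", "minimumVersion": "2.2.0.0"}.
    """
    if configuration_item.get("resourceType") != INVENTORY_TYPE:
        return "NOT_APPLICABLE", "rule only evaluates managed instance inventory"
    if configuration_item.get("configurationItemStatus") in DELETED_STATUSES:
        return "NOT_APPLICABLE", "resource deleted"

    wanted = rule_parameters["applicationName"]
    minimum = rule_parameters.get("minimumVersion")
    config = configuration_item.get("configuration") or {}
    # Assumed layout: each inventory type has a "Content" map keyed by entry name.
    apps = ((config.get("AWS:Application") or {}).get("Content") or {}).values()

    matches = [a for a in apps if a.get("Name") == wanted]
    if not matches:
        return "NON_COMPLIANT", f"{wanted} is not installed"
    if minimum:
        newest = max(matches, key=lambda a: version_key(a.get("Version")))
        if version_key(newest.get("Version")) < version_key(minimum):
            return "NON_COMPLIANT", f"{wanted} {newest.get('Version')} is older than {minimum}"
    return "COMPLIANT", f"{wanted} is installed"


def lambda_handler(event, context):
    """Entry point invoked by AWS Config; reports one evaluation per item."""
    invoking_event = json.loads(event["invokingEvent"])
    item = invoking_event["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    compliance, annotation = evaluate_compliance(item, params)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # PutEvaluations limits annotations to 256 chars
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    import boto3  # imported here so evaluate_compliance() runs without the SDK
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed sample: a Linux managed instance running an old SSM Agent.
SAMPLE_ITEM = {
    "resourceType": INVENTORY_TYPE,
    "resourceId": "i-0123456789abcdef0",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2017-03-01T12:00:00.000Z",
    "configuration": {
        "AWS:InstanceInformation": {"Content": {
            "i-0123456789abcdef0": {"PlatformType": "Linux", "PlatformName": "Amazon Linux AMI"}}},
        "AWS:Application": {"Content": {
            "openssh-server-7.4p1": {"Name": "openssh-server", "Version": "7.4p1"},
            "amazon-ssm-agent-2.0.682": {"Name": "amazon-ssm-agent", "Version": "2.0.682.0"},
        }},
    },
}

if __name__ == "__main__":
    print(evaluate_compliance(
        SAMPLE_ITEM, {"applicationName": "amazon-ssm-agent", "minimumVersion": "2.2.0.0"}))
```

Deploy the handler as the Lambda function behind a custom rule scoped to AWS::SSM::ManagedInstanceInventory; the evaluation logic is kept in evaluate_compliance so it can be unit-tested against recorded items without AWS credentials.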

Components of a Configuration Item

A configuration item consists of the following components.

Bracketed numbers refer to the notes that follow the list.

Metadata: information about the configuration item itself.
  • Version ID
  • Configuration item ID
  • Time when the configuration item was captured
  • Status of the configuration item, indicating whether the item was captured successfully
  • State ID, indicating the ordering of the configuration items of a resource
  • A unique MD5 hash representing the state of the configuration item, which can be used to compare two states of two or more configuration items of the same resource

Attributes [2]: attributes of the resource.
  • Resource ID
  • List of key–value tags for this resource [3]
  • Resource type (see Supported AWS Resource Types)
  • Amazon Resource Name (ARN)
  • Availability Zone that contains this resource, if applicable
  • Time the resource was created

Relationships [1]: how the resource is related to other resources associated with the account.
  • A description of each relationship, such as "Amazon EBS volume vol-1234567 is attached to an Amazon EC2 instance i-a1b2c3d4"

Current configuration: information returned through a call to the Describe or List API of the resource. For example, the DescribeVolumes API returns the following information about a volume:
  • Availability Zone the volume is in
  • Time the volume was attached
  • ID of the EC2 instance it is attached to
  • Current status of the volume
  • State of the DeleteOnTermination flag
  • Device the volume is attached to
  • Type of volume, such as gp2, io1, or standard

Related events: the AWS CloudTrail events that are related to the current configuration of the resource.
  • CloudTrail event ID

Notes

  1. A configuration item relationship does not include network flow or data flow dependencies. Configuration items cannot be customized to represent your application architecture.

  2. AWS Config also records the following attributes for the Amazon S3 bucket resource type. For more information about the attributes, see Bucket Configuration Options in the Amazon Simple Storage Service Developer Guide.

  3. AWS Config does not record key–value tags for CloudTrail trail, CloudFront distribution, and CloudFront streaming distribution.

Amazon S3 Bucket Attributes

  • AccelerateConfiguration: Transfer acceleration for data over long distances between your client and the bucket.
  • BucketAcl: Access control list used to manage access to the bucket and its objects.
  • BucketPolicy: Policy that defines the permissions to the bucket.
  • CrossOriginConfiguration: Rules that allow cross-origin requests to the bucket.
  • LifecycleConfiguration: Rules that define the lifecycle for objects in the bucket.
  • LoggingConfiguration: Logging used to track requests for access to the bucket.
  • NotificationConfiguration: Event notifications used to send alerts or trigger workflows for specified bucket events.
  • ReplicationConfiguration: Automatic, asynchronous copying of objects across buckets in different AWS Regions.
  • RequestPaymentConfiguration: Whether Requester Pays is enabled for the bucket.
  • TaggingConfiguration: Tags added to the bucket to categorize it; tags can also be used to track billing.
  • WebsiteConfiguration: Whether static website hosting is enabled for the bucket.
  • VersioningConfiguration: Whether versioning is enabled for objects in the bucket.
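The component list above (state ID, MD5 hash of the state, related CloudTrail events) and the S3 bucket attributes are what a reviewer actually works with when asking "when did this bucket become public, and which API call did it?". The following script walks the configuration history of one bucket, skips re-deliveries of an unchanged state by comparing the MD5 hashes, and reports the first state whose recorded BucketPolicy grants access to everyone. It is an added example, not code from the AWS Config Developer Guide or from AWS. The configuration items are constructed inline; the field names follow the shape of items in Config custom-rule events (configurationStateId, configurationStateMd5Hash, relatedEvents, supplementaryConfiguration), and the BucketPolicy.policyText layout is an assumption to verify against items from your own account.

```python
"""Audit one S3 bucket's AWS Config history for the transition to a public policy.

Added example, not part of the AWS Config Developer Guide. The configuration
items below are constructed; their field layout is an assumption based on the
shape of real Config items.
"""
import json


def is_public_statement(stmt):
    """True when an Allow statement grants to everyone and has no Condition.

    Simplification: any Condition is treated as narrowing the grant, which is
    not always true (for example aws:SecureTransport alone still leaves a
    policy public); tighten this for production use.
    """
    if stmt.get("Effect") != "Allow" or "Condition" in stmt:
        return False
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_statements(item):
    """Public statements in the item's recorded BucketPolicy attribute, if any."""
    policy = (item.get("supplementaryConfiguration") or {}).get("BucketPolicy") or {}
    text = policy.get("policyText")  # assumed location of the policy document
    if not text:
        return []
    stmts = json.loads(text).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [s for s in stmts if is_public_statement(s)]


def state_changes(history):
    """Yield (previous, current) for consecutive items whose recorded state differs.

    Items are ordered by configurationStateId; the state MD5 hash identifies a
    re-delivered unchanged state without diffing the whole document.
    """
    prev = None
    for item in sorted(history, key=lambda i: i["configurationStateId"]):
        if prev is None or prev["configurationStateMd5Hash"] != item["configurationStateMd5Hash"]:
            yield prev, item
        prev = item


def audit_bucket_history(history):
    """One finding per transition from a non-public to a public bucket policy."""
    findings = []
    for prev, cur in state_changes(history):
        before = public_statements(prev) if prev else []
        after = public_statements(cur)
        if after and not before:
            actions = {a for s in after
                       for a in ([s["Action"]] if isinstance(s["Action"], str) else s["Action"])}
            findings.append({
                "resourceId": cur["resourceId"],
                "stateId": cur["configurationStateId"],
                "captureTime": cur["configurationItemCaptureTime"],
                "relatedEvents": cur.get("relatedEvents", []),  # CloudTrail event IDs to pivot on
                "actions": sorted(actions),
            })
    return findings


def _item(state_id, md5, policy, events):
    """Build a constructed configuration item for the sample history."""
    return {
        "resourceType": "AWS::S3::Bucket",
        "resourceId": "example-logs-bucket",
        "configurationStateId": state_id,
        "configurationStateMd5Hash": md5,
        "configurationItemCaptureTime": f"2017-03-0{state_id + 1}T00:00:00.000Z",
        "relatedEvents": events,
        "supplementaryConfiguration": {"BucketPolicy": {"policyText": json.dumps(policy)}},
    }


PRIVATE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/log-reader"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-logs-bucket/*"}]}
PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-logs-bucket", "arn:aws:s3:::example-logs-bucket/*"]}]}

# Constructed history: private, the same state captured again, then public.
SAMPLE_HISTORY = [
    _item(0, "0b0c1ed7d2a4f0c9e8a5b6c7d8e9f001", PRIVATE_POLICY, []),
    _item(1, "0b0c1ed7d2a4f0c9e8a5b6c7d8e9f001", PRIVATE_POLICY, []),
    _item(2, "5f6e7d8c9b0a1f2e3d4c5b6a79880002", PUBLIC_POLICY,
          ["00000000-0000-0000-0000-000000000001"]),  # constructed CloudTrail event ID
]

if __name__ == "__main__":
    print(json.dumps(audit_bucket_history(SAMPLE_HISTORY), indent=2))
```

In a real investigation, feed the output of the GetResourceConfigHistory API (or the items delivered to your S3 delivery channel) into audit_bucket_history, then look up each relatedEvents ID in CloudTrail to identify the principal that made the change.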

Supported Resource Relationships

AWS Config supports the following relationships between different resources.

Note

AWS Config can create multiple configuration items when a resource is changed and that resource is related to other resources. For more information, see Configuration Items for Resources with Relationships.

Auto Scaling group
  • contains: Amazon EC2 instance
  • is associated with: Classic Load Balancer, Auto Scaling launch configuration, Subnet

Auto Scaling launch configuration
  • is associated with: Amazon EC2 security group

Auto Scaling scaling policy
  • is associated with: Auto Scaling group, Alarm

Auto Scaling scheduled action
  • is associated with: Auto Scaling group

Amazon EBS volume
  • is attached to: EC2 instance

Amazon Redshift cluster
  • is associated with: Cluster parameter group, Cluster security group, Cluster subnet group, Security group, Virtual private cloud (VPC)

Amazon Redshift cluster snapshot
  • is associated with: Cluster, Virtual private cloud (VPC)

Amazon Redshift cluster subnet group
  • is associated with: Subnet, Virtual private cloud (VPC)

AWS CloudFormation stack
  • contains: Supported AWS resource types

Amazon CloudFront distribution
  • is associated with: AWS WAF WebACL, ACM Certificate, S3 Bucket, IAM Server Certificate

Amazon CloudFront streaming distribution
  • is associated with: AWS WAF WebACL, ACM Certificate, S3 Bucket, IAM Server Certificate

AWS CodeBuild project
  • is associated with: S3 Bucket, IAM Role

Customer gateway
  • is attached to: VPN connection

EC2 Dedicated host
  • contains: EC2 instance

EC2 Elastic IP (EIP)
  • is attached to: EC2 instance, Network interface

EC2 instance
  • contains: EC2 network interface
  • is associated with: EC2 security group
  • is attached to: Amazon EBS volume, EC2 Elastic IP (EIP)
  • is contained in: EC2 Dedicated host, Route table, Subnet, Virtual private cloud (VPC)

EC2 managed instance inventory
  • is associated with: EC2 instance

EC2 network interface
  • is associated with: EC2 security group
  • is attached to: EC2 Elastic IP (EIP), EC2 instance
  • is contained in: Route table, Subnet, Virtual private cloud (VPC)

EC2 security group
  • is associated with: EC2 instance, EC2 network interface, Virtual private cloud (VPC)

Elastic Load Balancing application load balancer
  • is associated with: EC2 security group
  • is attached to: Subnet
  • is contained in: Virtual private cloud (VPC)

Elastic Load Balancing classic load balancer
  • is associated with: EC2 security group
  • is attached to: Subnet
  • is contained in: Virtual private cloud (VPC)

IAM customer managed policy
  • is attached to: IAM user, IAM group, IAM role

IAM group
  • contains: IAM user
  • is attached to: IAM customer managed policy

IAM role
  • is attached to: IAM customer managed policy

IAM user
  • is attached to: IAM group, IAM customer managed policy

Internet gateway
  • is attached to: Virtual private cloud (VPC)

Network ACL
  • is attached to: Subnet
  • is contained in: Virtual private cloud (VPC)

RDS DB instance
  • is associated with: EC2 security group, RDS DB security group, RDS DB subnet group

RDS DB security group
  • is associated with: EC2 security group, Virtual private cloud (VPC)

RDS DB snapshot
  • is associated with: Virtual private cloud (VPC)

RDS DB subnet group
  • is associated with: EC2 subnet, Virtual private cloud (VPC)

Route table
  • contains: EC2 instance, EC2 network interface, Subnet, VPN gateway
  • is contained in: Virtual private cloud (VPC)

Subnet
  • contains: EC2 instance, EC2 network interface
  • is attached to: Network ACL
  • is contained in: Route table, Virtual private cloud (VPC)

Virtual private cloud (VPC)
  • contains: EC2 instance, EC2 network interface, Network ACL, Route table, Subnet
  • is associated with: Security group
  • is attached to: Internet gateway, VPN gateway

VPN connection
  • is attached to: Customer gateway, VPN gateway

VPN gateway
  • is attached to: Virtual private cloud (VPC), VPN connection
  • is contained in: Route table

WAF WebACL
  • is associated with: WAF Rule, WAF Rate Based Rule

WAFRegional WebACL
  • is associated with: ElasticLoadBalancingV2 LoadBalancer, WAFRegional Rule, WAFRegional Rate Based Rule
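The relationships above are recorded on each configuration item as a list of related resource type, resource ID and relationship name, and the note earlier in this section warns that a change to one resource can produce configuration items for several related resources. The following script uses those relationship records to answer a question that comes up whenever a security group rule changes: which EC2 instances does the group actually apply to, directly or through a network interface? It also lists resources that are referenced by a relationship but not present in the batch being processed, which is the situation the note describes. This is an added example, not code from the AWS Config Developer Guide or from AWS; the configuration items are constructed, and the relationship name strings ("Is associated with", "Is attached to", "Contains") are assumed to match what Config records.

```python
"""Follow relationships in AWS Config configuration items from a security group
to every EC2 instance it applies to, directly or via a network interface.

Added example, not part of the AWS Config Developer Guide. Items below are
constructed; relationship names are assumed to match what Config records.
"""
from collections import deque


def index_items(items):
    """Map resourceId -> configuration item for lookups during traversal."""
    return {i["resourceId"]: i for i in items}


def neighbours(item, relationship_name=None, resource_type=None):
    """Related resource IDs of one item, optionally filtered by name and type."""
    return [rel["resourceId"] for rel in item.get("relationships", [])
            if (relationship_name is None or rel["relationshipName"] == relationship_name)
            and (resource_type is None or rel["resourceType"] == resource_type)]


def instances_using_security_group(items, sg_id):
    """Instances that reach the security group directly or via a network interface.

    Breadth-first walk of at most two hops (group -> interface -> instance), so a
    rule change on the group can be mapped to the hosts it exposes.
    """
    by_id = index_items(items)
    found, seen = set(), {sg_id}
    queue = deque([(sg_id, 0)])
    while queue:
        rid, depth = queue.popleft()
        item = by_id.get(rid)
        if item is None or depth == 2:
            continue  # related item not in this batch, or beyond the hop limit
        for rel in item.get("relationships", []):
            nxt = rel["resourceId"]
            if rel["resourceType"] == "AWS::EC2::Instance":
                found.add(nxt)
            elif rel["resourceType"] == "AWS::EC2::NetworkInterface" and nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, depth + 1))
    return sorted(found)


def unrecorded_related(items):
    """(resourceType, resourceId) pairs referenced by a relationship but absent
    from the batch; their own configuration items arrive separately."""
    by_id = index_items(items)
    return {(rel["resourceType"], rel["resourceId"])
            for item in items for rel in item.get("relationships", [])
            if rel["resourceId"] not in by_id}


def _rel(resource_type, resource_id, name):
    return {"resourceType": resource_type, "resourceId": resource_id, "relationshipName": name}


SG, VPC = "sg-0a1b2c3d4e5f67890", "vpc-0ffffffffffffffff"
INST_A, INST_B = "i-0aaaaaaaaaaaaaaaa", "i-0bbbbbbbbbbbbbbbb"
ENI_B, ENI_A = "eni-0cccccccccccccccc", "eni-0dddddddddddddddd"

# Constructed batch of configuration items. INST_A is associated with the group
# directly; INST_B reaches it only through ENI_B. The VPC and ENI_A are
# referenced but not included in the batch.
SAMPLE_ITEMS = [
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": SG, "relationships": [
        _rel("AWS::EC2::Instance", INST_A, "Is associated with"),
        _rel("AWS::EC2::NetworkInterface", ENI_B, "Is associated with"),
        _rel("AWS::EC2::VPC", VPC, "Is associated with")]},
    {"resourceType": "AWS::EC2::Instance", "resourceId": INST_A, "relationships": [
        _rel("AWS::EC2::SecurityGroup", SG, "Is associated with"),
        _rel("AWS::EC2::NetworkInterface", ENI_A, "Contains")]},
    {"resourceType": "AWS::EC2::NetworkInterface", "resourceId": ENI_B, "relationships": [
        _rel("AWS::EC2::Instance", INST_B, "Is attached to"),
        _rel("AWS::EC2::SecurityGroup", SG, "Is associated with")]},
    {"resourceType": "AWS::EC2::Instance", "resourceId": INST_B, "relationships": [
        _rel("AWS::EC2::NetworkInterface", ENI_B, "Contains")]},
]

if __name__ == "__main__":
    print("instances exposed by", SG, "->", instances_using_security_group(SAMPLE_ITEMS, SG))
    print("referenced but not in batch ->", sorted(unrecorded_related(SAMPLE_ITEMS)))
```

When processing a delivery from the configuration snapshot or history, run unrecorded_related first: any missing resource means the traversal is working from an incomplete graph and the affected-instance list may be short.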