AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for AWS Config

AWS Config (service prefix: config) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by AWS Config

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

| Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions |
|---|---|---|---|---|---|
| DeleteConfigRule | Deletes the specified AWS Config rule and all of its evaluation results | Write | | | |
| DeleteConfigurationRecorder | Deletes the configuration recorder | Write | | | |
| DeleteDeliveryChannel | Deletes the delivery channel | Write | | | |
| DeleteEvaluationResults | Deletes the evaluation results for the specified Config rule | Write | | | |
| DeliverConfigSnapshot | Schedules delivery of a configuration snapshot to the Amazon S3 bucket in the specified delivery channel | Read | | | |
| DescribeComplianceByConfigRule | Indicates whether the specified AWS Config rules are compliant | List | | | |
| DescribeComplianceByResource | Indicates whether the specified AWS resources are compliant | List | | | |
| DescribeConfigRuleEvaluationStatus | Returns status information for each of your AWS managed Config rules | List | | | |
| DescribeConfigRules | Returns details about your AWS Config rules | List | | | |
| DescribeConfigurationRecorderStatus | Returns the current status of the specified configuration recorder | List | | | |
| DescribeConfigurationRecorders | Returns the name of one or more specified configuration recorders | List | | | |
| DescribeDeliveryChannelStatus | Returns the current status of the specified delivery channel | List | | | |
| DescribeDeliveryChannels | Returns details about the specified delivery channel | List | | | |
| GetComplianceDetailsByConfigRule | Returns the evaluation results for the specified AWS Config rule | Read | | | |
| GetComplianceDetailsByResource | Returns the evaluation results for the specified AWS resource | Read | | | |
| GetComplianceSummaryByConfigRule | Returns the number of AWS Config rules that are compliant and noncompliant, up to a maximum of 25 for each | Read | | | |
| GetComplianceSummaryByResourceType | Returns the number of resources that are compliant and the number that are noncompliant | Read | | | |
| GetResourceConfigHistory | Returns a list of configuration items for the specified resource | Read | | | |
| ListDiscoveredResources | Accepts a resource type and returns a list of resource identifiers for the resources of that type | List | | | |
| PutConfigRule | Adds or updates an AWS Config rule for evaluating whether your AWS resources comply with your desired configurations | Write | | | |
| PutConfigurationRecorder | Creates a new configuration recorder to record the selected resource configurations | Write | | | |
| PutDeliveryChannel | Creates a delivery channel object to deliver configuration information to an Amazon S3 bucket and Amazon SNS topic | Write | | | |
| PutEvaluations | Used by an AWS Lambda function to deliver evaluation results to AWS Config | Write | | | |
| StartConfigRulesEvaluation | Evaluates your resources against the specified Config rules | Write | | | |
| StartConfigurationRecorder | Starts recording configurations of the AWS resources you have selected to record in your AWS account | Write | | | |
| StopConfigurationRecorder | Stops recording configurations of the AWS resources you have selected to record in your AWS account | Write | | | |

Resources Defined by Config

Config has no service-defined resources that can be used as the Resource element of an IAM policy statement.

Condition Keys for AWS Config

Config has no service-specific context keys that can be used in the Condition element of policy statements. For the list of the global context keys that are available to all services, see Available Keys for Conditions in the IAM Policy Reference.