

# What Is AWS Config?


AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time. 

An AWS *resource* is an entity you can work with in AWS, such as an Amazon Elastic Compute Cloud (EC2) instance, an Amazon Elastic Block Store (EBS) volume, a security group, or an Amazon Virtual Private Cloud (VPC). For a complete list of AWS resources supported by AWS Config, see [Supported Resource Types for AWS Config](resource-config-reference.md).

## Considerations

+ **AWS account**: You need an active AWS account. For more information, see [Signing up for AWS](https://docs.aws.amazon.com/config/latest/developerguide/getting-started.html#getting-started-signing-up).
+ **Amazon S3 Bucket**: You need an S3 bucket to receive data for your configuration snapshots and history. For more information, see [Permissions for the Amazon S3 Bucket](https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy.html).
+ **Amazon SNS Topic**: You need an Amazon SNS topic to receive notifications when there are changes to your configuration snapshots and history. For more information, see [Permissions for the Amazon SNS Topic](https://docs.aws.amazon.com/config/latest/developerguide/sns-topic-policy.html).
+ **IAM Role**: You need an IAM role that has the necessary permissions to access AWS Config. For more information, see [Permissions for the IAM Role](https://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html).
+ **Resource types**: You can decide which resource types you want AWS Config to record. For more information, see [Recording AWS Resources](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html).

## Ways to Use AWS Config


When you run your applications on AWS, you usually use AWS resources, which you must create and manage collectively. As the demand for your application keeps growing, so does your need to keep track of your AWS resources. AWS Config is designed to help you oversee your application resources in the following scenarios: 

### Resource Administration


To exercise better governance over your resource configurations and to detect resource misconfigurations, you need fine-grained visibility into what resources exist and how these resources are configured at any time. You can use AWS Config to notify you whenever resources are created, modified, or deleted without having to monitor these changes by polling the calls made to each resource.

You can use AWS Config rules to evaluate the configuration settings of your AWS resources. When AWS Config detects that a resource violates the conditions in one of your rules, AWS Config flags the resource as noncompliant and sends a notification. AWS Config continuously evaluates your resources as they are created, changed, or deleted.

### Auditing and Compliance


You might be working with data that requires frequent audits to ensure compliance with internal policies and best practices. To demonstrate compliance, you need access to the historical configurations of your resources. This information is provided by AWS Config.

### Managing and Troubleshooting Configuration Changes


When you use multiple AWS resources that depend on one another, a change in the configuration of one resource might have unintended consequences on related resources. With AWS Config, you can view how the resource you intend to modify is related to other resources and assess the impact of your change. 

You can also use the historical configurations of your resources provided by AWS Config to troubleshoot issues and to access the last known good configuration of a problem resource.

### Security Analysis


To analyze potential security weaknesses, you need detailed historical information about your AWS resource configurations, such as the AWS Identity and Access Management (IAM) permissions that are granted to your users, or the Amazon EC2 security group rules that control access to your resources.

You can use AWS Config to view the IAM policy that was assigned to a user, group, or role at any time in which AWS Config was recording. This information can help you determine the permissions that belonged to a user at a specific time: for example, you can view whether the user `John Doe` had permission to modify Amazon VPC settings on Jan 1, 2015.

You can also use AWS Config to view the configuration of your EC2 security groups, including the port rules that were open at a specific time. This information can help you determine whether a security group blocked incoming TCP traffic to a specific port.
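The two questions above (what permissions or port rules were in force at a given instant) are answered by picking the configuration item that was current at that time and inspecting it. The following is an added example, not code from the AWS documentation: it evaluates a small constructed configuration history for a security group. The items are shaped like what AWS Config records for `AWS::EC2::SecurityGroup` (`configurationItemCaptureTime`, `configurationItemStatus`, `configuration.ipPermissions[].ipv4Ranges[].cidrIp`), but the values, the resource ID `sg-ef678hk` and the timestamps are invented; check field names against the resource's configuration schema before pointing this at real history files.

```python
"""Point-in-time security-group lookup over an AWS Config history.

Added example for this page; not AWS code. HISTORY is constructed.
"""
from datetime import datetime
import ipaddress


def _ts(iso_z):
    """Parse the ISO-8601 timestamps AWS Config emits (trailing 'Z')."""
    return datetime.fromisoformat(iso_z.replace("Z", "+00:00"))


def _sg_item(capture, status, permissions):
    return {
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": "sg-ef678hk",
        "configurationItemCaptureTime": capture,
        "configurationItemStatus": status,
        "configuration": {"ipPermissions": permissions},
    }


SSH_FROM_ANYWHERE = {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                     "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}
SSH_FROM_CORP = {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}]}

# Constructed history: discovered with SSH open to the world, tightened
# four days later, deleted a week after that.
HISTORY = [
    _sg_item("2015-01-01T08:00:00.000Z", "ResourceDiscovered", [SSH_FROM_ANYWHERE]),
    _sg_item("2015-01-05T12:30:00.000Z", "OK", [SSH_FROM_CORP]),
    _sg_item("2015-01-12T09:00:00.000Z", "ResourceDeleted", []),
]


def configuration_at(history, resource_id, when):
    """Configuration item in force at ISO timestamp `when`, or None.

    Takes the newest item captured at or before `when`. A ResourceDeleted
    item means nothing was in force afterwards, so that also yields None.
    """
    cutoff = _ts(when)
    candidates = [ci for ci in history
                  if ci["resourceId"] == resource_id
                  and _ts(ci["configurationItemCaptureTime"]) <= cutoff]
    if not candidates:
        return None
    latest = max(candidates, key=lambda ci: _ts(ci["configurationItemCaptureTime"]))
    if latest["configurationItemStatus"] == "ResourceDeleted":
        return None
    return latest


def _port_in_rule(rule, port, protocol):
    if rule["ipProtocol"] == "-1":            # "all traffic" rule
        return True
    if rule["ipProtocol"] != protocol:
        return False
    lo, hi = rule.get("fromPort"), rule.get("toPort")
    if lo is None or hi is None:              # all ports of this protocol
        return True
    return lo <= port <= hi


def ingress_allowed(ci, port, source_ip, protocol="tcp"):
    """True if any inbound rule in `ci` admits `source_ip` on `port`."""
    src = ipaddress.ip_address(source_ip)
    for rule in ci["configuration"]["ipPermissions"]:
        if not _port_in_rule(rule, port, protocol):
            continue
        for rng in rule.get("ipv4Ranges", []):
            if src in ipaddress.ip_network(rng["cidrIp"]):
                return True
    return False


def ssh_open_to_internet_at(history, resource_id, when):
    """Was SSH reachable from an arbitrary internet host at `when`?

    Returns None when the group did not exist at that time.
    """
    ci = configuration_at(history, resource_id, when)
    if ci is None:
        return None
    return ingress_allowed(ci, 22, "198.51.100.7")


if __name__ == "__main__":
    print(ssh_open_to_internet_at(HISTORY, "sg-ef678hk", "2015-01-03T00:00:00Z"))
```

The same shape of query works for IAM: substitute the `AWS::IAM::Policy` or `AWS::IAM::Role` items and inspect `configuration.policyDocument` (or the attached-policy list) instead of `ipPermissions`. The important detail is the `ResourceDeleted` handling: the last item for a deleted resource still carries a capture time, and a naive "latest item before T" lookup would report a dead security group as open.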

### Partner Solutions


AWS partners with third-party specialists in logging and analysis to provide solutions that use AWS Config output. For more information, visit the AWS Config detail page at [AWS Config](https://aws.amazon.com/config).

## Features


When you set up AWS Config, you can complete the following:

**Resource management**
+ Specify the resource types you want AWS Config to record.
+ Set up an Amazon S3 bucket to receive a configuration snapshot on request and configuration history.
+ Set up Amazon SNS to send configuration stream notifications.
+ Grant AWS Config the permissions it needs to access the Amazon S3 bucket and the Amazon SNS topic.

  For more information, see [Viewing AWS Resource Configurations and History](https://docs.aws.amazon.com/config/latest/developerguide/view-manage-resource-console.html) and [Managing AWS Resource Configurations and History](https://docs.aws.amazon.com/config/latest/developerguide/aws-config-landing-page.html).

**Rules and conformance packs**
+ Specify the rules that you want AWS Config to use to evaluate compliance information for the recorded resource types.
+ Use conformance packs, or a collection of rules that can be deployed and monitored as a single entity in your AWS account.

  For more information, see [Evaluating Resources with AWS Config Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html) and [Conformance Packs](https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html).

**Remediation**
+ Remediate noncompliant resources that are evaluated by AWS Config Rules.

  For more information, see [Remediation](https://docs.aws.amazon.com/config/latest/developerguide/remediation.html).

**Aggregators**
+ Use an aggregator to get a centralized view of your resource inventory and compliance. An aggregator collects AWS Config configuration and compliance data from multiple AWS accounts and AWS Regions into a single account and Region.

  For more information, see [Multi-Account Multi-Region Data Aggregation](https://docs.aws.amazon.com/config/latest/developerguide/aggregate-data.html).

**Advanced queries**
+ Use one of the sample queries or write your own query by referring to the configuration schema of the AWS resource.

  For more information, see [Querying the Current Configuration State of AWS Resources ](https://docs.aws.amazon.com/config/latest/developerguide/querying-AWS-resources.html). 

# How AWS Config Works


![\[The image depicts a high-level overview of how AWS Config works. It illustrates the flow of information from various AWS resources to AWS Config, which then stores configuration data in an Amazon S3 bucket. The process involves the configuration recorder, AWS Config rules, and the delivery channel. The goal is to track and manage resource configurations within an AWS environment.\]](http://docs.aws.amazon.com/config/latest/developerguide/images/how-AWSconfig-works-2.png)


## Resource Discovery


When you turn on AWS Config, it first discovers the supported AWS resources that exist in your account and generates a [configuration item](config-concepts.md#config-items) for each resource. 

 AWS Config also generates configuration items when the configuration of a resource changes, and it maintains historical records of the configuration items of your resources from the time you start the configuration recorder. By default, AWS Config creates configuration items for every supported resource in the region. If you don't want AWS Config to create configuration items for all supported resources, you can specify the resource types that you want it to track.

Before specifying a resource type for AWS Config to track, check [Resource Coverage by Region Availability](https://docs.aws.amazon.com/config/latest/developerguide/what-is-resource-config-coverage.html) to see if the resource type is supported in the AWS Region where you are setting up AWS Config. If a resource type is supported by AWS Config in at least one Region, you can enable recording of that resource type in every Region that AWS Config supports, even if the resource type is not supported in the AWS Region where you are setting up AWS Config.

## Resource Tracking


AWS Config keeps track of all changes to your resources by invoking the Describe or List API call for each resource in your account. The service uses those same API calls to capture configuration details for all related resources. 

For example, removing an egress rule from a VPC security group causes AWS Config to invoke a Describe API call on the security group. AWS Config then invokes a Describe API call on all of the instances associated with the security group. The updated configurations of the security group (the resource) and of each instance (the related resources) are recorded as configuration items, published to the configuration stream through your Amazon SNS topic, and delivered in the configuration history to the Amazon Simple Storage Service (Amazon S3) bucket. 

AWS Config also tracks the configuration changes that were not initiated by the API. AWS Config examines the resource configurations periodically and generates configuration items for the configurations that have changed. 

If you are using AWS Config rules, AWS Config continuously evaluates your AWS resource configurations for desired settings. Depending on the rule, AWS Config will evaluate your resources either in response to configuration changes or periodically. For a custom Lambda rule, the rule is associated with an AWS Lambda function that contains the evaluation logic; when AWS Config evaluates your resources, it invokes that function, and the function returns the compliance status of the evaluated resources. Managed rules and custom policy (Guard) rules are evaluated by AWS Config itself. If a resource violates the conditions of a rule, AWS Config flags the resource and the rule as noncompliant. When the compliance status of a resource changes, AWS Config sends a notification to your Amazon SNS topic.

## Delivery of Configuration Items


AWS Config can deliver configuration items through one of the following channels:

### Amazon S3 Bucket


AWS Config tracks changes in the configuration of your AWS resources, and it regularly sends updated configuration details to an Amazon S3 bucket that you specify. For each resource type that AWS Config records, it sends a *configuration history file* every six hours. Each configuration history file contains details about the resources that changed in that six-hour period. Each file includes resources of one type, such as Amazon EC2 instances or Amazon EBS volumes. If no configuration changes occur, AWS Config does not send a file.

AWS Config sends a *configuration snapshot* to your Amazon S3 bucket when you use the [deliver-config-snapshot](https://docs.aws.amazon.com/cli/latest/reference/configservice/deliver-config-snapshot.html) command with the AWS CLI, or when you use the [DeliverConfigSnapshot](https://docs.aws.amazon.com/config/latest/APIReference/API_DeliverConfigSnapshot.html) action with the AWS Config API. A configuration snapshot contains configuration details for all resources that AWS Config records in your AWS account. The configuration history file and configuration snapshot are in JSON format.

**Note**  
AWS Config only delivers the configuration history files and configuration snapshots to the specified S3 bucket; AWS Config doesn't modify the lifecycle policies for objects in the S3 bucket. You can use lifecycle policies to specify whether you want to delete or archive objects to Amazon Glacier. For more information, see [Managing Lifecycle Configuration](https://docs.aws.amazon.com/AmazonS3/latest/userguide/LifecycleConfiguration.html) in the *Amazon Simple Storage Service User Guide*. You can also see the [Archiving Amazon S3 Data to Amazon Glacier](https://aws.amazon.com/blogs/aws/archive-s3-to-glacier/) blog post.

### Amazon SNS Topic


An Amazon Simple Notification Service (Amazon SNS) topic is a communication channel that Amazon SNS uses to deliver messages (or *notifications*) to subscribing endpoints, such as an email address or an application client. Other types of Amazon SNS notifications include push notification messages to apps on mobile phones, Short Message Service (SMS) notifications to SMS-enabled mobile phones and smart phones, and HTTP POST requests. For best results, use Amazon SQS as the notification endpoint for the SNS topic and then process the information in the notification programmatically.

AWS Config uses the Amazon SNS topic that you specify to send you notifications. The type of notification that you are receiving is indicated by the value for the `messageType` key in the message body, as in the following example:

```
"messageType": "ConfigurationHistoryDeliveryCompleted"
```

The notifications can be any of the following message types.


| **Message type** | **Description** | 
| --- | --- | 
| ComplianceChangeNotification | The compliance type of a resource that AWS Config evaluates has changed. The compliance type indicates whether the resource complies with a specific AWS Config rule, and it is represented by the ComplianceType key in the message. The message includes newEvaluationResult and oldEvaluationResult objects for comparison. | 
| ConfigRulesEvaluationStarted | AWS Config started evaluating your rule against the specified resources. | 
| ConfigurationSnapshotDeliveryStarted | AWS Config started delivering the configuration snapshot to your Amazon S3 bucket. The name of the Amazon S3 bucket is provided for the s3Bucket key in the message. | 
| ConfigurationSnapshotDeliveryCompleted | AWS Config successfully delivered the configuration snapshot to your Amazon S3 bucket. | 
| ConfigurationSnapshotDeliveryFailed | AWS Config failed to deliver the configuration snapshot to your Amazon S3 bucket. | 
| ConfigurationHistoryDeliveryCompleted | AWS Config successfully delivered the configuration history to your Amazon S3 bucket. | 
| ConfigurationItemChangeNotification | A resource has been created, deleted, or changed in configuration. This message includes the details of the configuration item that AWS Config creates for this change, and it includes the type of change. These notifications are delivered within minutes of a change and are collectively known as the configuration stream. | 
| OversizedConfigurationItemChangeNotification | This message type is delivered when a configuration item change notification exceeded the maximum size allowed by Amazon SNS. The message includes a summary of the configuration item. With the exception of SMS messages, Amazon SNS messages can contain up to 256 KB of text data, including XML, JSON, and unformatted text. You can view the complete notification in the specified Amazon S3 bucket location. | 
| OversizedConfigurationItemChangeDeliveryFailed | AWS Config failed to deliver the oversized configuration item change notification to your Amazon S3 bucket. | 

For example notifications, see [Notifications that AWS Config Sends to an Amazon SNS topic](notifications-for-AWS-Config.md). For more information about Amazon SNS, see the [Amazon Simple Notification Service Developer Guide](https://docs.aws.amazon.com/sns/latest/dg/).
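A consumer behind the recommended SNS-to-SQS subscription has to branch on `messageType` and must not treat an oversized notification's summary as the full configuration item. The following router is an added example, not code from the AWS documentation or an AWS sample. The messages are constructed: the outer object mimics the envelope SNS delivers to an SQS queue (the AWS Config payload is a JSON string in the `Message` field), and the inner field names (`newEvaluationResult`, `configurationItemDiff`, `configurationItemSummary`, `s3DeliverySummary`) follow the documented notification formats, with invented values. The `ALERT_ON` set and the action labels are this example's own policy.

```python
"""Route AWS Config notifications received from an SNS -> SQS subscription.

Added example for this page; not AWS code. SAMPLE_MESSAGES is constructed.
"""
import json

# Resource types whose configuration changes get a human look (example policy).
ALERT_ON = {"AWS::EC2::SecurityGroup", "AWS::IAM::Policy", "AWS::IAM::Role"}


def _envelope(payload):
    """Wrap an AWS Config payload the way SNS does for an SQS subscriber."""
    return json.dumps({
        "Type": "Notification",
        "TopicArn": "arn:aws:sns:us-east-1:123456789012:config-topic",
        "Message": json.dumps(payload),
    })


def _eval(compliance, rule, rtype, rid):
    return {"complianceType": compliance,
            "evaluationResultIdentifier": {"evaluationResultQualifier": {
                "configRuleName": rule, "resourceType": rtype, "resourceId": rid}}}


SAMPLE_MESSAGES = [
    _envelope({"messageType": "ComplianceChangeNotification",
               "awsAccountId": "123456789012",
               "newEvaluationResult": _eval("NON_COMPLIANT", "restricted-ssh",
                                            "AWS::EC2::SecurityGroup", "sg-ef678hk"),
               "oldEvaluationResult": _eval("COMPLIANT", "restricted-ssh",
                                            "AWS::EC2::SecurityGroup", "sg-ef678hk")}),
    _envelope({"messageType": "ConfigurationItemChangeNotification",
               "configurationItemDiff": {"changeType": "UPDATE"},
               "configurationItem": {"resourceType": "AWS::IAM::Policy",
                                     "resourceId": "ANPAEXAMPLEID0000001"}}),
    _envelope({"messageType": "OversizedConfigurationItemChangeNotification",
               "configurationItemSummary": {"resourceType": "AWS::IAM::Role",
                                            "resourceId": "AROAEXAMPLEID0000002",
                                            "changeType": "UPDATE"},
               "s3DeliverySummary": {"s3BucketLocation":
                                     "config-bucket/AWSLogs/123456789012/Config/"
                                     "us-east-1/2024/5/1/OversizedChangeNotification/"
                                     "AWS::IAM::Role/AROAEXAMPLEID0000002/example.json.gz"}}),
    _envelope({"messageType": "ConfigurationHistoryDeliveryCompleted"}),
]


def route(sqs_body):
    """Decide what to do with one queued notification; returns a small dict."""
    payload = json.loads(json.loads(sqs_body)["Message"])
    kind = payload["messageType"]
    if kind == "ComplianceChangeNotification":
        new = payload["newEvaluationResult"]
        old = payload.get("oldEvaluationResult") or {}   # null on first evaluation
        q = new["evaluationResultIdentifier"]["evaluationResultQualifier"]
        flipped = old.get("complianceType") != new["complianceType"]
        page = flipped and new["complianceType"] == "NON_COMPLIANT"
        return {"action": "page" if page else "record",
                "rule": q["configRuleName"], "resource": q["resourceId"]}
    if kind == "ConfigurationItemChangeNotification":
        ci = payload["configurationItem"]
        return {"action": "review" if ci["resourceType"] in ALERT_ON else "record",
                "resource": ci["resourceId"],
                "change": payload["configurationItemDiff"]["changeType"]}
    if kind == "OversizedConfigurationItemChangeNotification":
        # Only a summary is inline; the full configuration item is in S3.
        summary = payload["configurationItemSummary"]
        return {"action": "fetch_from_s3", "resource": summary["resourceId"],
                "location": payload["s3DeliverySummary"]["s3BucketLocation"]}
    return {"action": "ignore", "messageType": kind}


def handler(event, context=None):
    """Lambda entry point for an SQS event source: one decision per record."""
    return [route(record["body"]) for record in event["Records"]]


if __name__ == "__main__":
    for decision in handler({"Records": [{"body": m} for m in SAMPLE_MESSAGES]}):
        print(decision)
```

Paging only on a COMPLIANT to NON_COMPLIANT transition, rather than on every ComplianceChangeNotification, avoids alert storms when a rule is re-evaluated across many resources that are already known to be failing.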

**Note**  
**Why can't I see my latest configuration changes?**  
AWS Config usually records configuration changes to your resources right after a change is detected, or at the frequency that you specify. However, this is on a best-effort basis and can take longer at times. If issues persist after some time, contact [Support](https://aws.amazon.com/contact-us/) and provide your AWS Config metrics from Amazon CloudWatch. For information about these metrics, see [AWS Config Usage and Success Metrics](https://docs.aws.amazon.com/config/latest/developerguide/viewing-the-aws-config-dashboard.html). 

## Control Access to AWS Config


AWS Identity and Access Management is a web service that enables Amazon Web Services (AWS) customers to manage users and user permissions.

To provide access, add permissions to your users, groups, or roles:
+ Users and groups in AWS IAM Identity Center:

  Create a permission set. Follow the instructions in [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/howtocreatepermissionset.html) in the *AWS IAM Identity Center User Guide*.
+ Users managed in IAM through an identity provider:

  Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*.
+ IAM users:
  + Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.
  + (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.

# AWS Config terminology and concepts

To help you understand AWS Config, this topic explains some of the key concepts.

**Contents**
+ [AWS Config Interfaces](#config-concepts-manage)
  + [AWS Config Console](#config-concepts-console)
  + [AWS Config CLI](#config-concepts-cli)
  + [AWS Config APIs](#config-concepts-api)
  + [AWS Config SDKs](#config-concepts-sdk)
+ [Resource Management](#config-platform-concept)
  + [AWS Resources](#aws-resources)
  + [Resource Relationship](#resource-relationship)
+ [Configuration Recorder](#config-recorder)
+ [Delivery Channel](#delivery-channel)
  + [Configuration Items](#config-items)
  + [Configuration History](#config-history)
  + [Configuration Snapshot](#config-snapshot)
  + [Configuration Stream](#config-stream)
+ [AWS Config Rules](#aws-config-rules)
  + [Evaluation Results](#aws-config-managed-rules-evaluation-results)
  + [Rule Types](#aws-config-managed-rules-type)
  + [Trigger Types](#aws-config-rules-trigger)
  + [Evaluation modes](#aws-config-rules-proactive-detective)
+ [Conformance Packs](#aws-config-conformance-packs)
+ [Multi-Account Multi-Region Data Aggregation](#multi-account-multi-region-data-aggregation)
  + [Source Account](#source-accounts)
  + [Source Region](#source-region)
  + [Aggregator](#aggregator)
  + [Service-linked aggregator](#aggregator-service-linked)
  + [Aggregator Account](#aggregator-accounts)
  + [Authorization](#authorization)

## AWS Config Interfaces


### AWS Config Console


You can manage the service using the AWS Config console. For more information about the AWS Management Console, see [AWS Management Console](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/getting-started.html). 

### AWS Config CLI


The AWS Command Line Interface is a unified tool that you can use to interact with AWS Config from the command line. For more information, see the [AWS Command Line Interface User Guide](https://docs.aws.amazon.com/cli/latest/userguide/). For a complete list of AWS Config CLI commands, see [Available Commands](https://docs.aws.amazon.com/cli/latest/reference/configservice/index.html).

### AWS Config APIs


In addition to the console and the CLI, you can also use the AWS Config RESTful APIs to program AWS Config directly. For more information, see the [AWS Config API Reference](https://docs.aws.amazon.com/config/latest/APIReference/).

### AWS Config SDKs


As an alternative to using the AWS Config API, you can use one of the AWS SDKs. Each SDK consists of libraries and sample code for various programming languages and platforms. The SDKs provide a convenient way to create programmatic access to AWS Config. For example, you can use the SDKs to sign requests cryptographically, manage errors, and retry requests automatically. For more information, see the [Tools for Amazon Web Services](https://aws.amazon.com/tools/) page.

## Resource Management


Understanding the basic components of AWS Config will help you track resource inventory and changes and evaluate configurations of your AWS resources. 

### AWS Resources


*AWS resources* are entities that you create and manage using the AWS Management Console, the AWS Command Line Interface (CLI), the AWS SDKs, or AWS partner tools. Examples of AWS resources include Amazon EC2 instances, security groups, Amazon VPCs, and Amazon EBS volumes. AWS Config refers to each resource using its unique identifier, such as the resource ID or an [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/general/latest/gr/glos-chap.html#ARN). For a list of resource types that AWS Config supports, see [Supported Resource Types for AWS Config](resource-config-reference.md).

### Resource Relationship


AWS Config discovers AWS resources in your account and then creates a map of relationships between AWS resources. For example, a relationship might include an Amazon EBS volume `vol-123ab45d` attached to an Amazon EC2 instance `i-a1b2c3d4` that is associated with security group `sg-ef678hk`. 

For more information, see [Supported Resource Types for AWS Config](resource-config-reference.md).
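The relationship map is what the "Managing and Troubleshooting Configuration Changes" scenario relies on: before changing a resource, walk its relationships to see what else is affected. The following is an added example, not code from the AWS documentation. `SNAPSHOT_ITEMS` is a constructed excerpt shaped like the `configurationItems` array of a configuration snapshot, using the resource IDs from the paragraph above plus an invented VPC `vpc-0a1b2c3d`; the relationship names mirror the style AWS Config emits ("Is associated with Instance", "Is attached to Volume") but the data is invented.

```python
"""Walk resource relationships from an AWS Config snapshot.

Added example for this page; not AWS code. SNAPSHOT_ITEMS is constructed.
"""
from collections import deque


def _item(rtype, rid, relationships):
    return {
        "resourceType": rtype,
        "resourceId": rid,
        "relationships": [{"resourceType": t, "resourceId": r, "name": n}
                          for t, r, n in relationships],
    }


SNAPSHOT_ITEMS = [
    _item("AWS::EC2::SecurityGroup", "sg-ef678hk",
          [("AWS::EC2::Instance", "i-a1b2c3d4", "Is associated with Instance"),
           ("AWS::EC2::VPC", "vpc-0a1b2c3d", "Is contained in Vpc")]),
    _item("AWS::EC2::Instance", "i-a1b2c3d4",
          [("AWS::EC2::SecurityGroup", "sg-ef678hk", "Is associated with SecurityGroup"),
           ("AWS::EC2::Volume", "vol-123ab45d", "Is attached to Volume"),
           ("AWS::EC2::VPC", "vpc-0a1b2c3d", "Is contained in Vpc")]),
    _item("AWS::EC2::Volume", "vol-123ab45d",
          [("AWS::EC2::Instance", "i-a1b2c3d4", "Is attached to Instance")]),
    _item("AWS::EC2::VPC", "vpc-0a1b2c3d",
          [("AWS::EC2::Instance", "i-a1b2c3d4", "Contains Instance"),
           ("AWS::EC2::SecurityGroup", "sg-ef678hk", "Contains SecurityGroup")]),
]


def build_graph(items):
    """Return (adjacency, types): resourceId -> related IDs, resourceId -> type.

    Edges are added in both directions so a relationship recorded on only
    one side of a pair is still traversable.
    """
    graph, types = {}, {}
    for ci in items:
        rid = ci["resourceId"]
        types[rid] = ci["resourceType"]
        graph.setdefault(rid, set())
        for rel in ci.get("relationships", []):
            other = rel["resourceId"]
            types.setdefault(other, rel["resourceType"])
            graph[rid].add(other)
            graph.setdefault(other, set()).add(rid)
    return graph, types


def impacted(graph, types, start, max_depth=1, stop_types=()):
    """Breadth-first walk: resourceId -> hop distance, within `max_depth`.

    Nodes whose type is in `stop_types` are reported but not expanded. A VPC
    is related to nearly everything in it, so walking through it would make
    every resource in the account look impacted by one security-group edit.
    """
    seen = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        depth = seen[node]
        if depth >= max_depth or (node != start and types.get(node) in stop_types):
            continue
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen[nxt] = depth + 1
                queue.append(nxt)
    del seen[start]
    return seen


def change_impact(items, start, max_depth=2, stop_types=("AWS::EC2::VPC",)):
    """Sorted (resourceId, resourceType, depth) tuples affected by changing `start`."""
    graph, types = build_graph(items)
    hits = impacted(graph, types, start, max_depth, stop_types)
    return sorted(((rid, types.get(rid, "?"), d) for rid, d in hits.items()),
                  key=lambda t: (t[2], t[0]))


if __name__ == "__main__":
    for row in change_impact(SNAPSHOT_ITEMS, "sg-ef678hk"):
        print(row)
```

On a real snapshot the same walk tells you, for a security group about to be tightened, which instances (and through them which volumes, ENIs or load balancers) lose connectivity, which is the assessment the text describes.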

## Configuration Recorder


The *configuration recorder* stores the configuration changes to the resource types in scope as configuration items. For more information, see [Working with the configuration recorder](stop-start-recorder.md).

There are two types of configuration recorders.


| **Type** | **Description** | 
| --- | --- | 
| Customer managed configuration recorder | A configuration recorder that you manage. The resource types in scope are set by you. By default, a customer managed configuration recorder records all supported resources in the AWS Region where AWS Config is running. | 
| Service-linked configuration recorder | A configuration recorder that is linked to a specific AWS service. The resource types in scope are set by the linked service. | 

## Delivery Channel


As AWS Config continually records the changes that occur to your AWS resources, it sends notifications and updated configuration states through the *delivery channel*. You can manage the delivery channel to control where AWS Config sends configuration updates.

### Configuration Items


A *configuration item* represents a point-in-time view of the various attributes of a supported AWS resource that exists in your account. The components of a configuration item include metadata, attributes, relationships, current configuration, and related events. AWS Config creates a configuration item whenever it detects a change to a resource type that it is recording. For example, if AWS Config is recording Amazon S3 buckets, AWS Config creates a configuration item whenever a bucket is created, updated, or deleted. You can also select for AWS Config to create a configuration item at the recording frequency that you set.

For more information, see [Components of a Configuration Item](config-item-table.md) and [Recording Frequency](https://docs.aws.amazon.com/config/latest/developerguide/select-resources-recording-frequency.html).

### Configuration History


A *configuration history* is a collection of the configuration items for a given resource over any time period. A configuration history can help you answer questions about, for example, when the resource was first created, how the resource has been configured over the last month, and what configuration changes were introduced yesterday at 9 AM. The configuration history is available to you in multiple formats. AWS Config automatically delivers a configuration history file for each resource type that is being recorded to an Amazon S3 bucket that you specify. You can select a given resource in the AWS Config console and navigate to all previous configuration items for that resource using the timeline. Additionally, you can access the historical configuration items for a resource from the API.

For more information, see [Viewing Compliance History](https://docs.aws.amazon.com/config/latest/developerguide/view-manage-resource-console.html) and [Querying Compliance History](https://docs.aws.amazon.com/config/latest/developerguide/quering-resource-compliance-history.html).

### Configuration Snapshot


A *configuration snapshot* is a collection of the configuration items for the supported resources that exist in your account. This configuration snapshot is a complete picture of the resources that are being recorded and their configurations. The configuration snapshot can be a useful tool for validating your configuration. For example, you may want to examine the configuration snapshot regularly for resources that are configured incorrectly or that potentially should not exist. The configuration snapshot is available in multiple formats. You can have the configuration snapshot delivered to an Amazon Simple Storage Service (Amazon S3) bucket that you specify. Additionally, you can select a point in time in the AWS Config console and navigate through the snapshot of configuration items using the relationships between the resources.

For more information, see [Delivering Configuration Snapshots](https://docs.aws.amazon.com/config/latest/developerguide/deliver-snapshot-cli.html), [Viewing Configuration Snapshots](https://docs.aws.amazon.com/config/latest/developerguide/view-configuration-snapshot.html), and [Example Configuration Snapshot](https://docs.aws.amazon.com/config/latest/developerguide/example-s3-snapshot.html).

### Configuration Stream


A *configuration stream* is an automatically updated list of all configuration items for the resources that AWS Config is recording. Every time a resource is created, modified, or deleted, AWS Config creates a configuration item and adds it to the configuration stream. The configuration stream works by using an Amazon Simple Notification Service (Amazon SNS) topic of your choice. The configuration stream is helpful for observing configuration changes as they occur so that you can spot potential problems, generate notifications if certain resources are changed, or update external systems that need to reflect the configuration of your AWS resources. 

## AWS Config Rules


An AWS Config rule is a compliance check that helps you manage your ideal configuration settings for specific AWS resources. AWS Config evaluates whether your resource configurations comply with relevant rules and displays the compliance results.

### Evaluation Results


There are four possible evaluation results for an AWS Config rule.


| **Evaluation result** | **Description** | 
| --- | --- | 
| COMPLIANT | The resource passes the conditions of the compliance check. | 
| NON_COMPLIANT | The resource fails the conditions of the compliance check. | 
| ERROR | One of the required or optional parameters is not valid, is not of the correct type, or is formatted incorrectly. | 
| NOT_APPLICABLE | Used to filter out resources that the logic of the rule cannot be applied to. For example, the [alb-desync-mode-check](https://docs.aws.amazon.com/config/latest/developerguide/alb-desync-mode-check.html) rule only checks Application Load Balancers, and ignores Network Load Balancers and Gateway Load Balancers. | 

### Rule Types


There are two types of rules. For more information about the structure of rule definitions and rule metadata, see [Components of an AWS Config Rule](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_components.html).


| **Type** | **Description** | **More information** | 
| --- | --- | --- | 
| Managed rules | Predefined, customizable rules created by AWS Config. | For a list of managed rules, see [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). | 
| Custom rules | Rules that you create from scratch. There are two ways to create AWS Config custom rules: Lambda functions ([AWS Lambda Developer Guide](https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-concepts.html#gettingstarted-concepts-function)) and Guard ([Guard GitHub Repository](https://github.com/aws-cloudformation/cloudformation-guard)) | For more information, see [Creating AWS Config Custom Policy Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules_cfn-guard.html) and [Creating AWS Config Custom Lambda Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules_lambda-functions.html). | 
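A custom Lambda rule is where the four evaluation results above are produced by your own code: the function receives the configuration item, decides COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE, and reports back with `PutEvaluations`; an unhandled exception surfaces as ERROR. The following handler is an added example, not code from the AWS documentation or an AWS sample. The rule it implements, `ebs-volume-uses-approved-cmk` (an `AWS::EC2::Volume` is compliant only if it is encrypted with one of the KMS key ARNs listed in the rule parameter `approvedKeyArns`), and its parameter name are invented for this example. The event shape (`invokingEvent` and `ruleParameters` as JSON strings, `resultToken`) and the `put_evaluations` call are the documented Lambda rule contract; the volume configuration items and key ARNs are constructed.

```python
"""Evaluation logic for an AWS Config custom Lambda rule.

Added example for this page; not AWS code. The rule, its parameter and the
sample volumes are invented.
"""
import json

RULE_RESOURCE_TYPES = {"AWS::EC2::Volume"}


def parse_parameters(rule_parameters):
    """Validate parameters up front: a malformed parameter should fail the
    evaluation (AWS Config records ERROR) rather than silently pass resources."""
    params = json.loads(rule_parameters or "{}")
    keys = {k.strip() for k in params.get("approvedKeyArns", "").split(",") if k.strip()}
    if not keys or not all(k.startswith("arn:aws:kms:") for k in keys):
        raise ValueError("approvedKeyArns must be a comma-separated list of KMS key ARNs")
    return keys


def evaluate(configuration_item, approved_keys):
    """Return (complianceType, annotation) for one configuration item."""
    if configuration_item["resourceType"] not in RULE_RESOURCE_TYPES:
        return "NOT_APPLICABLE", "rule only evaluates EBS volumes"
    if configuration_item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "resource deleted"
    cfg = configuration_item["configuration"]
    if not cfg.get("encrypted"):
        return "NON_COMPLIANT", "volume is not encrypted"
    key = cfg.get("kmsKeyId")
    if key not in approved_keys:
        return "NON_COMPLIANT", f"encrypted with unapproved key {key}"
    return "COMPLIANT", "encrypted with an approved key"


def lambda_handler(event, context=None, config_client=None):
    """Entry point AWS Config invokes.

    `config_client` is injected so the logic runs offline; in Lambda pass
    boto3.client("config"). The evaluations list is returned for inspection.
    """
    invoking = json.loads(event["invokingEvent"])
    approved = parse_parameters(event.get("ruleParameters"))
    if invoking["messageType"] != "ConfigurationItemChangeNotification":
        # Oversized and scheduled invocations carry no full configuration item;
        # a rule handling them must fetch state through the AWS Config API.
        raise NotImplementedError(f"unsupported invocation: {invoking['messageType']}")
    ci = invoking["configurationItem"]
    compliance, note = evaluate(ci, approved)
    evaluations = [{
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }]
    if config_client is not None:
        config_client.put_evaluations(Evaluations=evaluations,
                                      ResultToken=event["resultToken"])
    return evaluations


# ---- constructed test fixtures -------------------------------------------
APPROVED = "arn:aws:kms:us-east-1:123456789012:key/11111111-1111-1111-1111-111111111111"
OTHER_KEY = "arn:aws:kms:us-east-1:123456789012:key/22222222-2222-2222-2222-222222222222"


def _volume(rid, encrypted, key=None, status="OK"):
    return {"resourceType": "AWS::EC2::Volume", "resourceId": rid,
            "configurationItemStatus": status,
            "configurationItemCaptureTime": "2024-05-01T10:00:00.000Z",
            "configuration": {"encrypted": encrypted, "kmsKeyId": key}}


GOOD = _volume("vol-0aaa", True, APPROVED)
BAD_KEY = _volume("vol-0bbb", True, OTHER_KEY)
PLAIN = _volume("vol-0ccc", False)
GONE = _volume("vol-0ddd", False, status="ResourceDeleted")


def make_event(configuration_item, approved_key_arns):
    """Build the event AWS Config would send for a configuration change."""
    return {"invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification",
                                         "configurationItem": configuration_item}),
            "ruleParameters": json.dumps({"approvedKeyArns": approved_key_arns}),
            "resultToken": "constructed-token"}


if __name__ == "__main__":
    for vol in (GOOD, BAD_KEY, PLAIN, GONE):
        print(lambda_handler(make_event(vol, APPROVED))[0]["ComplianceType"])
```

Returning NOT_APPLICABLE for a deleted resource matters: AWS Config still delivers a final configuration item with status `ResourceDeleted`, and a rule that evaluates its (empty) configuration as NON_COMPLIANT leaves a phantom finding that no remediation can clear.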

### Trigger Types


After you add a rule to your account, AWS Config compares your resources to the conditions of the rule. After this initial evaluation, AWS Config continues to run evaluations each time one is triggered. The evaluation triggers are defined as part of the rule, and they can include the following types.


| **Trigger type** | **Description** | 
| --- | --- | 
| Configuration changes | AWS Config runs evaluations for the rule when there is a resource that matches the rule's scope and there is a change in configuration of the resource. The evaluation runs after AWS Config sends a configuration item change notification. You choose which resources initiate the evaluation by defining the rule's *scope*. The scope can be one or more resource types, a combination of a resource type and a resource ID, a combination of a tag key and value, or any recorded resource. AWS Config runs the evaluation when it detects a change to a resource that matches the rule's scope. | 
| Periodic | AWS Config runs evaluations for the rule at a frequency that you choose; for example, every 24 hours. | 
| Hybrid | Some rules have both configuration change and periodic triggers. For these rules, AWS Config evaluates your resources when it detects a configuration change and also at the frequency that you specify.  | 

### Evaluation modes


There are two evaluation modes for AWS Config rules.


| **Evaluation mode** | **Description** | 
| --- | --- | 
| Proactive | Use proactive evaluation to evaluate resources before they have been deployed. This allows you to evaluate whether a set of resource properties, if used to define an AWS resource, would be COMPLIANT or NON_COMPLIANT given the set of proactive rules that you have in your account in your Region. For more information, see [Evaluation modes](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_components.html#evaluate-config_use-managed-rules-proactive-detective). For a list of managed rules that support proactive evaluation, see [List of AWS Config Managed Rules by Evaluation Mode](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-evaluation-mode.html).  | 
| Detective | Use detective evaluation to evaluate resources that have already been deployed. This allows you to evaluate the configuration settings of your existing resources. | 

**Note**  
Proactive rules do not remediate resources that are flagged as NON_COMPLIANT or prevent them from being deployed.

## Conformance Packs


A conformance pack is a collection of AWS Config rules and remediation actions that can be easily deployed as a single entity in an account and a Region or across an organization in AWS Organizations.

Conformance packs are created by authoring a YAML template that contains the list of AWS Config managed or custom rules and remediation actions. You can deploy the template by using the AWS Config console or the AWS CLI. 

To quickly get started and to evaluate your AWS environment, use one of the [sample conformance pack templates](https://docs.aws.amazon.com/config/latest/developerguide/conformancepack-sample-templates.html). You can also create a conformance pack YAML file from scratch based on [Custom Conformance Pack](https://docs.aws.amazon.com/config/latest/developerguide/custom-conformance-pack.html). A custom conformance pack is a unique collection of AWS Config rules and remediation actions that you can deploy together in an account and an AWS Region, or across an organization in AWS Organizations.

**Process checks** are a type of AWS Config rule that lets you track external and internal tasks that require verification as part of a conformance pack. These checks can be added to an existing conformance pack or to a new one. This lets you track all compliance, including AWS configuration checks and manual checks, in a single location. 
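The trigger types from the table above and the building blocks of a conformance pack (managed rules, a process check, a remediation action) together in one custom template. This is an added example written for this page, not one of the AWS sample templates; the rule names, the resource names and the remediation role ARN placeholder are assumptions.

```yaml
# Added example conformance pack template (not an AWS sample template).
# The role ARN is a placeholder; replace it before deploying.
Resources:

  # Configuration-change trigger: evaluated when an EBS volume in scope changes.
  EncryptedVolumes:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: encrypted-volumes
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Volume
      Source:
        Owner: AWS
        SourceIdentifier: ENCRYPTED_VOLUMES

  # Periodic trigger: no configuration item is involved; runs every 24 hours.
  IamRootAccessKeyCheck:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: iam-root-access-key-check
      MaximumExecutionFrequency: TwentyFour_Hours
      Source:
        Owner: AWS
        SourceIdentifier: IAM_ROOT_ACCESS_KEY_CHECK

  # Hybrid trigger: evaluated on bucket changes and at the chosen frequency.
  S3BucketPublicReadProhibited:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: s3-bucket-public-read-prohibited
      MaximumExecutionFrequency: TwentyFour_Hours
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED

  # Process check: a manual task tracked next to the automated rules; its
  # compliance state is set by hand, not derived from a configuration item.
  QuarterlyAccessReviewCompleted:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: quarterly-iam-access-review-completed
      Description: Attestation that the quarterly IAM access review was completed.
      Source:
        Owner: AWS
        SourceIdentifier: AWS_CONFIG_PROCESS_CHECK

  # Remediation bound to the S3 rule. Automatic: false keeps it manual, so a
  # NON_COMPLIANT bucket is changed only after an operator approves the action.
  S3BucketPublicReadProhibitedRemediation:
    DependsOn: S3BucketPublicReadProhibited
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: s3-bucket-public-read-prohibited
      ResourceType: AWS::S3::Bucket
      TargetType: SSM_DOCUMENT
      TargetId: AWS-DisableS3BucketPublicReadWrite
      Automatic: false
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - arn:aws:iam::111122223333:role/PLACEHOLDER-ConfigRemediationRole
        S3BucketName:
          ResourceValue:
            Value: RESOURCE_ID
```

The template can be deployed from the AWS Config console or with `aws configservice put-conformance-pack`; its four rules count toward the per-Region rule limit described under Service Limits.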

## Multi-Account Multi-Region Data Aggregation

Multi-account multi-region data aggregation in AWS Config allows you to aggregate AWS Config configuration and compliance data from multiple accounts and regions into a single account. Multi-account multi-region data aggregation is useful for central IT administrators to monitor compliance for multiple AWS accounts in the enterprise. Using aggregators does not incur any additional costs.

### Source Account


A source account is the AWS account from which you want to aggregate AWS Config resource configuration and compliance data. A source account can be an individual account or an organization in AWS Organizations. You can provide source accounts individually or you can retrieve them through AWS Organizations.

### Source Region


A source region is the AWS Region from which you want to aggregate AWS Config configuration and compliance data.

### Aggregator


An aggregator collects AWS Config configuration and compliance data from multiple source accounts and regions. Create an aggregator in the region where you want to see the aggregated AWS Config configuration and compliance data. 

**Note**  
Aggregators provide a *read-only view* into the source accounts and regions that the aggregator is authorized to view by replicating data from the source accounts into the aggregator account. Aggregators do not provide mutating access into a source account or region. For example, this means that you cannot deploy rules through an aggregator or push snapshot files to a source account or region through an aggregator.

### Service-linked aggregator


A service-linked aggregator is linked to a specific AWS service. The configuration and compliance data in scope are set by the linked service.

### Aggregator Account


An aggregator account is an account where you create an aggregator.

### Authorization


As a source account owner, authorization refers to the permissions you grant to an aggregator account and region to collect your AWS Config configuration and compliance data. Authorization is not required if you are aggregating source accounts that are part of AWS Organizations.

# AWS Service Integrations with AWS Config

AWS Config supports integrations with several other AWS services. This list is non-exhaustive.

## AWS Organizations


You can use AWS Organizations to define the accounts to use for AWS Config’s multi-account, multi-Region data aggregation capability. AWS Organizations is an account management service that helps you consolidate multiple AWS accounts into an organization that you create and centrally manage. By providing your AWS Organizations details, you can monitor the compliance status across your organization. For more information, see [AWS Config and AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-config.html) in the *AWS Organizations User Guide*. 

## AWS Control Tower


AWS Control Tower enables AWS Config on all enrolled accounts, so that it can monitor compliance through detective controls, record resource changes, and deliver resource change logs to the log archive account. For more information, see [Monitor resource changes with AWS Config](https://docs.aws.amazon.com/controltower/latest/userguide/monitoring-with-config.html) in the *AWS Control Tower User Guide*. 

## AWS CloudTrail


AWS Config integrates with AWS CloudTrail to correlate configuration changes to particular events in your account. You can use the CloudTrail logs to obtain the details of the event that invoked the change, including who made the request, at what time, and from which IP address. You can navigate to the AWS Config timeline from the CloudTrail console to view the configuration changes related to your AWS API activities.

 For more information, see [Logging AWS Config API Calls with AWS CloudTrail](https://docs.aws.amazon.com/config/latest/developerguide/log-api-calls.html) in the *AWS Config Developer Guide* and [Create an event data store for AWS Config configuration items with the console](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-event-data-store-config.html) in the *AWS CloudTrail User Guide*. 

## AWS Security Hub CSPM


AWS Security Hub CSPM centralizes security checks from other AWS services, including AWS Config rules. Security Hub enables and controls AWS Config rules to verify your resource configurations are aligned to best practices. Enable AWS Config on all accounts in all Regions where Security Hub CSPM is to run security checks on your environment’s resources. For more information, see [AWS services that send findings to Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-internal-providers.html#integrations-internal-send) in the *AWS Security Hub CSPM User Guide*. 

**Some Security Hub CSPM-related rules are periodic and do not depend on configuration items**  
Some Security Hub CSPM-related rules are periodic. These rules can run without the configuration recorder being enabled and do not depend on configuration items (CIs).  
This means that if you view the rule page, there is no listed CI or supported resource. If you select the resource ID, you will see the following error: `The provided resource ID and resource type cannot be found`. This is expected behavior.

## AWS Trusted Advisor


AWS Config managed rules power a set of Trusted Advisor checks across all categories. When you enable certain managed rules, the corresponding Trusted Advisor checks are automatically enabled. To see which Trusted Advisor checks are powered by specific AWS Config managed rules, see [AWS Trusted Advisor check reference](https://docs.aws.amazon.com/awssupport/latest/user/trusted-advisor-check-reference.html) in the *AWS Support User Guide*.

The AWS Config powered checks are available to customers with [AWS Business Support](https://aws.amazon.com/premiumsupport/plans/business/), [AWS Enterprise On-Ramp](https://aws.amazon.com/premiumsupport/plans/enterprise-onramp/), and [AWS Enterprise Support](https://aws.amazon.com/premiumsupport/plans/enterprise/) plans. If you enable AWS Config and you have one of these AWS Support plans, then you automatically see recommendations powered by corresponding deployed AWS Config managed rules. 

**Refresh requests are not allowed and resources cannot be excluded**  
Results for these checks are automatically refreshed based on change-triggered updates to AWS Config managed rules. Refresh requests are not allowed. Currently, you can’t exclude resources from these checks.

For more information, see [View Trusted Advisor checks powered by AWS Config](https://docs.aws.amazon.com/systems-manager/latest/userguide/integrations-aws.html#integrations-aws-management-governance) in the *AWS Support User Guide*. 

## AWS Audit Manager


You can use Audit Manager to capture AWS Config evaluations as evidence for audits. When you create or edit a custom control, you can specify one or more AWS Config rules as a data source mapping for evidence collection. AWS Config performs compliance checks based on these rules, and Audit Manager reports the results as compliance check evidence. For more information, see [AWS Config Rules supported by AWS Audit Manager](https://docs.aws.amazon.com/audit-manager/latest/userguide/control-data-sources-config.html) in the *AWS Audit Manager User Guide*. 

## AWS Systems Manager


AWS Config integrates with Systems Manager to record configuration changes to software on your Amazon EC2 instances and servers in your on-premises environment. With this integration, you can gain visibility into operating system (OS) configurations, system-level updates, installed applications, network configuration, and more. AWS Config also provides a history of OS and system-level configuration changes alongside infrastructure configuration changes recorded for Amazon EC2 instances. You can navigate to the AWS Config timeline from the Systems Manager console to view the configuration changes of your managed Amazon EC2 instances. You can use AWS Config to view Systems Manager inventory history and track changes for all your managed instances.

For more information, see [Integration with AWS services - Management and Governance](https://docs.aws.amazon.com/systems-manager/latest/userguide/integrations-aws.html#integrations-aws-management-governance), [AWS Config configuration recorder](https://docs.aws.amazon.com/systems-manager/latest/userguide/quick-setup-config.html), and [AWS Config conformance pack deployment](https://docs.aws.amazon.com/systems-manager/latest/userguide/quick-setup-cpack.html) in the *AWS Systems Manager User Guide*. 

## AWS Firewall Manager


To use Firewall Manager, you must enable AWS Config for each of your AWS Organizations member accounts. When new applications are created, Firewall Manager is the single service to build firewall rules, create security policies, and enforce them consistently. For more information, see [Enable AWS Config](https://docs.aws.amazon.com/waf/latest/developerguide/enable-config.html) in the *AWS WAF, AWS Firewall Manager, and AWS Shield Advanced Developer Guide*. 

**Note**  
Firewall Manager depends on continuous recording to monitor your resources. If you are using Firewall Manager, it is recommended that you set the recording frequency to Continuous. For more information on continuous recording and daily recording, see [Recording Frequency](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html#select-resources-recording-frequency).

## Amazon EC2 Dedicated Hosts


AWS Config integrates with Amazon EC2 Dedicated Hosts to assess license compliance. AWS Config records when instances are launched, stopped, or shut down on a Dedicated Host, and pairs this information with host and instance level information relevant to software licensing, such as Host ID, Amazon Machine Image (AMI) IDs, number of sockets, and physical cores. This helps you use AWS Config as a data source for your license reporting. You can navigate to the AWS Config timeline from the Amazon EC2 Dedicated Hosts console to view the configuration changes of your Amazon EC2 Dedicated Hosts.

For more information, see [Track configuration changes](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/dedicated-hosts-aws-config.html) in the *Amazon Elastic Compute Cloud User Guide for Linux Instances* or [Track configuration changes](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/dedicated-hosts-aws-config.html) in the *Amazon Elastic Compute Cloud User Guide for Windows Instances*. 

## Application Load Balancers


 AWS Config integrates with the Elastic Load Balancing (ELB) service to record configuration changes to Application Load Balancers. AWS Config also includes relationships with associated Amazon EC2 security groups, VPCs, and subnets. You can use this information for security analysis and troubleshooting. For example, you can check which security groups are associated with your Application Load Balancer at any point in time. You can navigate to the AWS Config timeline from the ELB console to view the configuration changes of your Application Load Balancers. 

## AWS CodeBuild


AWS Config provides an inventory of your AWS resources and a history of configuration changes to these resources. AWS Config supports AWS CodeBuild as an AWS resource, which means the service can track your CodeBuild projects. For more information, see [Use AWS Config with CodeBuild sample](https://docs.aws.amazon.com/codebuild/latest/userguide/how-to-integrate-config.html) in the *AWS CodeBuild User Guide*.

## AWS X-Ray


AWS X-Ray integrates with AWS Config to record configuration changes made to your X-Ray encryption resources. You can use AWS Config to inventory X-Ray encryption resources, audit the X-Ray configuration history, and send notifications based on resource changes. For more information, see [Tracking X-Ray encryption configuration changes with AWS Config](https://docs.aws.amazon.com/xray/latest/devguide/xray-api-config.html) in the *AWS X-Ray Developer Guide*.

## AWS Service Management Connector


The AWS Service Management Connector for ServiceNow can synchronize AWS Config data from multiple accounts and Regions using an Aggregator. For more information, see [Integrating AWS Config in ServiceNow](https://docs.aws.amazon.com/smc/latest/ag/sn-configue-config.html) in the *AWS Service Management Connector Administrator Guide*.

## Amazon API Gateway


You can use AWS Config to record configuration changes made to your API Gateway API resources and send notifications based on resource changes. Maintaining a configuration change history for API Gateway resources is useful for operational troubleshooting, audit, and compliance use cases. For more information, see [Monitoring API Gateway API configuration with AWS Config](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-config.html) in the *API Gateway Developer Guide*.

# Region Support for AWS Config

## Considerations


Some features of AWS Config are only supported in a subset of the AWS Regions where AWS Config is supported.

**Resource Management**
+ For a list of which AWS resource types are supported in which Regions, see [Resource Coverage by Region Availability](https://docs.aws.amazon.com/config/latest/developerguide/what-is-resource-config-coverage.html).

**AWS Config Rules**
+ For a list of which AWS Config rules are supported in which Regions, see [List of AWS Config Managed Rules by Region Availability](https://docs.aws.amazon.com/config/latest/developerguide/managing-rules-by-region-availability.html).
+ For a list of Regions which support the organizational deployment of AWS Config rules, see [Organizational Rules - Region Support](https://docs.aws.amazon.com/config/latest/developerguide/config-rule-multi-account-deployment.html#region-support-org-config-rules).

**Conformance Packs**
+ For a list of Regions which support conformance packs and the organizational deployment of conformance packs, see [Conformance Packs - Region Support](https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html#conformance-packs-regions).

**Remediation**
+ For a list of Regions which support remediation actions for AWS Config rules, see [Remediation Actions - Region Support](https://docs.aws.amazon.com/config/latest/developerguide/remediation.html#region-support-config-remediation).

**Aggregators**
+ For a list of Regions which support aggregators, see [Aggregators - Region Support](https://docs.aws.amazon.com/config/latest/developerguide/aggregate-data.html#aggregation-regions).

**Advanced Queries**
+ For a list of Regions which support advanced queries, see [Advanced Queries - Region Support](https://docs.aws.amazon.com/config/latest/developerguide/querying-AWS-resources.html#query-regionsupport).
+ For a list of Regions which support the natural language query processor for advanced queries, see [Natural language query processor for advanced queries - Region Support](https://docs.aws.amazon.com/config/latest/developerguide/query-assistant.html#query-assistant-region-support).

## List of Supported Regions


The following table lists the AWS Regions where you can enable AWS Config.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/config-region-support.html)

# Service Limits for AWS Config

The following table describes limits within AWS Config. Unless noted otherwise, the quotas can be increased upon request. You can [request a quota increase](https://console.aws.amazon.com/servicequotas/home).

For information about other limits in AWS, see [AWS Service Limits](https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html). 


**Resource tags**  

| Description | Limit Value | Can be increased | 
| --- | --- | --- | 
| Maximum number of tags per resource | 50 | No | 


**AWS Config rules**  

| Description | Limit Value | Can be increased | 
| --- | --- | --- | 
| Maximum number of AWS Config Rules per Region per account | 1000 | No | 


**Single Account Conformance Packs**  

| Description | Limit Value | Can be increased | 
| --- | --- | --- | 
| Maximum number of conformance packs per account | 50 | No | 
| Maximum number of AWS Config Rules per conformance pack | 130 | No | 

**Note**  
AWS Config rules in conformance packs count in the limit for the Maximum number of AWS Config Rules per Region per account.


**Organization Conformance Packs**  

| Description | Limit Value | Can be increased | 
| --- | --- | --- | 
| Maximum number of conformance packs per organization | 50 | No | 
| Maximum number of AWS Config Rules per organization conformance pack | 130 | No | 

**Note**  
Deploying at the organization level counts in the limit for child accounts. AWS Config rules in conformance packs count in the limit for the Maximum number of AWS Config Rules per Region per account.


**Aggregators**  

| Description | Limit Value | Can be increased | 
| --- | --- | --- | 
| Maximum number of configuration aggregators | 50 | Yes | 
| Maximum number of accounts in an aggregator | 10000 | No | 
| Maximum number of accounts added or deleted per week for all aggregators | 1000 | Yes | 

**Note**  
Organization level aggregators and individual account aggregators both count in the limit for the Maximum number of configuration aggregators.


**Advanced queries**  

| Description | Limit Value | Can be increased | 
| --- | --- | --- | 
| Maximum number of saved queries in a single account and a Region | 300 | Yes | 

# Supplemental Information and Related Resources for AWS Config

The following related resources can help you as you work with this service.
+ **[AWS Config](https://aws.amazon.com/config/)** – The primary web page for information about AWS Config.
+ **[AWS Config Pricing](https://aws.amazon.com/config/pricing)**
+ **[Technical FAQ](https://aws.amazon.com/config/faq/)**
+ **[AWS Config Rule Development Kit (RDK)](https://rdk.readthedocs.io/en/latest/)** – An open-source tool that helps you set up AWS Config, author rules, and then test them using a variety of AWS resource types.
+ **[Partners](https://aws.amazon.com/config/partners/)** – Links to partner products that are fully integrated with AWS Config to help you visualize, monitor, and manage the data from your configuration stream, configuration snapshots, or configuration history.
+ [Classes & Workshops](https://aws.amazon.com/training/course-descriptions/) – Links to role-based and specialty courses, in addition to self-paced labs to help sharpen your AWS skills and gain practical experience.
+ [AWS Developer Center](https://aws.amazon.com/developer/?ref=docs_id=res1) – Explore tutorials, download tools, and learn about AWS developer events.
+ [AWS Developer Tools](https://aws.amazon.com/developer/tools/?ref=docs_id=res1) – Links to developer tools, SDKs, IDE toolkits, and command line tools for developing and managing AWS applications.
+ [Getting Started Resource Center](https://aws.amazon.com/getting-started/?ref=docs_id=res1) – Learn how to set up your AWS account, join the AWS community, and launch your first application.
+ [Hands-On Tutorials](https://aws.amazon.com/getting-started/hands-on/?ref=docs_id=res1) – Follow step-by-step tutorials to launch your first application on AWS.
+ [AWS Whitepapers](https://aws.amazon.com/whitepapers/) – Links to a comprehensive list of technical AWS whitepapers, covering topics such as architecture, security, and economics, authored by AWS Solutions Architects or other technical experts.
+ [AWS Support Center](https://console.aws.amazon.com/support/home#/) – The hub for creating and managing your AWS Support cases. Also includes links to other helpful resources, such as forums, technical FAQs, service health status, and AWS Trusted Advisor.
+ [Support](https://aws.amazon.com/premiumsupport/) – The primary webpage for information about Support, a one-on-one, fast-response support channel to help you build and run applications in the cloud.
+ [Contact Us](https://aws.amazon.com/contact-us/) – A central contact point for inquiries concerning AWS billing, account, events, abuse, and other issues. 
+ [AWS Site Terms](https://aws.amazon.com/terms/) – Detailed information about our copyright and trademark; your account, license, and site access; and other topics.

## AWS Software Development Kits for AWS Config


An AWS software development kit (SDK) makes it easier to build applications that access cost-effective, scalable, and reliable AWS infrastructure services. With AWS SDKs, you can get started in minutes with a single, downloadable package that includes the library, code samples, and reference documentation. The following table lists the available SDKs and third-party libraries you can use to access AWS Config programmatically. 



| Type of Access | Description | 
| --- | --- | 
|  AWS SDKs  |  AWS provides the following SDKs: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/cloudconfig-resources.html)  | 
|  Third-party libraries  |  Developers in the AWS developer community also provide their own libraries, which you can find at the following AWS developer centers: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/cloudconfig-resources.html)  | 