Frequently Asked Questions - AWS Config

Frequently Asked Questions

Changes to AWS Config Resource Relationships

What is the new change in the AWS Config Resource Relationships?

To reduce the number of resource changes recorded, AWS Config is releasing an update on December 15, 2021 to the relationships modeled within ConfigurationItems (CIs) for seven Amazon EC2 resource types. The update changes the CI models for the Amazon EC2 instance, security group, network interface, subnet, VPC, VPN gateway, and customer gateway resource types to record only direct relationships and to deprecate indirect relationships.

What is a direct and an indirect relationship with respect to a resource?

A direct relationship is a one-way relationship (A -> B) between a resource A and another resource B, and is typically derived from the Describe API response for resource A. An indirect relationship is the reverse relationship (B -> A) that AWS Config infers in order to make the relationship bidirectional. For example, Amazon EC2 instance -> security group is a direct relationship, because security groups are returned in the Describe API response for an Amazon EC2 instance. Security group -> Amazon EC2 instance is an indirect relationship, because Amazon EC2 instances are not returned when describing a security group.

What is the benefit of this change to AWS Config subscribers?

Because indirect relationships are no longer recorded, fewer configuration items are produced for relationship changes: for example, launching or terminating an instance no longer produces a new configuration item for each security group, subnet and VPC that the instance references. This helps contain AWS Config costs, especially for ephemeral workloads with a high volume of configuration changes to Amazon EC2 resource types.

Which resource relationships are being removed?

The following resource relationships will be deprecated.

Resource Type                Deprecated indirect relationship with resource type(s)
AWS::EC2::CustomerGateway    AWS::EC2::VPNConnection
AWS::EC2::Instance           AWS::EC2::EIP, AWS::EC2::RouteTable
AWS::EC2::NetworkInterface   AWS::EC2::EIP, AWS::EC2::RouteTable
AWS::EC2::SecurityGroup      AWS::EC2::Instance, AWS::EC2::NetworkInterface
AWS::EC2::Subnet             AWS::EC2::Instance, AWS::EC2::NetworkACL, AWS::EC2::NetworkInterface, AWS::EC2::RouteTable
AWS::EC2::VPC                AWS::EC2::Instance, AWS::EC2::InternetGateway, AWS::EC2::NetworkACL, AWS::EC2::NetworkInterface, AWS::EC2::RouteTable, AWS::EC2::Subnet, AWS::EC2::VPNGateway, AWS::EC2::SecurityGroup
AWS::EC2::VPNGateway         AWS::EC2::RouteTable, AWS::EC2::VPNConnection

How are the AWS Config managed rules affected?

AWS Config managed rules that trigger on one of the resource types listed above will be updated by the AWS Config team. If you have not defined tags for these rules, no action is needed on your part. If tags are defined, you might need to update the tags on your managed rules.

What is the exact impact for custom AWS Config rules that use configuration trigger for these resource types?

If your custom rule is not triggered by any of the resource types in the table above, no action is required. If your rule triggers on one of those resource types, examine the rule to determine whether its compliance decision depends on information from a related resource whose relationship is listed in the table. Because the indirect relationships in the table are no longer tracked, a change to the related resource will no longer produce a configuration item for, and therefore no longer re-trigger the rule on, the resource you evaluate. If that information is essential to your rule's logic, add the related resource type as an additional configuration trigger, or look it up with an advanced query.

Should I expect a delay in reporting evaluation results for a managed rule with configuration changes?

Any managed rule affected by this change will be updated. You should not experience any delay in reporting evaluation results for a managed rule with configuration changes.

What is the impact on AWS Firewall Management Service Rules?

Three AWS Firewall Management Service rules are affected by this change; the AWS Firewall Management Service team is expected to update them. The affected rules are:

  • FMS_SECURITY_GROUP_CONTENT_CHECK

  • FMS_SECURITY_GROUP_AUDIT_POLICY_CHECK

  • FMS_SECURITY_GROUP_RESOURCE_ASSOCIATION_CHECK

What is the impact on historical data? Would it still display details about indirect relationships?

Indirect relationships will be available in historical ConfigurationItems recorded before they are deprecated, but will not be available in ConfigurationItems recorded after deprecation.

Is there a change in the output generated by GetResourceConfigHistory API?

The models used in the GetResourceConfigHistory API are not changed and there is no change to the data returned for ConfigurationItems recorded prior to deprecation. ConfigurationItems recorded after deprecation no longer include the indirect relationships in the Relationships field.

Is there any change in the resource schema of a Configuration Item?

There is no change to the schema of the data in the configuration field in the Configuration Item. The only change is that the relationships field in the Configuration Item will no longer include the specified indirect relationships.

Are there other alternatives to retrieve indirect relationships?

With advanced queries you can run Structured Query Language (SQL) style queries against the recorded configuration data, and recover a deprecated indirect relationship by querying the direct relationship from the other side. For example, to retrieve the list of EC2 instances related to a security group, query the instances whose relationships name that security group:

SELECT resourceId, resourceType WHERE resourceType = 'AWS::EC2::Instance' AND relationships.resourceId = 'sg-234213'

Sample relationship queries are available here: Example Queries
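The following Python sketch is an added example, not AWS code and not part of the original FAQ. It puts the two recommendations above (the custom-rule guidance and the advanced-query alternative) in one place: a custom rule triggered by AWS::EC2::SecurityGroup configuration changes that still needs to know which instances use the group, and so asks the advanced query API for the direct Instance -> SecurityGroup relationship instead of reading the deprecated Security Group -> Instance entry from the item's relationships field. The compliance logic (flag a group whose SSH port is open to 0.0.0.0/0 only when it is actually attached to an instance), the sample configuration item, the instance IDs and the offline `fake_select_resource_config` stand-in are all constructed for the example; the only real API shapes assumed are those of boto3's `select_resource_config` and `put_evaluations`.

```python
import json
import re

# Resource types named on this page. Everything below is a constructed
# example, not AWS code; the rule's compliance logic is hypothetical.
SG_TYPE = "AWS::EC2::SecurityGroup"
INSTANCE_TYPE = "AWS::EC2::Instance"
SG_ID_RE = re.compile(r"^sg-[0-9a-f]{8,17}$")


def related_instances_query(sg_id):
    """Advanced query, in the form the FAQ gives, for the instances whose
    direct (still recorded) relationships name sg_id. Advanced queries have
    no parameter binding, so the untrusted value is validated, not quoted."""
    if not SG_ID_RE.match(sg_id):
        raise ValueError(f"not a security group id: {sg_id!r}")
    return ("SELECT resourceId, resourceType "
            f"WHERE resourceType = '{INSTANCE_TYPE}' "
            f"AND relationships.resourceId = '{sg_id}'")


def related_instance_ids(sg_id, select_resource_config):
    """Run the query and follow NextToken pages. select_resource_config has the
    shape of boto3's select_resource_config (Results are JSON strings)."""
    ids, kwargs = [], {"Expression": related_instances_query(sg_id), "Limit": 100}
    while True:
        page = select_resource_config(**kwargs)
        ids.extend(json.loads(row)["resourceId"] for row in page.get("Results", []))
        if not page.get("NextToken"):
            return sorted(set(ids))
        kwargs["NextToken"] = page["NextToken"]


def world_open_ssh(sg_configuration):
    """True if an ingress rule admits 0.0.0.0/0 on TCP/22 or on all traffic;
    accepts both CIDR encodings (ipRanges, ipv4Ranges) an SG item may carry."""
    for perm in sg_configuration.get("ipPermissions", []):
        proto, lo, hi = perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort")
        covers_22 = proto == "-1" or (
            proto == "tcp" and lo is not None and hi is not None and lo <= 22 <= hi)
        cidrs = set(perm.get("ipRanges") or []) | {
            r.get("cidrIp") for r in perm.get("ipv4Ranges") or []}
        if covers_22 and "0.0.0.0/0" in cidrs:
            return True
    return False


def evaluate_security_group(invoking_event, select_resource_config):
    """Evaluation for a rule triggered by SG changes. The SG item no longer lists
    the instances using it, so ask the advanced query API, not ci["relationships"]."""
    ci = invoking_event["configurationItem"]
    if ci["resourceType"] != SG_TYPE:
        raise ValueError("this rule only evaluates security groups")
    if ci.get("configurationItemStatus") == "ResourceDeleted":
        compliance, note = "NOT_APPLICABLE", "security group deleted"
    else:
        instances = related_instance_ids(ci["resourceId"], select_resource_config)
        if instances and world_open_ssh(ci["configuration"]):
            compliance = "NON_COMPLIANT"
            note = "SSH open to 0.0.0.0/0 and attached to " + ", ".join(instances)
        else:
            compliance, note = "COMPLIANT", "unattached or SSH not world-open"
    return {"ComplianceResourceType": SG_TYPE,
            "ComplianceResourceId": ci["resourceId"],
            "ComplianceType": compliance,
            "Annotation": note[:256],
            "OrderingTimestamp": ci["configurationItemCaptureTime"]}


# Constructed offline stand-ins. After deprecation the instance items still
# carry Instance -> SecurityGroup; the SG item carries no instance list.
SAMPLE_SG_ID = "sg-0123456789abcdef0"
SAMPLE_INSTANCE_ROWS = [
    json.dumps({"resourceId": "i-0aaa111122223333a", "resourceType": INSTANCE_TYPE}),
    json.dumps({"resourceId": "i-0bbb111122223333b", "resourceType": INSTANCE_TYPE}),
]
SAMPLE_EVENT = {"configurationItem": {
    "resourceType": SG_TYPE, "resourceId": SAMPLE_SG_ID,
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2021-12-16T10:00:00.000Z",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": ["0.0.0.0/0"], "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}]}}}


def fake_select_resource_config(Expression, Limit=100, NextToken=None):
    """Replays the constructed rows one per page to exercise the paging loop."""
    if f"'{SAMPLE_SG_ID}'" not in Expression:
        return {"Results": []}
    idx = int(NextToken or 0)
    page = {"Results": SAMPLE_INSTANCE_ROWS[idx:idx + 1]}
    if idx + 1 < len(SAMPLE_INSTANCE_ROWS):
        page["NextToken"] = str(idx + 1)
    return page


if __name__ == "__main__":
    print(json.dumps(evaluate_security_group(SAMPLE_EVENT, fake_select_resource_config), indent=2))
```

In a Lambda-backed rule you would pass `boto3.client("config").select_resource_config` in place of the fake, parse the invoking event from `event["invokingEvent"]`, and hand the returned dict to `put_evaluations` together with the event's `resultToken`. Two points worth keeping from the sketch: the advanced query language has no parameter binding, so even though the security group ID comes from the configuration item rather than from a user, it is validated before being interpolated; and the rule pages through `NextToken`, because a widely shared security group can be referenced by more instances than one page returns.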