Frequently Asked Questions - AWS Config

Frequently Asked Questions

Changes to AWS Config Resource Relationships

What is the new change in the AWS Config Resource Relationships?

To optimize the number of resource changes recorded, AWS Config is releasing an update to the relationships modeled within Configuration Items (CIs) for seven Amazon EC2 resource types. The update changes the CI models for the Amazon EC2 instance, security group, network interface, subnet, VPC, VPN gateway, and customer gateway resource types so that they record direct relationships and deprecate indirect relationships.

What is a direct and an indirect relationship with respect to a resource?

A direct relationship is a one-way relationship (A->B) between a resource (A) and another resource (B), and is typically derived from the Describe API response for resource (A). An indirect relationship, on the other hand, is one that AWS Config infers (B->A) in order to create a bidirectional relationship. For example, Amazon EC2 instance -> Security Group is a direct relationship, since security groups are returned as part of the Describe API response for an Amazon EC2 instance. But Security Group -> Amazon EC2 instance is an indirect relationship, since Amazon EC2 instances are not returned when describing an Amazon EC2 security group.

What is the benefit of this change to AWS Config subscribers?

By deprecating indirect relationships, fewer configuration items are produced for relationship changes. This can help contain AWS Config costs, especially for ephemeral workloads, where there is a high volume of configuration changes for Amazon EC2 resource types.

Which resource relationships are being removed?

The following resource relationships will be deprecated.

Resource Type                Indirect relationship with resource type(s)
AWS::EC2::CustomerGateway    AWS::VPN::Connection
AWS::EC2::Instance           AWS::EC2::EIP, AWS::EC2::RouteTable
AWS::EC2::NetworkInterface   AWS::EC2::EIP, AWS::EC2::RouteTable
AWS::EC2::SecurityGroup      AWS::EC2::Instance, AWS::EC2::NetworkInterface
AWS::EC2::Subnet             AWS::EC2::Instance, AWS::EC2::NetworkACL, AWS::EC2::NetworkInterface, AWS::EC2::RouteTable
AWS::EC2::VPNGateway         AWS::EC2::RouteTable, AWS::EC2::VPNConnection

How are the AWS Config managed rules affected?

AWS Config managed rules that trigger on one of the resources listed above will be updated by the AWS Config team. If you have not defined tags for these rules, no action is needed on your part. If tags are defined, you might need to update the tags of your managed rules.

Specifically, the AWS Config managed rule ec2-security-group-attached-to-eni is impacted as configuration items triggering this rule will no longer be created once indirect relationships are deprecated. If you use this rule, please remove it from evaluating the configuration of AWS resources and replace it with the new ec2-security-group-attached-to-eni-periodic rule. The ec2-security-group-attached-to-eni-periodic rule will not be impacted by this deprecation as it is triggered on a periodic basis rather than on configuration changes.

What is the exact impact for custom AWS Config rules that use configuration trigger for these resource types?

If you use a custom rule that is not triggered by the resources listed in the table above, no further action is required on your part. If you have a rule that triggers on one of the resources in the table, examine the rule to determine whether its Compliant status requires information from another resource whose relationship is listed in the table. The change to resource relationships will result in fewer evaluations being triggered, since indirect relationships (listed in the table above) will no longer be tracked. Add the related resources as an additional configuration trigger, or use advanced queries, if that information is essential to the logic of your rule.

Should I expect a delay in reporting evaluation results for a managed rule with configuration changes?

Any managed rule affected by this change will be updated. You should not experience any delay in reporting evaluation results for a managed rule with configuration changes.

What is the impact on historical data? Would it still display details about indirect relationships?

Indirect relationships will be available in historical ConfigurationItems recorded before they are deprecated, but will not be available in ConfigurationItems recorded after deprecation.

Is there a change in the output generated by GetResourceConfigHistory API?

The models used in the GetResourceConfigHistory API are not changed and there is no change to the data returned for ConfigurationItems recorded prior to deprecation. ConfigurationItems recorded after deprecation no longer include the indirect relationships in the Relationships field.

Is there any change in the resource schema of a Configuration Item?

There is no change to the schema of the data in the configuration field in the Configuration Item. The only change is that the relationships field in the Configuration Item will no longer include the specified indirect relationships.

Are there other alternatives to retrieve indirect relationships?

With the launch of Advanced queries, you can run Structured Query Language (SQL) queries. For example, if you want to retrieve the list of EC2 instances related to a security group, use the following query:

SELECT resourceId, resourceType WHERE resourceType ='AWS::EC2::Instance' AND relationships.resourceId = 'sg-234213'

Sample relationship queries are available here: Example Queries
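The following added example (not AWS code) shows the two workarounds the FAQ describes for a custom rule that needs the deprecated Security Group -> Instance/ENI view: rebuilding the indirect relationship by inverting the direct relationships still present in the Instance and NetworkInterface configuration items, and building the advanced query from the FAQ with the related resource ID validated before it is interpolated. The configuration items and resource IDs are constructed samples; the ID validation pattern is an assumption of this example.

```python
"""Reconstruct deprecated indirect relationships from direct ones."""
import re
from collections import defaultdict

# Constructed post-deprecation configuration items (sample data, not real):
# the instance and the ENI still carry their direct relationship to the
# security group, but the security group no longer lists them.
SAMPLE_CIS = [
    {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0abc",
     "relationships": [
         {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-234213",
          "name": "Is associated with SecurityGroup"},
         {"resourceType": "AWS::EC2::Subnet", "resourceId": "subnet-1",
          "name": "Is contained in Subnet"}]},
    {"resourceType": "AWS::EC2::NetworkInterface", "resourceId": "eni-0def",
     "relationships": [
         {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-234213",
          "name": "Is associated with SecurityGroup"}]},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-234213",
     "relationships": []},  # indirect side is gone after deprecation
]

# Assumed allowlist for resource IDs placed into a query (IDs and ARNs only).
_SAFE_ID = re.compile(r"[A-Za-z0-9:/._-]+")


def invert_relationships(cis):
    """Map (type, id) -> sorted (type, id) of resources that point at it directly."""
    inverse = defaultdict(set)
    for ci in cis:
        src = (ci["resourceType"], ci["resourceId"])
        for rel in ci.get("relationships", []):
            inverse[(rel["resourceType"], rel["resourceId"])].add(src)
    return {key: sorted(members) for key, members in inverse.items()}


def resources_using_security_group(cis, sg_id):
    """Instance and ENI IDs attached to sg_id: the deprecated SG -> Instance/ENI view."""
    inverse = invert_relationships(cis)
    return [rid for rtype, rid in inverse.get(("AWS::EC2::SecurityGroup", sg_id), [])
            if rtype in ("AWS::EC2::Instance", "AWS::EC2::NetworkInterface")]


def advanced_query_for_related(resource_type, related_id):
    """Build the FAQ's advanced query; reject IDs that could break out of the literal."""
    if not _SAFE_ID.fullmatch(related_id):
        raise ValueError(f"unsafe resource id: {related_id!r}")
    return (f"SELECT resourceId, resourceType WHERE resourceType = '{resource_type}' "
            f"AND relationships.resourceId = '{related_id}'")
```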