Granting Permissions for AWS Config Administration - AWS Config

Granting Permissions for AWS Config Administration

To allow users to administer AWS Config, you must grant explicit permissions to IAM users to perform the actions associated with AWS Config tasks. For most scenarios, you can do this using an AWS managed policy that contains predefined permissions.


The permissions you grant to users to perform AWS Config administration tasks are not the same as the permissions that AWS Config itself requires in order to deliver log files to Amazon S3 buckets or send notifications to Amazon SNS topics.

Users who set up and manage AWS Config must have full-access permissions. With full-access permissions, users can provide Amazon S3 and Amazon SNS endpoints that AWS Config delivers data to, create a role for AWS Config, and turn on and turn off recording.

Users who use AWS Config but don't need to set up AWS Config should have read-only permissions. With read-only permissions, users can look up the configurations of resources or search for resources by tags.

A typical approach is to create an IAM group that has the appropriate permissions and then add individual IAM users to that group. For example, you might create an IAM group for users who should have full access to AWS Config actions, and a separate group for users who should be able to view the configurations but not create or change a role.

Creating an IAM Group and Users for AWS Config Access

  1. Sign in to the AWS Identity and Access Management (IAM) console at

  2. From the dashboard, choose Groups in the navigation pane, and then choose Create New Group.

  3. Type a name, and then choose Next Step.

  4. On the Attach Policy page, find and choose AWSConfigUserAccess. This policy provides user access to use AWS Config, including searching by tags on resources, and reading all tags. This does not provide permission to configure AWS Config which requires administrative privileges.


    You can also create a custom policy that grants permissions to individual actions. For more information, see Granting Custom Permissions for AWS Config Users .

  5. Choose Next Step.

  6. Review the information for the group you are about to create.


    You can edit the group name, but you will need to choose the policy again.

  7. Choose Create Group. The group that you created appears in the list of groups.

  8. Choose the group name that you created, choose Group Actions, and then choose Add Users to Group.

  9. On the Add Users to Group page, choose the existing IAM users, and then choose Add Users. If you don't already have IAM users, choose Create New Users, enter user names, and then choose Create.

  10. If you created new users, choose Users in the navigation pane and complete the following for each user:

    1. Choose the user.

    2. If the user will use the console to manage AWS Config, in the Security Credentials tab, choose Manage Password, and then create a password for the user.

    3. If the user will use the AWS CLI or API to manage AWS Config, and if you didn't already create access keys, in the Security Credentials tab, choose Manage Access Keys and then create access keys. Store the keys in a secure location.

    4. Give each user his or her credentials (access keys or password).

Granting Full-Access Permission for AWS Config Access

  1. Sign in to the AWS Identity and Access Management (IAM) console at

  2. In the navigation pane, choose Policies, and then choose Create Policy. This will bring up the Policy Editor.

  3. You can use the visual editor tab or the JSON tab to create your own custom policy. You can select import managed policy to use the permissions from a policy created by yourself or one that is managed by AWS.

  4. Select Next:Tags.

  5. Add any tags you would like your policy to have.

  6. Select Next:Review.

  7. Type a policy name and optionally a description. Review the permissions provided by the policy.

  8. Select Create Policy.

  9. In the list of policies, select the policy that you created. You can use the Filter menu and the Search box to find the policy.

  10. Select the radio button next to the policy you created, and then select Actions in the top right hand side. In this dropdown list select Attach.

  11. Select the users, groups, or roles, and then choose Attach Policy. You can use the Filter menu and the Search box to filter the list.

  12. Select Attach policy.


Instead of creating a managed policy, you can also create an inline policy from the IAM console and attach it to an IAM user, group, or role. For more information, see Working with Inline Policies in the IAM User Guide.

Additional Resources

To learn more about creating IAM users, groups, policies, and permissions, see Creating an Admins Group Using the Console and Permissions and Policies in the IAM User Guide.