Turning on AWS Config

Note

Before setting up AWS Config with the AWS CLI, you need to create an Amazon S3 bucket, an Amazon SNS topic, and an IAM role with attached policies as prerequisites. You can then use the AWS CLI to specify the bucket, topic, and role for AWS Config. To set up your prerequisites for AWS Config, see put-configuration-recorder.

To turn on AWS Config with the AWS CLI, use the put-configuration-recorder, put-delivery-channel, and start-configuration-recorder commands.

The put-configuration-recorder command creates a new configuration recorder to record your selected resource configurations. The put-delivery-channel command creates a delivery channel object to deliver configuration information to an Amazon S3 bucket and Amazon SNS topic. You can have one configuration recorder and one delivery channel per region in your account. Once a delivery channel is created, the start-configuration-recorder command starts recording your selected resource configurations, which you can then see in your AWS account.

You can specify the name of the recorder and the Amazon Resource Name (ARN) of the IAM role used to describe the AWS resources associated with the account. By default, AWS Config automatically assigns the name "default" when creating the configuration recorder. You cannot change the assigned name.

To set up AWS Config for Multi-Account Multi-Region Data Aggregation with the AWS CLI, see Setting Up an Aggregator Using the AWS Command Line Interface. A separate configuration recorder must be created in each region of each AWS account for which you want to record configuration items.

put-configuration-recorder

Your put-configuration-recorder command should look like the following example:

$ aws configservice put-configuration-recorder --configuration-recorder name=default,roleARN=arn:aws:iam::123456789012:role/config-role --recording-group allSupported=true,includeGlobalResourceTypes=true

This command uses the following options for the --recording-group parameter:

  • allSupported=true – AWS Config records configuration changes for every supported type of regional resource. When AWS Config adds support for a new type of regional resource, it automatically starts recording resources of that type.

  • includeGlobalResourceTypes=true – AWS Config includes supported types of global resources with the resources that it records. When AWS Config adds support for a new type of global resource, it automatically starts recording resources of that type.

    Before you can set this option to true, you must set the allSupported option to true.

    If you do not want to include global resources, set this option to false, or omit it.

put-delivery-channel

To set up the delivery channel, use the put-delivery-channel command:

$ aws configservice put-delivery-channel --delivery-channel file://deliveryChannel.json

The deliveryChannel.json file specifies the delivery channel attributes:

{
    "name": "default",
    "s3BucketName": "config-bucket-123456789012",
    "snsTopicARN": "arn:aws:sns:us-east-2:123456789012:config-topic",
    "configSnapshotDeliveryProperties": {
        "deliveryFrequency": "Twelve_Hours"
    }
}

This example sets the following attributes:

  • name – The name of the delivery channel. By default, AWS Config assigns the name default to a new delivery channel.

    You cannot update the delivery channel name with the put-delivery-channel command. For the steps to change the name, see Renaming the Delivery Channel.

  • s3BucketName – The name of the Amazon S3 bucket to which AWS Config delivers configuration snapshots and configuration history files.

    If you specify a bucket that belongs to another AWS account, that bucket must have policies that grant access permissions to AWS Config. For more information, see Permissions for the Amazon S3 Bucket.

  • snsTopicARN – The Amazon Resource Name (ARN) of the Amazon SNS topic to which AWS Config sends notifications about configuration changes.

    If you choose a topic from another account, that topic must have policies that grant access permissions to AWS Config. For more information, see Permissions for the Amazon SNS Topic.

  • configSnapshotDeliveryProperties – Contains the deliveryFrequency attribute, which sets how often AWS Config delivers configuration snapshots.

start-configuration-recorder

To finish turning on AWS Config, use the start-configuration-recorder command:

$ aws configservice start-configuration-recorder --configuration-recorder-name configRecorderName
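The three commands above, combined into one script as an added example (not from the AWS documentation) that builds the --recording-group string, writes deliveryChannel.json, runs the three calls, and then verifies that the recorder reports it is recording. The account ID, region, bucket name, topic name and role name are assumed placeholder values taken over from the examples on this page; the check that includeGlobalResourceTypes=true is only accepted together with allSupported=true, and the list of valid deliveryFrequency values, are enforced locally before anything is sent to AWS.

```shell
#!/bin/sh
# Added example: turn on AWS Config with the AWS CLI in one go and verify the result.
# All identifiers below are assumed placeholders; replace them with your own.
ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"
REGION="${AWS_REGION:-us-east-2}"
ROLE_ARN="arn:aws:iam::${ACCOUNT_ID}:role/config-role"
BUCKET="config-bucket-${ACCOUNT_ID}"
TOPIC_ARN="arn:aws:sns:${REGION}:${ACCOUNT_ID}:config-topic"

# Build the --recording-group value. includeGlobalResourceTypes=true is only
# valid when allSupported=true, so refuse the inconsistent combination here
# rather than letting the API call fail half-way through the setup.
recording_group() {
  all="$1"; global="$2"
  if [ "$global" = "true" ] && [ "$all" != "true" ]; then
    echo "includeGlobalResourceTypes=true requires allSupported=true" >&2
    return 1
  fi
  echo "allSupported=${all},includeGlobalResourceTypes=${global}"
}

# Emit the delivery channel JSON for a bucket, topic and snapshot frequency.
# The frequency must be one of the values AWS Config accepts.
delivery_channel_json() {
  case "$3" in
    One_Hour|Three_Hours|Six_Hours|Twelve_Hours|TwentyFour_Hours) ;;
    *) echo "invalid deliveryFrequency: $3" >&2; return 1 ;;
  esac
  cat <<EOF
{
  "name": "default",
  "s3BucketName": "$1",
  "snsTopicARN": "$2",
  "configSnapshotDeliveryProperties": { "deliveryFrequency": "$3" }
}
EOF
}

# Run the three steps from this page, then confirm the recorder is recording.
enable_config() {
  rg=$(recording_group true true) || return 1
  delivery_channel_json "$BUCKET" "$TOPIC_ARN" Twelve_Hours > deliveryChannel.json || return 1
  aws configservice put-configuration-recorder --region "$REGION" \
    --configuration-recorder "name=default,roleARN=${ROLE_ARN}" \
    --recording-group "$rg" || return 1
  aws configservice put-delivery-channel --region "$REGION" \
    --delivery-channel file://deliveryChannel.json || return 1
  aws configservice start-configuration-recorder --region "$REGION" \
    --configuration-recorder-name default || return 1
  # Verification: the status output should show "recording": true for the recorder,
  # and the delivery channel status should show no delivery errors.
  aws configservice describe-configuration-recorder-status --region "$REGION"
  aws configservice describe-delivery-channel-status --region "$REGION"
}

# Only talk to AWS when explicitly asked; the helper functions can be exercised offline.
if [ "${RUN_AWS_CONFIG:-0}" = "1" ]; then
  enable_config
fi
```

Run it with RUN_AWS_CONFIG=1 once the S3 bucket, SNS topic and IAM role from the prerequisites exist and the CLI has credentials for the account. Because a recorder and delivery channel are per region, run it once per region you want covered.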