Permissions for the IAM Role Assigned to AWS Config
An IAM role lets you define a set of permissions. AWS Config assumes the role that you assign to it to write to your S3 bucket, publish to your SNS topic, and make Describe or List API requests to get configuration details for your AWS resources. For more information about IAM roles, see IAM Roles in the IAM User Guide.
When you use the AWS Config console to create or update an IAM role, AWS Config automatically attaches the required permissions for you. For more information, see Setting Up AWS Config with the Console.
Creating IAM Role Policies
When you use the AWS Config console to create an IAM role, AWS Config automatically attaches the required permissions to the role for you.
If you are using the AWS CLI to set up AWS Config or you are updating an existing IAM role, you must manually update the policy to allow AWS Config to access your S3 bucket, publish to your SNS topic, and get configuration details about your resources.
Adding an IAM Trust Policy to your Role
You can create an IAM trust policy that enables AWS Config to assume a role and use it to track your resources. For more information about trust policies, see Roles terms and concepts in the IAM User Guide.
The following is an example trust policy for AWS Config roles:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "config.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "sourceAccountID"
        }
      }
    }
  ]
}
You can use the AWS:SourceAccount condition in the IAM role trust relationship above to restrict the Config service principal to interact with the IAM role only when performing operations on behalf of specific accounts.
AWS Config also supports the AWS:SourceArn condition, which restricts the Config service principal to assume the IAM role only when performing operations on behalf of the owning account. When using the AWS Config service principal, the AWS:SourceArn property will always be set to arn:aws:config:sourceRegion:sourceAccountID:*, where sourceRegion is the region of the configuration recorder and sourceAccountID is the ID of the account containing the configuration recorder. For more information on the AWS Config configuration recorder, see Managing the Configuration Recorder.
For example, add the following condition to restrict the Config service principal to assume the IAM role only on behalf of a configuration recorder in the us-east-1 region in the account 123456789012:
"ArnLike": {
  "AWS:SourceArn": "arn:aws:config:us-east-1:123456789012:*"
}
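As an added example that is not part of the AWS documentation, the following Python builds the trust policy above from an account ID and an optional recorder region, and audits an existing trust policy for statements that let config.amazonaws.com assume the role without either source condition. The function names and the sample WEAK_TRUST policy are constructed here; only the standard library is used.

```python
import json

CONFIG_PRINCIPAL = "config.amazonaws.com"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def build_config_trust_policy(account_id, region=None):
    """Trust policy for an AWS Config role restricted with AWS:SourceAccount; when a
    region is given, AWS:SourceArn also pins it to that region's configuration recorder."""
    condition = {"StringEquals": {"AWS:SourceAccount": account_id}}
    if region:
        condition["ArnLike"] = {"AWS:SourceArn": f"arn:aws:config:{region}:{account_id}:*"}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": CONFIG_PRINCIPAL},
            "Action": "sts:AssumeRole",
            "Condition": condition,
        }],
    }

def audit_config_trust(policy):
    """Return Sids of Allow statements that let config.amazonaws.com assume the role
    with neither AWS:SourceAccount nor AWS:SourceArn (keys compared case-insensitively, as IAM does)."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or CONFIG_PRINCIPAL not in services:
            continue
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if not keys & {"aws:sourceaccount", "aws:sourcearn"}:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings

# Constructed sample: a trust policy that omits both source conditions.
WEAK_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Sid": "OpenToConfig", "Effect": "Allow",
    "Principal": {"Service": CONFIG_PRINCIPAL}, "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    print(json.dumps(build_config_trust_policy("123456789012", "us-east-1"), indent=2))
    print("unrestricted statements:", audit_config_trust(WEAK_TRUST))
```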
IAM Role Policy for your S3 Bucket
The following example policy grants AWS Config permission to access your S3 bucket:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-bucket/prefix/AWSLogs/myAccountID/*"
      ],
      "Condition": {
        "StringLike": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketAcl"
      ],
      "Resource": "arn:aws:s3:::amzn-s3-demo-bucket"
    }
  ]
}
IAM Role Policy for KMS Key
The following example policy grants AWS Config permission to use KMS-based encryption on new objects for S3 bucket delivery:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "myKMSKeyARN"
    }
  ]
}
IAM Role Policy for Amazon SNS Topic
The following example policy grants AWS Config permission to access your SNS topic:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sns:Publish",
      "Resource": "mySNStopicARN"
    }
  ]
}
If your SNS topic is encrypted, see Configuring AWS KMS Permissions in the Amazon Simple Notification Service Developer Guide for additional setup instructions.
IAM Role Policy for Getting Configuration Details
To record your AWS resource configurations, AWS Config requires IAM permissions to get the configuration details about your resources.
Use the AWS managed policy AWS_ConfigRole and attach it to the IAM role that you assign to AWS Config. AWS updates this policy each time AWS Config adds support for an AWS resource type, which means AWS Config will continue to have the required permissions to get configuration details as long as the role has this managed policy attached.
If you create or update a role with the console, AWS Config attaches the AWS_ConfigRole for you.
If you use the AWS CLI, use the attach-role-policy command and specify the Amazon Resource Name (ARN) for AWS_ConfigRole:
$ aws iam attach-role-policy --role-name myConfigRole --policy-arn arn:aws:iam::aws:policy/service-role/AWS_ConfigRole
Managing Permissions for S3 Bucket Recording
AWS Config records and delivers notifications when an S3 bucket is created, updated, or deleted.
It's recommended that you use either the AWSServiceRoleForConfig (see Using Service-Linked Roles for AWS Config) or a custom IAM role utilizing the AWS_ConfigRole managed policy. For more information on best practices for configuration recording, see AWS Config Best Practices.
If you need to manage object-level permissions for your bucket recording, make sure that the S3 bucket policy grants config.amazonaws.com (the AWS Config service principal name) all of the S3-related permissions from the AWS_ConfigRole managed policy. For more information, see Permissions for the Amazon S3 Bucket.