Managing the Delivery Channel
As AWS Config continually records the changes that occur to your AWS resources, it sends notifications and updated configuration states through the delivery channel. You can manage the delivery channel to control where AWS Config sends configuration updates.
You can have only one delivery channel per AWS Region region per AWS account, and the delivery channel is required to use AWS Config.
When AWS Config detects a configuration change for a resource and the notification exceeds the
maximum size allowed by Amazon SNS, the notification includes a brief summary of the
configuration item. You can view the complete notification in the Amazon S3 bucket location
specified in the s3BucketLocation field. For more information, see Example Oversized Configuration
Item Change Notification.
Note
AWS Config supports AWS KMS encryption for Amazon S3 buckets used by AWS Config
You can provide an AWS Key Management Service (AWS KMS) key or alias Amazon Resource Name (ARN) to encrypt the data delivered to your Amazon Simple Storage Service (Amazon S3) bucket. By default, AWS Config delivers configuration history and snapshot files to your Amazon S3 bucket and encrypts the data at rest using S3 AES-256 server-side encryption, SSE-S3. However, if you provide AWS Config with your KMS key or alias ARN, AWS Config uses that KMS key instead of AES-256 encryption.
AWS Config does not support the delivery channel to an Amazon S3 bucket where object lock is enabled with default retention enabled. For more information, see How S3 Object Lock works.
Topics
Terminology
A configuration item represents a point-in-time view of the various attributes of a supported AWS resource that exists in your account. The components of a configuration item include metadata, attributes, relationships, current configuration, and related events. AWS Config creates a configuration item whenever it detects a change to a resource type that it is recording. For example, if AWS Config is recording Amazon S3 buckets, AWS Config creates a configuration item whenever a bucket is created, updated, or deleted. You can also select for AWS Config to create a configuration item at the recording frequency that you set.
A configuration history is a collection of the configuration items for a given resource over any time period. A configuration history can help you answer questions about, for example, when the resource was first created, how the resource has been configured over the last month, and what configuration changes were introduced yesterday at 9 AM. The configuration history is available to you in multiple formats. AWS Config automatically delivers a configuration history file for each resource type that is being recorded to an Amazon S3 bucket that you specify. You can select a given resource in the AWS Config console and navigate to all previous configuration items for that resource using the timeline. Additionally, you can access the historical configuration items for a resource from the API.
A configuration snapshot is a collection of the configuration items for the supported resources that exist in your account. This configuration snapshot is a complete picture of the resources that are being recorded and their configurations. The configuration snapshot can be a useful tool for validating your configuration. For example, you may want to examine the configuration snapshot regularly for resources that are configured incorrectly or that potentially should not exist. The configuration snapshot is available in multiple formats. You can have the configuration snapshot delivered to an Amazon Simple Storage Service (Amazon S3) bucket that you specify. Additionally, you can select a point in time in the AWS Config console and navigate through the snapshot of configuration items using the relationships between the resources.
A configuration stream is an automatically updated list of all configuration items for the resources that AWS Config is recording. Every time a resource is created, modified, or deleted, AWS Config creates a configuration item and adds to the configuration stream. The configuration stream works by using an Amazon Simple Notification Service (Amazon SNS) topic of your choice. The configuration stream is helpful for observing configuration changes as they occur so that you can spot potential problems, generating notifications if certain resources are changed, or updating external systems that need to reflect the configuration of your AWS resources.
Updating the Delivery Channel
When you update the delivery channel, you can set the following options:
-
The Amazon S3 bucket to which AWS Config sends configuration snapshots and configuration history files.
-
How often AWS Config delivers configuration snapshots to your Amazon S3 bucket.
-
The Amazon SNS topic to which AWS Config sends notifications about configuration changes.
You can use the AWS Config console to set the Amazon S3 bucket and the Amazon SNS topic for your delivery channel. For steps to manage these settings, see Setting Up AWS Config with the Console.
The console does not provide options to rename the delivery channel, set the frequency for configuration snapshots, or delete the delivery channel. To do these tasks, you must use the AWS CLI, the AWS Config API, or one of the AWS SDKs.
The following code examples show how to use PutDeliveryChannel.
(Optional) You can use the describe-delivery-channels
command to verify that the delivery channel settings are updated:
$ aws configservice describe-delivery-channels { "DeliveryChannels": [ { "configSnapshotDeliveryProperties": { "deliveryFrequency": "Twelve_Hours" }, "snsTopicARN": "arn:aws:sns:us-east-2:123456789012:config-topic", "name": "default", "s3BucketName": "config-bucket-123456789012" } ] }
The following code examples show how to use DescribeDeliveryChannels.
Renaming the Delivery Channel
To change the delivery channel name, you must delete it and create a new delivery channel with the desired name. Before you can delete the delivery channel, you must temporarily stop the configuration recorder.
The AWS Config console does not provide the option to delete the delivery channel, so you must use the AWS CLI, the AWS Config API, or one of the AWS SDKs.
Renaming the delivery channel using the AWS CLI
-
Use the
stop-configuration-recordercommand to stop the configuration recorder:$ aws configservice stop-configuration-recorder --configuration-recorder-nameconfigRecorderName -
Use the
describe-delivery-channelscommand, and take note of your delivery channel's attributes:$ aws configservice describe-delivery-channels { "DeliveryChannels": [ { "configSnapshotDeliveryProperties": { "deliveryFrequency": "Twelve_Hours" }, "snsTopicARN": "arn:aws:sns:us-east-2:123456789012:config-topic", "name": "default", "s3BucketName": "config-bucket-123456789012" } ] } -
Use the
delete-delivery-channelcommand to delete the delivery channel:$ aws configservice delete-delivery-channel --delivery-channel-namedefault -
Use the
put-delivery-channelcommand to create a delivery channel with the desired name:$ aws configservice put-delivery-channel --delivery-channel file://deliveryChannel.jsonThe deliveryChannel.json file specifies the delivery channel attributes:
{ "name": "myCustomDeliveryChannelName", "s3BucketName": "config-bucket-123456789012", "snsTopicARN": "arn:aws:sns:us-east-2:123456789012:config-topic", "configSnapshotDeliveryProperties": { "deliveryFrequency": "Twelve_Hours" } } -
Use the
start-configuration-recordercommand to resume recording:$ aws configservice start-configuration-recorder --configuration-recorder-nameconfigRecorderName
