AWS Config
Developer Guide

Permissions for Accessing AWS Config

When you give permissions to IAM users to use the AWS Config console or the AWS CLI, you can (and should) restrict their permissions to the least amount of access that they need.

In most cases, permissions should cover these common uses:

  • Setting up and managing AWS Config (full-access permissions)

  • Using AWS Config (read-only permissions)

Users who set up and manage AWS Config must have full-access permissions. With full-access permissions, you can perform essential setup tasks such as:

  • Specify the Amazon S3 bucket and Amazon SNS topic that AWS Config delivers data to

  • Create the IAM role that AWS Config assumes

  • Turn recording on and off

Users who use AWS Config but don't need to set it up should have read-only permissions. These permissions are useful for users who look up the configurations of resources or who search for resources by tags.

To give read-only permission for AWS Config access

  1. Sign in to the AWS Identity and Access Management (IAM) console at https://console.aws.amazon.com/iam.

  2. In the navigation pane, choose Policies.

  3. In the list of policies, select the AWSConfigUserAccess policy. You can use the Filter menu and the Search box to find the policy.

  4. Choose Policy Actions, and then choose Attach.

  5. Select the users, groups, or roles and then choose Attach Policy. You can use the Filter menu and the Search box to filter the list.

  6. Choose Apply Policy.

To give full-access permission for AWS Config access

  1. Sign in to the AWS Identity and Access Management (IAM) console at https://console.aws.amazon.com/iam.

  2. In the navigation pane, choose Policies, and then choose Create Policy.

  3. For Create Your Own Policy, choose Select.

  4. Type a policy name and description. For example: AWSConfigFullAccess.

  5. For Policy Document, type or paste the full-access policy into the editor. You can use the policy shown under Example full-access permission below.

  6. Choose Validate Policy and ensure that no errors display in a red box at the top of the screen. Correct any errors that are reported.

  7. Choose Create Policy to save your new policy.

  8. In the list of policies, select the policy that you created. You can use the Filter menu and the Search box to find the policy.

  9. Choose Policy Actions, and then choose Attach.

  10. Select the users, groups, or roles, and then choose Attach Policy. You can use the Filter menu and the Search box to filter the list.

  11. Choose Apply Policy.

Note

Instead of creating a managed policy, you can also create an inline policy from the IAM console and attach it to an IAM user, group, or role. For more information, see Working with Inline Policies in the IAM User Guide.

Example policies

Example read-only permission

The following AWS managed policy, AWSConfigUserAccess, grants read-only permissions for AWS Config. Note that config:Deliver* also covers config:DeliverConfigSnapshot, which requests delivery of a configuration snapshot to the delivery bucket, so the policy is not strictly read-only with respect to AWS Config itself.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "config:Get*",
        "config:Describe*",
        "config:Deliver*",
        "config:List*",
        "tag:GetResources",
        "tag:GetTagKeys",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:LookupEvents"
      ],
      "Resource": "*"
    }
  ]
}

Example full-access permission

The following example policy grants full-access permissions for AWS Config. Its IAM statement allows iam:CreateRole, iam:PutRolePolicy, iam:AttachRolePolicy, iam:PassRole, iam:CreatePolicy, iam:CreatePolicyVersion and iam:DeletePolicyVersion on Resource "*", which lets the holder create and modify roles and customer managed policies that have nothing to do with AWS Config. Before attaching it in a production account, scope that statement to the role and policy ARNs you intend AWS Config to use, and restrict iam:PassRole with an iam:PassedToService condition of config.amazonaws.com.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sns:AddPermission",
        "sns:CreateTopic",
        "sns:DeleteTopic",
        "sns:GetTopicAttributes",
        "sns:ListPlatformApplications",
        "sns:ListTopics",
        "sns:SetTopicAttributes"
      ],
      "Resource": "arn:aws:sns:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:GetBucketAcl",
        "s3:GetBucketLocation",
        "s3:GetBucketNotification",
        "s3:GetBucketPolicy",
        "s3:GetBucketRequestPayment",
        "s3:GetBucketVersioning",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:ListBucketVersions",
        "s3:PutBucketPolicy"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:ListRolePolicies",
        "iam:ListRoles",
        "iam:PassRole",
        "iam:PutRolePolicy",
        "iam:AttachRolePolicy",
        "iam:CreatePolicy",
        "iam:CreatePolicyVersion",
        "iam:DeletePolicyVersion"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:LookupEvents"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "config:*",
        "tag:Get*"
      ],
      "Resource": "*"
    }
  ]
}
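The following is an added example, not part of this guide or AWS-provided code. It checks a policy document for the privileged iam: actions of the full-access policy above granted on Resource "*", and builds a scoped replacement for that IAM statement that you could paste into the Policy Document step of the full-access procedure, or pass to aws iam create-policy --policy-document. The account ID 123456789012 and the "config-role" and "config-" name prefixes are placeholders (assumptions); only the iam:PassedToService condition key and the action names come from IAM itself.

```python
"""Audit an IAM policy for privileged iam: actions granted on Resource "*",
and build a scoped replacement for the IAM statement of the full-access
policy. Added example, not AWS-provided code; the account ID and the
"config-role" / "config-" name prefixes are placeholders (assumptions)."""
import json
from fnmatch import fnmatchcase

# The privileged iam: actions from the page's full-access policy. A principal
# holding these on Resource "*" can create any role, attach any managed policy
# to it and pass it to any service, which is far more than AWS Config setup
# needs. The Get*/List* actions are read-only and are not listed here.
IAM_WRITE_ACTIONS = (
    "iam:CreateRole", "iam:PutRolePolicy", "iam:AttachRolePolicy",
    "iam:PassRole", "iam:CreatePolicy", "iam:CreatePolicyVersion",
    "iam:DeletePolicyVersion",
)

# The IAM statement exactly as it appears in the page's full-access policy.
PAGE_FULL_ACCESS_IAM = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:CreateRole", "iam:GetRole", "iam:GetRolePolicy",
                   "iam:ListRolePolicies", "iam:ListRoles", "iam:PassRole",
                   "iam:PutRolePolicy", "iam:AttachRolePolicy", "iam:CreatePolicy",
                   "iam:CreatePolicyVersion", "iam:DeletePolicyVersion"],
        "Resource": "*",
    }],
}


def _as_list(value):
    """IAM accepts either a string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def unscoped_iam_grants(policy):
    """Return the sorted privileged iam: actions that an Allow statement grants
    on the literal Resource "*". Action patterns ("iam:Create*", "*") are
    expanded with IAM's case-insensitive wildcard matching. Only the literal
    "*" resource is flagged; an ARN pattern is left for manual review."""
    found = set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for action in IAM_WRITE_ACTIONS:
                if fnmatchcase(action.lower(), pattern.lower()):
                    found.add(action)
    return sorted(found)


def scoped_iam_policy(account_id, role_prefix="config-role", policy_prefix="config-"):
    """Build a replacement for the IAM statement: write actions limited to
    roles and policies under an agreed name prefix, and iam:PassRole limited
    to passing the role to AWS Config itself via iam:PassedToService."""
    role_arn = f"arn:aws:iam::{account_id}:role/{role_prefix}*"
    policy_arn = f"arn:aws:iam::{account_id}:policy/{policy_prefix}*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # read-only calls the setup flow uses; harmless on "*"
                "Effect": "Allow",
                "Action": ["iam:GetRole", "iam:GetRolePolicy",
                           "iam:ListRolePolicies", "iam:ListRoles"],
                "Resource": "*",
            },
            {   # create and configure only roles under the agreed prefix
                "Effect": "Allow",
                "Action": ["iam:CreateRole", "iam:PutRolePolicy", "iam:AttachRolePolicy"],
                "Resource": role_arn,
            },
            {   # hand the role to AWS Config only, not to any other service
                "Effect": "Allow",
                "Action": "iam:PassRole",
                "Resource": role_arn,
                "Condition": {"StringEquals": {"iam:PassedToService": "config.amazonaws.com"}},
            },
            {   # customer managed policies only under the agreed prefix
                "Effect": "Allow",
                "Action": ["iam:CreatePolicy", "iam:CreatePolicyVersion",
                           "iam:DeletePolicyVersion"],
                "Resource": policy_arn,
            },
        ],
    }


def policy_document(policy):
    """Serialize for the console editor or `aws iam create-policy --policy-document file://...`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print("unscoped grants in page policy:", unscoped_iam_grants(PAGE_FULL_ACCESS_IAM))
    scoped = scoped_iam_policy("123456789012")   # placeholder account ID
    print("unscoped grants after scoping:", unscoped_iam_grants(scoped))
    print(policy_document(scoped))
```

The check flags only the literal "*" resource, so a statement scoped to an ARN pattern such as arn:aws:iam::*:role/* passes it and still deserves a manual look. The SNS and S3 statements of the page's policy are likewise candidates for narrowing to the specific topic and bucket ARNs once those exist.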
