Supported Resource Types - AWS Config

Supported Resource Types

AWS Config supports the following AWS resource types and resource relationships. Some regions support a subset of these resource types. What is available in the AWS Config Console in a given region is the source of truth regarding what is, or is not, supported in a given region.

Advanced Queries for AWS Config supports a subset of these resource types. For a list of those supported resource types, see Supported Resource Types for Advanced Queries.

Note

Periodic rules can run on resources that AWS Config recording does not support and can be run without the configuration recorder being enabled. Periodic rules do not depend on configuration items. For more information on the difference between change-triggered rules and periodic rules, see Specifying Triggers for AWS Config Rules.

When AWS Config onboards new resource types, the default resources for the new resource types will be discovered during the account baselining process. If you have the configuration recorder set up to record all supported resource types, you may receive notifications for default resources while a new resource type is in the process of onboarding. The public documentation will be updated once the onboarding process is complete.

Amazon API Gateway

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| API Gateway | AWS::ApiGateway::Stage | is contained in | ApiGateway Rest Api |
| | | is associated with | WAFRegional WebACL |
| | AWS::ApiGatewayV2::Stage | is contained in | ApiGatewayV2 Api |
| | AWS::ApiGateway::RestApi | contains | ApiGateway Stage |
| | AWS::ApiGatewayV2::Api | contains | ApiGatewayV2 Stage |

To learn more about how AWS Config integrates with Amazon API Gateway, see Monitoring API Gateway API Configuration with AWS Config.

Amazon CloudFront

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| Amazon CloudFront* | AWS::CloudFront::Distribution | is associated with | AWS WAF WebACL |
| | | | ACM Certificate |
| | | | S3 Bucket |
| | | | IAM Server Certificate |
| | AWS::CloudFront::StreamingDistribution | is associated with | AWS WAF WebACL |
| | | | ACM Certificate |
| | | | S3 Bucket |
| | | | IAM Server Certificate |

*AWS Config support for Amazon CloudFront is available only in the US East (N. Virginia) region.

Amazon CloudWatch

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| Amazon CloudWatch | AWS::CloudWatch::Alarm | NA | NA |

Amazon DynamoDB

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| Amazon DynamoDB | AWS::DynamoDB::Table | NA | NA |

Amazon Elastic Block Store

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| Amazon Elastic Block Store | AWS::EC2::Volume | is attached to | EC2 instance |

Amazon Elastic Compute Cloud

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| Amazon Elastic Compute Cloud | AWS::EC2::Host* | contains | EC2 instance |
| | AWS::EC2::EIP | is attached to | EC2 instance |
| | | | Network interface |
| | AWS::EC2::Instance | contains | EC2 network interface |
| | | is associated with | EC2 security group |
| | | is attached to | Amazon EBS volume |
| | | | EC2 Elastic IP (EIP) |
| | | is contained in | EC2 Dedicated host |
| | | | Route table |
| | | | Subnet |
| | | | Virtual private cloud (VPC) |
| | AWS::EC2::NetworkInterface | is associated with | EC2 security group |
| | | is attached to | EC2 Elastic IP (EIP) |
| | | | EC2 instance |
| | | is contained in | Route table |
| | | | Subnet |
| | | | Virtual private cloud (VPC) |
| | AWS::EC2::SecurityGroup* | is associated with | EC2 instance |
| | | | EC2 network interface |
| | | | Virtual private cloud (VPC) |
| | AWS::EC2::NatGateway | is contained in | Virtual private cloud (VPC) |
| | | is contained in | Subnet |
| | AWS::EC2::EgressOnlyInternetGateway | is attached to | Virtual private cloud (VPC) |
| | AWS::EC2::FlowLog | NA | NA |
| | AWS::EC2::TransitGateway | NA | NA |
| | AWS::EC2::TransitGatewayAttachment | NA | NA |
| | AWS::EC2::TransitGatewayRouteTable | NA | NA |
| | AWS::EC2::VPCEndpoint | is contained in | Virtual private cloud (VPC) |
| | | is attached to | Network interface |
| | | is contained in | Subnet |
| | | is contained in | Route table |
| | AWS::EC2::VPCEndpointService | is associated with | ElasticLoadBalancingV2 LoadBalancer |
| | AWS::EC2::VPCPeeringConnection | is associated with | Virtual private cloud (VPC) |
| | AWS::EC2::RegisteredHAInstance | is associated with | EC2 instance |
| | AWS::EC2::LaunchTemplate | NA | NA |

*AWS Config records the configuration details of Dedicated hosts and the instances that you launch on them. As a result, you can use AWS Config as a data source when you report compliance with your server-bound software licenses. For example, you can view the configuration history of an instance and determine which Amazon Machine Image (AMI) it is based on. Then, you can look up the configuration history of the host, which includes details such as the numbers of sockets and cores, to verify that the host complies with the license requirements of the AMI. For more information, see Tracking Configuration Changes with AWS Config in the Amazon EC2 User Guide for Linux Instances.

*The EC2 SecurityGroup Properties definition contains IP CIDR blocks, which are converted to IP ranges internally, and may return unexpected results when trying to find a specific IP range. For workarounds to search for specific IP ranges, see Limitations for Advanced Queries.

Amazon Elastic Container Registry

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| Amazon Elastic Container Registry | AWS::ECR::Repository | NA | NA |

Amazon Elastic Container Registry Public

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| Amazon Elastic Container Registry Public* | AWS::ECR::PublicRepository | NA | NA |

*AWS Config support for Amazon Elastic Container Registry Public is available only in the US East (N. Virginia) Region.

Amazon Elastic Container Service

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| Amazon Elastic Container Service | AWS::ECS::Cluster | NA | NA |
| | AWS::ECS::TaskDefinition | NA | NA |
| | AWS::ECS::Service* | NA | NA |

*This service currently only supports the new Amazon Resource Name (ARN) format. For more information, see Amazon Resource Names (ARNs) and IDs in the ECS developer guide.

Old (not supported): arn:aws:ecs:region:aws_account_id:service/service-name

New (supported): arn:aws:ecs:region:aws_account_id:service/cluster-name/service-name

Amazon Elastic File System

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| Amazon Elastic File System | AWS::EFS::FileSystem | NA | NA |
| | AWS::EFS::AccessPoint | NA | NA |

Amazon Elastic Kubernetes Service

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| Amazon Elastic Kubernetes Service | AWS::EKS::Cluster | NA | NA |

Amazon EMR

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| Amazon EMR | AWS::EMR::SecurityConfiguration | NA | NA |

Amazon GuardDuty

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| Amazon GuardDuty | AWS::GuardDuty::Detector | NA | NA |

Amazon OpenSearch Service

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| Amazon OpenSearch Service | AWS::Elasticsearch::Domain | is associated with | KMS Key |
| | | | EC2 security group |
| | | | EC2 subnet |
| | | | Virtual private cloud (VPC) |
| | AWS::OpenSearch::Domain | NA | NA |

Amazon Quantum Ledger Database (Amazon QLDB)

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| Amazon QLDB | AWS::QLDB::Ledger | NA | NA |

Amazon Kinesis

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| Amazon Kinesis | AWS::Kinesis::Stream | NA | NA |
| | AWS::Kinesis::StreamConsumer | NA | NA |

Amazon Managed Streaming for Apache Kafka

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| Amazon Managed Streaming for Apache Kafka | AWS::MSK::Cluster | NA | NA |

Amazon Redshift

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| Amazon Redshift | AWS::Redshift::Cluster | is associated with | Cluster parameter group |
| | | | Cluster security group |
| | | | Cluster subnet group |
| | | | Security group |
| | | | Virtual private cloud (VPC) |
| | AWS::Redshift::ClusterParameterGroup | NA | NA |
| | AWS::Redshift::ClusterSecurityGroup | NA | NA |
| | AWS::Redshift::ClusterSnapshot | is associated with | Cluster |
| | | | Virtual private cloud (VPC) |
| | AWS::Redshift::ClusterSubnetGroup | is associated with | Subnet |
| | | | Virtual private cloud (VPC) |
| | AWS::Redshift::EventSubscription | NA | NA |

Amazon Relational Database Service

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| Amazon Relational Database Service | AWS::RDS::DBInstance | is associated with | EC2 security group |
| | | | RDS DB security group |
| | | | RDS DB subnet group |
| | AWS::RDS::DBSecurityGroup | is associated with | EC2 security group |
| | | | Virtual private cloud (VPC) |
| | AWS::RDS::DBSnapshot | is associated with | Virtual private cloud (VPC) |
| | AWS::RDS::DBSubnetGroup | is associated with | EC2 security group |
| | | | Virtual private cloud (VPC) |
| | AWS::RDS::EventSubscription | NA | NA |
| | AWS::RDS::DBCluster | contains | RDS DB instance |
| | | is associated with | RDS DB subnet group |
| | | | EC2 security group |
| | AWS::RDS::DBClusterSnapshot | is associated with | RDS DB cluster |
| | | | Virtual private cloud (VPC) |

Amazon Route 53

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| Amazon Route 53 | AWS::Route53Resolver::ResolverEndpoint | NA | NA |
| | AWS::Route53Resolver::ResolverRule | NA | NA |
| | AWS::Route53Resolver::ResolverRuleAssociation | NA | NA |

Amazon S3 Bucket Attributes

AWS Config also records the following attributes for the Amazon S3 bucket resource type.

| Attributes | Description |
| --- | --- |
| AccelerateConfiguration | Transfer acceleration for data over long distances between your client and a bucket. |
| BucketAcl | Access control list used to manage access to buckets and objects. |
| BucketPolicy | Policy that defines the permissions to the bucket. |
| CrossOriginConfiguration | Allow cross-origin requests to the bucket. |
| LifecycleConfiguration | Rules that define the lifecycle for objects in your bucket. |
| LoggingConfiguration | Logging used to track requests for access to the bucket. |
| NotificationConfiguration | Event notifications used to send alerts or trigger workflows for specified bucket events. |
| ReplicationConfiguration | Automatic, asynchronous copying of objects across buckets in different AWS Regions. |
| RequestPaymentConfiguration | Requester pays is enabled. |
| TaggingConfiguration | Tags added to the bucket to categorize. You can also use tagging to track billing. |
| WebsiteConfiguration | Static website hosting is enabled for the bucket. |
| VersioningConfiguration | Versioning is enabled for objects in the bucket. |

For more information about the attributes, see Bucket Configuration Options in the Amazon Simple Storage Service User Guide.

Amazon SageMaker

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| Amazon SageMaker | AWS::SageMaker::CodeRepository | NA | NA |
| | AWS::SageMaker::Model | NA | NA |
| | AWS::SageMaker::NotebookInstance | NA | NA |

Amazon Simple Notification Service

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| Amazon Simple Notification Service | AWS::SNS::Topic | NA | NA |

Amazon Simple Queue Service

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| Amazon Simple Queue Service | AWS::SQS::Queue | NA | NA |

Amazon Simple Storage Service

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| Amazon Simple Storage Service | AWS::S3::Bucket* | NA | NA |
| | AWS::S3::AccountPublicAccessBlock | NA | NA |

*If you configured AWS Config to record your S3 buckets, and are not receiving configuration change notifications, verify your S3 bucket policies have the required permissions. For more information, see Managing Permissions for S3 Bucket Recording.

Amazon Virtual Private Cloud

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| Amazon Virtual Private Cloud | AWS::EC2::CustomerGateway | is attached to | VPN connection |
| | AWS::EC2::InternetGateway | is attached to | Virtual private cloud (VPC) |
| | AWS::EC2::NetworkAcl | NA | NA |
| | AWS::EC2::RouteTable | contains | EC2 instance |
| | | | EC2 network interface |
| | | | Subnet |
| | | | VPN gateway |
| | | is contained in | Virtual private cloud (VPC) |
| | AWS::EC2::Subnet | contains | EC2 instance |
| | | | EC2 network interface |
| | | is attached to | Network ACL |
| | | is contained in | Route table |
| | | | Virtual private cloud (VPC) |
| | AWS::EC2::VPC | contains | EC2 instance |
| | | | EC2 network interface |
| | | | Network ACL |
| | | | Route table |
| | | | Subnet |
| | | is associated with | Security group |
| | | is attached to | Internet gateway |
| | | | VPN gateway |
| | AWS::EC2::VPNConnection | is attached to | Customer gateway |
| | | | VPN gateway |
| | AWS::EC2::VPNGateway | is attached to | Virtual private cloud (VPC) |
| | | | VPN connection |
| | | is contained in | Route table |

AWS Auto Scaling

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| AWS Auto Scaling | AWS::AutoScaling::AutoScalingGroup | contains | Amazon EC2 instance |
| | | is associated with | Classic Load Balancer |
| | | | Auto Scaling launch configuration |
| | | | Subnet |
| | AWS::AutoScaling::LaunchConfiguration | is associated with | Amazon EC2 security group |
| | AWS::AutoScaling::ScalingPolicy | is associated with | Auto Scaling group |
| | | | Alarm |
| | AWS::AutoScaling::ScheduledAction | is associated with | Auto Scaling group |

Amazon WorkSpaces

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| Amazon WorkSpaces | AWS::WorkSpaces::ConnectionAlias | NA | NA |
| | AWS::WorkSpaces::Workspace | NA | NA |

AWS Backup

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| AWS Backup | AWS::Backup::BackupPlan | NA | NA* |
| | AWS::Backup::BackupSelection | NA | NA |
| | AWS::Backup::BackupVault | NA | NA* |
| | AWS::Backup::RecoveryPoint | NA | NA |

Due to how AWS Backup works, some of these resource types relate to the other AWS Backup resource types in this table.

AWS::Backup::BackupPlan is related to AWS::Backup::BackupSelection where a Backup Plan has many selections, and AWS::Backup::BackupVault is related to AWS::Backup::RecoveryPoint where an AWS Backup Vault has multiple recovery points.

For more information, see Managing backups using backup plans and Working with backup vaults.

AWS Batch

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| AWS Batch | AWS::Batch::JobQueue | NA | NA |
| | AWS::Batch::ComputeEnvironment | NA | NA |

AWS Certificate Manager

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| AWS Certificate Manager | AWS::ACM::Certificate | NA | NA |

AWS CloudFormation

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| AWS CloudFormation | AWS::CloudFormation::Stack* | contains | Supported AWS resource types |

*AWS Config records configuration changes to AWS CloudFormation stacks and supported resource types in the stacks. AWS Config does not record configuration changes for resource types in the stack that are not yet supported. Unsupported resource types appear in the supplementary configuration section of the configuration item for the stack.

AWS CloudTrail

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| AWS CloudTrail | AWS::CloudTrail::Trail | NA | NA |

AWS CodeBuild

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| AWS CodeBuild | AWS::CodeBuild::Project* | is associated with | S3 bucket |
| | | | IAM role |

*To learn more about how AWS Config integrates with AWS CodeBuild, see Use AWS Config with AWS CodeBuild Sample.

AWS CodeDeploy

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| AWS CodeDeploy | AWS::CodeDeploy::Application | contains | DeploymentGroup |
| | AWS::CodeDeploy::DeploymentConfig | NA | NA |
| | AWS::CodeDeploy::DeploymentGroup | is contained in | Application |

AWS CodePipeline

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| AWS CodePipeline | AWS::CodePipeline::Pipeline* | is attached to | S3 bucket |
| | | is associated with | IAM role |
| | | | Code project |
| | | | Lambda function |
| | | | Cloudformation stack |
| | | | ElasticBeanstalk application |

*AWS Config records configuration changes to CodePipeline pipelines and supported resource types in the pipelines. AWS Config does not record configuration changes for resource types in the pipelines that are not yet supported. Unsupported resource types such as CodeCommit repository, CodeDeploy application, ECS cluster, and ECS service appear in the supplementary configuration section of the configuration item for the stack.

AWS Config

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| AWS Config | AWS::Config::ResourceCompliance* | is associated with | All resources* |
| | AWS::Config::ConformancePackCompliance | NA | NA |

*The relationship between AWS::Config::ResourceCompliance and a related resource depends on how AWS::Config::ResourceCompliance reports compliance for that specific resource type.

Note

Recording for the AWS::Config::ConformancePackCompliance resource type is available at no additional charge.

AWS Database Migration Service

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| AWS Database Migration Service | AWS::DMS::EventSubscription | NA | NA |
| | AWS::DMS::ReplicationSubnetGroup | NA | NA |

AWS Elastic Beanstalk

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| AWS Elastic Beanstalk | AWS::ElasticBeanstalk::Application | contains | Elastic Beanstalk Application Version |
| | | | Elastic Beanstalk Environment |
| | | is associated with | IAM role |
| | AWS::ElasticBeanstalk::ApplicationVersion | is contained in | Elastic Beanstalk Application |
| | | is associated with | Elastic Beanstalk Environment |
| | | | S3 bucket |
| | AWS::ElasticBeanstalk::Environment | is contained in | Elastic Beanstalk Application |
| | | is associated with | Elastic Beanstalk Application Version |
| | | | IAM role |
| | | contains | CloudFormation Stack |

AWS Global Accelerator

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| AWS Global Accelerator | AWS::GlobalAccelerator::Listener* | NA | NA |
| | AWS::GlobalAccelerator::EndpointGroup* | NA | NA |
| | AWS::GlobalAccelerator::Accelerator* | NA | NA |

*This resource is only available in US West (Oregon) Region.

AWS Identity and Access Management

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| AWS Identity and Access Management | AWS::IAM::User | is attached to | IAM group |
| | | | IAM customer managed policy |
| | AWS::IAM::Group | contains | IAM user |
| | | is attached to | IAM customer managed policy |
| | AWS::IAM::Role | is attached to | IAM customer managed policy |
| | AWS::IAM::Policy | is attached to | IAM user |
| | | | IAM group |
| | | | IAM role |
| AWS Identity and Access Management Access Analyzer | AWS::AccessAnalyzer::Analyzer | NA | NA |

AWS Config includes inline policies with the configuration details that it records. For more information on inline policies, see Managed policies and inline policies in the IAM User Guide.

AWS Key Management Service

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| AWS Key Management Service | AWS::KMS::Key | NA | NA |

AWS Lambda Function

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| AWS Lambda Function | AWS::Lambda::Function | is associated with | IAM role |
| | | | EC2 security group |
| | | is contained in | EC2 subnet |

AWS Network Firewall

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| AWS Network Firewall | AWS::NetworkFirewall::Firewall | is attached to | EC2 Subnet |
| | | is associated with | NetworkFirewall FirewallPolicy |
| | AWS::NetworkFirewall::FirewallPolicy | is associated with | NetworkFirewall RuleGroup |
| | AWS::NetworkFirewall::RuleGroup | NA | NA |

AWS Secrets Manager

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| AWS Secrets Manager | AWS::SecretsManager::Secret | is associated with | Lambda function |
| | | is associated with | KMS Key |

AWS Service Catalog

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| AWS Service Catalog | AWS::ServiceCatalog::CloudFormationProduct | is contained in | Portfolio |
| | | is associated with | CloudFormationProvisionedProduct |
| | AWS::ServiceCatalog::CloudFormationProvisionedProduct | is associated with | Portfolio |
| | | | CloudFormationProduct |
| | | | CloudFormationStack |
| | AWS::ServiceCatalog::Portfolio | contains | CloudFormationProduct |

AWS Shield

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| AWS Shield* | AWS::Shield::Protection | is associated with | Amazon CloudFront distribution |
| | AWS::ShieldRegional::Protection | is associated with | EC2 EIP |
| | | is associated with | ElasticLoadBalancing Balancer |
| | | is associated with | ElasticLoadBalancingV2 LoadBalancer |

*AWS Config support for AWS::Shield::Protection is available only in the US East (N. Virginia) region. The AWS::ShieldRegional::Protection is available in all regions where AWS Shield is supported.

AWS Step Functions

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| AWS Step Functions | AWS::StepFunctions::Activity | NA | NA |
| | AWS::StepFunctions::StateMachine | NA | NA |

AWS Systems Manager

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| AWS Systems Manager | AWS::SSM::ManagedInstanceInventory* | is associated with | EC2 instance |
| | AWS::SSM::PatchCompliance | is associated with | Managed Instance Inventory |
| | AWS::SSM::AssociationCompliance | is associated with | Managed Instance Inventory |
| | AWS::SSM::FileData | is associated with | Managed Instance Inventory |

*To learn more about managed instance inventory, see Recording Software Configuration for Managed Instances.

AWS WAF

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| AWS WAF* | AWS::WAF::RateBasedRule | NA | NA |
| | AWS::WAF::Rule | NA | NA |
| | AWS::WAF::WebACL | is associated with | WAF Rule |
| | | | WAF rate based rule |
| | | | WAF Rulegroup |
| | AWS::WAF::RuleGroup | is associated with | WAF Rule |
| | AWS::WAFRegional::RateBasedRule | NA | NA |
| | AWS::WAFRegional::Rule | NA | NA |
| | AWS::WAFRegional::WebACL | is associated with | ElasticLoadBalancingV2 LoadBalancer |
| | | | WAFRegional Rule |
| | | | WAFRegional rate based rule |
| | | | WAFRegional Rulegroup |
| | AWS::WAFRegional::RuleGroup | is associated with | WAFRegional Rule |

*The AWS WAF resource type values are available only in the US East (N. Virginia) Region. The AWS::WAFRegional::RateBasedRule, AWS::WAFRegional::Rule, AWS::WAFRegional::WebACL, and AWS::WAFRegional::RuleGroup are available in all regions where AWS WAF is supported.

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| AWS WAFv2* | AWS::WAFv2::WebACL | is associated with | ElasticLoadBalancingV2 LoadBalancer |
| | | | ApiGateway Stage |
| | | | WAFv2 IPSet |
| | | | WAFv2 RegexPatternSet |
| | | | WAFv2 RuleGroup |
| | | | WAFv2 ManagedRuleSet |
| | AWS::WAFv2::RuleGroup | is associated with | WAFv2 IPSet |
| | | | WAFv2 RegexPatternSet |
| | AWS::WAFv2::ManagedRuleSet | is associated with | WAFv2 RuleGroup |
| | AWS::WAFv2::IPSet | NA | NA |
| | AWS::WAFv2::RegexPatternSet | NA | NA |

*The AWS WAFv2 resource type values are available in all the AWS Regions where AWS WAFv2 is supported.

AWS X-Ray

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| AWS X-Ray | AWS::XRay::EncryptionConfig | NA | NA |

Elastic Load Balancing

| AWS Service | Resource Type Value | Relationship | Related Resource |
| --- | --- | --- | --- |
| Elastic Load Balancing | Application Load Balancer: AWS::ElasticLoadBalancingV2::LoadBalancer | is associated with | EC2 security group |
| | | is attached to | Subnet |
| | | is contained in | Virtual private cloud (VPC) |
| | Application Load Balancer Listener: AWS::ElasticLoadBalancingV2::Listener | NA | NA |
| | Classic Load Balancer: AWS::ElasticLoadBalancing::LoadBalancer | is associated with | EC2 security group |
| | | is attached to | Subnet |
| | | is contained in | Virtual private cloud (VPC) |
| | Network Load Balancer: AWS::ElasticLoadBalancingV2::LoadBalancer | NA | NA |