AWS Config
Developer Guide

AWS Config Supported AWS Resource Types and Resource Relationships

AWS Config supports the following AWS resource types and resource relationships. Each table lists the resource type value that AWS Config records, the relationship it tracks, and the related resource types.

Amazon CloudFront

AWS Service: Amazon CloudFront*

Resource Type Value: AWS::CloudFront::Distribution
    is associated with: AWS WAF WebACL, ACM Certificate, S3 Bucket, IAM Server Certificate

Resource Type Value: AWS::CloudFront::StreamingDistribution
    is associated with: AWS WAF WebACL, ACM Certificate, S3 Bucket, IAM Server Certificate

*AWS Config support for Amazon CloudFront is available only in the US East (N. Virginia) region.

Amazon CloudWatch

AWS Service: Amazon CloudWatch

Resource Type Value: AWS::CloudWatch::Alarm
    Relationship: NA
    Related Resource: NA

Amazon DynamoDB

AWS Service: Amazon DynamoDB

Resource Type Value: AWS::DynamoDB::Table
    Relationship: NA
    Related Resource: NA

Amazon Elastic Compute Cloud

AWS Service: Amazon Elastic Compute Cloud

Resource Type Value: AWS::EC2::Host*
    contains: EC2 instance

Resource Type Value: AWS::EC2::EIP
    is attached to: EC2 instance, Network interface

Resource Type Value: AWS::EC2::Instance
    contains: EC2 network interface
    is associated with: EC2 security group
    is attached to: Amazon EBS volume, EC2 Elastic IP (EIP)
    is contained in: EC2 Dedicated host, Route table, Subnet, Virtual private cloud (VPC)

Resource Type Value: AWS::EC2::NetworkInterface
    is associated with: EC2 security group
    is attached to: EC2 Elastic IP (EIP), EC2 instance
    is contained in: Route table, Subnet, Virtual private cloud (VPC)

Resource Type Value: AWS::EC2::SecurityGroup
    is associated with: EC2 instance, EC2 network interface, Virtual private cloud (VPC)

*AWS Config records the configuration details of Dedicated hosts and the instances that you launch on them. As a result, you can use AWS Config as a data source when you report compliance with your server-bound software licenses. For example, you can view the configuration history of an instance and determine which Amazon Machine Image (AMI) it is based on. Then, you can look up the configuration history of the host, which includes details such as the number of sockets and cores, to verify that the host complies with the license requirements of the AMI. For more information, see Tracking Configuration Changes with AWS Config in the Amazon EC2 User Guide for Linux Instances.

Amazon Elastic Block Store

AWS Service: Amazon Elastic Block Store

Resource Type Value: AWS::EC2::Volume
    is attached to: EC2 instance

Amazon Redshift

AWS Service: Amazon Redshift

Resource Type Value: AWS::Redshift::Cluster
    is associated with: Cluster parameter group, Cluster security group, Cluster subnet group, Security group, Virtual private cloud (VPC)

Resource Type Value: AWS::Redshift::ClusterParameterGroup
    Relationship: NA
    Related Resource: NA

Resource Type Value: AWS::Redshift::ClusterSecurityGroup
    Relationship: NA
    Related Resource: NA

Resource Type Value: AWS::Redshift::ClusterSnapshot
    is associated with: Cluster, Virtual private cloud (VPC)

Resource Type Value: AWS::Redshift::ClusterSubnetGroup
    is associated with: Subnet, Virtual private cloud (VPC)

Resource Type Value: AWS::Redshift::EventSubscription
    Relationship: NA
    Related Resource: NA

Amazon Relational Database Service

AWS Service: Amazon Relational Database Service

Resource Type Value: AWS::RDS::DBInstance
    is associated with: EC2 security group, RDS DB security group, RDS DB subnet group

Resource Type Value: AWS::RDS::DBSecurityGroup
    is associated with: EC2 security group, Virtual private cloud (VPC)

Resource Type Value: AWS::RDS::DBSnapshot
    is associated with: Virtual private cloud (VPC)

Resource Type Value: AWS::RDS::DBSubnetGroup
    is associated with: EC2 security group, Virtual private cloud (VPC)

Resource Type Value: AWS::RDS::EventSubscription
    Relationship: NA
    Related Resource: NA

Amazon Simple Storage Service

AWS Service: Amazon Simple Storage Service

Resource Type Value: AWS::S3::Bucket*
    Relationship: NA
    Related Resource: NA

*If you configured AWS Config to record your S3 buckets and are not receiving configuration change notifications, verify that your S3 bucket policies grant the required permissions. For more information, see Troubleshooting for recording S3 buckets.

Amazon S3 Bucket Attributes

AWS Config also records the following attributes for the Amazon S3 bucket resource type.

Attribute                      Description
AccelerateConfiguration        Transfer acceleration for data over long distances between your client and a bucket.
BucketAcl                      Access control list used to manage access to buckets and objects.
BucketPolicy                   Policy that defines the permissions to the bucket.
CrossOriginConfiguration       Allow cross-origin requests to the bucket.
LifecycleConfiguration         Rules that define the lifecycle for objects in your bucket.
LoggingConfiguration           Logging used to track requests for access to the bucket.
NotificationConfiguration      Event notifications used to send alerts or trigger workflows for specified bucket events.
ReplicationConfiguration       Automatic, asynchronous copying of objects across buckets in different AWS Regions.
RequestPaymentConfiguration    Whether Requester Pays is enabled.
TaggingConfiguration           Tags added to the bucket to categorize it. You can also use tagging to track billing.
WebsiteConfiguration           Whether static website hosting is enabled for the bucket.
VersioningConfiguration        Whether versioning is enabled for objects in the bucket.

For more information about the attributes, see Bucket Configuration Options in the Amazon Simple Storage Service Developer Guide.

Amazon Virtual Private Cloud

AWS Service: Amazon Virtual Private Cloud

Resource Type Value: AWS::EC2::CustomerGateway
    is attached to: VPN connection

Resource Type Value: AWS::EC2::InternetGateway
    is attached to: Virtual private cloud (VPC)

Resource Type Value: AWS::EC2::NetworkAcl
    Relationship: NA
    Related Resource: NA

Resource Type Value: AWS::EC2::RouteTable
    contains: EC2 instance, EC2 network interface, Subnet, VPN gateway
    is contained in: Virtual private cloud (VPC)

Resource Type Value: AWS::EC2::Subnet
    contains: EC2 instance, EC2 network interface
    is attached to: Network ACL
    is contained in: Route table, Virtual private cloud (VPC)

Resource Type Value: AWS::EC2::VPC
    contains: EC2 instance, EC2 network interface, Network ACL, Route table, Subnet
    is associated with: Security group
    is attached to: Internet gateway, VPN gateway

Resource Type Value: AWS::EC2::VPNConnection
    is attached to: Customer gateway, VPN gateway

Resource Type Value: AWS::EC2::VPNGateway
    is attached to: Virtual private cloud (VPC), VPN connection
    is contained in: Route table

AWS Auto Scaling

AWS Service: Auto Scaling

Resource Type Value: AWS::AutoScaling::AutoScalingGroup
    contains: Amazon EC2 instance
    is associated with: Classic Load Balancer, Auto Scaling launch configuration, Subnet

Resource Type Value: AWS::AutoScaling::LaunchConfiguration
    is associated with: Amazon EC2 security group

Resource Type Value: AWS::AutoScaling::ScalingPolicy
    is associated with: Auto Scaling group, Alarm

Resource Type Value: AWS::AutoScaling::ScheduledAction
    is associated with: Auto Scaling group

AWS Certificate Manager

AWS Service: AWS Certificate Manager

Resource Type Value: AWS::ACM::Certificate
    Relationship: NA
    Related Resource: NA

AWS CloudFormation

AWS Service: AWS CloudFormation

Resource Type Value: AWS::CloudFormation::Stack*
    contains: Supported AWS resource types

*AWS Config records configuration changes to AWS CloudFormation stacks and supported resource types in the stacks. AWS Config does not record configuration changes for resource types in the stack that are not yet supported. Unsupported resource types appear in the supplementary configuration section of the configuration item for the stack.

AWS CloudTrail

AWS Service: AWS CloudTrail

Resource Type Value: AWS::CloudTrail::Trail
    Relationship: NA
    Related Resource: NA

AWS CodeBuild

AWS Service: AWS CodeBuild

Resource Type Value: AWS::CodeBuild::Project*
    is associated with: S3 bucket, IAM role

*To learn more about how AWS Config integrates with AWS CodeBuild, see Use AWS Config with AWS CodeBuild Sample.

AWS CodePipeline

AWS Service: AWS CodePipeline

Resource Type Value: AWS::CodePipeline::Pipeline*
    is attached to: S3 bucket
    is associated with: IAM role, Code project, Lambda function, CloudFormation stack, ElasticBeanstalk application

*AWS Config records configuration changes to AWS CodePipeline pipelines and supported resource types in the pipelines. AWS Config does not record configuration changes for resource types in the pipelines that are not yet supported. Unsupported resource types such as CodeCommit repository, CodeDeploy application, ECS cluster, and ECS service appear in the supplementary configuration section of the configuration item for the stack.

AWS Elastic Beanstalk

AWS Service: AWS Elastic Beanstalk

Resource Type Value: AWS::ElasticBeanstalk::Application
    contains: Elastic Beanstalk Application Version, Elastic Beanstalk Environment
    is associated with: IAM role

Resource Type Value: AWS::ElasticBeanstalk::ApplicationVersion
    is contained in: Elastic Beanstalk Application
    is associated with: Elastic Beanstalk Environment, S3 bucket

Resource Type Value: AWS::ElasticBeanstalk::Environment
    is contained in: Elastic Beanstalk Application
    is associated with: Elastic Beanstalk Application Version, IAM role
    contains: CloudFormation Stack

AWS Identity and Access Management

AWS Service: AWS Identity and Access Management

Resource Type Value: AWS::IAM::User*
    is attached to: IAM group, IAM customer managed policy

Resource Type Value: AWS::IAM::Group*
    contains: IAM user
    is attached to: IAM customer managed policy

Resource Type Value: AWS::IAM::Role*
    is attached to: IAM customer managed policy

Resource Type Value: AWS::IAM::Policy
    is attached to: IAM user, IAM group, IAM role

*AWS Identity and Access Management (IAM) resources are global resources. Global resources are not tied to an individual region and can be used in all regions. The configuration details for a global resource are the same in all regions. For more information, see Selecting Which Resources AWS Config Records.

AWS Config includes inline policies with the configuration details that it records.

AWS Lambda Function

AWS Service: AWS Lambda Function

Resource Type Value: AWS::Lambda::Function
    is associated with: IAM role, EC2 security group
    contains: EC2 subnet

AWS Shield

AWS Service: AWS Shield*

Resource Type Value: AWS::Shield::Protection
    is associated with: Amazon CloudFront distribution

Resource Type Value: AWS::ShieldRegional::Protection
    is associated with: EC2 EIP, ElasticLoadBalancing LoadBalancer, ElasticLoadBalancingV2 LoadBalancer

*AWS Config support for AWS::Shield::Protection is available only in the US East (N. Virginia) region. AWS::ShieldRegional::Protection is available in all regions where AWS Shield is supported.

AWS Systems Manager

AWS Service: AWS Systems Manager

Resource Type Value: AWS::SSM::ManagedInstanceInventory*
    is associated with: EC2 instance

Resource Type Value: AWS::SSM::PatchCompliance
    is associated with: Managed Instance Inventory

Resource Type Value: AWS::SSM::AssociationCompliance
    is associated with: Managed Instance Inventory

*To learn more about managed instance inventory, see Recording Software Configuration for Managed Instances.

AWS WAF

AWS Service: AWS WAF*

Resource Type Value: AWS::WAF::RateBasedRule
    Relationship: NA
    Related Resource: NA

Resource Type Value: AWS::WAF::Rule
    Relationship: NA
    Related Resource: NA

Resource Type Value: AWS::WAF::WebACL
    is associated with: WAF rule, WAF rate based rule, WAF rulegroup

Resource Type Value: AWS::WAF::RuleGroup
    is associated with: WAF rule

Resource Type Value: AWS::WAFRegional::RateBasedRule
    Relationship: NA
    Related Resource: NA

Resource Type Value: AWS::WAFRegional::Rule
    Relationship: NA
    Related Resource: NA

Resource Type Value: AWS::WAFRegional::WebACL
    is associated with: ElasticLoadBalancingV2 LoadBalancer, WAFRegional rule, WAFRegional rate based rule, WAFRegional rulegroup

Resource Type Value: AWS::WAFRegional::RuleGroup
    is associated with: WAFRegional rule

*The AWS::WAF::* resource type values are available only in the US East (N. Virginia) Region. AWS::WAFRegional::RateBasedRule, AWS::WAFRegional::Rule, AWS::WAFRegional::WebACL, and AWS::WAFRegional::RuleGroup are available in all regions where AWS WAF is supported.

AWS X-Ray

AWS Service: AWS X-Ray

Resource Type Value: AWS::XRay::EncryptionConfig
    Relationship: NA
    Related Resource: NA

Elastic Load Balancing

AWS Service: Elastic Load Balancing

Resource Type Value: AWS::ElasticLoadBalancingV2::LoadBalancer (Application Load Balancer)
    is associated with: EC2 security group
    is attached to: Subnet
    is contained in: Virtual private cloud (VPC)

Resource Type Value: AWS::ElasticLoadBalancing::LoadBalancer (Classic Load Balancer)
    is associated with: EC2 security group
    is attached to: Subnet
    is contained in: Virtual private cloud (VPC)

Resource Type Value: AWS::ElasticLoadBalancingV2::LoadBalancer (Network Load Balancer)
    Relationship: NA
    Related Resource: NA