AWS Config Developer Guide

Permissions for the Amazon S3 Bucket

By default, all Amazon S3 buckets and objects are private. Only the resource owner and the AWS account that created the bucket can access that bucket and any objects it contains. The resource owner can, however, choose to grant access permissions to other resources and users. One way to do this is to write an access policy.

If AWS Config creates an S3 bucket for you automatically (for example, if you use the AWS Config console or the aws config subscribe command to set up your delivery channel), or if you choose an existing S3 bucket in your own account, these permissions are added to the S3 bucket automatically. However, if you specify an existing S3 bucket in another account, you must ensure that the S3 bucket has the correct permissions.

Required Permissions for the Amazon S3 Bucket When Using IAM Roles

When AWS Config sends configuration information (history files and snapshots) to the Amazon S3 bucket in your account, it assumes the IAM role that you assigned when you set up AWS Config. When AWS Config sends to an Amazon S3 bucket in another account, it first attempts to use the IAM role, but this attempt fails if the access policy for the bucket does not grant WRITE access to the IAM role. In this event, AWS Config sends the information again, this time as the AWS Config service principal. Before the delivery can succeed, the access policy must grant WRITE access to the config.amazonaws.com principal. AWS Config is then the owner of the objects it delivers to the S3 bucket. You must attach the access policy shown in step 6 below to the Amazon S3 bucket in the other account to grant AWS Config access to that bucket.

Required Permissions for the Amazon S3 Bucket When Using Service-Linked Roles

If you set up AWS Config using a service-linked role, you must attach the access policy shown in step 6 below to the Amazon S3 bucket, whether it is in your own account or in another account, to grant AWS Config access to the bucket.

Granting AWS Config access to the Amazon S3 Bucket

Follow these steps to add an access policy to the Amazon S3 bucket in your own account or another account. The access policy allows AWS Config to send configuration information to the Amazon S3 bucket.

  1. Sign in to the AWS Management Console using the account that has the S3 bucket.

  2. Open the Amazon S3 console at https://console.aws.amazon.com/s3/.

  3. Select the bucket that you want AWS Config to use to deliver configuration items, and then choose Properties.

  4. Choose Permissions.

  5. Choose Edit Bucket Policy.

  6. Copy the following policy into the Bucket Policy Editor window:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AWSConfigBucketPermissionsCheck",
          "Effect": "Allow",
          "Principal": { "Service": [ "config.amazonaws.com" ] },
          "Action": "s3:GetBucketAcl",
          "Resource": "arn:aws:s3:::targetBucketName"
        },
        {
          "Sid": "AWSConfigBucketDelivery",
          "Effect": "Allow",
          "Principal": { "Service": [ "config.amazonaws.com" ] },
          "Action": "s3:PutObject",
          "Resource": "arn:aws:s3:::targetBucketName/[optional] prefix/AWSLogs/sourceAccountID-WithoutHyphens/Config/*",
          "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } }
        }
      ]
    }

  7. Substitute the following values in the bucket policy:

    • targetBucketName – The name of the Amazon S3 bucket to which AWS Config will deliver configuration items.

    • [optional] prefix – An optional addition to the Amazon S3 object key that helps create a folder-like organization in the bucket.

    • sourceAccountID-WithoutHyphens – The ID of the account for which AWS Config will deliver configuration items to the target bucket.

  8. Choose Save and then Close.
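As an added example that is not part of the guide, the following Python script reviews a bucket policy for the two grants described in step 6: GetBucketAcl on the bucket ARN, and PutObject for config.amazonaws.com restricted to the account's AWSLogs/<account>/Config/* path with the bucket-owner-full-control ACL condition. The function name, the bucket name example-config-bucket and the documentation account ID 123456789012 are assumptions made for the example.

```python
import json

CONFIG_PRINCIPAL = "config.amazonaws.com"

def _as_list(value):
    # Policy grammar allows a string or a list in most fields; normalise to a list.
    return [] if value is None else value if isinstance(value, list) else [value]

def _allows_config(stmt):
    # True when the statement is an Allow whose Principal names the AWS Config service.
    principal = stmt.get("Principal")
    services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
    return stmt.get("Effect") == "Allow" and CONFIG_PRINCIPAL in services

def review_config_bucket_policy(policy_json, bucket, account_id):
    """Findings for a bucket policy meant to receive AWS Config delivery; empty when
    both grants from the guide are present and PutObject is scoped to this account's
    Config prefix. Wildcard actions such as s3:* deliberately do not satisfy a check."""
    findings, acl_ok, put_ok = [], False, False
    put_suffix = f"/AWSLogs/{account_id}/Config/*"
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if not _allows_config(stmt):
            continue
        actions, resources = _as_list(stmt.get("Action")), _as_list(stmt.get("Resource"))
        if "s3:GetBucketAcl" in actions and f"arn:aws:s3:::{bucket}" in resources:
            acl_ok = True
        if "s3:PutObject" in actions:
            put_ok = True
            if not resources or not all(r.startswith(f"arn:aws:s3:::{bucket}/") and r.endswith(put_suffix) for r in resources):
                findings.append("PutObject not limited to the account's AWSLogs/<account>/Config/* path")
            acl = stmt.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
            if acl != "bucket-owner-full-control":
                findings.append("PutObject lacks the s3:x-amz-acl = bucket-owner-full-control condition")
    if not acl_ok:
        findings.append("no s3:GetBucketAcl grant for config.amazonaws.com on the bucket ARN")
    if not put_ok:
        findings.append("no s3:PutObject grant for config.amazonaws.com")
    return findings

# Constructed sample: the guide's policy with placeholders filled in (123456789012 is a documentation ID).
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AWSConfigBucketPermissionsCheck", "Effect": "Allow",
     "Principal": {"Service": ["config.amazonaws.com"]},
     "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::example-config-bucket"},
    {"Sid": "AWSConfigBucketDelivery", "Effect": "Allow",
     "Principal": {"Service": ["config.amazonaws.com"]}, "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-config-bucket/AWSLogs/123456789012/Config/*",
     "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}]})
```

Running the check against a policy whose PutObject grant covers the whole bucket, or whose account path does not match the delivering account, reports each missing or over-broad element separately.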