AWSConfigServiceRolePolicy AWS_ConfigRole Policy updates

AWS managed policies for AWS Config

To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see AWS managed policies in the IAM User Guide.

AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.

Additionally, AWS supports managed policies for job functions that span multiple services. For example, the ViewOnlyAccess AWS managed policy provides read-only access to many AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see AWS managed policies for job functions in the IAM User Guide.

AWS managed policy: AWSConfigServiceRolePolicy

AWS Config uses the service-linked role named AWSServiceRoleForConfig to call other AWS services on your behalf. When you use AWS Management Console to set up AWS Config, this SLR is automatically created by AWS Config if you select the option to use the AWS Config SLR instead of your own AWS Identity and Access Management (IAM) service role.

The AWSServiceRoleForConfig SLR contains the managed policy AWSConfigServiceRolePolicy. This managed policy contains read-only and write-only permissions for AWS Config resources and read-only permissions for resources in other services that AWS Config supports. For more information, see Supported Resource Types and Using Service-Linked Roles for AWS Config.


{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"access-analyzer:GetAnalyzer",
				"access-analyzer:GetArchiveRule",
				"access-analyzer:ListAnalyzers",
				"access-analyzer:ListArchiveRules",
				"access-analyzer:ListTagsForResource",
				"account:GetAlternateContact",
				"acm:DescribeCertificate",
				"acm:ListCertificates",
				"acm:ListTagsForCertificate",
				"apigateway:GET",
				"application-autoscaling:DescribeScalableTargets",
				"application-autoscaling:DescribeScalingPolicies",
				"autoscaling:DescribeAutoScalingGroups",
				"autoscaling:DescribeLaunchConfigurations",
				"autoscaling:DescribeLifecycleHooks",
				"autoscaling:DescribePolicies",
				"autoscaling:DescribeScheduledActions",
				"autoscaling:DescribeTags",
				"backup-gateway:ListTagsForResource",
				"backup-gateway:ListVirtualMachines",
				"backup:DescribeBackupVault",
				"backup:DescribeRecoveryPoint",
				"backup:GetBackupPlan",
				"backup:GetBackupSelection",
				"backup:GetBackupVaultAccessPolicy",
				"backup:GetBackupVaultNotifications",
				"backup:ListBackupPlans",
				"backup:ListBackupSelections",
				"backup:ListBackupVaults",
				"backup:ListRecoveryPointsByBackupVault",
				"backup:ListTags",
				"batch:DescribeComputeEnvironments",
				"batch:DescribeJobQueues",
				"batch:ListTagsForResource",
				"cloudformation:DescribeType",
				"cloudformation:GetResource",
				"cloudformation:ListResources", 
				"cloudformation:ListTypes",
				"cloudfront:ListDistributions",
				"cloudfront:ListTagsForResource",
				"cloudtrail:DescribeTrails",
				"cloudtrail:GetEventDataStore",
				"cloudtrail:GetEventSelectors",
				"cloudtrail:GetTrailStatus",
				"cloudtrail:ListEventDataStores",
				"cloudtrail:ListTags",
				"cloudwatch:DescribeAlarms",
				"codedeploy:GetDeploymentConfig",
				"codepipeline:GetPipeline",
				"codepipeline:GetPipelineState",
				"codepipeline:ListPipelines",
				"config:BatchGet*",
				"config:Describe*",
				"config:Get*",
				"config:List*",
				"config:Put*",
				"config:Select*",
				"dax:DescribeClusters",
				"dax:DescribeParameterGroups",
				"dax:DescribeParameters",
				"dax:DescribeSubnetGroups",
				"dax:ListTags",
				"dms:DescribeCertificates",
				"dms:DescribeEventSubscriptions",
				"dms:DescribeReplicationInstances",
				"dms:DescribeReplicationTasks",
				"dms:DescribeReplicationSubnetGroups",
				"dms:ListTagsForResource",
				"dynamodb:DescribeContinuousBackups",
				"dynamodb:DescribeGlobalTable",
				"dynamodb:DescribeGlobalTableSettings",
				"dynamodb:DescribeLimits",
				"dynamodb:DescribeTable",
				"dynamodb:ListTables",
				"dynamodb:ListTagsOfResource",
				"ec2:Describe*",
				"ec2:DescribeClientVpnAuthorizationRules",
				"ec2:DescribeClientVpnEndpoints",
				"ec2:DescribeDhcpOptions",
				"ec2:DescribeFleets",
				"ec2:DescribeNetworkAcls",
				"ec2:DescribePlacementGroups",
				"ec2:DescribeSpotFleetRequests",
				"ec2:DescribeVolumeAttribute",
				"ec2:DescribeVolumes",
				"ec2:GetEbsEncryptionByDefault",
				"ecr-public:DescribeRepositories",
				"ecr-public:GetRepositoryCatalogData",
				"ecr-public:GetRepositoryPolicy",
				"ecr-public:ListTagsForResource",
				"ecr:DescribeRepositories",
				"ecr:GetLifecyclePolicy",
				"ecr:GetRepositoryPolicy",
				"ecr:ListTagsForResource",
				"ecs:DescribeClusters",
				"ecs:DescribeServices",
				"ecs:DescribeTaskDefinition",
				"ecs:DescribeTaskSets",
				"ecs:ListClusters",
				"ecs:ListServices",
				"ecs:ListTagsForResource",
				"ecs:ListTaskDefinitionFamilies",
				"ecs:ListTaskDefinitions",
				"eks:DescribeCluster",
				"eks:DescribeFargateProfile",
				"eks:DescribeNodegroup",
				"eks:ListClusters",
				"eks:ListFargateProfiles",
				"eks:ListNodegroups",
				"eks:ListTagsForResource",
				"elasticache:DescribeCacheClusters",
				"elasticache:DescribeCacheParameterGroups",
				"elasticache:DescribeCacheSubnetGroups",
				"elasticache:DescribeReplicationGroups",
				"elasticache:DescribeSnapshots",
				"elasticache:ListTagsForResource",
				"elasticbeanstalk:DescribeConfigurationSettings",
				"elasticbeanstalk:DescribeEnvironments",
				"elasticfilesystem:DescribeAccessPoints",
				"elasticfilesystem:DescribeBackupPolicy",
				"elasticfilesystem:DescribeFileSystemPolicy",
				"elasticfilesystem:DescribeFileSystems",
				"elasticfilesystem:DescribeLifecycleConfiguration",
				"elasticfilesystem:DescribeMountTargets",
				"elasticfilesystem:DescribeMountTargetSecurityGroups",
				"elasticloadbalancing:DescribeListeners",
				"elasticloadbalancing:DescribeLoadBalancerAttributes",
				"elasticloadbalancing:DescribeLoadBalancerPolicies",
				"elasticloadbalancing:DescribeLoadBalancers",
				"elasticloadbalancing:DescribeRules",
				"elasticloadbalancing:DescribeTags",
				"elasticmapreduce:DescribeCluster",
				"elasticmapreduce:DescribeSecurityConfiguration",
				"elasticmapreduce:DescribeStep",
				"elasticmapreduce:GetBlockPublicAccessConfiguration",
				"elasticmapreduce:GetManagedScalingPolicy",
				"elasticmapreduce:ListClusters",
				"elasticmapreduce:ListInstanceFleets",
				"elasticmapreduce:ListInstanceGroups",
				"elasticmapreduce:ListInstances",
				"elasticmapreduce:ListSecurityConfigurations",
				"elasticmapreduce:ListSteps",
				"es:DescribeDomain",
				"es:DescribeDomains",
				"es:DescribeElasticsearchDomain",
				"es:DescribeElasticsearchDomains",
				"es:GetCompatibleElasticsearchVersions",
				"es:GetCompatibleVersions",
				"es:ListDomainNames",
				"es:ListTags",
				"firehose:DescribeDeliveryStream",
				"firehose:ListDeliveryStreams",
				"firehose:ListTagsForDeliveryStream",
				"fsx:DescribeFileSystems",
				"fsx:ListTagsForResource",
				"globalaccelerator:DescribeAccelerator",
				"globalaccelerator:DescribeEndpointGroup",
				"globalaccelerator:DescribeListener",
				"globalaccelerator:ListAccelerators",
				"globalaccelerator:ListEndpointGroups",
				"globalaccelerator:ListListeners",
				"globalaccelerator:ListTagsForResource",
				"guardduty:GetDetector",
				"guardduty:GetFindings",
				"guardduty:GetMasterAccount",
				"guardduty:ListDetectors",
				"guardduty:ListFindings",
				"guardduty:ListOrganizationAdminAccounts",
				"iam:GenerateCredentialReport",
				"iam:GetAccountAuthorizationDetails",
				"iam:GetAccountPasswordPolicy",
				"iam:GetAccountSummary",
				"iam:GetCredentialReport",
				"iam:GetGroup",
				"iam:GetGroupPolicy",
				"iam:GetPolicy",
				"iam:GetPolicyVersion",
				"iam:GetRole",
				"iam:GetRolePolicy",
				"iam:GetUser",
				"iam:GetUserPolicy",
				"iam:ListAttachedGroupPolicies",
				"iam:ListAttachedRolePolicies",
				"iam:ListAttachedUserPolicies",
				"iam:ListEntitiesForPolicy",
				"iam:ListGroupPolicies",
				"iam:ListGroupsForUser",
				"iam:ListInstanceProfilesForRole",
				"iam:ListPolicyVersions",
				"iam:ListRolePolicies",
				"iam:ListUserPolicies",
				"iam:ListVirtualMFADevices",
				"kafka:DescribeCluster",
				"kafka:ListClusters",
				"kinesis:DescribeStreamConsumer",
				"kinesis:DescribeStreamSummary",
				"kinesis:ListStreamConsumers",
				"kinesis:ListStreams",
				"kinesis:ListTagsForStream",
				"kms:DescribeKey",
				"kms:GetKeyPolicy",
				"kms:GetKeyRotationStatus",
				"kms:ListAliases",
				"kms:ListKeys",
				"kms:ListResourceTags",
				"lambda:GetAlias",
				"lambda:GetFunction",
				"lambda:GetFunctionCodeSigningConfig",
				"lambda:GetPolicy",
				"lambda:ListAliases",
				"lambda:ListFunctions",
				"lambda:ListVersionsByFunction",
				"logs:DescribeLogGroups",
				"logs:ListTagsLogGroup",
				"network-firewall:DescribeLoggingConfiguration",
				"network-firewall:ListFirewalls",
				"opsworks:DescribeLayers",
				"opsworks:ListTags",
				"organizations:DescribeOrganization",
				"organizations:DescribePolicy",
				"organizations:ListParents",
				"organizations:ListPolicies",
				"organizations:ListPoliciesForTarget",
				"rds:DescribeDBClusterParameterGroups",
				"rds:DescribeDBClusterParameters",
				"rds:DescribeDBClusters",
				"rds:DescribeDBClusterSnapshotAttributes",
				"rds:DescribeDBClusterSnapshots",
				"rds:DescribeDBEngineVersions",
				"rds:DescribeDBInstances",
				"rds:DescribeDBParameterGroups",
				"rds:DescribeDBParameterGroups",
				"rds:DescribeDBParameters",
				"rds:DescribeDBSecurityGroups",
				"rds:DescribeDBSnapshotAttributes",
				"rds:DescribeDBSnapshots",
				"rds:DescribeDBSubnetGroups",
				"rds:DescribeEventSubscriptions",
				"rds:DescribeOptionGroups",
				"rds:ListTagsForResource",
				"redshift:DescribeClusterParameterGroups",
				"redshift:DescribeClusterParameters",
				"redshift:DescribeClusters",
				"redshift:DescribeClusterSecurityGroups",
				"redshift:DescribeClusterSnapshots",
				"redshift:DescribeClusterSubnetGroups",
				"redshift:DescribeEventSubscriptions",
				"redshift:DescribeLoggingStatus",
				"route53:GetHealthCheck",
				"route53:GetHostedZone",
				"route53:ListHealthChecks",
				"route53:ListHostedZones",
				"route53:ListHostedZonesByName",
				"route53:ListQueryLoggingConfigs",
				"route53:ListResourceRecordSets",
				"route53:ListTagsForResource",
				"route53resolver:GetResolverEndpoint",
				"route53resolver:GetResolverRule",
				"route53resolver:GetResolverRuleAssociation",
				"route53resolver:ListResolverEndpointIpAddresses",
				"route53resolver:ListResolverEndpoints",
				"route53resolver:ListResolverRuleAssociations",
				"route53resolver:ListResolverRules",
				"route53resolver:ListTagsForResource",
				"s3:GetAccelerateConfiguration",
				"s3:GetAccessPoint",
				"s3:GetAccessPointPolicy",
				"s3:GetAccessPointPolicyStatus",
				"s3:GetAccountPublicAccessBlock",
				"s3:GetBucketAcl",
				"s3:GetBucketCORS",
				"s3:GetBucketLocation",
				"s3:GetBucketLogging",
				"s3:GetBucketNotification",
				"s3:GetBucketObjectLockConfiguration",
				"s3:GetBucketPolicy",
				"s3:GetBucketPublicAccessBlock",
				"s3:GetBucketRequestPayment",
				"s3:GetBucketTagging",
				"s3:GetBucketVersioning",
				"s3:GetBucketWebsite",
				"s3:GetEncryptionConfiguration",
				"s3:GetLifecycleConfiguration",
				"s3:GetReplicationConfiguration",
				"s3:ListAccessPoints",
				"s3:ListAllMyBuckets",
				"s3:ListBucket",
				"sagemaker:DescribeCodeRepository",
				"sagemaker:DescribeEndpoint",
				"sagemaker:DescribeEndpointConfig",
				"sagemaker:DescribeModel",
				"sagemaker:DescribeMonitoringSchedule",
				"sagemaker:DescribeNotebookInstance",
				"sagemaker:DescribeNotebookInstanceLifecycleConfig",
				"sagemaker:DescribeWorkteam",
				"sagemaker:ListCodeRepositories",
				"sagemaker:ListEndpointConfigs",
				"sagemaker:ListEndpoints",
				"sagemaker:ListModels",
				"sagemaker:ListMonitoringSchedules",
				"sagemaker:ListNotebookInstanceLifecycleConfigs",
				"sagemaker:ListNotebookInstances",
				"sagemaker:ListTags",
				"sagemaker:ListWorkteams",
				"secretsmanager:ListSecrets",
				"secretsmanager:ListSecretVersionIds",
				"securityhub:DescribeHub",
				"shield:DescribeDRTAccess",
				"shield:DescribeProtection",
				"shield:DescribeSubscription",
				"sns:GetSubscriptionAttributes",
				"sns:GetTopicAttributes",
				"sns:ListSubscriptions",
				"sns:ListSubscriptionsByTopic",
				"sns:ListTagsForResource",
				"sns:ListTopics",
				"sqs:GetQueueAttributes",
				"sqs:ListQueues",
				"sqs:ListQueueTags",
				"ssm:DescribeAutomationExecutions",
				"ssm:DescribeDocument",
				"ssm:DescribeDocumentPermission",
				"ssm:GetAutomationExecution",
				"ssm:GetDocument",
				"ssm:ListDocuments",
				"states:DescribeActivity",
				"states:DescribeStateMachine",
				"states:ListActivities",
				"states:ListStateMachines",
				"states:ListTagsForResource",
				"storagegateway:ListGateways",
				"storagegateway:ListTagsForResource",
				"storagegateway:ListVolumes",
				"support:DescribeCases",
				"tag:GetResources",
				"waf-regional:GetLoggingConfiguration",
				"waf-regional:GetWebACL",
				"waf-regional:GetWebACLForResource",
				"waf:GetLoggingConfiguration",
				"waf:GetWebACL",
				"wafv2:GetLoggingConfiguration",
				"wafv2:GetRuleGroup",
				"wafv2:ListRuleGroups",
				"wafv2:ListTagsForResource",
				"workspaces:DescribeConnectionAliases",
				"workspaces:DescribeTags",
				"workspaces:DescribeWorkspaces"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"logs:CreateLogStream",
				"logs:CreateLogGroup"
			],
			"Resource": "arn:aws:logs:*:*:log-group:/aws/config/*"
		},
		{
			"Effect": "Allow",
			"Action": "logs:PutLogEvents",
			"Resource": "arn:aws:logs:*:*:log-group:/aws/config/*:log-stream:config-rule-evaluation/*"
		}
	]
}

AWS managed policy: AWS_ConfigRole

To record your AWS resource configurations, AWS Config requires IAM permissions to get the configuration details about your resources. If you want to create an IAM role for AWS Config, you can use the managed policy AWS_ConfigRole and attach it to your IAM role.

This IAM policy is updated each time AWS Config adds support for an AWS resource type. This means that AWS Config will continue to have the required permissions to record configuration data of supported resource types as long as the AWS_ConfigRole role has this managed policy attached. For more information, see Supported Resource Types and Permissions for the IAM Role Assigned to AWS Config.


{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"access-analyzer:GetAnalyzer",
				"access-analyzer:GetArchiveRule",
				"access-analyzer:ListAnalyzers",
				"access-analyzer:ListArchiveRules",
				"access-analyzer:ListTagsForResource",
				"account:GetAlternateContact",
				"acm:DescribeCertificate",
				"acm:ListCertificates",
				"acm:ListTagsForCertificate",
				"apigateway:GET",
				"application-autoscaling:DescribeScalableTargets",
				"application-autoscaling:DescribeScalingPolicies",
				"autoscaling:DescribeAutoScalingGroups",
				"autoscaling:DescribeLaunchConfigurations",
				"autoscaling:DescribeLifecycleHooks",
				"autoscaling:DescribePolicies",
				"autoscaling:DescribeScheduledActions",
				"autoscaling:DescribeTags",
				"backup-gateway:ListTagsForResource",
				"backup-gateway:ListVirtualMachines",
				"backup:DescribeBackupVault",
				"backup:DescribeRecoveryPoint",
				"backup:GetBackupPlan",
				"backup:GetBackupSelection",
				"backup:GetBackupVaultAccessPolicy",
				"backup:GetBackupVaultNotifications",
				"backup:ListBackupPlans",
				"backup:ListBackupSelections",
				"backup:ListBackupVaults",
				"backup:ListRecoveryPointsByBackupVault",
				"backup:ListTags",
				"batch:DescribeComputeEnvironments",
				"batch:DescribeJobQueues",
				"batch:ListTagsForResource",
				"cloudformation:DescribeType",
				"cloudformation:GetResource",
				"cloudformation:ListResources", 
				"cloudformation:ListTypes",
				"cloudfront:ListDistributions",
				"cloudfront:ListTagsForResource",
				"cloudtrail:DescribeTrails",
				"cloudtrail:GetEventDataStore",
				"cloudtrail:GetEventSelectors",
				"cloudtrail:GetTrailStatus",
				"cloudtrail:ListEventDataStores",
				"cloudtrail:ListTags",
				"cloudwatch:DescribeAlarms",
				"codedeploy:GetDeploymentConfig",
				"codepipeline:GetPipeline",
				"codepipeline:GetPipelineState",
				"codepipeline:ListPipelines",
				"config:BatchGet*",
				"config:Describe*",
				"config:Get*",
				"config:List*",
				"config:Put*",
				"config:Select*",
				"dax:DescribeClusters",
				"dax:DescribeParameterGroups",
				"dax:DescribeParameters",
				"dax:DescribeSubnetGroups",
				"dax:ListTags",
				"dms:DescribeCertificates",
				"dms:DescribeEventSubscriptions",
				"dms:DescribeReplicationInstances",
				"dms:DescribeReplicationTasks",
				"dms:DescribeReplicationSubnetGroups",
				"dms:ListTagsForResource",
				"dynamodb:DescribeContinuousBackups",
				"dynamodb:DescribeGlobalTable",
				"dynamodb:DescribeGlobalTableSettings",
				"dynamodb:DescribeLimits",
				"dynamodb:DescribeTable",
				"dynamodb:ListTables",
				"dynamodb:ListTagsOfResource",
				"ec2:Describe*",
				"ec2:DescribeClientVpnAuthorizationRules",
				"ec2:DescribeClientVpnEndpoints",
				"ec2:DescribeDhcpOptions",
				"ec2:DescribeFleets",
				"ec2:DescribeNetworkAcls",
				"ec2:DescribePlacementGroups",
				"ec2:DescribeSpotFleetRequests",
				"ec2:DescribeVolumeAttribute",
				"ec2:DescribeVolumes",
				"ec2:GetEbsEncryptionByDefault",
				"ecr-public:DescribeRepositories",
				"ecr-public:GetRepositoryCatalogData",
				"ecr-public:GetRepositoryPolicy",
				"ecr-public:ListTagsForResource",
				"ecr:DescribeRepositories",
				"ecr:GetLifecyclePolicy",
				"ecr:GetRepositoryPolicy",
				"ecr:ListTagsForResource",
				"ecs:DescribeClusters",
				"ecs:DescribeServices",
				"ecs:DescribeTaskDefinition",
				"ecs:DescribeTaskSets",
				"ecs:ListClusters",
				"ecs:ListServices",
				"ecs:ListTagsForResource",
				"ecs:ListTaskDefinitionFamilies",
				"ecs:ListTaskDefinitions",
				"eks:DescribeCluster",
				"eks:DescribeFargateProfile",
				"eks:DescribeNodegroup",
				"eks:ListClusters",
				"eks:ListFargateProfiles",
				"eks:ListNodegroups",
				"eks:ListTagsForResource",
				"elasticache:DescribeCacheClusters",
				"elasticache:DescribeCacheParameterGroups",
				"elasticache:DescribeCacheSubnetGroups",
				"elasticache:DescribeReplicationGroups",
				"elasticache:DescribeSnapshots",
				"elasticache:ListTagsForResource",
				"elasticbeanstalk:DescribeConfigurationSettings",
				"elasticbeanstalk:DescribeEnvironments",
				"elasticfilesystem:DescribeAccessPoints",
				"elasticfilesystem:DescribeBackupPolicy",
				"elasticfilesystem:DescribeFileSystemPolicy",
				"elasticfilesystem:DescribeFileSystems",
				"elasticfilesystem:DescribeLifecycleConfiguration",
				"elasticfilesystem:DescribeMountTargets",
				"elasticfilesystem:DescribeMountTargetSecurityGroups",
				"elasticloadbalancing:DescribeListeners",
				"elasticloadbalancing:DescribeLoadBalancerAttributes",
				"elasticloadbalancing:DescribeLoadBalancerPolicies",
				"elasticloadbalancing:DescribeLoadBalancers",
				"elasticloadbalancing:DescribeRules",
				"elasticloadbalancing:DescribeTags",
				"elasticmapreduce:DescribeCluster",
				"elasticmapreduce:DescribeSecurityConfiguration",
				"elasticmapreduce:DescribeStep",
				"elasticmapreduce:GetBlockPublicAccessConfiguration",
				"elasticmapreduce:GetManagedScalingPolicy",
				"elasticmapreduce:ListClusters",
				"elasticmapreduce:ListInstanceFleets",
				"elasticmapreduce:ListInstanceGroups",
				"elasticmapreduce:ListInstances",
				"elasticmapreduce:ListSecurityConfigurations",
				"elasticmapreduce:ListSteps",
				"es:DescribeDomain",
				"es:DescribeDomains",
				"es:DescribeElasticsearchDomain",
				"es:DescribeElasticsearchDomains",
				"es:GetCompatibleElasticsearchVersions",
				"es:GetCompatibleVersions",
				"es:ListDomainNames",
				"es:ListTags",
				"firehose:DescribeDeliveryStream",
				"firehose:ListDeliveryStreams",
				"firehose:ListTagsForDeliveryStream",
				"fsx:DescribeFileSystems",
				"fsx:ListTagsForResource",
				"globalaccelerator:DescribeAccelerator",
				"globalaccelerator:DescribeEndpointGroup",
				"globalaccelerator:DescribeListener",
				"globalaccelerator:ListAccelerators",
				"globalaccelerator:ListEndpointGroups",
				"globalaccelerator:ListListeners",
				"globalaccelerator:ListTagsForResource",
				"guardduty:GetDetector",
				"guardduty:GetFindings",
				"guardduty:GetMasterAccount",
				"guardduty:ListDetectors",
				"guardduty:ListFindings",
				"guardduty:ListOrganizationAdminAccounts",
				"iam:GenerateCredentialReport",
				"iam:GetAccountAuthorizationDetails",
				"iam:GetAccountPasswordPolicy",
				"iam:GetAccountSummary",
				"iam:GetCredentialReport",
				"iam:GetGroup",
				"iam:GetGroupPolicy",
				"iam:GetPolicy",
				"iam:GetPolicyVersion",
				"iam:GetRole",
				"iam:GetRolePolicy",
				"iam:GetUser",
				"iam:GetUserPolicy",
				"iam:ListAttachedGroupPolicies",
				"iam:ListAttachedRolePolicies",
				"iam:ListAttachedUserPolicies",
				"iam:ListEntitiesForPolicy",
				"iam:ListGroupPolicies",
				"iam:ListGroupsForUser",
				"iam:ListInstanceProfilesForRole",
				"iam:ListPolicyVersions",
				"iam:ListRolePolicies",
				"iam:ListUserPolicies",
				"iam:ListVirtualMFADevices",
				"kafka:DescribeCluster",
				"kafka:ListClusters",
				"kinesis:DescribeStreamConsumer",
				"kinesis:DescribeStreamSummary",
				"kinesis:ListStreamConsumers",
				"kinesis:ListStreams",
				"kinesis:ListTagsForStream",
				"kms:DescribeKey",
				"kms:GetKeyPolicy",
				"kms:GetKeyRotationStatus",
				"kms:ListAliases",
				"kms:ListKeys",
				"kms:ListResourceTags",
				"lambda:GetAlias",
				"lambda:GetFunction",
				"lambda:GetFunctionCodeSigningConfig",
				"lambda:GetPolicy",
				"lambda:ListAliases",
				"lambda:ListFunctions",
				"lambda:ListVersionsByFunction",
				"logs:DescribeLogGroups",
				"logs:ListTagsLogGroup",
				"network-firewall:DescribeLoggingConfiguration",
				"network-firewall:ListFirewalls",
				"opsworks:DescribeLayers",
				"opsworks:ListTags",
				"organizations:DescribeOrganization",
				"organizations:DescribePolicy",
				"organizations:ListParents",
				"organizations:ListPolicies",
				"organizations:ListPoliciesForTarget",
				"rds:DescribeDBClusterParameterGroups",
				"rds:DescribeDBClusterParameters",
				"rds:DescribeDBClusters",
				"rds:DescribeDBClusterSnapshotAttributes",
				"rds:DescribeDBClusterSnapshots",
				"rds:DescribeDBEngineVersions",
				"rds:DescribeDBInstances",
				"rds:DescribeDBParameterGroups",
				"rds:DescribeDBParameterGroups",
				"rds:DescribeDBParameters",
				"rds:DescribeDBSecurityGroups",
				"rds:DescribeDBSnapshotAttributes",
				"rds:DescribeDBSnapshots",
				"rds:DescribeDBSubnetGroups",
				"rds:DescribeEventSubscriptions",
				"rds:DescribeOptionGroups",
				"rds:ListTagsForResource",
				"redshift:DescribeClusterParameterGroups",
				"redshift:DescribeClusterParameters",
				"redshift:DescribeClusters",
				"redshift:DescribeClusterSecurityGroups",
				"redshift:DescribeClusterSnapshots",
				"redshift:DescribeClusterSubnetGroups",
				"redshift:DescribeEventSubscriptions",
				"redshift:DescribeLoggingStatus",
				"route53:GetHealthCheck",
				"route53:GetHostedZone",
				"route53:ListHealthChecks",
				"route53:ListHostedZones",
				"route53:ListHostedZonesByName",
				"route53:ListQueryLoggingConfigs",
				"route53:ListResourceRecordSets",
				"route53:ListTagsForResource",
				"route53resolver:GetResolverEndpoint",
				"route53resolver:GetResolverRule",
				"route53resolver:GetResolverRuleAssociation",
				"route53resolver:ListResolverEndpointIpAddresses",
				"route53resolver:ListResolverEndpoints",
				"route53resolver:ListResolverRuleAssociations",
				"route53resolver:ListResolverRules",
				"route53resolver:ListTagsForResource",
				"s3:GetAccelerateConfiguration",
				"s3:GetAccessPoint",
				"s3:GetAccessPointPolicy",
				"s3:GetAccessPointPolicyStatus",
				"s3:GetAccountPublicAccessBlock",
				"s3:GetBucketAcl",
				"s3:GetBucketCORS",
				"s3:GetBucketLocation",
				"s3:GetBucketLogging",
				"s3:GetBucketNotification",
				"s3:GetBucketObjectLockConfiguration",
				"s3:GetBucketPolicy",
				"s3:GetBucketPublicAccessBlock",
				"s3:GetBucketRequestPayment",
				"s3:GetBucketTagging",
				"s3:GetBucketVersioning",
				"s3:GetBucketWebsite",
				"s3:GetEncryptionConfiguration",
				"s3:GetLifecycleConfiguration",
				"s3:GetReplicationConfiguration",
				"s3:ListAccessPoints",
				"s3:ListAllMyBuckets",
				"s3:ListBucket",
				"sagemaker:DescribeCodeRepository",
				"sagemaker:DescribeEndpoint",
				"sagemaker:DescribeEndpointConfig",
				"sagemaker:DescribeModel",
				"sagemaker:DescribeMonitoringSchedule",
				"sagemaker:DescribeNotebookInstance",
				"sagemaker:DescribeNotebookInstanceLifecycleConfig",
				"sagemaker:DescribeWorkteam",
				"sagemaker:ListCodeRepositories",
				"sagemaker:ListEndpointConfigs",
				"sagemaker:ListEndpoints",
				"sagemaker:ListModels",
				"sagemaker:ListMonitoringSchedules",
				"sagemaker:ListNotebookInstanceLifecycleConfigs",
				"sagemaker:ListNotebookInstances",
				"sagemaker:ListTags",
				"sagemaker:ListWorkteams",
				"secretsmanager:ListSecrets",
				"secretsmanager:ListSecretVersionIds",
				"securityhub:DescribeHub",
				"shield:DescribeDRTAccess",
				"shield:DescribeProtection",
				"shield:DescribeSubscription",
				"sns:GetSubscriptionAttributes",
				"sns:GetTopicAttributes",
				"sns:ListSubscriptions",
				"sns:ListSubscriptionsByTopic",
				"sns:ListTagsForResource",
				"sns:ListTopics",
				"sqs:GetQueueAttributes",
				"sqs:ListQueues",
				"sqs:ListQueueTags",
				"ssm:DescribeAutomationExecutions",
				"ssm:DescribeDocument",
				"ssm:DescribeDocumentPermission",
				"ssm:GetAutomationExecution",
				"ssm:GetDocument",
				"ssm:ListDocuments",
				"states:DescribeActivity",
				"states:DescribeStateMachine",
				"states:ListActivities",
				"states:ListStateMachines",
				"states:ListTagsForResource",
				"storagegateway:ListGateways",
				"storagegateway:ListTagsForResource",
				"storagegateway:ListVolumes",
				"support:DescribeCases",
				"tag:GetResources",
				"waf-regional:GetLoggingConfiguration",
				"waf-regional:GetWebACL",
				"waf-regional:GetWebACLForResource",
				"waf:GetLoggingConfiguration",
				"waf:GetWebACL",
				"wafv2:GetLoggingConfiguration",
				"wafv2:GetRuleGroup",
				"wafv2:ListRuleGroups",
				"wafv2:ListTagsForResource",
				"workspaces:DescribeConnectionAliases",
				"workspaces:DescribeTags",
				"workspaces:DescribeWorkspaces"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"logs:CreateLogStream",
				"logs:CreateLogGroup"
			],
			"Resource": "arn:aws:logs:*:*:log-group:/aws/config/*"
		},
		{
			"Effect": "Allow",
			"Action": "logs:PutLogEvents",
			"Resource": "arn:aws:logs:*:*:log-group:/aws/config/*:log-stream:config-rule-evaluation/*"
		}
	]
}

AWS Config updates to AWS managed policies

View details about updates to AWS managed policies for AWS Config since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the AWS Config Document history page.

Change	Description	Date
AWSConfigServiceRolePolicy – Add cloudformation:GetResource, cloudformation:ListResources, cloudtrail:GetEventDataStore, cloudtrail:ListEventDataStores, dax:DescribeParameterGroups, dax:DescribeParameters, dax:DescribeSubnetGroups, DMS:DescribeReplicationTasks, and organizations:ListPolicies	This policy now grants permission to get information about all or a specified AWS CloudTrail event data store (EDS), get information about all or a specified AWS CloudFormation resource, get a list of a DynamoDB Accelerator (DAX) parameter group or subnet group, get information about AWS Database Migration Service (AWS DMS) replication tasks for your account in the current region being accessed, and get a list all policies in an AWS Organizations of a specified type.	April 1, 2022
AWS_ConfigRole – Add cloudformation:GetResource, cloudformation:ListResources, cloudtrail:GetEventDataStore, cloudtrail:ListEventDataStores, dax:DescribeParameterGroups, dax:DescribeParameters, dax:DescribeSubnetGroups, DMS:DescribeReplicationTasks, and organizations:ListPolicies	This policy now grants permission to get information about all or a specified AWS CloudTrail event data store (EDS), get information about all or a specified AWS CloudFormation resource, get a list of a DynamoDB Accelerator (DAX) parameter group or subnet group, get information about AWS Database Migration Service (AWS DMS) replication tasks for your account in the current region being accessed, and get a list all policies in an AWS Organizations of a specified type.	April 1, 2022
AWSConfigServiceRolePolicy – Add backup-gateway:ListTagsForResource, backup-gateway:ListVirtualMachines, batch:DescribeComputeEnvironments, batch:DescribeJobQueues, batch:ListTagsForResource, dax:ListTags, dms:DescribeCertificates, dynamodb:DescribeGlobalTable, dynamodb:DescribeGlobalTableSettings, ec2:DescribeClientVpnAuthorizationRules, ec2:DescribeClientVpnEndpoints, ec2:DescribeDhcpOptions, ec2:DescribeFleets, ec2:DescribeNetworkAcls, ec2:DescribePlacementGroups, ec2:DescribeSpotFleetRequests, ec2:DescribeVolumeAttribute, ec2:DescribeVolumes, eks:DescribeFargateProfile, eks:ListFargateProfiles, eks:ListTagsForResource, fsx:ListTagsForResource, guardduty:ListOrganizationAdminAccounts, kms:ListAliases, opsworks:DescribeLayers, opsworks:DescribeStacks, opsworks:ListTags, rds:DescribeDBClusterParameterGroups, rds:DescribeDBClusterParameters, states:DescribeActivity, states:ListActivities, wafv2:GetRuleGroup, wafv2:ListRuleGroups, wafv2:ListTagsForResource, workspaces:DescribeConnectionAliases, workspaces:DescribeTags, and workspaces:DescribeWorkspaces	This policy now supports additional permissions for AWS Backup, AWS Batch, DynamoDB Accelerator, AWS Database Migration Service, Amazon DynamoDB, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Kubernetes Service, Amazon FSx, Amazon GuardDuty, AWS Key Management Service, AWS OpsWorks, Amazon Relational Database Service, AWS WAFV2, and Amazon WorkSpaces.	March 14, 2022
AWS_ConfigRole – Add backup-gateway:ListTagsForResource, backup-gateway:ListVirtualMachines, batch:DescribeComputeEnvironments, batch:DescribeJobQueues, batch:ListTagsForResource, dax:ListTags, dms:DescribeCertificates, dynamodb:DescribeGlobalTable, dynamodb:DescribeGlobalTableSettings, ec2:DescribeClientVpnAuthorizationRules, ec2:DescribeClientVpnEndpoints, ec2:DescribeDhcpOptions, ec2:DescribeFleets, ec2:DescribeNetworkAcls, ec2:DescribePlacementGroups, ec2:DescribeSpotFleetRequests, ec2:DescribeVolumeAttribute, ec2:DescribeVolumes, eks:DescribeFargateProfile, eks:ListFargateProfiles, eks:ListTagsForResource, fsx:ListTagsForResource, guardduty:ListOrganizationAdminAccounts, kms:ListAliases, opsworks:DescribeLayers, opsworks:DescribeStacks, opsworks:ListTags, rds:DescribeDBClusterParameterGroups, rds:DescribeDBClusterParameters, states:DescribeActivity, states:ListActivities, wafv2:GetRuleGroup, wafv2:ListRuleGroups, wafv2:ListTagsForResource, workspaces:DescribeConnectionAliases, workspaces:DescribeTags, and workspaces:DescribeWorkspaces	This policy now supports additional permissions for AWS Backup, AWS Batch, DynamoDB Accelerator, AWS Database Migration Service, Amazon DynamoDB, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Kubernetes Service, Amazon FSx, Amazon GuardDuty, AWS Key Management Service, AWS OpsWorks, Amazon Relational Database Service, AWS WAFV2, and Amazon WorkSpaces.	March 14, 2022
AWSConfigServiceRolePolicy – Add elasticbeanstalk:DescribeEnvironments, elasticbeanstalk:DescribeConfigurationSettings, account:GetAlternateContact, organizations:DescribePolicy, organizations:ListParents, organizations:ListPoliciesForTarget, es:GetCompatibleElasticsearchVersions, rds:DescribeOptionGroups, rds:DescribeOptionGroups, es:GetCompatibleVersions, codedeploy:GetDeploymentConfig, ecr-public:GetRepositoryPolicy, access-analyzer:GetArchiveRule, and ecs:ListTaskDefinitionFamilies	This policy now grants permission to get details about Elastic Beanstalk environments and a description of the settings for the specified Elastic Beanstalk configuration set, get a map of OpenSearch or Elasticsearch versions, describe the available Amazon RDS option groups for a database, and get information about a CodeDeploy deployment configuration. This policy also now grants permission to retrieve the specified alternate contact attached to an AWS account, retrieve information about an AWS Organizations policy, retrieve an Amazon ECR repository policy, retrieve information about an archived AWS Config rule, retrieve a list of Amazon ECS task definition families, list the root or parent organizational units (OUs) of the specified child OU or account, and list the policies that are attached to the specified target root, organizational unit, or account.	February 10, 2022
AWS_ConfigRole – Add elasticbeanstalk:DescribeEnvironments, elasticbeanstalk:DescribeConfigurationSettings, account:GetAlternateContact, organizations:DescribePolicy, organizations:ListParents, organizations:ListPoliciesForTarget, es:GetCompatibleElasticsearchVersions, rds:DescribeOptionGroups, rds:DescribeOptionGroups, es:GetCompatibleVersions, codedeploy:GetDeploymentConfig, ecr-public:GetRepositoryPolicy, access-analyzer:GetArchiveRule, and ecs:ListTaskDefinitionFamilies	This policy now grants permission to get details about Elastic Beanstalk environments and a description of the settings for the specified Elastic Beanstalk configuration set, get a map of OpenSearch or Elasticsearch versions, describe the available Amazon RDS option groups for a database, and get information about a CodeDeploy deployment configuration. This policy also now grants permission to retrieve the specified alternate contact attached to an AWS account, retrieve information about an AWS Organizations policy, retrieve an Amazon ECR repository policy, retrieve information about an archived AWS Config rule, retrieve a list of Amazon ECS task definition families, list the root or parent organizational units (OUs) of the specified child OU or account, and list the policies that are attached to the specified target root, organizational unit, or account.	February 10, 2022
AWSConfigServiceRolePolicy – Add logs:CreateLogStream, logs:CreateLogGroup, and logs:PutLogEvent	This policy now grants permission to create Amazon CloudWatch log groups and streams and to write logs to created log streams.	December 15, 2021
AWS_ConfigRole – Add logs:CreateLogStream, logs:CreateLogGroup, and logs:PutLogEvent	This policy now grants permission to create Amazon CloudWatch log groups and streams and to write logs to created log streams.	Decemeber 15, 2021
AWSConfigServiceRolePolicy – Add es:DescribeDomain, es:DescribeDomains, rds:DescribeDBParameters, and, elasticache:DescribeSnapshots	This policy now grants permission to get details about an Amazon OpenSearch Service (OpenSearch Service) domain/domains and to get a detailed parameter list for a particular Amazon Relational Database Service (Amazon RDS) DB parameter group. This policy also grants permission to get detais about Amazon ElastiCache snapshots.	September 8, 2021
AWS_ConfigRole – Add es:DescribeDomain, es:DescribeDomains, rds:DescribeDBParameters, and, elasticache:DescribeSnapshots	This policy now grants permission to get details about an Amazon OpenSearch Service (OpenSearch Service) domain/domains and to get a detailed parameter list for a particular Amazon Relational Database Service (Amazon RDS) DB parameter group. This policy also grants permission to get detais about Amazon ElastiCache snapshots.	September 8, 2021
AWSConfigServiceRolePolicy – Add logs:ListTagsLogGroup, states:ListTagsForResource, states:ListStateMachines, states:DescribeStateMachine, and additional permissions for AWS resource types	This policy now grants permission to list tags for a log group, list tags for a state machine, and list all state machines. This policy now grants permission to get details about a state machine. This policy also now supports additional permissions for Amazon EC2 Systems Manager (SSM), Amazon Elastic Container Registry, Amazon FSx, Amazon Kinesis Data Firehose, Amazon Managed Streaming for Apache Kafka (Amazon MSK), Amazon Relational Database Service (Amazon RDS), Amazon Route 53, Amazon SageMaker, Amazon Simple Notification Service, AWS Database Migration Service, AWS Global Accelerator, and AWS Storage Gateway.	July 28, 2021
AWS_ConfigRole – Add logs:ListTagsLogGroup, states:ListTagsForResource, states:ListStateMachines, states:DescribeStateMachine, and additional permissions for AWS resource types	This policy now grants permission to list tags for a log group, list tags for a state machine, and list all state machines. This policy now grants permission to get details about a state machine. This policy also now supports additional permissions for Amazon EC2 Systems Manager (SSM), Amazon Elastic Container Registry, Amazon FSx, Amazon Kinesis Data Firehose, Amazon Managed Streaming for Apache Kafka (Amazon MSK), Amazon Relational Database Service (Amazon RDS), Amazon Route 53, Amazon SageMaker, Amazon Simple Notification Service, AWS Database Migration Service, AWS Global Accelerator, and AWS Storage Gateway.	July 28, 2021
AWSConfigServiceRolePolicy – Add ssm:DescribeDocumentPermission and additional permissions for AWS resource types	This policy now grants permission to view the permissions of AWS Systems Manager documents and information about IAM Access Analyzer. This policy now supports additional AWS resource types for Amazon Kinesis, Amazon ElastiCache, Amazon EMR, AWS Network Firewall, Amazon Route 53, and Amazon Relational Database Service (Amazon RDS). These permission changes allow AWS Config to invoke the read-only APIs required to support these resource types. This policy also now support filtering Lambda@Edge functions for the lambda-inside-vpc AWS Config managed rule.	June 8, 2021
AWS_ConfigRole – Add ssm:DescribeDocumentPermission and additional permissions for AWS resource types	This policy now grants permission to view the permissions of AWS Systems Manager documents and information about IAM Access Analyzer. This policy now supports additional AWS resource types for Amazon Kinesis, Amazon ElastiCache, Amazon EMR, AWS Network Firewall, Amazon Route 53, and Amazon Relational Database Service (Amazon RDS). These permission changes allow AWS Config to invoke the read-only APIs required to support these resource types. This policy also now support filtering Lambda@Edge functions for the lambda-inside-vpc AWS Config managed rule.	June 8, 2021
AWSConfigServiceRolePolicy – Add apigateway:GET permission to make read-only GET calls to API Gateway and s3:GetAccessPointPolicy permission and s3:GetAccessPointPolicyStatus permission to invoke Amazon S3 read-only APIs	This policy now grants permissions that allow AWS Config to make read-only GET calls to API Gateway to support a AWS Config Rule for API Gateway. The policy also adds permissions that allow AWS Config to invoke Amazon Simple Storage Service (Amazon S3) read-only APIs, which are required to support the new `AWS::S3::AccessPoint` resource type.	May 10, 2021
AWS_ConfigRole – Add apigateway:GET permission to make read-only GET calls to API Gateway and s3:GetAccessPointPolicy permission and s3:GetAccessPointPolicyStatus permission to invoke Amazon S3 read-only APIs	This policy now grants permissions that allow AWS Config to make read-only GET calls to API Gateway to support a AWS Config for API Gateway. The policy also adds permissions that allow AWS Config to invoke Amazon Simple Storage Service (Amazon S3) read-only APIs, which are required to support the new `AWS::S3::AccessPoint` resource type.	May 10, 2021
AWSConfigServiceRolePolicy – Add ssm:ListDocuments permission and additional permissions for AWS resource types	This policy now grants permission to view information about AWS Systems Manager specified documents. This policy also now supports additional AWS resource types for AWS Backup, Amazon Elastic File System, Amazon ElastiCache, Amazon Simple Storage Service (Amazon S3), Amazon Elastic Compute Cloud (Amazon EC2), Amazon Kinesis, Amazon SageMaker, AWS Database Migration Service, and Amazon Route 53. These permission changes allow AWS Config to invoke the read-only APIs required to support these resource types.	April 1, 2021
AWS_ConfigRole – Add ssm:ListDocuments permission and additional permissions for AWS resource types	This policy now grants permission to view information about AWS Systems Manager specified documents. This policy also now supports additional AWS resource types for AWS Backup, Amazon Elastic File System, Amazon ElastiCache, Amazon Simple Storage Service (Amazon S3), Amazon Elastic Compute Cloud (Amazon EC2), Amazon Kinesis, Amazon SageMaker, AWS Database Migration Service, and Amazon Route 53. These permission changes allow AWS Config to invoke the read-only APIs required to support these resource types.	April 1, 2021
`AWSConfigRole` is deprecated	`AWSConfigRole` is deprecated. The replacement policy is `AWS_ConfigRole`.	April 1, 2021
AWS Config started tracking changes	AWS Config started tracking changes for its AWS managed policies.	April 1, 2021

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Using Service-Linked Roles

Logging and Monitoring