Selecting Which Resources AWS Config Records

AWS Config continuously detects when supported resource types are created, changed, or deleted. AWS Config records these events as configuration items. You can customize AWS Config to record configuration changes for all supported resource types, or for only the supported resource types that are relevant to you. For a list of supported resource types that AWS Config can record, see Supported Resource Types.

Note

High Number of AWS Config Evaluations

You may notice increased activity in your account during your initial month recording with AWS Config when compared to subsequent months. During the initial bootstrapping process, AWS Config runs evaluations on all the resources in your account that you have selected for AWS Config to record.

If you are running ephemeral workloads, you may see increased activity from AWS Config as it records configuration changes associated with creating and deleting these temporary resources. An ephemeral workload is a temporary use of computing resources that are loaded and run when needed. Examples include Amazon Elastic Compute Cloud (Amazon EC2) Spot Instances, Amazon EMR jobs, and AWS Auto Scaling. If you want to avoid the increased activity from running ephemeral workloads, you can set up the configuration recorder to exclude these resource types from being recorded, or run these types of workloads in a separate account with AWS Config turned off to avoid increased configuration recording and rule evaluations.

Note

Region availability

Before specifying a resource type for AWS Config to track, check Resource Coverage by Region availability to see if the resource type is supported in the AWS Region where you set up AWS Config. If a resource type is supported by AWS Config in at least one Region, you can enable the recording of that resource type in all Regions supported by AWS Config, even if the specified resource type is not supported in the AWS Region where you set up AWS Config.

What are the differences between Regional and global resources?

Regional resources

Regional resources are tied to a Region and can be used only in that Region. You create them in a specified AWS Region, and then they exist in that Region. To see or interact with those resources, you must direct your operations to that Region. For example, to create an Amazon EC2 instance with the AWS Management Console, you choose the AWS Region that you want to create the instance in. If you use the AWS Command Line Interface (AWS CLI) to create the instance, then you include the --region parameter. The AWS SDKs each have their own equivalent mechanism to specify the Region that the operation uses.

There are several reasons for using Regional resources. One reason is to ensure that the resources, and the service endpoints that you use to access them, are as close to the customer as possible. This improves performance by minimizing latency. Another reason is to provide an isolation boundary. This lets you create independent copies of resources in multiple Regions to distribute the load and improve scalability. At the same time, it isolates the resources from each other to improve availability.

If you specify a different AWS Region in the console or in an AWS CLI command, then you can no longer see or interact with the resources you could see in the previous Region.

When you look at the Amazon Resource Name (ARN) for a Regional resource, the Region that contains the resource is specified as the fourth field in the ARN. For example, an Amazon EC2 instance is a Regional resource. The following is an example of an ARN for an Amazon EC2 instance that exists in the us-east-1 Region.

arn:aws:ec2:us-east-1:123456789012:instance/i-0a6f30921424d3eee

Global resources

Some AWS service resources are global resources, meaning that you can use the resource from anywhere. You don't specify an AWS Region in a global service's console. To access a global resource, you don't specify a --region parameter when using the service's AWS CLI and AWS SDK operations.

Global resources support cases where it is critical that only one instance of a particular resource can exist at a time. In these scenarios, replication or synchronization between copies in different Regions is not adequate. Having to access a single global endpoint, with the possible increase in latency, is considered acceptable to ensure that any changes are instantaneously visible to consumers of the resource.

For example, Amazon Aurora global clusters (AWS::RDS::GlobalCluster) are global resources, and therefore not tied to a Region. This means that you can create a global cluster without relying on a regional endpoint. The benefit is that, while the Amazon Relational Database Service (Amazon RDS) itself is organized by Regions, the specific Region where a global cluster originates doesn't impact the global cluster. It appears as a single, continuous global cluster across all Regions.

The Amazon Resource Name (ARN) for a global resource doesn't include a Region. The fourth field is empty, such as in the following example of an ARN for a global cluster.

arn:aws:rds::123456789012:global-cluster:test-global-cluster

Important

Global resource types onboarded to AWS Config after February 2022 will only be recorded in the service's home Region for the commercial partition and AWS GovCloud (US-West) for the GovCloud partition. You can view the configuration items for these new global resource types only in their home Region and AWS GovCloud (US-West).

Global resource types onboarded before February 2022 (AWS::IAM::Group, AWS::IAM::Policy, AWS::IAM::Role, and AWS::IAM::User) remain unchanged. You can enable the recording of these global IAM resources in all Regions where AWS Config was supported before February 2022. These global IAM resources cannot be recorded in Regions supported by AWS Config after February 2022.

Global resource types | IAM resources

The following IAM resource types are global resources: IAM users, groups, roles, and customer managed policies. These resource types can be recorded by AWS Config in Regions where AWS Config was available before February 2022. You cannot record the global IAM resource types in the following Regions: Asia Pacific (Hyderabad), Asia Pacific (Melbourne), Canada West (Calgary), Europe (Spain), Europe (Zurich), Israel (Tel Aviv), and Middle East (UAE).

To prevent duplicate configuration items, you should consider recording the global IAM resource types only once, in one of the supported Regions. This can also help you avoid unnecessary evaluations and API throttling.

Global resource types | Home Region Only

Global resources for the following services are only recorded by AWS Config in the home Region of the global resource type: Amazon Elastic Container Registry Public, AWS Global Accelerator, and Amazon Route 53. For these global resources, the same instance of the resource type can be used in multiple AWS Regions, but the configuration items are only recorded in the home Region for the commercial partition or AWS GovCloud (US-West) for the AWS GovCloud (US) partition.

Home Regions for Global Resource Types

AWS Service                               Resource Type Value                    Home Region
Amazon Elastic Container Registry Public  AWS::ECR::PublicRepository             US East (N. Virginia) Region
AWS Global Accelerator                    AWS::GlobalAccelerator::Listener       US West (Oregon) Region
                                          AWS::GlobalAccelerator::EndpointGroup  US West (Oregon) Region
                                          AWS::GlobalAccelerator::Accelerator    US West (Oregon) Region
Amazon Route 53                           AWS::Route53::HostedZone               US East (N. Virginia) Region
                                          AWS::Route53::HealthCheck              US East (N. Virginia) Region

Global resource types | Aurora global clusters

AWS::RDS::GlobalCluster is a global resource that is recorded in all supported AWS Config Regions where the configuration recorder is enabled. This global resource type is unique in that if you enable the recording of this resource in one Region, AWS Config will record configuration items for this resource type in all your enabled Regions.

If you do not want to record AWS::RDS::GlobalCluster in all enabled Regions, use one of the following recording strategies for the AWS Config console:

  • Record all resource types with customizable overrides, choose "AWS RDS GlobalCluster", and choose the override "Exclude from recording".

  • Record specific resource types.

If you do not want to record AWS::RDS::GlobalCluster in all enabled Regions, use one of the following recording strategies for the API/CLI:

  • Record all current and future resource types with exclusions (EXCLUSION_BY_RESOURCE_TYPES)

  • Record specific resource types (INCLUSION_BY_RESOURCE_TYPES).

Recording Resources in the AWS Config Console

You can use the AWS Config console to select the types of resources that AWS Config records.

To select resources
  1. Sign in to the AWS Management Console and open the AWS Config console at https://console.aws.amazon.com/config/.

  2. Choose Settings in the left navigation pane, and then choose Edit. For the list of supported Regions, see AWS Config endpoints and quotas in the Amazon Web Services General Reference.

  3. In the Recording method section, choose a recording strategy. You can specify the AWS resources that you want AWS Config to record.

    All resource types with customizable overrides

    Set up AWS Config to record configuration changes for all current and future supported resource types in this Region. You can override the recording frequency for specific resource types or exclude specific resource types from recording. For more information, see Supported Resource Types.

    • Default settings

      Configure the default recording frequency for all current and future supported resource types. For more information, see Recording Frequency.

      • Continuous recording – AWS Config will record configuration changes continuously whenever a change occurs.

      • Daily recording – You will receive a configuration item (CI) representing the most recent state of your resources over the last 24-hour period, only if it’s different from the previous CI recorded.

      Note

      AWS Firewall Manager depends on continuous recording to monitor your resources. If you are using Firewall Manager, it is recommended that you set the recording frequency to Continuous.

    • Override settings

      Override the recording frequency for specific resource types, or exclude specific resource types from recording. If you change the recording frequency for a resource type or stop recording a resource type, the configuration items that were already recorded will remain unchanged.

      Note

      Global resource types | Aurora global clusters are initially included in recording

      The AWS::RDS::GlobalCluster resource type will be recorded in all supported AWS Config Regions where the configuration recorder is enabled.

      If you do not want to record AWS::RDS::GlobalCluster in all enabled Regions, choose "AWS RDS GlobalCluster", and choose the override "Exclude from recording".

      Note

      Global resource types | IAM resource types are initially excluded from recording

      "All globally recorded IAM resource types" are initially excluded from recording to help you reduce costs. This bundle includes IAM users, groups, roles, and customer managed policies. Choose Remove to remove the override and include these resources in your recording.

      The exception to this note is for US East (N. Virginia). The global IAM resource types are initially included in the US East (N. Virginia) Region as this Region functions as the home Region for the global IAM resource types.

      Additionally, the global IAM resource types (AWS::IAM::User, AWS::IAM::Group, AWS::IAM::Role, and AWS::IAM::Policy) cannot be recorded in Regions supported by AWS Config after February 2022, which include the following Regions:

      • Asia Pacific (Hyderabad)

      • Asia Pacific (Melbourne)

      • Canada West (Calgary)

      • Europe (Spain)

      • Europe (Zurich)

      • Israel (Tel Aviv)

      • Middle East (UAE)

      Note

      Limits

      You can add up to 100 frequency overrides and 600 exclusion overrides.

      Daily recording is not supported for the following resource types:

      • AWS::Config::ResourceCompliance

      • AWS::Config::ConformancePackCompliance

      • AWS::Config::ConfigurationRecorder

    Specific resource types

    Set up AWS Config to record configuration changes for only the resource types that you specify.

    • Specific resource types

      Choose a resource type to record and its frequency. For more information, see Recording Frequency.

      • Continuous recording – AWS Config will record configuration changes continuously whenever a change occurs.

      • Daily recording – You will receive a configuration item (CI) representing the most recent state of your resources over the last 24-hour period, only if it’s different from the previous CI recorded.

      Note

      AWS Firewall Manager depends on continuous recording to monitor your resources. If you are using Firewall Manager, it is recommended that you set the recording frequency to Continuous.

      If you change the recording frequency for a resource type or stop recording a resource type, the configuration items that were already recorded will remain unchanged.

    Note

    Region availability

    Before specifying a resource type for AWS Config to track, check Resource Coverage by Region availability to see if the resource type is supported in the AWS Region where you set up AWS Config. If a resource type is supported by AWS Config in at least one Region, you can enable the recording of that resource type in all Regions supported by AWS Config, even if the specified resource type is not supported in the AWS Region where you set up AWS Config.

    Note

    Limits

    No limits if all resource types have the same frequency. You can add up to 100 resource types with Daily frequency if at least one resource type is set to Continuous.

    The Daily frequency is not supported for the following resource types:

    • AWS::Config::ResourceCompliance

    • AWS::Config::ConformancePackCompliance

    • AWS::Config::ConfigurationRecorder

  4. Choose Save to save your changes.

Recording Resources with the AWS CLI

You can use the AWS CLI to select the types of resources that you want AWS Config to record. You do this by creating a configuration recorder, which records the types of resources that you specify in a recording group. In the recording group, you specify whether you want to record all supported resource types, or to include or exclude specific types of resources.

Record all current and future supported resource types

Set up AWS Config to record configuration changes for all current and future supported resource types in this Region. For more information, see Supported Resource Types.

  1. Use the following put-configuration-recorder command:

    $ aws configservice put-configuration-recorder \
        --configuration-recorder file://configurationRecorder.json \
        --recording-group file://recordingGroup.json

    This command uses the --configuration-recorder and --recording-group fields.

    Note

    Recording group and configuration recorder

    The --recording-group field specifies which resource types are recorded.

    The --configuration-recorder field specifies name and roleArn as well as the default recording frequency for the configuration recorder (recordingMode). You can also use this field to override the recording frequency for specific resource types.

    1. put-configuration-recorder uses the following fields for the --recording-group parameter:

      • allSupported=true – AWS Config records configuration changes for all supported resource types, excluding the global IAM resource types. When AWS Config adds support for a new resource type, AWS Config starts recording resources of that type automatically.

      • includeGlobalResourceTypes=true – This option is a bundle that applies only to the global IAM resource types: IAM users, groups, roles, and customer managed policies. These global IAM resource types can only be recorded by AWS Config in Regions where AWS Config was available before February 2022. You cannot record the global IAM resource types in Regions supported by AWS Config after February 2022, which include the following Regions:

        • Asia Pacific (Hyderabad)

        • Asia Pacific (Melbourne)

        • Canada West (Calgary)

        • Europe (Spain)

        • Europe (Zurich)

        • Israel (Tel Aviv)

        • Middle East (UAE)

        Important

        Aurora global clusters are recorded in all enabled Regions

        The AWS::RDS::GlobalCluster resource type will be recorded in all supported AWS Config Regions where the configuration recorder is enabled, even if includeGlobalResourceTypes is not set to true. The includeGlobalResourceTypes option is a bundle which only applies to IAM users, groups, roles, and customer managed policies.

        If you do not want to record AWS::RDS::GlobalCluster in all enabled Regions, use one of the following recording strategies:

        1. Record all current and future resource types excluding the types you specify (EXCLUSION_BY_RESOURCE_TYPES), or

        2. Record specific resource types (INCLUSION_BY_RESOURCE_TYPES).

        For more information, see Selecting Which Resources are Recorded | Regional and Global Resources.

        Important

        includeGlobalResourceTypes and the exclusion recording strategy

        The includeGlobalResourceTypes field has no impact on the EXCLUSION_BY_RESOURCE_TYPES recording strategy. This means that the global IAM resource types (IAM users, groups, roles, and customer managed policies) will not be automatically added as exclusions for exclusionByResourceTypes when includeGlobalResourceTypes is set to false.

        The includeGlobalResourceTypes field should only be used to modify the allSupported field, because the default for allSupported is to record configuration changes for all supported resource types excluding the global IAM resource types. To include the global IAM resource types when allSupported is set to true, make sure to set includeGlobalResourceTypes to true.

        To exclude the global IAM resource types for the EXCLUSION_BY_RESOURCE_TYPES recording strategy, you need to manually add them to the resourceTypes field of exclusionByResourceTypes.

        Note

        Required and optional fields

        Before you can set includeGlobalResourceTypes to true, set the allSupported field to true.

        Optionally, you can set the useOnly field of RecordingStrategy to ALL_SUPPORTED_RESOURCE_TYPES.

        Note

        Overriding fields

        If you set includeGlobalResourceTypes to false but list global IAM resource types in the resourceTypes field of RecordingGroup, AWS Config will still record configuration changes for those specified resource types, regardless of the includeGlobalResourceTypes setting.

        If you do not want to record configuration changes to the global IAM resource types (IAM users, groups, roles, and customer managed policies), make sure to not list them in the resourceTypes field in addition to setting the includeGlobalResourceTypes field to false.

      The recordingGroup.json file specifies which types of resources AWS Config will record.

      {
        "allSupported": true,
        "recordingStrategy": {
          "useOnly": "ALL_SUPPORTED_RESOURCE_TYPES"
        },
        "includeGlobalResourceTypes": true
      }

    2. put-configuration-recorder uses the following fields for the --configuration-recorder parameter:

      • name – The name of the configuration recorder. AWS Config automatically assigns the name of "default" when creating the configuration recorder.

      • roleARN – Amazon Resource Name (ARN) of the IAM role assumed by AWS Config and used by the configuration recorder.

      • recordingMode – Specifies the default recording frequency that AWS Config uses to record configuration changes. AWS Config supports Continuous recording and Daily recording. Continuous recording allows you to record configuration changes continuously whenever a change occurs. Daily recording allows you to receive a configuration item (CI) representing the most recent state of your resources over the last 24-hour period, only if it’s different from the previous CI recorded.

        • recordingFrequency – The default recording frequency that AWS Config uses to record configuration changes.

          Note

          AWS Firewall Manager depends on continuous recording to monitor your resources. If you are using Firewall Manager, it is recommended that you set the recording frequency to Continuous.

        • recordingModeOverrides – This field allows you to specify your overrides for the recording mode. It is an array of recordingModeOverride objects. Each recordingModeOverride object in the recordingModeOverrides array consists of three fields:

          • description – A description that you provide for the override.

          • recordingFrequency – The recording frequency that will be applied to all the resource types specified in the override.

          • resourceTypes – A comma-separated list that specifies which resource types AWS Config includes in the override.

      Note

      Required and optional fields

      The recordingMode field for put-configuration-recorder is optional. By default, the recording frequency for the configuration recorder is set to Continuous recording.

      Note

      Limits

      Daily recording is not supported for the following resource types:

      • AWS::Config::ResourceCompliance

      • AWS::Config::ConformancePackCompliance

      • AWS::Config::ConfigurationRecorder

      For the Record all current and future supported resource types (ALL_SUPPORTED_RESOURCE_TYPES) recording strategy, these resource types will be set to Continuous recording.

      The configurationRecorder.json file specifies name and roleArn as well as the default recording frequency for the configuration recorder (recordingMode). You can also use this file to override the recording frequency for specific resource types.

      {
        "name": "default",
        "roleARN": "arn:aws:iam::123456789012:role/config-role",
        "recordingMode": {
          "recordingFrequency": CONTINUOUS or DAILY,
          "recordingModeOverrides": [
            {
              "description": "Description you provide for the override",
              "recordingFrequency": CONTINUOUS or DAILY,
              "resourceTypes": [ Comma-separated list of resource types to include in the override ]
            }
          ]
        }
      }

  2. (Optional) To verify that your configuration recorder has the settings that you want, use the following describe-configuration-recorders command.

    $ aws configservice describe-configuration-recorders

    The following is an example response.

    {
      "ConfigurationRecorders": [
        {
          "name": "default",
          "recordingGroup": {
            "allSupported": true,
            "exclusionByResourceTypes": {
              "resourceTypes": []
            },
            "includeGlobalResourceTypes": true,
            "recordingStrategy": {
              "useOnly": "ALL_SUPPORTED_RESOURCE_TYPES"
            },
            "resourceTypes": []
          },
          "recordingMode": {
            "recordingFrequency": CONTINUOUS or DAILY,
            "recordingModeOverrides": [
              {
                "description": "Description you provide for the override",
                "recordingFrequency": CONTINUOUS or DAILY,
                "resourceTypes": [ Comma-separated list of resource types to include in the override ]
              }
            ]
          },
          "roleARN": "arn:aws:iam::123456789012:role/config-role"
        }
      ]
    }

Record all current and future supported resource types excluding the types you specify

Set up AWS Config to record configuration changes for all current and future supported resource types, including global resource types, except the resource types that you specify to exclude from recording. If you choose to stop recording for a resource type, the configuration items that were already recorded will remain unchanged. For more information, see Supported Resource Types.

This command uses the --configuration-recorder and --recording-group fields.

$ aws configservice put-configuration-recorder \
    --configuration-recorder file://configurationRecorder.json \
    --recording-group file://recordingGroup.json

Note

Recording group and configuration recorder

The --recording-group field specifies which resource types are recorded.

The --configuration-recorder field specifies name and roleArn as well as the default recording frequency for the configuration recorder (recordingMode). You can also use this field to override the recording frequency for specific resource types.

  1. Use the put-configuration-recorder command, and pass one or more resource types to exclude in the resourceTypes field of exclusionByResourceTypes, as shown in the following example.

    1. The recordingGroup.json file specifies which types of resources AWS Config will record.

      {
        "allSupported": false,
        "exclusionByResourceTypes": {
          "resourceTypes": [
            "AWS::Redshift::ClusterSnapshot",
            "AWS::RDS::DBClusterSnapshot",
            "AWS::CloudFront::StreamingDistribution"
          ]
        },
        "includeGlobalResourceTypes": false,
        "recordingStrategy": {
          "useOnly": "EXCLUSION_BY_RESOURCE_TYPES"
        }
      }

      Before you can specify resource types to exclude in the recording:

      • You must set the allSupported and includeGlobalResourceTypes fields of the --recording-group parameter to false or omit them.

      • You must set the useOnly field of RecordingStrategy to EXCLUSION_BY_RESOURCE_TYPES.

      Note

      Overriding fields

      If you choose EXCLUSION_BY_RESOURCE_TYPES for the recording strategy, the exclusionByResourceTypes field will override other properties in the request.

      For example, even if you set includeGlobalResourceTypes to false, the global IAM resource types will still be automatically recorded in this option, unless those resource types are specifically listed as exclusions in the resourceTypes field of exclusionByResourceTypes.

      Note

      Global resource types and the resource exclusion recording strategy

      By default, if you choose the EXCLUSION_BY_RESOURCE_TYPES recording strategy, when AWS Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types, AWS Config starts recording resources of that type automatically.

      Unless specifically listed as an exclusion, AWS::RDS::GlobalCluster will be recorded automatically in all supported AWS Config Regions where the configuration recorder is enabled.

      IAM users, groups, roles, and customer managed policies will be recorded in the Region where you set up the configuration recorder if that is a Region where AWS Config was available before February 2022. You cannot record the global IAM resource types in Regions supported by AWS Config after February 2022, which include the following Regions:

      • Asia Pacific (Hyderabad)

      • Asia Pacific (Melbourne)

      • Canada West (Calgary)

      • Europe (Spain)

      • Europe (Zurich)

      • Israel (Tel Aviv)

      • Middle East (UAE)

    2. put-configuration-recorder uses the following fields for the --configuration-recorder parameter:

      • name – The name of the configuration recorder. AWS Config automatically assigns the name of "default" when creating the configuration recorder.

      • roleARN – Amazon Resource Name (ARN) of the IAM role assumed by AWS Config and used by the configuration recorder.

      • recordingMode – Specifies the default recording frequency that AWS Config uses to record configuration changes. AWS Config supports Continuous recording and Daily recording. Continuous recording allows you to record configuration changes continuously whenever a change occurs. Daily recording allows you to receive a configuration item (CI) representing the most recent state of your resources over the last 24-hour period, only if it’s different from the previous CI recorded.

        • recordingFrequency – The default recording frequency that AWS Config uses to record configuration changes.

          Note

          AWS Firewall Manager depends on continuous recording to monitor your resources. If you are using Firewall Manager, it is recommended that you set the recording frequency to Continuous.

        • recordingModeOverrides – This field allows you to specify your overrides for the recording mode. It is an array of recordingModeOverride objects. Each recordingModeOverride object in the recordingModeOverrides array consists of three fields:

          • description – A description that you provide for the override.

          • recordingFrequency – The recording frequency that will be applied to all the resource types specified in the override.

          • resourceTypes – A comma-separated list that specifies which resource types AWS Config includes in the override.

      Note

      Required and optional fields

      The recordingMode field for put-configuration-recorder is optional. By default, the recording frequency for the configuration recorder is set to Continuous recording.

      Note

      Limits

      Daily recording is not supported for the following resource types:

      • AWS::Config::ResourceCompliance

      • AWS::Config::ConformancePackCompliance

      • AWS::Config::ConfigurationRecorder

      For the Record all current and future supported resource types (ALL_SUPPORTED_RESOURCE_TYPES) recording strategy, these resource types will be set to Continuous recording.

      The configurationRecorder.json file specifies name and roleArn as well as the default recording frequency for the configuration recorder (recordingMode). You can also use this file to override the recording frequency for specific resource types.

      {
        "name": "default",
        "roleARN": "arn:aws:iam::123456789012:role/config-role",
        "recordingMode": {
          "recordingFrequency": CONTINUOUS or DAILY,
          "recordingModeOverrides": [
            {
              "description": "Description you provide for the override",
              "recordingFrequency": CONTINUOUS or DAILY,
              "resourceTypes": [ Comma-separated list of resource types to include in the override ]
            }
          ]
        }
      }

  2. (Optional) To verify that your configuration recorder has the settings that you want, use the following describe-configuration-recorders command.

    $ aws configservice describe-configuration-recorders

    The following is an example response.

    {
      "ConfigurationRecorders": [
        {
          "name": "default",
          "recordingGroup": {
            "allSupported": false,
            "exclusionByResourceTypes": {
              "resourceTypes": [
                "AWS::Redshift::ClusterSnapshot",
                "AWS::RDS::DBClusterSnapshot",
                "AWS::CloudFront::StreamingDistribution"
              ]
            },
            "includeGlobalResourceTypes": false,
            "recordingStrategy": {
              "useOnly": "EXCLUSION_BY_RESOURCE_TYPES"
            },
            "resourceTypes": []
          },
          "recordingMode": {
            "recordingFrequency": CONTINUOUS or DAILY,
            "recordingModeOverrides": [
              {
                "description": "Description you provide for the override",
                "recordingFrequency": CONTINUOUS or DAILY,
                "resourceTypes": [ Comma-separated list of resource types to include in the override ]
              }
            ]
          },
          "roleARN": "arn:aws:iam::123456789012:role/config-role"
        }
      ]
    }

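
The interplay between allSupported, includeGlobalResourceTypes, the recording strategy and the Region decides whether the global IAM resource types and AWS::RDS::GlobalCluster actually get recorded, and it is easy to end up with no IAM coverage at all. The following checker is an added example written for this page, not AWS code and not an AWS API: it applies only the rules stated in this CLI section (all three recording strategies) to a recordingGroup.json and configurationRecorder.json and reports what will be recorded plus any setting the page says is invalid. The Region codes are the editor's mapping of the Region names listed above; the sample inputs are constructed.

```python
"""Editor-added checker (not AWS code, calls no AWS API): predicts what a
recording group will record, using only the rules stated on this page."""
import json

# From the page: the four global IAM resource types bundled by includeGlobalResourceTypes.
GLOBAL_IAM_TYPES = frozenset({"AWS::IAM::User", "AWS::IAM::Group",
                              "AWS::IAM::Role", "AWS::IAM::Policy"})
GLOBAL_CLUSTER = "AWS::RDS::GlobalCluster"
# Region codes are the editor's mapping of the Region names the page lists as unable
# to record the global IAM resource types (Regions onboarded after February 2022).
NO_GLOBAL_IAM_REGIONS = frozenset({
    "ap-south-2", "ap-southeast-4", "ca-west-1", "eu-south-2",
    "eu-central-2", "il-central-1", "me-central-1"})
# From the page: resource types for which Daily recording is not supported.
NO_DAILY_TYPES = frozenset({"AWS::Config::ResourceCompliance",
                            "AWS::Config::ConformancePackCompliance",
                            "AWS::Config::ConfigurationRecorder"})


def strategy_of(group):
    """Effective recordingStrategy.useOnly, inferred when it is omitted."""
    explicit = group.get("recordingStrategy", {}).get("useOnly")
    if explicit:
        return explicit
    if group.get("allSupported"):
        return "ALL_SUPPORTED_RESOURCE_TYPES"
    if group.get("resourceTypes"):   # page: recordingStrategy is optional here
        return "INCLUSION_BY_RESOURCE_TYPES"
    return None


def evaluate(group, recorder, region):
    """Return strategy, whether global IAM types / AWS::RDS::GlobalCluster get
    recorded in `region`, and a list of findings for settings the page rejects."""
    findings = []
    strategy = strategy_of(group)
    listed = set(group.get("resourceTypes") or [])
    excluded = set(group.get("exclusionByResourceTypes", {}).get("resourceTypes") or [])
    iam_flag = bool(group.get("includeGlobalResourceTypes"))
    region_ok = region not in NO_GLOBAL_IAM_REGIONS

    if strategy == "ALL_SUPPORTED_RESOURCE_TYPES":
        if not group.get("allSupported"):
            findings.append("ALL_SUPPORTED_RESOURCE_TYPES requires allSupported=true")
        # Page: IAM types listed in resourceTypes are recorded even when the flag is false.
        iam = (iam_flag or bool(listed & GLOBAL_IAM_TYPES)) and region_ok
        cluster = True
    elif strategy == "EXCLUSION_BY_RESOURCE_TYPES":
        if group.get("allSupported") or iam_flag:
            findings.append("EXCLUSION_BY_RESOURCE_TYPES requires allSupported and "
                            "includeGlobalResourceTypes to be false or omitted")
        # Page: includeGlobalResourceTypes has no effect here; global IAM types are
        # recorded unless every one of them is listed in exclusionByResourceTypes.
        iam = (not GLOBAL_IAM_TYPES <= excluded) and region_ok
        cluster = GLOBAL_CLUSTER not in excluded
    elif strategy == "INCLUSION_BY_RESOURCE_TYPES":
        if group.get("allSupported") or iam_flag:
            findings.append("INCLUSION_BY_RESOURCE_TYPES requires allSupported and "
                            "includeGlobalResourceTypes to be false or omitted")
        if not listed:
            findings.append("INCLUSION_BY_RESOURCE_TYPES needs at least one resource type")
        iam = bool(listed & GLOBAL_IAM_TYPES) and region_ok
        cluster = GLOBAL_CLUSTER in listed
    else:
        findings.append("no recording strategy could be determined")
        iam = cluster = False

    if not region_ok and (iam_flag or listed & GLOBAL_IAM_TYPES):
        findings.append(f"global IAM resource types cannot be recorded in {region}")

    # Page: Daily recording is not supported for the AWS::Config::* types above.
    for override in recorder.get("recordingMode", {}).get("recordingModeOverrides", []):
        if override.get("recordingFrequency") == "DAILY":
            bad = sorted(set(override.get("resourceTypes", [])) & NO_DAILY_TYPES)
            if bad:
                findings.append("DAILY override not supported for: " + ", ".join(bad))

    return {"strategy": strategy, "records_global_iam": iam,
            "records_global_cluster": cluster, "findings": findings}


# Constructed sample: the page's exclusion recordingGroup.json (the global IAM types are
# not excluded, so they are still recorded in an eligible Region) plus a recorder whose
# override asks for DAILY recording of a type that does not support it.
EXCLUSION_GROUP = json.loads("""{
  "allSupported": false,
  "exclusionByResourceTypes": {"resourceTypes": [
    "AWS::Redshift::ClusterSnapshot", "AWS::RDS::DBClusterSnapshot",
    "AWS::CloudFront::StreamingDistribution"]},
  "includeGlobalResourceTypes": false,
  "recordingStrategy": {"useOnly": "EXCLUSION_BY_RESOURCE_TYPES"}
}""")
RECORDER = {"name": "default", "roleARN": "arn:aws:iam::123456789012:role/config-role",
            "recordingMode": {"recordingFrequency": "CONTINUOUS", "recordingModeOverrides": [
                {"description": "constructed: invalid daily override", "recordingFrequency": "DAILY",
                 "resourceTypes": ["AWS::Config::ResourceCompliance"]}]}}

if __name__ == "__main__":
    print(json.dumps(evaluate(EXCLUSION_GROUP, RECORDER, "us-east-1"), indent=2))
```

Run it against the recordingGroup.json you are about to put, or against the recordingGroup block of a describe-configuration-recorders response, to confirm that the global IAM resource types are recorded in at least one Region before relying on Config rules that evaluate IAM.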
Record specific resource types

Set up AWS Config to record configuration changes for only the resource types that you specify. If you choose to stop recording for a resource type, the configuration items that were already recorded will remain unchanged.

This command uses the --configuration-recorder and --recording-group fields.

$ aws configservice put-configuration-recorder \
    --configuration-recorder file://configurationRecorder.json \
    --recording-group file://recordingGroup.json

Note

Recording group and configuration recorder

The --recording-group field specifies which resource types are recorded.

The --configuration-recorder field specifies name and roleArn as well as the default recording frequency for the configuration recorder (recordingMode). You can also use this field to override the recording frequency for specific resource types.

  1. Use the put-configuration-recorder command, and pass one or more resource types in the resourceTypes field of recordingGroup, as shown in the following example.

    1. The recordingGroup.json file specifies which types of resources AWS Config will record.

      {
        "allSupported": false,
        "recordingStrategy": {
          "useOnly": "INCLUSION_BY_RESOURCE_TYPES"
        },
        "includeGlobalResourceTypes": false,
        "resourceTypes": [
          "AWS::EC2::EIP",
          "AWS::EC2::Instance",
          "AWS::EC2::NetworkAcl",
          "AWS::EC2::SecurityGroup",
          "AWS::CloudTrail::Trail",
          "AWS::EC2::Volume",
          "AWS::EC2::VPC",
          "AWS::IAM::User",
          "AWS::IAM::Policy"
        ]
      }
      Note

      Required and optional fields

      Before you can specify resource types to include in recording, you must set the allSupported and includeGlobalResourceTypes fields to false, or omit them.

      The recordingStrategy field is optional when you list resource types in the resourceTypes field of --recording-group.

      Note

      Region availability

      Before specifying a resource type for AWS Config to track, check Resource Coverage by Region availability to see if the resource type is supported in the AWS Region where you set up AWS Config. If a resource type is supported by AWS Config in at least one Region, you can enable the recording of that resource type in all Regions supported by AWS Config, even if the specified resource type is not supported in the AWS Region where you set up AWS Config.

    2. put-configuration-recorder uses the following fields for the --configuration-recorder parameter:

      • name – The name of the configuration recorder. AWS Config automatically assigns the name of "default" when creating the configuration recorder.

      • roleARN – Amazon Resource Name (ARN) of the IAM role assumed by AWS Config and used by the configuration recorder.

      • recordingMode – Specifies the default recording frequency that AWS Config uses to record configuration changes. AWS Config supports Continuous recording and Daily recording. Continuous recording allows you to record configuration changes continuously whenever a change occurs. Daily recording allows you to receive a configuration item (CI) representing the most recent state of your resources over the last 24-hour period, only if it’s different from the previous CI recorded.

        • recordingFrequency – The default recording frequency that AWS Config uses to record configuration changes.

          Note

          AWS Firewall Manager depends on continuous recording to monitor your resources. If you are using Firewall Manager, it is recommended that you set the recording frequency to Continuous.

        • recordingModeOverrides – This field allows you to specify your overrides for the recording mode. It is an array of recordingModeOverride objects. Each recordingModeOverride object in the recordingModeOverrides array consists of three fields:

          • description – A description that you provide for the override.

          • recordingFrequency – The recording frequency that will be applied to all the resource types specified in the override.

          • resourceTypes – A comma-separated list that specifies which resource types AWS Config includes in the override.

      Note

      Required and optional fields

      The recordingMode field for put-configuration-recorder is optional. By default, the recording frequency for the configuration recorder is set to Continuous recording.

      Note

      Limits

      Daily recording is not supported for the following resource types:

      • AWS::Config::ResourceCompliance

      • AWS::Config::ConformancePackCompliance

      • AWS::Config::ConfigurationRecorder

      For the Record all current and future supported resource types (ALL_SUPPORTED_RESOURCE_TYPES) recording strategy, these resource types will be set to Continuous recording.

      The configurationRecorder.json file specifies name and roleArn as well as the default recording frequency for the configuration recorder (recordingMode). You can also use this field to override the recording frequency for specific resource types.

      {
        "name": "default",
        "roleARN": "arn:aws:iam::123456789012:role/config-role",
        "recordingMode": {
          "recordingFrequency": CONTINUOUS or DAILY,
          "recordingModeOverrides": [
            {
              "description": "Description you provide for the override",
              "recordingFrequency": CONTINUOUS or DAILY,
              "resourceTypes": [ Comma-separated list of resource types to include in the override ]
            }
          ]
        }
      }
  2. (Optional) To verify that your configuration recorder has the settings that you want, use the following describe-configuration-recorders command.

    $ aws configservice describe-configuration-recorders

    The following is an example response.

    {
      "ConfigurationRecorders": [
        {
          "name": "default",
          "recordingGroup": {
            "allSupported": false,
            "exclusionByResourceTypes": {
              "resourceTypes": []
            },
            "includeGlobalResourceTypes": false,
            "recordingStrategy": {
              "useOnly": "INCLUSION_BY_RESOURCE_TYPES"
            },
            "resourceTypes": [
              "AWS::EC2::EIP",
              "AWS::EC2::Instance",
              "AWS::EC2::NetworkAcl",
              "AWS::EC2::SecurityGroup",
              "AWS::CloudTrail::Trail",
              "AWS::EC2::Volume",
              "AWS::EC2::VPC",
              "AWS::IAM::User",
              "AWS::IAM::Policy"
            ]
          },
          "recordingMode": {
            "recordingFrequency": CONTINUOUS or DAILY,
            "recordingModeOverrides": [
              {
                "description": "Description you provide for the override",
                "recordingFrequency": CONTINUOUS or DAILY,
                "resourceTypes": [ Comma-separated list of resource types to include in the override ]
              }
            ]
          },
          "roleARN": "arn:aws:iam::123456789012:role/config-role"
        }
      ]
    }
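The following Python script is an added example and not part of the AWS documentation or the AWS CLI. It builds the two request files used in the procedure above (recordingGroup.json and configurationRecorder.json) and checks them against the constraints the procedure states (allSupported and includeGlobalResourceTypes false when resourceTypes is listed, recordingFrequency limited to CONTINUOUS or DAILY, and no Daily recording for the three AWS::Config types in the Limits note) before they are handed to put-configuration-recorder. The account id, role name, override description and resource types are placeholders.

```python
import json
import os
from typing import Dict, List, Optional, Sequence, Tuple

# Resource types this page's "Limits" note lists as not supporting Daily recording.
NO_DAILY_TYPES = {
    "AWS::Config::ResourceCompliance",
    "AWS::Config::ConformancePackCompliance",
    "AWS::Config::ConfigurationRecorder",
}
VALID_FREQUENCIES = {"CONTINUOUS", "DAILY"}


def build_recording_group(resource_types: Sequence[str]) -> Dict:
    """recordingGroup.json for recording specific resource types only.
    allSupported and includeGlobalResourceTypes must be false (or omitted) here;
    recordingStrategy is optional but is written out explicitly."""
    return {
        "allSupported": False,
        "recordingStrategy": {"useOnly": "INCLUSION_BY_RESOURCE_TYPES"},
        "includeGlobalResourceTypes": False,
        "resourceTypes": sorted(set(resource_types)),
    }


def build_configuration_recorder(role_arn: str, default_frequency: str = "CONTINUOUS",
                                 overrides: Optional[Sequence[Tuple[str, str, Sequence[str]]]] = None,
                                 name: str = "default") -> Dict:
    """configurationRecorder.json: name, roleARN and recordingMode.
    overrides: (description, frequency, resource_types) tuples -> recordingModeOverride objects."""
    recorder = {"name": name, "roleARN": role_arn,
                "recordingMode": {"recordingFrequency": default_frequency}}
    if overrides:
        recorder["recordingMode"]["recordingModeOverrides"] = [
            {"description": desc, "recordingFrequency": freq, "resourceTypes": list(types)}
            for desc, freq, types in overrides]
    return recorder


def validate(recorder: Dict, group: Dict) -> List[str]:
    """Return the problems to fix before calling put-configuration-recorder (empty list = OK)."""
    problems: List[str] = []
    selected = set(group.get("resourceTypes", []))
    if selected and (group.get("allSupported") or group.get("includeGlobalResourceTypes")):
        problems.append("allSupported and includeGlobalResourceTypes must be false or omitted "
                        "when resourceTypes is listed")
    if group.get("recordingStrategy", {}).get("useOnly") == "INCLUSION_BY_RESOURCE_TYPES" and not selected:
        problems.append("INCLUSION_BY_RESOURCE_TYPES needs at least one entry in resourceTypes")
    mode = recorder.get("recordingMode", {})
    default_freq = mode.get("recordingFrequency", "CONTINUOUS")  # omitted recordingMode means Continuous
    if default_freq not in VALID_FREQUENCIES:
        problems.append(f"recordingFrequency must be CONTINUOUS or DAILY, got {default_freq!r}")
    overridden = set()
    for i, ov in enumerate(mode.get("recordingModeOverrides", [])):
        freq = ov.get("recordingFrequency")
        if freq not in VALID_FREQUENCIES:
            problems.append(f"override {i}: recordingFrequency must be CONTINUOUS or DAILY, got {freq!r}")
        for rt in ov.get("resourceTypes", []):
            overridden.add(rt)
            if rt not in selected:  # a type that is not recorded cannot be affected by an override
                problems.append(f"override {i}: {rt} is not in recordingGroup.resourceTypes, so it has no effect")
            if freq == "DAILY" and rt in NO_DAILY_TYPES:
                problems.append(f"override {i}: {rt} does not support Daily recording")
    if default_freq == "DAILY":
        for rt in sorted((selected & NO_DAILY_TYPES) - overridden):
            problems.append(f"{rt} does not support Daily recording; give it a CONTINUOUS override")
    return problems


def write_request_files(recorder: Dict, group: Dict, directory: str) -> Tuple[str, str]:
    """Write the two files that put-configuration-recorder reads via file:// and return their paths."""
    problems = validate(recorder, group)
    if problems:
        raise ValueError("; ".join(problems))
    rec_path = os.path.join(directory, "configurationRecorder.json")
    grp_path = os.path.join(directory, "recordingGroup.json")
    with open(rec_path, "w") as fh:
        json.dump(recorder, fh, indent=2)
    with open(grp_path, "w") as fh:
        json.dump(group, fh, indent=2)
    return rec_path, grp_path


if __name__ == "__main__":
    # Placeholder account id and role name; sample resource types taken from this page.
    group = build_recording_group(["AWS::CloudTrail::Trail", "AWS::EC2::SecurityGroup",
                                   "AWS::EC2::Volume", "AWS::IAM::User", "AWS::IAM::Policy"])
    recorder = build_configuration_recorder(
        "arn:aws:iam::123456789012:role/config-role",
        overrides=[("Volumes churn; daily is enough", "DAILY", ["AWS::EC2::Volume"])])
    print(json.dumps(recorder, indent=2))
    print("problems:", validate(recorder, group))
```

After write_request_files succeeds, the files are passed to the CLI exactly as in the command above (`--configuration-recorder file://configurationRecorder.json --recording-group file://recordingGroup.json`). Keeping security-relevant types such as AWS::CloudTrail::Trail and AWS::EC2::SecurityGroup on the Continuous default and reserving DAILY overrides for high-churn types keeps detection latency low where it matters while still cutting recording volume.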

Recording Frequency

AWS Config supports Continuous recording and Daily recording. Continuous recording allows you to record configuration changes continuously whenever a change occurs. Daily recording allows you to receive a configuration item (CI) representing the most recent state of your resources over the last 24-hour period, only if it’s different from the previous CI recorded.

Continuous recording

Some benefits of continuous recording include:

  • Real-time Monitoring: Continuous recording can provide immediate detection for unauthorized changes or unexpected alterations, which can enhance your security and compliance efforts.

  • Detailed Analysis: Continuous recording can allow you to perform in-depth analysis of configuration changes to your resources as they occur, which can allow you to identify patterns and trends in the moment.

Daily recording

Some benefits of daily recording include:

  • Minimal Disruption: Daily recording can provide you with a more manageable flow of information, which can reduce the frequency of notifications and alert fatigue.

  • Cost Efficiency: Daily recording can provide you with the flexibility to record changes to your resources at a lower frequency, which can reduce costs related to the number of configuration changes recorded.

Note

AWS Firewall Manager depends on continuous recording to monitor your resources. If you are using Firewall Manager, it is recommended that you set the recording frequency to Continuous.

Stopping the Recording of Resources

You can stop AWS Config from recording a type of resource at any time. After AWS Config stops recording a resource, it retains the configuration information that was previously captured, and you can continue to access this information.

Non-recorded Resources

If a resource is not recorded, AWS Config captures only the creation and deletion of that resource, and no other details, at no cost to you. When a non-recorded resource is created or deleted, AWS Config sends a notification, and it displays the event on the resource details page. The details page for a non-recorded resource provides null values for most configuration details, and it does not provide information about relationships and configuration changes.

Note

The AWS::IAM::User, AWS::IAM::Policy, AWS::IAM::Group, AWS::IAM::Role resource types will only capture the creation (ResourceNotRecorded) and deletion (ResourceDeletedNotRecorded) states if the resource is, or previously was, selected as a resource to record in the configuration recorder.

The relationship information that AWS Config provides for recorded resources is not limited because of missing data for non-recorded resources. If a recorded resource is related to a non-recorded resource, that relationship is provided in the details page of the recorded resource.

AWS Config Rules and Global Resource Types

Global resource types onboarded before February 2022 (AWS::IAM::Group, AWS::IAM::Policy, AWS::IAM::Role, and AWS::IAM::User) can only be recorded by AWS Config in Regions where AWS Config was available before February 2022. These global IAM resource types cannot be recorded in Regions supported by AWS Config after February 2022.

If you have selected to record global IAM resource types in at least one Region, periodic rules that report compliance on global resource types will run evaluations in all Regions where the periodic rule is added, even if you have not enabled the recording of global resource types in the Region where the periodic rule was added.

You should only deploy periodic rules that report compliance on global resource types to one of the supported Regions to avoid unnecessary evaluations and API throttling. Not enabling the recording of global IAM resource types in a Region will not prevent these periodic rules from running evaluations there if you have enabled the recording of global IAM resource types in another Region. To avoid unnecessary evaluations, limit the deployment of these periodic rules to one Region.

If you are not recording global resource types onboarded before February 2022, it is recommended that you do not enable the following periodic rules to avoid unnecessary evaluations:

Best Practices for reporting compliance on global resources

If you are recording global resource types onboarded before February 2022 (AWS::IAM::Group, AWS::IAM::Policy, AWS::IAM::Role, and AWS::IAM::User), you should only deploy AWS Config rules and conformance packs that have these global resources in scope in one of the supported Regions to avoid unnecessary evaluations and API throttling. This applies to regular AWS Config rules, organizational AWS Config rules, and also rules created by other AWS services, such as AWS Security Hub and AWS Control Tower.

Global resource types onboarded to AWS Config recording after February 2022 will be recorded only in the service's home Region for the commercial partition and AWS GovCloud (US-West) for the AWS GovCloud (US) partition. You should deploy only AWS Config rules and conformance packs that have these global resources in scope in the resource type's home Region. For more information, see Home Regions for Global Resource Types Onboarded after February 2022.
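The following Python audit is an added example and not part of the AWS documentation. It ties together the Recording Frequency, Non-recorded Resources and global resource type sections above: given describe-configuration-recorders output for several Regions, it resolves the effective recording frequency of each resource type (override, else the recorder default, else Continuous), reports security-relevant types that are not recorded at all (for which only create and delete events are captured) or are recorded only Daily, and lists the Regions in which the pre-February-2022 global IAM types are recorded, since once any Region records them, periodic rules on those types run wherever they are deployed. The sample responses, Region names, account id and role name are constructed placeholders modelled on the example responses in this page; the handling of global types under the EXCLUSION_BY_RESOURCE_TYPES strategy (recorded unless excluded) is an assumption.

```python
import json
from typing import Dict, List, Optional

# From this page's "Limits" note: forced to Continuous under ALL_SUPPORTED_RESOURCE_TYPES.
NO_DAILY_TYPES = {"AWS::Config::ResourceCompliance",
                  "AWS::Config::ConformancePackCompliance",
                  "AWS::Config::ConfigurationRecorder"}
# Global IAM resource types onboarded before February 2022 (from this page).
GLOBAL_IAM_TYPES = {"AWS::IAM::Group", "AWS::IAM::Policy", "AWS::IAM::Role", "AWS::IAM::User"}

# Constructed sample output of `describe-configuration-recorders` for two Regions,
# modelled on this page's example responses; not real account data.
SAMPLE_RESPONSES = {
    "us-east-1": json.loads("""{"ConfigurationRecorders": [{"name": "default",
      "recordingGroup": {"allSupported": false, "includeGlobalResourceTypes": false,
        "recordingStrategy": {"useOnly": "INCLUSION_BY_RESOURCE_TYPES"},
        "resourceTypes": ["AWS::EC2::SecurityGroup", "AWS::CloudTrail::Trail",
                          "AWS::EC2::Volume", "AWS::IAM::User", "AWS::IAM::Policy"]},
      "recordingMode": {"recordingFrequency": "CONTINUOUS",
        "recordingModeOverrides": [{"description": "volumes churn; daily is enough",
          "recordingFrequency": "DAILY", "resourceTypes": ["AWS::EC2::Volume"]}]},
      "roleARN": "arn:aws:iam::123456789012:role/config-role"}]}"""),
    "eu-west-1": json.loads("""{"ConfigurationRecorders": [{"name": "default",
      "recordingGroup": {"allSupported": false, "includeGlobalResourceTypes": false,
        "exclusionByResourceTypes": {"resourceTypes": ["AWS::CloudTrail::Trail",
          "AWS::Redshift::ClusterSnapshot", "AWS::RDS::DBClusterSnapshot"]},
        "recordingStrategy": {"useOnly": "EXCLUSION_BY_RESOURCE_TYPES"}, "resourceTypes": []},
      "recordingMode": {"recordingFrequency": "DAILY",
        "recordingModeOverrides": [{"description": "security groups need immediate detection",
          "recordingFrequency": "CONTINUOUS", "resourceTypes": ["AWS::EC2::SecurityGroup"]}]},
      "roleARN": "arn:aws:iam::123456789012:role/config-role"}]}"""),
}


def is_recorded(group: dict, resource_type: str) -> bool:
    """Apply the recordingGroup's strategy to one resource type.
    Assumption: under EXCLUSION_BY_RESOURCE_TYPES every supported type not listed in
    exclusionByResourceTypes is recorded; under ALL_SUPPORTED the global IAM types are
    recorded only when includeGlobalResourceTypes is true."""
    strategy = group.get("recordingStrategy", {}).get("useOnly")
    if strategy == "EXCLUSION_BY_RESOURCE_TYPES":
        excluded = group.get("exclusionByResourceTypes", {}).get("resourceTypes", [])
        return resource_type not in excluded
    if strategy == "ALL_SUPPORTED_RESOURCE_TYPES" or group.get("allSupported"):
        if resource_type in GLOBAL_IAM_TYPES:
            return bool(group.get("includeGlobalResourceTypes"))
        return True
    # INCLUSION_BY_RESOURCE_TYPES, or strategy omitted with an explicit resourceTypes list
    return resource_type in group.get("resourceTypes", [])


def effective_frequency(recorder: dict, resource_type: str) -> Optional[str]:
    """None if the type is not recorded; else the override frequency naming the type,
    else the recorder default (Continuous when recordingMode is omitted)."""
    group = recorder.get("recordingGroup", {})
    if not is_recorded(group, resource_type):
        return None
    if (group.get("recordingStrategy", {}).get("useOnly") == "ALL_SUPPORTED_RESOURCE_TYPES"
            and resource_type in NO_DAILY_TYPES):
        return "CONTINUOUS"
    mode = recorder.get("recordingMode", {})
    for override in mode.get("recordingModeOverrides", []):
        if resource_type in override.get("resourceTypes", []):
            return override.get("recordingFrequency", "CONTINUOUS")
    return mode.get("recordingFrequency", "CONTINUOUS")


def audit(recorders_by_region: Dict[str, dict], required_continuous: List[str]) -> List[str]:
    """Findings for types that must be recorded continuously, plus where global IAM types are recorded."""
    findings: List[str] = []
    iam_regions: List[str] = []
    for region, response in sorted(recorders_by_region.items()):
        for recorder in response.get("ConfigurationRecorders", []):
            name = recorder.get("name", "default")
            for rt in required_continuous:
                freq = effective_frequency(recorder, rt)
                if freq is None:
                    findings.append(f"{region}/{name}: {rt} is not recorded; only create/delete events are captured")
                elif freq == "DAILY":
                    findings.append(f"{region}/{name}: {rt} is recorded DAILY; a change may surface up to 24 hours late")
            if any(effective_frequency(recorder, t) for t in GLOBAL_IAM_TYPES):
                iam_regions.append(region)
    if len(iam_regions) > 1:
        findings.append("global IAM types are recorded in " + ", ".join(iam_regions)
                        + "; deploy periodic rules that evaluate them in one Region only")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_RESPONSES, ["AWS::CloudTrail::Trail", "AWS::EC2::SecurityGroup", "AWS::IAM::Policy"]):
        print(line)
```

In practice the SAMPLE_RESPONSES dictionary is replaced by the parsed output of `aws configservice describe-configuration-recorders --region <Region>` for each Region in use. The list passed as required_continuous is the set of types whose changes you want detected immediately; the page's Firewall Manager note is one reason to keep such types on Continuous recording.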