Managing the Configuration Recorder
AWS Config uses the configuration recorder to detect changes in your resource configurations and capture these changes as configuration items. You must create a configuration recorder before AWS Config can track your resource configurations.
If you set up AWS Config by using the console or the AWS CLI, AWS Config automatically creates and then starts the configuration recorder for you. For more information, see Getting Started with AWS Config.
By default, the configuration recorder records all supported resources in the region where AWS Config is running. You can create a customized configuration recorder that records only the resource types that you specify. For more information, see Selecting Which Resources AWS Config Records.
You are charged service usage fees when AWS Config starts recording configurations. For pricing
information, see AWS Config Pricing
When you start the configuration recorder, AWS Config takes an inventory of all AWS resources in your account.
Managing the Configuration Recorder (Console)
You can use the AWS Config console to stop or start the configuration recorder.
To stop or start the configuration recorder
Sign in to the AWS Management Console and open the AWS Config console at https://console.aws.amazon.com/config/
. -
Choose Settings in the navigation pane.
-
Stop or start the configuration recorder:
-
If you want to stop recording, under Recording is on, choose Turn off. When prompted, choose Continue.
-
If you want to start recording, under Recording is off, choose Turn on. When prompted, choose Continue.
-
Managing the Configuration Recorder (AWS CLI)
You can use the AWS CLI to stop or start the configuration recorder. You can also rename or delete the configuration recorder using the AWS CLI, the AWS Config API, or one of the AWS SDKs. The following steps help you use the AWS CLI.
To stop the configuration recorder
-
Use the
stop-configuration-recordercommand:$ aws configservice stop-configuration-recorder --configuration-recorder-nameconfigRecorderName
To start the configuration recorder
-
Use the
start-configuration-recordercommand:$ aws configservice start-configuration-recorder --configuration-recorder-nameconfigRecorderName
To rename the configuration recorder
To change the configuration recorder name, you must delete it and create a new configuration recorder with the desired name.
-
Use the
describe-configuration-recorderscommand to look up the name of your current configuration recorder:$ aws configservice describe-configuration-recorders { "ConfigurationRecorders": [ { "roleARN": "arn:aws:iam::012345678912:role/myConfigRole", "name": "default" } ] } -
Use the
delete-configuration-recordercommand to delete your current configuration recorder:$ aws configservice delete-configuration-recorder --configuration-recorder-namedefault -
Use the
put-configuration-recordercommand to create a configuration recorder with the desired name:$ aws configservice put-configuration-recorder --configuration-recorder name=configRecorderName,roleARN=arn:aws:iam::012345678912:role/myConfigRole -
Use the
start-configuration-recordercommand to resume recording:$ aws configservice start-configuration-recorder --configuration-recorder-nameconfigRecorderName
To delete the configuration recorder
-
Use the
delete-configuration-recordercommand:$ aws configservice delete-configuration-recorder --configuration-recorder-namedefault
Drift Detection for the Configuration Recorder
The AWS::Config::ConfigurationRecorder resource type is a
configuration item (CI) for the configuration recorder that tracks all
changes to the state of configuration recorder. You can use this CI to check if the state of
the configuration recorder differs, or has drifted, from its previous
state. For example, this CI tracks if there are updates to resource types that you have
enabled AWS Config to track, if you have stopped or started the configuration recorder, or if you
have deleted or uninstalled the configuration recorder. A drifted configuration recorder
indicates that you are not accurately detecting changes to your intended resource types. If
your configuration recorder has been drifted, this can result in false negative or false
positive compliance results.
The AWS::Config::ConfigurationRecorder resource type is a system resource
type of AWS Config and recording of this resource type is enabled by default in all supported
Regions. Recording for the AWS::Config::ConfigurationRecorder resource type comes
with no additional charge.
Drift detection for the configuration recorder is supported in the following Regions:
| Region Name | Region | Endpoint | Protocol |
|---|---|---|---|
| US East (Ohio) | us-east-2 | config.us-east-2.amazonaws.com | HTTPS |
| US East (N. Virginia) | us-east-1 | config.us-east-1.amazonaws.com | HTTPS |
| US West (N. California) | us-west-1 | config.us-west-1.amazonaws.com | HTTPS |
| US West (Oregon) | us-west-2 | config.us-west-2.amazonaws.com | HTTPS |
| Asia Pacific (Hong Kong) | ap-east-1 | config.ap-east-1.amazonaws.com | HTTPS |
| Asia Pacific (Mumbai) | ap-south-1 | config.ap-south-1.amazonaws.com | HTTPS |
| Asia Pacific (Seoul) | ap-northeast-2 | config.ap-northeast-2.amazonaws.com | HTTPS |
| Asia Pacific (Singapore) | ap-southeast-1 | config.ap-southeast-1.amazonaws.com | HTTPS |
| Asia Pacific (Sydney) | ap-southeast-2 | config.ap-southeast-2.amazonaws.com | HTTPS |
| Asia Pacific (Tokyo) | ap-northeast-1 | config.ap-northeast-1.amazonaws.com | HTTPS |
| Canada (Central) | ca-central-1 | config.ca-central-1.amazonaws.com | HTTPS |
| Europe (Stockholm) | eu-north-1 | config.eu-north-1.amazonaws.com | HTTPS |
| Europe (Frankfurt) | eu-central-1 | config.eu-central-1.amazonaws.com | HTTPS |
| Europe (Ireland) | eu-west-1 | config.eu-west-1.amazonaws.com | HTTPS |
| Europe (London) | eu-west-2 | config.eu-west-2.amazonaws.com | HTTPS |
| Europe (Paris) | eu-west-3 | config.eu-west-3.amazonaws.com | HTTPS |
| Middle East (Bahrain) | me-south-1 | config.me-south-1.amazonaws.com | HTTPS |
| South America (São Paulo) | sa-east-1 | config.sa-east-1.amazonaws.com | HTTPS |
