Managing the Configuration Recorder - AWS Config

Managing the Configuration Recorder

AWS Config uses the configuration recorder to detect changes in your resource configurations and capture these changes as configuration items. You must create a configuration recorder before AWS Config can track your resource configurations.

If you set up AWS Config by using the console or the AWS CLI, AWS Config automatically creates and then starts the configuration recorder for you. For more information, see Getting Started with AWS Config.

By default, the configuration recorder records all supported resources in the region where AWS Config is running. You can create a customized configuration recorder that records only the resource types that you specify. For more information, see Selecting Which Resources AWS Config Records.

You are charged service usage fees when AWS Config starts recording configurations. For pricing information, see AWS Config Pricing. To control costs, you can stop recording by stopping the configuration recorder. After you stop recording, you can continue to access the configuration information that was already recorded. You will not be charged AWS Config usage fees until you resume recording.

When you start the configuration recorder, AWS Config takes an inventory of all AWS resources in your account.

Managing the Configuration Recorder (Console)

You can use the AWS Config console to stop or start the configuration recorder.

To stop or start the configuration recorder

  1. Sign in to the AWS Management Console and open the AWS Config console at https://console.aws.amazon.com/config/.

  2. Choose Settings in the navigation pane.

  3. Stop or start the configuration recorder:

    • If you want to stop recording, under Recording is on, choose Turn off. When prompted, choose Continue.

    • If you want to start recording, under Recording is off, choose Turn on. When prompted, choose Continue.

Managing the Configuration Recorder (AWS CLI)

You can use the AWS CLI to stop or start the configuration recorder. You can also rename or delete the configuration recorder using the AWS CLI, the AWS Config API, or one of the AWS SDKs. The following steps help you use the AWS CLI.

To stop the configuration recorder

  • Use the stop-configuration-recorder command:

    $ aws configservice stop-configuration-recorder --configuration-recorder-name configRecorderName

To start the configuration recorder

  • Use the start-configuration-recorder command:

    $ aws configservice start-configuration-recorder --configuration-recorder-name configRecorderName

To rename the configuration recorder

To change the configuration recorder name, you must delete it and create a new configuration recorder with the desired name.

  1. Use the describe-configuration-recorders command to look up the name of your current configuration recorder:

    $ aws configservice describe-configuration-recorders { "ConfigurationRecorders": [ { "roleARN": "arn:aws:iam::012345678912:role/myConfigRole", "name": "default" } ] }
  2. Use the delete-configuration-recorder command to delete your current configuration recorder:

    $ aws configservice delete-configuration-recorder --configuration-recorder-name default
  3. Use the put-configuration-recorder command to create a configuration recorder with the desired name:

    $ aws configservice put-configuration-recorder --configuration-recorder name=configRecorderName,roleARN=arn:aws:iam::012345678912:role/myConfigRole
  4. Use the start-configuration-recorder command to resume recording:

    $ aws configservice start-configuration-recorder --configuration-recorder-name configRecorderName

To delete the configuration recorder

Drift Detection for the Configuration Recorder

The AWS::Config::ConfigurationRecorder resource type is a configuration item (CI) for the configuration recorder that tracks all changes to the state of configuration recorder. You can use this CI to check if the state of the configuration recorder differs, or has drifted, from its previous state. For example, this CI tracks if there are updates to resource types that you have enabled AWS Config to track, if you have stopped or started the configuration recorder, or if you have deleted or uninstalled the configuration recorder. A drifted configuration recorder indicates that you are not accurately detecting changes to your intended resource types. If your configuration recorder has been drifted, this can result in false negative or false positive compliance results.

The AWS::Config::ConfigurationRecorder resource type is a system resource type of AWS Config and recording of this resource type is enabled by default in all supported Regions. Recording for the AWS::Config::ConfigurationRecorder resource type comes with no additional charge.

Drift detection for the configuration recorder is supported in the following Regions:

Region Name Region Endpoint Protocol
US East (Ohio) us-east-2 config.us-east-2.amazonaws.com HTTPS
US East (N. Virginia) us-east-1 config.us-east-1.amazonaws.com HTTPS
US West (N. California) us-west-1 config.us-west-1.amazonaws.com HTTPS
US West (Oregon) us-west-2 config.us-west-2.amazonaws.com HTTPS
Asia Pacific (Hong Kong) ap-east-1 config.ap-east-1.amazonaws.com HTTPS
Asia Pacific (Mumbai) ap-south-1 config.ap-south-1.amazonaws.com HTTPS
Asia Pacific (Seoul) ap-northeast-2 config.ap-northeast-2.amazonaws.com HTTPS
Asia Pacific (Singapore) ap-southeast-1 config.ap-southeast-1.amazonaws.com HTTPS
Asia Pacific (Sydney) ap-southeast-2 config.ap-southeast-2.amazonaws.com HTTPS
Asia Pacific (Tokyo) ap-northeast-1 config.ap-northeast-1.amazonaws.com HTTPS
Canada (Central) ca-central-1 config.ca-central-1.amazonaws.com HTTPS
Europe (Stockholm) eu-north-1 config.eu-north-1.amazonaws.com HTTPS
Europe (Frankfurt) eu-central-1 config.eu-central-1.amazonaws.com HTTPS
Europe (Ireland) eu-west-1 config.eu-west-1.amazonaws.com HTTPS
Europe (London) eu-west-2 config.eu-west-2.amazonaws.com HTTPS
Europe (Paris) eu-west-3 config.eu-west-3.amazonaws.com HTTPS
Middle East (Bahrain) me-south-1 config.me-south-1.amazonaws.com HTTPS
South America (São Paulo) sa-east-1 config.sa-east-1.amazonaws.com HTTPS