Find AWS resources based on their creation date by using AWS Config advanced queries
Created by Inna Saman (AWS)
Summary
This pattern shows how to find AWS resources based on their creation date by using the AWS Config advanced query feature.
AWS Config advanced queries use a subset of SQL to query the current configuration state of AWS resources for inventory management, operational intelligence, security, and compliance. You can use these queries to find AWS resources in a single AWS account and AWS Region or across multiple accounts and Regions. By filtering on the resourceCreationTime property, you can return a list of your AWS resources based on when they were created, for example everything created during the time window of a security incident. You can run AWS Config advanced queries by using either of the following:
The AWS Config Query editor in the AWS Config console
The AWS Command Line Interface (AWS CLI)
The example query in the Additional information section of this pattern returns a list of AWS resources created within a specific 60-day time period. The query’s output includes information on the following for each identified resource:
Account ID
Region
Resource name
Resource ID
Resource type
Tags
Creation time
The example query also shows how the inventory list can be scoped to specific resource types with a "WHERE ... IN" statement. You can use a similar query to find other AWS resource types that also work with tags.
Note
To query resources across multiple AWS accounts and Regions or across an AWS Organizations organization, you must use an AWS Config aggregator. For more information, see Multi-account multi-Region data aggregation in the AWS Config Developer Guide. Global resources are recorded only in their home Region, so a single-account, single-Region query returns them only when it runs in that Region. For example, AWS Identity and Access Management (IAM) resources are global and are recorded in us-east-1 (US East (N. Virginia) Region).
Prerequisites and limitations
Prerequisites
One or more active AWS accounts with AWS Config activated to record all supported resource types (default configuration)
(For multi-account, multi-Region queries) An activated AWS Config aggregator
Limitations
AWS Config advanced query results are paginated. When you choose export in the AWS Management Console, at most 500 results are exported. The SelectResourceConfig and SelectAggregateResourceConfig APIs return at most 100 results per call; to retrieve the remaining results, pass the NextToken value from each response to the next call.
AWS Config advanced queries use a subset of SQL that has its own syntax limitations. For more information, see Limitations in Querying the current configuration state of AWS resources in the AWS Config Developer Guide.
Tools
AWS Config provides a detailed view of the resources in your AWS account and how they’re configured. It helps you identify how resources are related to one another and how their configurations have changed over time.
AWS Command Line Interface (AWS CLI) is an open-source tool that helps you interact with AWS services through commands in your command-line shell.
Epics
Task: Verify that the resources you're querying are supported by AWS Config.
Description: For a complete list of AWS resources that AWS Config supports, see Supported resource types in the AWS Config Developer Guide.
Skills required: Cloud administrator

Task: Verify that the configuration recorder is created and running.
Description: Follow the instructions in Managing the configuration recorder in the AWS Config Developer Guide. Note: AWS Config automatically creates and then starts the default configuration recorder.
Skills required: Cloud administrator

Task: Run the query.
Description: Follow the instructions in Query using the SQL query editor (console) or Query using the SQL query editor (AWS CLI) in the AWS Config Developer Guide. Note: If you receive errors when running AWS CLI commands, make sure that you're using the most recent version of the AWS CLI.
For single AWS account and Region queries: On the Query editor page, in the Query scope section, choose This account and Region only.
For multi-account and multi-Region queries: On the Query editor page, in the Query scope section, create and select an AWS Config aggregator. For more information, see Multi-account multi-Region data aggregation in the AWS Config Developer Guide. If queries across multiple accounts or Regions aren't working, follow the instructions in Troubleshooting for multi-account multi-Region data aggregation in the AWS Config Developer Guide.
Note: To modify the scope of the query based on resource type, use the WHERE resourceType IN (...) construct. For an example query, see the Example AWS Config advanced query in the Additional information section.
Skills required: Cloud administrator
Additional information
Example AWS Config advanced query
The following example query returns a list of AWS resources created within a specific 60-day time period. For more AWS Config advanced query examples, see Example Queries in the AWS Config Developer Guide.
SELECT
accountId,
awsRegion,
resourceName,
resourceId,
resourceType,
resourceCreationTime,
tags
WHERE
resourceType IN (
'AWS::CloudFormation::Stack',
'AWS::EC2::VPC',
'AWS::EC2::Volume',
'AWS::EC2::Instance',
'AWS::RDS::DBInstance',
'AWS::ElasticLoadBalancingV2::LoadBalancer',
'AWS::ServiceCatalog::CloudFormationProvisionedProduct',
'AWS::EC2::NetworkInterface',
'AWS::EC2::Subnet',
'AWS::EC2::SecurityGroup',
'AWS::AutoScaling::AutoScalingGroup',
'AWS::Lambda::Function',
'AWS::DynamoDB::Table',
'AWS::S3::Bucket'
)
AND resourceCreationTime BETWEEN '2022-05-23T00:00:00.000Z' AND '2022-07-23T17:59:51.000Z'
ORDER BY
accountId ASC,
resourceType ASC
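The following shell script is an added example; it is not part of the AWS pattern or of the AWS Config documentation. It serves two passages above: the Run the query task (running the query from the AWS CLI instead of the console) and the Limitations note that the SelectResourceConfig and SelectAggregateResourceConfig APIs return at most 100 results per call. The script builds the same expression as the example query from a start time, an end time and a list of resource types, then calls the CLI in a loop, following NextToken until the last page. It assumes the AWS CLI and jq are installed and that credentials for the target account are configured; the function names build_query and run_query and the AGGREGATOR environment variable are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the AWS pattern: build the creation-date query and
# run it through the AWS CLI, following NextToken past the 100-results-per-call
# API limit. Requires the AWS CLI and jq. build_query, run_query and AGGREGATOR
# are names chosen for this example.
set -eu

# build_query START END TYPE...
# Prints the advanced-query expression for resources of the given resource
# types created between START and END (ISO 8601 UTC, the format used by
# resourceCreationTime), with the same projection and ordering as the example
# query in this pattern.
build_query() {
  start="$1"; end="$2"; shift 2
  types=""
  for t in "$@"; do
    # Quote each type and join with ", " (no separator before the first one).
    types="${types:+$types, }'$t'"
  done
  printf "SELECT accountId, awsRegion, resourceName, resourceId, resourceType, resourceCreationTime, tags WHERE resourceType IN (%s) AND resourceCreationTime BETWEEN '%s' AND '%s' ORDER BY accountId ASC, resourceType ASC" \
    "$types" "$start" "$end"
}

# run_query EXPRESSION
# Calls SelectResourceConfig, or SelectAggregateResourceConfig when AGGREGATOR
# names an AWS Config aggregator, and requests the next page until the
# response carries no NextToken. Each entry in Results is a JSON-encoded
# string, so it is decoded and printed as one compact JSON object per line.
run_query() {
  expression="$1"
  token=""
  while :; do
    if [ -n "${AGGREGATOR:-}" ]; then
      page=$(aws configservice select-aggregate-resource-config \
        --configuration-aggregator-name "$AGGREGATOR" \
        --expression "$expression" --limit 100 \
        ${token:+--next-token "$token"})
    else
      page=$(aws configservice select-resource-config \
        --expression "$expression" --limit 100 \
        ${token:+--next-token "$token"})
    fi
    printf '%s\n' "$page" | jq -c '.Results[] | fromjson'
    token=$(printf '%s\n' "$page" | jq -r '.NextToken // empty')
    [ -n "$token" ] || break
  done
}

# Usage (commented out so the file can be sourced without AWS access):
#   run_query "$(build_query 2022-05-23T00:00:00.000Z 2022-07-23T17:59:51.000Z \
#       AWS::EC2::Instance AWS::S3::Bucket AWS::Lambda::Function)"
#   AGGREGATOR=org-aggregator run_query "$(build_query ...)"   # multi-account
```

The expression printed by build_query can also be pasted unchanged into the Query editor in the console. Pipe the output of run_query into jq to pivot on resourceType or tags, or redirect it to a file to keep a dated inventory snapshot; because the script pages through every result, the file is not capped at the 500 rows that a console export returns.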
Data privacy and protection
AWS Config is activated in each AWS Region separately. If regulatory requirements restrict where configuration data may be stored or processed, account for them in your design, for example by creating separate Regional aggregators instead of one that spans all Regions. For more information, see Data protection in AWS Config in the AWS Config Developer Guide.
IAM permissions
The AWS_ConfigRole AWS managed policy is required as a minimum set of permissions to run AWS Config advanced queries. The query itself is issued through the SelectResourceConfig API (single account and Region) or the SelectAggregateResourceConfig API (aggregator), so the IAM identity that runs it must be allowed the corresponding config: action. For more information, see IAM role policy for getting configuration details in the Permissions for the IAM role assigned to AWS Config section of the AWS Config Developer Guide.