Find AWS resources based on their creation date by using AWS Config advanced queries - AWS Prescriptive Guidance

Created by Inna Saman (AWS)

Environment: Production

Technologies: Operations; Security, identity, compliance

AWS services: AWS Config; Amazon EBS; Amazon EC2; Amazon S3; AWS Lambda

Summary

This pattern shows how to find AWS resources based on their creation date by using the AWS Config advanced query feature.

AWS Config advanced queries use a subset of SQL to query the current configuration state of AWS resources for inventory management, operational intelligence, security, and compliance. You can use these queries to find AWS resources in a single AWS account and AWS Region or, through an aggregator, across multiple accounts and Regions. A query that filters on the resourceCreationTime property returns the resources that were created within a specific date range, which is useful, for example, when you need to list everything that appeared in an account during an incident window. You can run AWS Config advanced queries by using either of the following:

  • The AWS Config Query editor in the AWS Config console

  • The AWS Command Line Interface (AWS CLI)

The example query in the Additional information section of this pattern returns a list of AWS resources created within a specific 60-day time period. The query’s output includes information on the following for each identified resource:

  • Account ID

  • Region

  • Resource name

  • Resource ID

  • Resource type

  • Tags

  • Creation time

The example query also shows how to scope the inventory to specific resource types with a WHERE resourceType IN (...) clause. You can adapt the IN list to any other resource type that AWS Config records; the tags column is populated only for resource types that support tagging.

Note: To query resources across multiple AWS accounts and Regions or across an AWS Organizations organization, you must use an AWS Config aggregator. For more information, see Multi-account multi-Region data aggregation in the AWS Config Developer Guide. Global resources are recorded only in their home Region; for example, AWS Identity and Access Management (IAM) resources are global and are recorded in us-east-1 (N. Virginia Region), so a query scoped to another Region will not return them.

Prerequisites and limitations

Prerequisites 

  • One or more active AWS accounts with AWS Config enabled and recording all supported resource types (the default recorder configuration)

  • (For multi-account, multi-Region queries) An AWS Config aggregator that has been created and has finished aggregating data from the source accounts and Regions

Limitations 

  • AWS Config advanced query results are paginated. When you choose Export in the AWS Management Console, at most 500 results are exported. The SelectResourceConfig and SelectAggregateResourceConfig APIs (and the corresponding AWS CLI commands) return at most 100 results per call; to retrieve the full result set, repeat the call with the NextToken value from the previous response until no token is returned.

  • AWS Config advanced queries use a subset of SQL that has its own syntax limitations. For more information, see Limitations in Querying the current configuration state of AWS resources in the AWS Config Developer Guide.

Tools

  • AWS Config provides a detailed view of the resources in your AWS account and how they’re configured. It helps you identify how resources are related to one another and how their configurations have changed over time.

  • AWS Command Line Interface (AWS CLI) is an open-source tool that helps you interact with AWS services through commands in your command-line shell.

Epics

Task: Verify that the resources you're querying are supported by AWS Config.

Description: For a complete list of AWS resources that AWS Config supports, see Supported resource types in the AWS Config Developer Guide. Resource types that AWS Config does not record never appear in query results, regardless of their creation date.

Skills required: Cloud administrator

Task: Verify that the configuration recorder is created and running.

Description: Follow the instructions in Managing the configuration recorder in the AWS Config Developer Guide.

Note: When you set up AWS Config, it creates and starts the default configuration recorder automatically.

Skills required: Cloud administrator

Task: Run the query.

Description: Follow the instructions in Query using the SQL query editor (console) or Query using the SQL query editor (AWS CLI) in the AWS Config Developer Guide.

Note: If you receive errors when running AWS CLI commands, make sure that you're using the most recent version of the AWS CLI.

For single AWS account and Region queries

On the Query editor page, in the Query scope section, choose This account and Region only.

For multi-account and multi-Region queries

On the Query editor page, in the Query scope section, create and select an AWS Config aggregator. For more information, see Multi-account multi-Region data aggregation in the AWS Config Developer Guide.

If queries across multiple accounts or Regions aren't working, follow the instructions in Troubleshooting for multi-account multi-Region data aggregation in the AWS Config Developer Guide.

Note: To scope the query by resource type, use the WHERE resourceType IN (…) construct. For an example query, see Example AWS Config advanced query in the Additional information section.

Skills required: Cloud administrator
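The procedure above, carried out from code rather than the console, as an added example that is not part of the AWS Prescriptive Guidance pattern. The boto3 calls it uses, select_resource_config and select_aggregate_resource_config with the Expression, Limit and NextToken parameters, are the real AWS Config APIs behind the AWS CLI commands; the example follows NextToken past the 100-row page limit noted under Limitations, validates each resource type before quoting it into the expression so that a value taken from a CLI argument or config file cannot alter the query, and checks that the creation-time bounds are in the ISO 8601 format AWS Config expects. The aggregator name org-aggregator, the account ID and the rows served by FakeConfigClient are constructed for illustration; replace the fake with boto3.client("config") to query a real account.

```python
"""Find AWS resources by creation date with an AWS Config advanced query.

Added example, not code from the AWS Prescriptive Guidance page. The
FakeConfigClient below stands in for boto3.client("config") so the script
runs offline; its rows and the "org-aggregator" name are constructed.
"""
import json
import re
from datetime import datetime, timedelta, timezone

# AWS Config stores resourceCreationTime as ISO 8601 UTC with milliseconds.
_TS_FMT = "%Y-%m-%dT%H:%M:%S.000Z"
_TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z$")
# Only the AWS::Service::Type shape is accepted, so a quote or keyword
# smuggled into a type name is rejected instead of rewriting the WHERE clause.
_RESOURCE_TYPE_RE = re.compile(r"^AWS::[A-Za-z0-9]+::[A-Za-z0-9]+$")
# SelectResourceConfig returns at most 100 rows per call.
PAGE_LIMIT = 100
# End of the window used by the page's example query (constructed constant).
EXAMPLE_END = datetime(2022, 7, 23, 17, 59, 51, tzinfo=timezone.utc)


def creation_window(days, now=None):
    """Return (start, end) for the last `days` days, formatted for AWS Config."""
    end = now or datetime.now(timezone.utc)
    start = end - timedelta(days=days)
    return start.strftime(_TS_FMT), end.strftime(_TS_FMT)


def build_expression(resource_types, start, end):
    """Build the SELECT ... WHERE ... BETWEEN expression after validating inputs."""
    for rt in resource_types:
        if not _RESOURCE_TYPE_RE.match(rt):
            raise ValueError(f"not an AWS Config resource type: {rt!r}")
    for ts in (start, end):
        if not _TS_RE.match(ts):
            raise ValueError(f"timestamp must look like 2022-05-23T00:00:00.000Z: {ts!r}")
    in_list = ", ".join(f"'{rt}'" for rt in resource_types)
    return (
        "SELECT accountId, awsRegion, resourceName, resourceId, resourceType, "
        "resourceCreationTime, tags "
        f"WHERE resourceType IN ({in_list}) "
        f"AND resourceCreationTime BETWEEN '{start}' AND '{end}' "
        "ORDER BY accountId ASC, resourceType ASC"
    )


def run_query(client, expression, aggregator=None):
    """Run the expression and follow NextToken until every page has been read.

    Each element of Results is a JSON-encoded string, decoded here into a dict.
    With `aggregator` set, the multi-account, multi-Region API is used instead.
    """
    kwargs = {"Expression": expression, "Limit": PAGE_LIMIT}
    if aggregator:
        kwargs["ConfigurationAggregatorName"] = aggregator
        call = client.select_aggregate_resource_config
    else:
        call = client.select_resource_config
    rows = []
    while True:
        page = call(**kwargs)
        rows.extend(json.loads(r) for r in page.get("Results", []))
        token = page.get("NextToken")
        if not token:
            return rows
        kwargs["NextToken"] = token  # only sent when the API handed one back


class FakeConfigClient:
    """Constructed stand-in for boto3.client("config"): serves two pages."""

    def __init__(self):
        self.calls = []  # every kwargs dict the caller sent, for inspection

    def select_resource_config(self, **kwargs):
        self.calls.append(kwargs)
        row = {"accountId": "111111111111", "awsRegion": "us-east-1",
               "resourceName": "web-1", "resourceId": "i-0123456789abcdef0",
               "resourceType": "AWS::EC2::Instance",
               "resourceCreationTime": "2022-06-01T12:00:00.000Z",
               "tags": [{"key": "Owner", "value": "sec-team"}]}
        if "NextToken" not in kwargs:
            return {"Results": [json.dumps(row)], "NextToken": "page-2"}
        role = dict(row, resourceName="deploy-role", resourceId="AROAEXAMPLEID",
                    resourceType="AWS::IAM::Role", awsRegion="global")
        return {"Results": [json.dumps(role)]}  # last page carries no NextToken

    def select_aggregate_resource_config(self, **kwargs):
        return self.select_resource_config(**kwargs)


if __name__ == "__main__":
    start, end = creation_window(60, EXAMPLE_END)
    expr = build_expression(
        ["AWS::EC2::Instance", "AWS::IAM::Role", "AWS::Lambda::Function"], start, end)
    # For a real account: client = boto3.client("config"); add
    # aggregator="org-aggregator" for multi-account, multi-Region scope.
    for row in run_query(FakeConfigClient(), expr):
        print(row["accountId"], row["resourceType"], row["resourceId"],
              row["resourceCreationTime"])
```

The expression is passed to the API as a single string, so the same build_expression output can be handed to `aws configservice select-resource-config --expression` unchanged; the pagination loop is what the CLI's single invocation does not do for you.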

Additional information

Example AWS Config advanced query

The following example query returns a list of AWS resources created within a specific 60-day time period. AWS Config query expressions have no FROM clause; the recorded configuration items are the implicit source, and the BETWEEN bounds must be ISO 8601 UTC timestamps with millisecond precision. For more AWS Config advanced query examples, see Example Queries in the AWS Config Developer Guide.

    SELECT
      accountId,
      awsRegion,
      resourceName,
      resourceId,
      resourceType,
      resourceCreationTime,
      tags
    WHERE
      resourceType IN (
        'AWS::CloudFormation::Stack',
        'AWS::EC2::VPC',
        'AWS::EC2::Volume',
        'AWS::EC2::Instance',
        'AWS::RDS::DBInstance',
        'AWS::ElasticLoadBalancingV2::LoadBalancer',
        'AWS::ServiceCatalog::CloudFormationProvisionedProduct',
        'AWS::EC2::NetworkInterface',
        'AWS::EC2::Subnet',
        'AWS::EC2::SecurityGroup',
        'AWS::AutoScaling::AutoScalingGroup',
        'AWS::Lambda::Function',
        'AWS::DynamoDB::Table',
        'AWS::S3::Bucket'
      )
      AND resourceCreationTime BETWEEN '2022-05-23T00:00:00.000Z' AND '2022-07-23T17:59:51.000Z'
    ORDER BY
      accountId ASC,
      resourceType ASC

Data privacy and protection

AWS Config is enabled in each AWS Region separately, and an aggregator copies configuration data from its source Regions into the Region where the aggregator lives. If regulatory requirements restrict where that data may be stored, create separate Regional aggregators instead of one aggregator that spans every Region. For more information, see Data protection in AWS Config in the AWS Config Developer Guide.

IAM permissions

The AWS_ConfigRole AWS managed policy is the minimum set of permissions for the role that AWS Config itself uses to record configuration details; without it there is nothing for a query to return. For more information, see IAM role policy for getting configuration details in the Permissions for the IAM role assigned to AWS Config section of the AWS Config Developer Guide. The principal that runs the query needs, in addition, the config:SelectResourceConfig action for single-account queries or config:SelectAggregateResourceConfig for queries through an aggregator.