Recording AWS Resources
AWS Config continuously detects when supported resource types are created, changed, or
deleted. AWS Config records these events as configuration items (CIs). You can customize
AWS Config to record configuration changes for all supported resource types, or for only the supported resource types that are
relevant to you. For a list of supported resource types that AWS Config can record, see Supported Resource Types.
High Number of AWS Config Evaluations
You may notice increased activity in your account during your initial month recording with AWS Config when compared to subsequent months.
During the initial bootstrapping process, AWS Config runs evaluations on all the resources in your account that you have selected for AWS Config to record.
If you are running ephemeral workloads, you may see increased activity from AWS Config as it
records configuration changes associated with creating and deleting these temporary resources.
An ephemeral workload is a temporary use of computing resources that are loaded and run when
needed. Examples include Amazon Elastic Compute Cloud (Amazon EC2) Spot Instances, Amazon EMR jobs, and AWS Auto Scaling. If
you want to avoid the increased activity from running ephemeral workloads, you can set up the configuration recorder to exclude these resource types from being recorded, or run these
types of workloads in a separate account with AWS Config turned off to avoid increased configuration
recording and rule evaluations.
Region availability
Before specifying a resource type for AWS Config to track,
check Resource Coverage by Region availability
to see if the resource type is supported in the AWS Region where you set up AWS Config.
If a resource type is supported by AWS Config in at least one Region,
you can enable the recording of that resource type in all Regions supported by AWS Config,
even if the specified resource type is not supported in the AWS Region where you set up AWS Config.
What are the differences between Regional and global resources?
- Regional resources
Regional resources are tied to a Region and can be used only in that Region. You create them in a specified AWS Region, and then they exist in that Region. To see or interact with those resources, you must direct your operations to that Region. For example, to create an Amazon EC2 instance with the AWS Management Console, you choose the AWS Region that you want to create the instance in. If you use the AWS Command Line Interface (AWS CLI) to create the instance, then you include the --region parameter. The AWS SDKs each have their own equivalent mechanism to specify the Region that the operation uses.
There are several reasons for using Regional resources. One reason is to ensure that
the resources, and the service endpoints that you use to access them, are as close to
the customer as possible. This improves performance by minimizing latency. Another
reason is to provide an isolation boundary. This lets you create independent copies of
resources in multiple Regions to distribute the load and improve scalability. At the
same time, it isolates the resources from each other to improve availability.
If you specify a different AWS Region in the console or in an AWS CLI
command, then you can no longer see or interact with the resources you could
see in the previous Region.
When you look at the Amazon Resource Name (ARN) for a Regional resource, the Region that contains the resource is specified as the fourth field in the ARN. For example, an Amazon EC2 instance is a Regional resource. The following is an example of an ARN for an Amazon EC2 instance that exists in the us-east-1 Region.
arn:aws:ec2:us-east-1:123456789012:instance/i-0a6f30921424d3eee
- Global resources
Some AWS service resources are global resources, meaning that you can use the resource from anywhere. You don't specify an AWS Region in a global service's console. To access a global resource, you don't specify a --region parameter when using the service's AWS CLI and AWS SDK operations.
Global resources support cases where it is critical that only one instance of a particular resource can exist at a time. In these scenarios, replication or synchronization between copies in different Regions is not adequate. Having to access a single global endpoint, with the possible increase in latency, is considered acceptable to ensure that any changes are instantaneously visible to consumers of the resource.
For example, Amazon Aurora global clusters (AWS::RDS::GlobalCluster) are global resources, and therefore not tied to a Region.
This means that you can create a global cluster without relying on a regional endpoint.
The benefit is that, while the Amazon Relational Database Service (Amazon RDS) itself is organized by Regions,
the specific Region where a global cluster originates doesn't impact the global cluster.
It appears as a single, continuous global cluster across all Regions.
The Amazon Resource Name (ARN) for a global resource doesn't include a Region. The fourth field is
empty, such as in the following example of an ARN for a global cluster.
arn:aws:rds::123456789012:global-cluster:test-global-cluster
Global resource types onboarded to AWS Config after February 2022 will only be recorded
in the service's home Region for the commercial partition and AWS GovCloud (US-West)
for the GovCloud partition. You can view the configuration items (CIs) for these new global
resource types only in their home Region and AWS GovCloud (US-West).
Global resource types onboarded before February 2022 (AWS::IAM::Group, AWS::IAM::Policy, AWS::IAM::Role, and AWS::IAM::User) remain unchanged. You can enable the recording of these global IAM resources in all Regions where AWS Config was supported before February 2022. These global IAM resources cannot be recorded in Regions supported by AWS Config after February 2022.
- Global resource types | IAM resources
The following IAM resource types are global resources: IAM users, groups, roles, and customer managed policies. These resource types can be recorded by AWS Config in Regions where AWS Config was available before February 2022. The Regions where you cannot record the global IAM resource types include the following:
Asia Pacific (Hyderabad), Asia Pacific (Melbourne), Canada West (Calgary), Europe (Spain), Europe (Zurich), Israel (Tel Aviv), and Middle East (UAE).
To prevent duplicate configuration items (CIs), you should consider recording the global IAM resource types only once, in one of the supported Regions. This can also help you avoid unnecessary evaluations and API throttling.
- Global resource types | Home Region Only
Global resources for the following services are only recorded by AWS Config in the home Region of the global resource type: Amazon Elastic Container Registry Public, AWS Global Accelerator, Amazon Route 53, Amazon CloudFront, and AWS WAF. For these global resources, the same instance of the resource type can be used in multiple AWS Regions, but the configuration items (CIs) are only recorded in the home Region for the commercial partition or AWS GovCloud (US-West) for the AWS GovCloud (US) partition.
| AWS Service | Resource Type Value | Home Region |
| --- | --- | --- |
| Amazon Elastic Container Registry Public | AWS::ECR::PublicRepository | US East (N. Virginia) Region |
| AWS Global Accelerator | AWS::GlobalAccelerator::Listener | US West (Oregon) Region |
| AWS Global Accelerator | AWS::GlobalAccelerator::EndpointGroup | US West (Oregon) Region |
| AWS Global Accelerator | AWS::GlobalAccelerator::Accelerator | US West (Oregon) Region |
| Amazon Route 53 | AWS::Route53::HostedZone | US East (N. Virginia) Region |
| Amazon Route 53 | AWS::Route53::HealthCheck | US East (N. Virginia) Region |
| Amazon CloudFront | AWS::CloudFront::Distribution | US East (N. Virginia) Region |
| AWS WAF | AWS::WAFv2::WebACL | US East (N. Virginia) Region |
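As an added example that is not part of the AWS documentation, the following Python encodes the ARN and Region rules stated on this page: a global resource's ARN has an empty fourth field, the home-Region-only types in the table are recorded only in their home Region, the global IAM types cannot be recorded in the Regions added after February 2022, and Aurora global clusters are recorded in every enabled Region. The Region codes are my own mapping of the Region names the page uses, and the function names are mine.

```python
from dataclasses import dataclass
from typing import Set


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str   # empty for a global resource
    account: str
    resource: str


def parse_arn(arn: str) -> Arn:
    """Split an ARN into its six fields; the resource field may itself contain ':'."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return Arn(partition=parts[1], service=parts[2], region=parts[3],
               account=parts[4], resource=parts[5])


def is_global_arn(arn: str) -> bool:
    """Global resources leave the fourth (Region) field of the ARN empty."""
    return parse_arn(arn).region == ""


# Global types onboarded after February 2022: CIs exist only in the home Region
# (commercial partition). Region codes are my mapping of the names in the table above.
HOME_REGION_ONLY = {
    "AWS::ECR::PublicRepository": "us-east-1",            # US East (N. Virginia)
    "AWS::GlobalAccelerator::Listener": "us-west-2",      # US West (Oregon)
    "AWS::GlobalAccelerator::EndpointGroup": "us-west-2",
    "AWS::GlobalAccelerator::Accelerator": "us-west-2",
    "AWS::Route53::HostedZone": "us-east-1",
    "AWS::Route53::HealthCheck": "us-east-1",
    "AWS::CloudFront::Distribution": "us-east-1",
    "AWS::WAFv2::WebACL": "us-east-1",
}

# Global IAM types onboarded before February 2022.
GLOBAL_IAM_TYPES = frozenset({"AWS::IAM::User", "AWS::IAM::Group",
                              "AWS::IAM::Role", "AWS::IAM::Policy"})

# Regions this page lists as supported by AWS Config only after February 2022,
# where the global IAM types cannot be recorded (codes are my mapping).
POST_FEB_2022_REGIONS = frozenset({
    "ap-south-2",      # Asia Pacific (Hyderabad)
    "ap-southeast-4",  # Asia Pacific (Melbourne)
    "ca-west-1",       # Canada West (Calgary)
    "eu-south-2",      # Europe (Spain)
    "eu-central-2",    # Europe (Zurich)
    "il-central-1",    # Israel (Tel Aviv)
    "me-central-1",    # Middle East (UAE)
})


def recording_regions(resource_type: str, enabled_regions: Set[str]) -> Set[str]:
    """Regions, among those with an enabled recorder that records resource_type,
    where configuration items for that type can appear."""
    if resource_type in HOME_REGION_ONLY:
        home = HOME_REGION_ONLY[resource_type]
        return {home} if home in enabled_regions else set()
    if resource_type in GLOBAL_IAM_TYPES:
        return set(enabled_regions) - POST_FEB_2022_REGIONS
    # AWS::RDS::GlobalCluster is recorded in every enabled Region; a Regional
    # type is recorded in whichever enabled Region holds the resource.
    return set(enabled_regions)


def duplicates_global_iam(regions_recording_iam: Set[str]) -> bool:
    """True when the global IAM types are recorded in more than one Region,
    which produces duplicate CIs (the page recommends recording them once)."""
    return len(set(regions_recording_iam) - POST_FEB_2022_REGIONS) > 1
```

Feeding the two ARNs quoted on this page to is_global_arn classifies the Aurora global cluster as global and the EC2 instance as Regional; recording_regions shows that enabling AWS::CloudFront::Distribution in eu-west-1 alone yields no CIs at all.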
- Global resource types | Aurora global clusters
AWS::RDS::GlobalCluster is a global resource that is recorded in all supported AWS Config Regions where the configuration recorder is enabled. This global resource type is unique in that if you enable the recording of this resource in one Region, AWS Config will record configuration items (CIs) for this resource type in all your enabled Regions.
If you do not want to record AWS::RDS::GlobalCluster in all enabled Regions, use one of the following recording strategies for the AWS Config console:
- Record all resource types with customizable overrides, choose "AWS RDS GlobalCluster", and choose the override "Exclude from recording".
- Record specific resource types.
If you do not want to record AWS::RDS::GlobalCluster in all enabled Regions, use one of the following recording strategies for the API/CLI:
Recording Resources in the AWS Config Console
You can use the AWS Config console to select the types of resources that AWS Config records.
To select resources
- Sign in to the AWS Management Console and open the AWS Config console at https://console.aws.amazon.com/config/.
- Choose Settings in the left navigation pane, and then choose Edit. For the list of supported Regions, see AWS Config endpoints and quotas in the Amazon Web Services General Reference.
- In the Recording method section, choose a recording strategy. You can specify the AWS resources that you want AWS Config to record.
- All resource types with customizable overrides
Set up AWS Config to record configuration changes for all current and future supported resource types in this Region. You can override the recording frequency for specific resource types or exclude specific resource types from recording. For more information, see Supported Resource Types.
Default settings
Configure the default recording frequency for all current and future supported resource types. For more information, see Recording Frequency.
Continuous recording – AWS Config will record configuration changes continuously whenever a change occurs.
Daily recording – You will receive a configuration item (CI) representing the most recent state of your resources over the last 24-hour period, only if it’s different from the previous CI recorded.
AWS Firewall Manager depends on continuous recording to monitor your resources. If you are using Firewall Manager,
it is recommended that you set the recording frequency to Continuous.
Override settings
Override the recording frequency for specific resource types, or exclude specific resource types from recording.
If you change the recording frequency for a resource type or stop recording a resource type,
the configuration items that were already recorded will remain unchanged.
Global resource types | Aurora global clusters are initially included in recording
The AWS::RDS::GlobalCluster resource type will be recorded in all supported AWS Config Regions where the configuration recorder is enabled. If you do not want to record AWS::RDS::GlobalCluster in all enabled Regions, choose "AWS RDS GlobalCluster", and choose the override "Exclude from recording".
Global resource types | IAM resource types are initially excluded from recording
"All globally recorded IAM resource types" are initially excluded from recording to help you reduce costs. This bundle includes IAM users, groups, roles, and customer managed policies. Choose Remove to remove the override and include these resources in your recording.
The exception to this note is for US East (N. Virginia). The global IAM resource types are initially included in the US East (N. Virginia) Region as this Region functions as the home Region for the global IAM resource types.
Additionally, the global IAM resource types (AWS::IAM::User, AWS::IAM::Group, AWS::IAM::Role, and AWS::IAM::Policy) cannot be recorded in Regions supported by AWS Config after February 2022. The Regions where you cannot record the global IAM resource types include the following:
Asia Pacific (Hyderabad)
Asia Pacific (Melbourne)
Canada West (Calgary)
Europe (Spain)
Europe (Zurich)
Israel (Tel Aviv)
Middle East (UAE)
Limits
You can add up to 100 frequency overrides and 600 exclusion overrides.
Daily recording is not supported for the following resource types:
AWS::Config::ResourceCompliance
AWS::Config::ConformancePackCompliance
AWS::Config::ConfigurationRecorder
- Specific resource types
Set up AWS Config to record configuration changes for only the resource types that you specify.
Specific resource types
Choose a resource type to record and its frequency. For more information, see Recording Frequency.
Continuous recording – AWS Config will record configuration changes continuously whenever a change occurs.
Daily recording – You will receive a configuration item (CI) representing the most recent state of your resources over the last 24-hour period, only if it’s different from the previous CI recorded.
AWS Firewall Manager depends on continuous recording to monitor your resources. If you are using Firewall Manager,
it is recommended that you set the recording frequency to Continuous.
If you change the recording frequency for a resource type or stop recording a resource type, the configuration items that were already recorded will remain unchanged.
Region availability
Before specifying a resource type for AWS Config to track,
check Resource Coverage by Region availability
to see if the resource type is supported in the AWS Region where you set up AWS Config.
If a resource type is supported by AWS Config in at least one Region,
you can enable the recording of that resource type in all Regions supported by AWS Config,
even if the specified resource type is not supported in the AWS Region where you set up AWS Config.
Limits
No limits if all resource types have the same frequency. You can add up to 100 resource types with Daily frequency if at least one resource type is set to Continuous.
The Daily frequency is not supported for the following resource types:
AWS::Config::ResourceCompliance
AWS::Config::ConformancePackCompliance
AWS::Config::ConfigurationRecorder
- Choose Save to save your changes.
Recording Resources with the AWS CLI
You can use the AWS CLI to select the types of resources that you want AWS Config to record.
You do this by creating a configuration recorder, which records the types of resources that
you specify in a recording group. In the recording group, you specify whether you want to record all supported resource types, or to include or exclude specific types of resources.
- Record all current and future supported resource types
Set up AWS Config to record configuration changes for all current and future supported resource types in this Region. For more information, see Supported Resource Types.
- Use the following put-configuration-recorder command:
$ aws configservice put-configuration-recorder \
    --configuration-recorder file://configurationRecorder.json \
    --recording-group file://recordingGroup.json
This command uses the --configuration-recorder and --recording-group fields.
Recording group and configuration recorder
The --recording-group field specifies which resource types are recorded.
The --configuration-recorder field specifies name and roleArn as well as the default recording frequency for the configuration recorder (recordingMode). You can also use this field to override the recording frequency for specific resource types.
- put-configuration-recorder uses the following fields for the --recording-group parameter:
allSupported=true – AWS Config records configuration changes for all supported resource types, excluding the global IAM resource types. When AWS Config adds support for a new resource type, AWS Config starts recording resources of that type automatically.
includeGlobalResourceTypes=true – This option is a bundle which only applies to the global IAM resource types: IAM users, groups, roles, and customer managed policies. These global IAM resource types can only be recorded by AWS Config in Regions where AWS Config was available before February 2022. You cannot record the global IAM resource types in Regions supported by AWS Config after February 2022. The Regions where you cannot record the global IAM resource types include the following:
Asia Pacific (Hyderabad)
Asia Pacific (Melbourne)
Canada West (Calgary)
Europe (Spain)
Europe (Zurich)
Israel (Tel Aviv)
Middle East (UAE)
Aurora global clusters are recorded in all enabled Regions
The AWS::RDS::GlobalCluster resource type will be recorded in all supported AWS Config Regions where the configuration recorder is enabled, even if includeGlobalResourceTypes is not set to true. The includeGlobalResourceTypes option is a bundle which only applies to IAM users, groups, roles, and customer managed policies.
If you do not want to record AWS::RDS::GlobalCluster in all enabled Regions, use one of the following recording strategies:
- Record all current and future resource types excluding the types you specify (EXCLUSION_BY_RESOURCE_TYPES), or
- Record specific resource types (INCLUSION_BY_RESOURCE_TYPES).
For more information, see Selecting Which Resources are Recorded | Regional and Global Resources.
includeGlobalResourceTypes and the exclusion recording strategy
The includeGlobalResourceTypes field has no impact on the EXCLUSION_BY_RESOURCE_TYPES recording strategy. This means that the global IAM resource types (IAM users, groups, roles, and customer managed policies) will not be automatically added as exclusions for exclusionByResourceTypes when includeGlobalResourceTypes is set to false.
The includeGlobalResourceTypes field should only be used to modify the AllSupported field, as the default for the AllSupported field is to record configuration changes for all supported resource types excluding the global IAM resource types. To include the global IAM resource types when AllSupported is set to true, make sure to set includeGlobalResourceTypes to true.
To exclude the global IAM resource types for the EXCLUSION_BY_RESOURCE_TYPES recording strategy, you need to manually add them to the resourceTypes field of exclusionByResourceTypes.
Required and optional fields
Before you can set includeGlobalResourceTypes to true, set the allSupported field to true.
Optionally, you can set the useOnly field of RecordingStrategy to ALL_SUPPORTED_RESOURCE_TYPES.
Overriding fields
If you set includeGlobalResourceTypes to false but list global IAM resource types in the resourceTypes field of RecordingGroup, AWS Config will still record configuration changes for those specified resource types regardless of whether you set the includeGlobalResourceTypes field to false.
If you do not want to record configuration changes to the global IAM resource types (IAM users, groups, roles, and customer managed policies), make sure not to list them in the resourceTypes field in addition to setting the includeGlobalResourceTypes field to false.
The recordingGroup.json file specifies which types of resources AWS Config will record.
{
    "allSupported": true,
    "recordingStrategy": {
        "useOnly": "ALL_SUPPORTED_RESOURCE_TYPES"
    },
    "includeGlobalResourceTypes": true
}
- put-configuration-recorder uses the following fields for the --configuration-recorder parameter:
name – The name of the configuration recorder. AWS Config automatically assigns the name of "default" when creating the configuration recorder.
roleARN – Amazon Resource Name (ARN) of the IAM role assumed by AWS Config and used by the configuration recorder.
recordingMode – Specifies the default recording frequency that AWS Config uses to record configuration changes. AWS Config supports Continuous recording and Daily recording. Continuous recording allows you to record configuration changes continuously whenever a change occurs. Daily recording allows you to receive a configuration item (CI) representing the most recent state of your resources over the last 24-hour period, only if it’s different from the previous CI recorded.
- recordingFrequency – The default recording frequency that AWS Config uses to record configuration changes. AWS Firewall Manager depends on continuous recording to monitor your resources. If you are using Firewall Manager, it is recommended that you set the recording frequency to Continuous.
- recordingModeOverrides – This field allows you to specify your overrides for the recording mode. It is an array of recordingModeOverride objects. Each recordingModeOverride object in the recordingModeOverrides array consists of three fields:
description – A description that you provide for the override.
recordingFrequency – The recording frequency that will be applied to all the resource types specified in the override.
resourceTypes – A comma-separated list that specifies which resource types AWS Config includes in the override.
Required and optional fields
The recordingMode field for put-configuration-recorder is optional. By default, the recording frequency for the configuration recorder is set to Continuous recording.
Limits
Daily recording is not supported for the following resource types:
AWS::Config::ResourceCompliance
AWS::Config::ConformancePackCompliance
AWS::Config::ConfigurationRecorder
For the Record all current and future supported resource types (ALL_SUPPORTED_RESOURCE_TYPES) recording strategy, these resource types will be set to Continuous recording.
The configurationRecorder.json file specifies name and roleArn as well as the default recording frequency for the configuration recorder (recordingMode). You can also use this field to override the recording frequency for specific resource types.
{
    "name": "default",
    "roleARN": "arn:aws:iam::123456789012:role/config-role",
    "recordingMode": {
        "recordingFrequency": CONTINUOUS or DAILY,
        "recordingModeOverrides": [
            {
                "description": "Description you provide for the override",
                "recordingFrequency": CONTINUOUS or DAILY,
                "resourceTypes": [ Comma-separated list of resource types to include in the override ]
            }
        ]
    }
}
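As an added example that is not AWS's code, the following Python checks a recordingGroup.json and configurationRecorder.json pair against the rules and limits documented above before they go to put-configuration-recorder, and reports which global IAM types a recording group will actually record under the override rules for the exclusion and inclusion strategies. The function names and the two sample documents are constructed for this example.

```python
from typing import Dict, List, Set

GLOBAL_IAM_TYPES = frozenset({"AWS::IAM::User", "AWS::IAM::Group",
                              "AWS::IAM::Role", "AWS::IAM::Policy"})
NO_DAILY_TYPES = frozenset({"AWS::Config::ResourceCompliance",        # Daily recording is
                            "AWS::Config::ConformancePackCompliance",  # not supported for
                            "AWS::Config::ConfigurationRecorder"})     # these three types
FREQUENCIES = ("CONTINUOUS", "DAILY")
MAX_FREQUENCY_OVERRIDES, MAX_EXCLUSIONS = 100, 600   # limits stated on this page
STRATEGIES = (None, "ALL_SUPPORTED_RESOURCE_TYPES",
              "EXCLUSION_BY_RESOURCE_TYPES", "INCLUSION_BY_RESOURCE_TYPES")


def validate_recording_group(group: Dict) -> List[str]:
    """Problems in a recordingGroup document; empty means it follows the documented rules."""
    problems = []
    strategy = group.get("recordingStrategy", {}).get("useOnly")
    all_supported = bool(group.get("allSupported", False))
    include_global = bool(group.get("includeGlobalResourceTypes", False))
    explicit = group.get("resourceTypes", [])
    excluded = group.get("exclusionByResourceTypes", {}).get("resourceTypes", [])

    if strategy not in STRATEGIES:
        return [f"unknown recording strategy {strategy!r}"]
    if include_global and not all_supported:
        problems.append("includeGlobalResourceTypes=true requires allSupported=true")
    if strategy == "EXCLUSION_BY_RESOURCE_TYPES":
        if all_supported or include_global:
            problems.append("EXCLUSION_BY_RESOURCE_TYPES requires allSupported and "
                            "includeGlobalResourceTypes to be false or omitted")
        if len(excluded) > MAX_EXCLUSIONS:
            problems.append(f"{len(excluded)} exclusions exceed the limit of {MAX_EXCLUSIONS}")
    elif strategy == "INCLUSION_BY_RESOURCE_TYPES":
        if all_supported or include_global:
            problems.append("INCLUSION_BY_RESOURCE_TYPES requires allSupported and "
                            "includeGlobalResourceTypes to be false or omitted")
        if not explicit:
            problems.append("INCLUSION_BY_RESOURCE_TYPES needs at least one resourceTypes entry")
    elif strategy is None and not all_supported and not explicit:
        problems.append("empty recording group: set allSupported, list resourceTypes, "
                        "or set recordingStrategy.useOnly")
    # Remaining cases are valid: ALL_SUPPORTED_RESOURCE_TYPES / allSupported=true,
    # or a plain resourceTypes list (recordingStrategy is optional there).
    return problems


def recorded_global_iam_types(group: Dict) -> Set[str]:
    """Global IAM types the group records under this page's override rules
    (in a Region where AWS Config was available before February 2022)."""
    if group.get("recordingStrategy", {}).get("useOnly") == "EXCLUSION_BY_RESOURCE_TYPES":
        # includeGlobalResourceTypes=false does not exclude them; only explicit exclusions do.
        excluded = set(group.get("exclusionByResourceTypes", {}).get("resourceTypes", []))
        return set(GLOBAL_IAM_TYPES - excluded)
    if group.get("allSupported") and group.get("includeGlobalResourceTypes"):
        return set(GLOBAL_IAM_TYPES)
    # Types listed in resourceTypes are recorded even with includeGlobalResourceTypes=false.
    return set(GLOBAL_IAM_TYPES & set(group.get("resourceTypes", [])))


def validate_recording_mode(mode: Dict) -> List[str]:
    """Problems in the recordingMode part of configurationRecorder.json."""
    problems = []
    default = mode.get("recordingFrequency", "CONTINUOUS")  # Continuous is the documented default
    if default not in FREQUENCIES:
        problems.append(f"recordingFrequency must be one of {FREQUENCIES}, got {default!r}")
    overrides = mode.get("recordingModeOverrides", [])
    if len(overrides) > MAX_FREQUENCY_OVERRIDES:
        problems.append(f"{len(overrides)} overrides exceed the limit of {MAX_FREQUENCY_OVERRIDES}")
    for i, override in enumerate(overrides):
        freq = override.get("recordingFrequency")
        if freq not in FREQUENCIES:
            problems.append(f"override {i}: recordingFrequency must be one of {FREQUENCIES}")
        elif freq == "DAILY":
            for rtype in sorted(NO_DAILY_TYPES & set(override.get("resourceTypes", []))):
                problems.append(f"override {i}: {rtype} does not support Daily recording")
    return problems


# Constructed sample: the exclusion strategy shown on this page, plus a Daily override
# that deliberately names a type the page says cannot use Daily recording.
SAMPLE_RECORDER = {
    "name": "default",
    "roleARN": "arn:aws:iam::123456789012:role/config-role",
    "recordingMode": {
        "recordingFrequency": "CONTINUOUS",
        "recordingModeOverrides": [{
            "description": "daily compliance snapshots (invalid on purpose)",
            "recordingFrequency": "DAILY",
            "resourceTypes": ["AWS::Config::ResourceCompliance", "AWS::EC2::Volume"]}]}}
SAMPLE_GROUP = {
    "allSupported": False,
    "exclusionByResourceTypes": {"resourceTypes": ["AWS::Redshift::ClusterSnapshot"]},
    "includeGlobalResourceTypes": False,
    "recordingStrategy": {"useOnly": "EXCLUSION_BY_RESOURCE_TYPES"}}
```

Running the checks on SAMPLE_RECORDER flags the Daily override on AWS::Config::ResourceCompliance, and recorded_global_iam_types(SAMPLE_GROUP) returns all four IAM types, because includeGlobalResourceTypes=false does not exclude them under EXCLUSION_BY_RESOURCE_TYPES.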
- (Optional) To verify that your configuration recorder has the settings that you want, use the following describe-configuration-recorders command.
$ aws configservice describe-configuration-recorders
The following is an example response.
{
    "ConfigurationRecorders": [
        {
            "name": "default",
            "recordingGroup": {
                "allSupported": true,
                "exclusionByResourceTypes": {
                    "resourceTypes": []
                },
                "includeGlobalResourceTypes": true,
                "recordingStrategy": {
                    "useOnly": "ALL_SUPPORTED_RESOURCE_TYPES"
                },
                "resourceTypes": []
            },
            "recordingMode": {
                "recordingFrequency": CONTINUOUS or DAILY,
                "recordingModeOverrides": [
                    {
                        "description": "Description you provide for the override",
                        "recordingFrequency": CONTINUOUS or DAILY,
                        "resourceTypes": [ Comma-separated list of resource types to include in the override ]
                    }
                ]
            },
            "roleARN": "arn:aws:iam::123456789012:role/config-role"
        }
    ]
}
- Record all current and future supported resource types excluding the types you specify
Set up AWS Config to record configuration changes for all current and future supported resource types, including global resource types, except the resource types that you specify to exclude from recording. If you choose to stop recording for a resource type, the configuration items that were already recorded will remain unchanged. For more information, see Supported Resource Types.
This command uses the --configuration-recorder and --recording-group fields.
$ aws configservice put-configuration-recorder \
    --configuration-recorder file://configurationRecorder.json \
    --recording-group file://recordingGroup.json
Recording group and configuration recorder
The --recording-group field specifies which resource types are recorded.
The --configuration-recorder field specifies name and roleArn as well as the default recording frequency for the configuration recorder (recordingMode). You can also use this field to override the recording frequency for specific resource types.
- Use the put-configuration-recorder command, and pass one or more resource types to exclude in the resourceTypes field of exclusionByResourceTypes, as shown in the following example.
- The recordingGroup.json file specifies which types of resources AWS Config will record.
{
    "allSupported": false,
    "exclusionByResourceTypes": {
        "resourceTypes": [
            "AWS::Redshift::ClusterSnapshot",
            "AWS::RDS::DBClusterSnapshot",
            "AWS::CloudFront::StreamingDistribution"
        ]
    },
    "includeGlobalResourceTypes": false,
    "recordingStrategy": {
        "useOnly": "EXCLUSION_BY_RESOURCE_TYPES"
    }
}
Before you can specify resource types to exclude in the recording:
- You must set the allSupported and includeGlobalResourceTypes fields of the --recording-group parameter to false or omit them.
- You must set the useOnly field of RecordingStrategy to EXCLUSION_BY_RESOURCE_TYPES.
Overriding fields
If you choose EXCLUSION_BY_RESOURCE_TYPES for the recording strategy, the exclusionByResourceTypes field will override other properties in the request.
For example, even if you set includeGlobalResourceTypes to false, the global IAM resource types will still be automatically recorded in this option, unless those resource types are specifically listed as exclusions in the resourceTypes field of exclusionByResourceTypes.
Global resource types and the resource exclusion recording strategy
By default, if you choose the EXCLUSION_BY_RESOURCE_TYPES recording strategy, when AWS Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types, AWS Config starts recording resources of that type automatically.
Unless specifically listed as exclusions, AWS::RDS::GlobalCluster will be recorded automatically in all supported AWS Config Regions where the configuration recorder is enabled. IAM users, groups, roles, and customer managed policies will be recorded in the Region where you set up the configuration recorder if that is a Region where AWS Config was available before February 2022.
You cannot record the global IAM resource types in Regions supported by AWS Config after February 2022. The Regions where you cannot record the global IAM resource types include the following:
Asia Pacific (Hyderabad)
Asia Pacific (Melbourne)
Canada West (Calgary)
Europe (Spain)
Europe (Zurich)
Israel (Tel Aviv)
Middle East (UAE)
- put-configuration-recorder uses the following fields for the --configuration-recorder parameter:
name – The name of the configuration recorder. AWS Config automatically assigns the name of "default" when creating the configuration recorder.
roleARN – Amazon Resource Name (ARN) of the IAM role assumed by AWS Config and used by the configuration recorder.
recordingMode – Specifies the default recording frequency that AWS Config uses to record configuration changes. AWS Config supports Continuous recording and Daily recording. Continuous recording allows you to record configuration changes continuously whenever a change occurs. Daily recording allows you to receive a configuration item (CI) representing the most recent state of your resources over the last 24-hour period, only if it’s different from the previous CI recorded.
- recordingFrequency – The default recording frequency that AWS Config uses to record configuration changes. AWS Firewall Manager depends on continuous recording to monitor your resources. If you are using Firewall Manager, it is recommended that you set the recording frequency to Continuous.
- recordingModeOverrides – This field allows you to specify your overrides for the recording mode. It is an array of recordingModeOverride objects. Each recordingModeOverride object in the recordingModeOverrides array consists of three fields:
description – A description that you provide for the override.
recordingFrequency – The recording frequency that will be applied to all the resource types specified in the override.
resourceTypes – A comma-separated list that specifies which resource types AWS Config includes in the override.
Required and optional fields
The recordingMode field for put-configuration-recorder is optional. By default, the recording frequency for the configuration recorder is set to Continuous recording.
Limits
Daily recording is not supported for the following resource types:
AWS::Config::ResourceCompliance
AWS::Config::ConformancePackCompliance
AWS::Config::ConfigurationRecorder
For the Record all current and future supported resource types (ALL_SUPPORTED_RESOURCE_TYPES) recording strategy, these resource types will be set to Continuous recording.
The configurationRecorder.json file specifies name and roleArn as well as the default recording frequency for the configuration recorder (recordingMode). You can also use this field to override the recording frequency for specific resource types.
{
    "name": "default",
    "roleARN": "arn:aws:iam::123456789012:role/config-role",
    "recordingMode": {
        "recordingFrequency": CONTINUOUS or DAILY,
        "recordingModeOverrides": [
            {
                "description": "Description you provide for the override",
                "recordingFrequency": CONTINUOUS or DAILY,
                "resourceTypes": [ Comma-separated list of resource types to include in the override ]
            }
        ]
    }
}
- (Optional) To verify that your configuration recorder has the settings that you want, use the following describe-configuration-recorders command.
$ aws configservice describe-configuration-recorders
The following is an example response.
{
    "ConfigurationRecorders": [
        {
            "name": "default",
            "recordingGroup": {
                "allSupported": false,
                "exclusionByResourceTypes": {
                    "resourceTypes": [
                        "AWS::Redshift::ClusterSnapshot",
                        "AWS::RDS::DBClusterSnapshot",
                        "AWS::CloudFront::StreamingDistribution"
                    ]
                },
                "includeGlobalResourceTypes": false,
                "recordingStrategy": {
                    "useOnly": "EXCLUSION_BY_RESOURCE_TYPES"
                },
                "resourceTypes": []
            },
            "recordingMode": {
                "recordingFrequency": CONTINUOUS or DAILY,
                "recordingModeOverrides": [
                    {
                        "description": "Description you provide for the override",
                        "recordingFrequency": CONTINUOUS or DAILY,
                        "resourceTypes": [ Comma-separated list of resource types to include in the override ]
                    }
                ]
            },
            "roleARN": "arn:aws:iam::123456789012:role/config-role"
        }
    ]
}
- Record specific resource types
Set up AWS Config to record configuration changes for only the resource types that you specify. If you choose to stop recording for a resource type, the configuration items that were already recorded will remain unchanged.
This command uses the --configuration-recorder and --recording-group fields.
$ aws configservice put-configuration-recorder \
    --configuration-recorder file://configurationRecorder.json \
    --recording-group file://recordingGroup.json
Recording group and configuration recorder
The --recording-group field specifies which resource types are recorded.
The --configuration-recorder field specifies name and roleArn as well as the default recording frequency for the configuration recorder (recordingMode). You can also use this field to override the recording frequency for specific resource types.
- Use the put-configuration-recorder command, and pass one or more resource types in the resourceTypes field of recordingGroup, as shown in the following example.
- The recordingGroup.json file specifies which types of resources AWS Config will record.
{
    "allSupported": false,
    "recordingStrategy": {
        "useOnly": "INCLUSION_BY_RESOURCE_TYPES"
    },
    "includeGlobalResourceTypes": false,
    "resourceTypes": [
        "AWS::EC2::EIP",
        "AWS::EC2::Instance",
        "AWS::EC2::NetworkAcl",
        "AWS::EC2::SecurityGroup",
        "AWS::CloudTrail::Trail",
        "AWS::EC2::Volume",
        "AWS::EC2::VPC",
        "AWS::IAM::User",
        "AWS::IAM::Policy"
    ]
}
Required and optional fields
Before you can specify resource types to include in recording, you must set the allSupported and includeGlobalResourceTypes fields to false, or omit them.
The recordingStrategy field is optional when you list resource types in the resourceTypes field of --recording-group.
Region availability
Before specifying a resource type for AWS Config to track, check Resource Coverage by Region availability to see if the resource type is supported in the AWS Region where you set up AWS Config.
If a resource type is supported by AWS Config in at least one Region, you can enable the recording of that resource type in all Regions supported by AWS Config, even if the specified resource type is not supported in the AWS Region where you set up AWS Config.
- put-configuration-recorder uses the following fields for the --configuration-recorder parameter:
  name – The name of the configuration recorder. AWS Config automatically assigns the name of "default" when creating the configuration recorder.
  roleARN – Amazon Resource Name (ARN) of the IAM role assumed by AWS Config and used by the configuration recorder.
  recordingMode – Specifies the default recording frequency that AWS Config uses to record configuration changes. AWS Config supports Continuous recording and Daily recording. Continuous recording allows you to record configuration changes continuously whenever a change occurs. Daily recording allows you to receive a configuration item (CI) representing the most recent state of your resources over the last 24-hour period, only if it’s different from the previous CI recorded.
    - recordingFrequency – The default recording frequency that AWS Config uses to record configuration changes. AWS Firewall Manager depends on continuous recording to monitor your resources. If you are using Firewall Manager, it is recommended that you set the recording frequency to Continuous.
    - recordingModeOverrides – This field allows you to specify your overrides for the recording mode. It is an array of recordingModeOverride objects. Each recordingModeOverride object in the recordingModeOverrides array consists of three fields:
      description – A description that you provide for the override.
      recordingFrequency – The recording frequency that will be applied to all the resource types specified in the override.
      resourceTypes – A comma-separated list that specifies which resource types AWS Config includes in the override.
Required and optional fields
The recordingMode field for put-configuration-recorder is optional. By default, the recording frequency for the configuration recorder is set to Continuous recording.
Limits
Daily recording is not supported for the following resource types:
  AWS::Config::ResourceCompliance
  AWS::Config::ConformancePackCompliance
  AWS::Config::ConfigurationRecorder
For the Record all current and future supported resource types (ALL_SUPPORTED_RESOURCE_TYPES) recording strategy, these resource types will be set to Continuous recording.
The configurationRecorder.json file specifies name and roleARN as well as the default recording frequency for the configuration recorder (recordingMode). You can also use this field to override the recording frequency for specific resource types.
{
    "name": "default",
    "roleARN": "arn:aws:iam::123456789012:role/config-role",
    "recordingMode": {
        "recordingFrequency": CONTINUOUS or DAILY,
        "recordingModeOverrides": [
            {
                "description": "Description you provide for the override",
                "recordingFrequency": CONTINUOUS or DAILY,
                "resourceTypes": [ Comma-separated list of resource types to include in the override ]
            }
        ]
    }
}
- (Optional) To verify that your configuration recorder has the settings that you want, use the following describe-configuration-recorders command.
$ aws configservice describe-configuration-recorders
The following is an example response.
{
    "ConfigurationRecorders": [
        {
            "name": "default",
            "recordingGroup": {
                "allSupported": false,
                "exclusionByResourceTypes": {
                    "resourceTypes": []
                },
                "includeGlobalResourceTypes": false,
                "recordingStrategy": {
                    "useOnly": "INCLUSION_BY_RESOURCE_TYPES"
                },
                "resourceTypes": [
                    "AWS::EC2::EIP",
                    "AWS::EC2::Instance",
                    "AWS::EC2::NetworkAcl",
                    "AWS::EC2::SecurityGroup",
                    "AWS::CloudTrail::Trail",
                    "AWS::EC2::Volume",
                    "AWS::EC2::VPC",
                    "AWS::IAM::User",
                    "AWS::IAM::Policy"
                ]
            },
            "recordingMode": {
                "recordingFrequency": CONTINUOUS or DAILY,
                "recordingModeOverrides": [
                    {
                        "description": "Description you provide for the override",
                        "recordingFrequency": CONTINUOUS or DAILY,
                        "resourceTypes": [ Comma-separated list of resource types to include in the override ]
                    }
                ]
            },
            "roleARN": "arn:aws:iam::123456789012:role/config-role"
        }
    ]
}
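As an added example (not code from the AWS documentation), the following Python reads a describe-configuration-recorders response, resolves the effective recording frequency of each resource type from the default and its overrides, and flags change-sensitive types that fall back to Daily recording as well as Daily overrides on the three AWS::Config types the Limits section excludes. The response document is constructed for the example.

```python
import json

# Resource types for which the page says Daily recording is not supported.
NO_DAILY = {"AWS::Config::ResourceCompliance", "AWS::Config::ConformancePackCompliance",
            "AWS::Config::ConfigurationRecorder"}

# Constructed sample (assumed values, not real account output): a recorder that
# defaults to DAILY but overrides two change-sensitive types to CONTINUOUS.
SAMPLE = json.loads("""{
  "ConfigurationRecorders": [{
    "name": "default",
    "roleARN": "arn:aws:iam::123456789012:role/config-role",
    "recordingGroup": {
      "allSupported": false,
      "includeGlobalResourceTypes": false,
      "recordingStrategy": {"useOnly": "INCLUSION_BY_RESOURCE_TYPES"},
      "resourceTypes": ["AWS::EC2::SecurityGroup", "AWS::IAM::User", "AWS::CloudTrail::Trail"]
    },
    "recordingMode": {
      "recordingFrequency": "DAILY",
      "recordingModeOverrides": [{
        "description": "keep change-sensitive types continuous",
        "recordingFrequency": "CONTINUOUS",
        "resourceTypes": ["AWS::EC2::SecurityGroup", "AWS::CloudTrail::Trail"]
      }]
    }
  }]
}""")["ConfigurationRecorders"][0]

def effective_frequency(recorder, resource_type):
    # An override wins; otherwise the recorder default, which is CONTINUOUS when recordingMode is omitted.
    mode = recorder.get("recordingMode", {})
    for override in mode.get("recordingModeOverrides", []):
        if resource_type in override.get("resourceTypes", []):
            return override["recordingFrequency"]
    return mode.get("recordingFrequency", "CONTINUOUS")

def audit_recorder(recorder, must_be_continuous):
    # Flag change-sensitive types left on DAILY, and DAILY overrides on unsupported types.
    findings = []
    recorded = set(recorder.get("recordingGroup", {}).get("resourceTypes", []))
    for rt in sorted(recorded & set(must_be_continuous)):
        if effective_frequency(recorder, rt) != "CONTINUOUS":
            findings.append(f"{rt} is recorded DAILY; changes between snapshots are not captured")
    for override in recorder.get("recordingMode", {}).get("recordingModeOverrides", []):
        if override["recordingFrequency"] == "DAILY":
            for rt in sorted(set(override.get("resourceTypes", [])) & NO_DAILY):
                findings.append(f"{rt} does not support DAILY recording")
    return findings
```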
Recording Frequency
AWS Config supports Continuous recording and Daily recording. Continuous recording allows you to record configuration changes continuously whenever a change occurs. Daily recording allows you to receive a configuration item (CI) representing the most recent state of your resources over the last 24-hour period, only if it’s different from the previous CI recorded.
Continuous recording
Some benefits of continuous recording include:
Real-time Monitoring: Continuous recording can provide immediate detection of unauthorized changes or unexpected alterations, which can enhance your security and compliance efforts.
Detailed Analysis: Continuous recording can allow you to perform in-depth analysis of configuration changes to your resources as they occur, which can allow you to identify patterns and trends in the moment.
Daily recording
Some benefits of daily recording include:
Minimal Disruption: Daily recording can provide you with a more manageable flow of information, which can reduce the frequency of notifications and alert fatigue.
Cost Efficiency: Daily recording can provide you with the flexibility to record changes to your resources at a lower frequency, which can reduce costs related to the number of configuration changes recorded.
AWS Firewall Manager depends on continuous recording to monitor your resources. If you are using Firewall Manager, it is recommended that you set the recording frequency to Continuous.
Stopping the Recording of Resources
You can stop AWS Config from recording a type of resource at any time. After AWS Config stops recording a resource, it retains the configuration information that was previously captured, and you can continue to access this information.
Non-recorded Resources
If a resource is not recorded, AWS Config captures only the creation and deletion of that resource, and no other details, at no cost to you. When a non-recorded resource is created or deleted, AWS Config sends a notification, and it displays the event on the resource details page. The details page for a non-recorded resource provides null values for most configuration details, and it does not provide information about relationships and configuration changes.
The AWS::IAM::User, AWS::IAM::Policy, AWS::IAM::Group, and AWS::IAM::Role resource types will only capture the creation (ResourceNotRecorded) and deletion (ResourceDeletedNotRecorded) states if the resource is, or previously was, selected as a resource to record in the configuration recorder.
The configuration items (CIs) for ResourceNotRecorded and ResourceDeletedNotRecorded do not follow the typical recording time for resource types. These resource types are only recorded during the periodic baselining process for the configuration recorder, which is at a less frequent cadence than that for the other resource types.
The relationship information that AWS Config provides for recorded resources is not limited because of missing data for non-recorded resources. If a recorded resource is related to a non-recorded resource, that relationship is provided in the details page of the recorded resource.
AWS Config Rules and Global Resource Types
The global IAM resource types onboarded before February 2022 (AWS::IAM::Group, AWS::IAM::Policy, AWS::IAM::Role, and AWS::IAM::User) can only be recorded by AWS Config in Regions where AWS Config was available before February 2022. These global IAM resource types cannot be recorded in Regions supported by AWS Config after February 2022. For a list of those Regions, see Recording AWS Resources | Global Resources.
If you record a global IAM resource type in at least one Region, periodic rules that report compliance on the global IAM resource type will run evaluations in all Regions where the periodic rule is added, even if you have not enabled the recording of the global IAM resource type in the Region where the periodic rule was added.
Best Practices for reporting compliance on global resources onboarded before February 2022
To avoid unnecessary evaluations, you should only deploy AWS Config rules and conformance packs that have these global resources in scope to one of the supported Regions. For a list of which managed rules are supported in which Regions, see List of AWS Config Managed Rules by Region Availability. This applies to AWS Config rules, organizational AWS Config rules, and also rules created by other AWS services, such as AWS Security Hub and AWS Control Tower.
If you are not recording global resource types onboarded before February 2022, it is recommended that you do not enable the following periodic rules to avoid unnecessary evaluations:
Best Practices for reporting compliance on global resources onboarded after February 2022
Global resource types onboarded to AWS Config recording after February 2022 will be recorded only in the service's home Region for the commercial partition and AWS GovCloud (US-West) for the AWS GovCloud (US) partition. You should deploy AWS Config rules and conformance packs that have these global resources in scope only to the resource type's home Region. For more information, see Home Regions for Global Resource Types.