Supported Resources, Configuration Items, and Relationships

AWS Config supports the following AWS resources, configuration items, and resource relationships.

Contents

Supported AWS Resource Types

AWS Config supports the following AWS resources.

AWS Service	Resource Type	`resourceType` Value
AWS Certificate Manager	Certificate	`AWS::ACM::Certificate`
AWS CloudTrail	Trail	`AWS::CloudTrail::Trail`
Amazon Elastic Block Store	Amazon EBS volume	`AWS::EC2::Volume`
Amazon Elastic Compute Cloud	EC2 Dedicated host¹	`AWS::EC2::Host`
	EC2 Elastic IP (VPC only)	`AWS::EC2::EIP`
	EC2 instance	`AWS::EC2::Instance`
	EC2 network interface	`AWS::EC2::NetworkInterface`
	EC2 security group	`AWS::EC2::SecurityGroup`
Amazon EC2 Systems Manager	Managed instance inventory²	`AWS::SSM::ManagedInstanceInventory`
Elastic Load Balancing	Application load balancer	`AWS::ElasticLoadBalancingV2::LoadBalancer`
AWS Identity and Access Management³	IAM user⁴	`AWS::IAM::User`
	IAM group⁴	`AWS::IAM::Group`
	IAM role⁴	`AWS::IAM::Role`
	IAM customer managed policy	`AWS::IAM::Policy`
Amazon Redshift	Cluster	`AWS::Redshift::Cluster`
	Cluster parameter group	`AWS::Redshift::ClusterParameterGroup`
	Cluster security group	`AWS::Redshift::ClusterSecurityGroup`
	Cluster snapshot	`AWS::Redshift::ClusterSnapshot`
	Cluster subnet group	`AWS::Redshift::ClusterSubnetGroup`
	Event subscription	`AWS::Redshift::EventSubscription`
Amazon Relational Database Service	RDS DB instance	`AWS::RDS::DBInstance`
	RDS DB security group	`AWS::RDS::DBSecurityGroup`
	RDS DB snapshot	`AWS::RDS::DBSnapshot`
	RDS DB subnet group	`AWS::RDS::DBSubnetGroup`
	Event subscription	`AWS::RDS::EventSubscription`
Amazon Simple Storage Service	Amazon S3 bucket⁵	`AWS::S3::Bucket`
Amazon Virtual Private Cloud	Customer gateway	`AWS::EC2::CustomerGateway`
	Internet gateway	`AWS::EC2::InternetGateway`
	Network access control list (ACL)	`AWS::EC2::NetworkAcl`
	Route table	`AWS::EC2::RouteTable`
	Subnet	`AWS::EC2::Subnet`
	Virtual private cloud (VPC)	`AWS::EC2::VPC`
	VPN connection	`AWS::EC2::VPNConnection`
	VPN gateway	`AWS::EC2::VPNGateway`

Notes

AWS Config records the configuration details of Dedicated hosts and the instances that you launch on them. As a result, you can use AWS Config as a data source when you report compliance with your server-bound software licenses. For example, you can view the configuration history of an instance and determine which Amazon Machine Image (AMI) it is based on. Then, you can look up the configuration history of the host, which includes details such as the numbers of sockets and cores, to verify that the host complies with the license requirements of the AMI. For more information, see Tracking Configuration Changes with AWS Config in the Amazon EC2 User Guide for Linux Instances.
To learn more about managed instance inventory, see Recording software configuration for managed instances.
AWS Identity and Access Management (IAM) resources are global resources. Global resources are not tied to an individual region and can be used in all regions. The configuration details for a global resource are the same in all regions. For more information, see Selecting Which Resources AWS Config Records.
AWS Config includes inline policies with the configuration details that it records.
If you configured AWS Config to record your S3 buckets, and are not receiving configuration change notifications, verify your S3 bucket policies have the required permissions. For more information, see Troubleshooting for recording S3 buckets.

Recording software configuration for managed instances

You can use AWS Config to record software inventory changes on EC2 instances and on-premises servers. This enables you to see the historical changes to software configuration. For example, when a new Windows update is installed on a managed Windows instance, AWS Config records the changes and then sends the changes to your delivery channels, so that you are notified about the change. With AWS Config, you can see the history of when Windows updates were installed for the managed instance and how they changed over time.

You must complete the following steps to record software configuration changes:

Turn on recording for the managed instance inventory resource type in AWS Config
Configure EC2 and on-premises instances as managed instances
Initiate collection of software inventory from your managed instances

You can also use AWS Config rules to monitor software configuration changes and be notified whether the changes are compliant or noncompliant against your rules. For example, if you create a rule that checks whether your managed instances have a specified application, and an instance doesn't have that application installed, AWS Config flags that instance as noncompliant against your rule. For a list of AWS Config managed rules, see AWS Managed Rules.

To enable recording of software configuration changes in AWS Config:

Turn on recording for all supported resource types or selectively record the managed instance inventory resource type in AWS Config. For more information, see Selecting Which Resources AWS Config Records.
Launch an Amazon EC2 instance with an IAM role and the AmazonEC2RoleforSSM policy. You may also need to install an SSM Agent. For more information, see Systems Manager Prerequisites in the Amazon EC2 User Guide for Linux Instances or Systems Manager Prerequisites in the Amazon EC2 User Guide for Windows Instances.
Initiate inventory collection as described in Configuring Inventory Collection in the Amazon EC2 User Guide for Linux Instances. The procedures are the same for Linux and Windows instances.
AWS Config can record configuration changes for the following inventory types:
- Applications – A list of applications for managed instances, such as antivirus software.
- AWS components – A list of AWS components for managed instances, such as the AWS CLI and SDKs.
- Instance information – Instance information such as OS name and version, domain, and firewall status.
- Network configuration – Configuration information such as IP address, gateway, and subnet mask.
- Windows Updates – A list of Windows updates for managed instances (Windows instances only).
Note
AWS Config doesn't support recording the custom inventory type at this time.

Inventory collection is one of many Amazon EC2 Systems Manager capabilities, which also includes applying operating system patches and configuring instances at scale. For more information, see Amazon EC2 Systems Manager in the Amazon EC2 User Guide for Linux Instances or Amazon EC2 Systems Manager in the Amazon EC2 User Guide for Windows Instances.

Components of a Configuration Item

A configuration item consists of the following components.

Component	Description	Contains
Metadata	Information about this configuration item	Version ID Configuration item ID Time when the configuration item was captured Status of the configuration item indicating whether the item was captured successfully State ID indicating the ordering of the configuration items of a resource A unique MD5Hash representing the state of a configuration item that can be used to compare two states of two or more configuration items of the same resource
Attributes¹	Resource attributes	Resource ID List of key–value tags for this resource Resource type; see Supported AWS Resource Types Amazon Resource Name (ARN) Availability Zone that contains this resource, if applicable Time the resource was created
Relationships	How the resource is related to other resources associated with the account	Description of the relationship, such as Amazon EBS volume `vol-1234567` is attached to an Amazon EC2 instance `i-a1b2c3d4`
Current configuration	Information returned through a call to the Describe or List API of the resource	For example, `DescribeVolumes` API returns the following information about the volume: Availability Zone the volume is in Time the volume was attached ID of the EC2 instance it is attached to Current status of the volume State of DeleteOnTermination flag Device the volume is attached to Type of volume, such as `gp2, io1,` or `standard`
Related events	The AWS CloudTrail events that is related to the current configuration of the resource	CloudTrail event ID

Notes

A configuration item relationship does not include network flow or data flow dependencies. Configuration items cannot be customized to represent your application architecture.
AWS Config also records the following attributes for the Amazon S3 bucket resource type. For more information about the attributes, see Bucket Configuration Options in the Amazon Simple Storage Service Developer Guide.

Amazon S3 Bucket Attributes

Attributes	Description
AccelerateConfiguration	Transfer acceleration for data over long distances between your client and a bucket.
BucketAcl	Access control list used to manage access to buckets and objects.
BucketPolicy	Policy that defines the permissions to the bucket.
CrossOriginConfiguration	Allow cross-origin requests to the bucket.
LifecycleConfiguration	Rules that define the lifecycle for objects in your bucket.
LoggingConfiguration	Logging used to track requests for access to the bucket.
NotificationConfiguration	Event notifications used to send alerts or trigger workflows for specified bucket events.
ReplicationConfiguration	Automatic, asynchronous copying of objects across buckets in different AWS Regions.
RequestPaymentConfiguration	Requester pays is enabled.
TaggingConfiguration	Tags added to the bucket to categorize. You can also use tagging to track billing.
WebsiteConfiguration	Static website hosting is enabled for the bucket.
VersioningConfiguration	Versioning is enabled for objects in the bucket.

Supported Resource Relationships

AWS Config supports the following relationships between different resources.

Note

AWS Config can create multiple configuration items when a resource is changed and that resource is related to other resources. For more information, see Configuration Items for Resources with Relationships.

Resource	Relationship	Related Resource
Amazon EBS volume	is attached to	EC2 instance
Amazon Redshift cluster	is associated with	Cluster parameter group
		Cluster security group
		Cluster subnet group
		Security group
		Virtual private cloud (VPC)
Amazon Redshift cluster snapshot	is associated with	Cluster
Amazon Redshift cluster snapshot	is associated with	Virtual private cloud (VPC)
Amazon Redshift cluster subnet group	is associated with	Subnet
Amazon Redshift cluster subnet group	is associated with	Virtual private cloud (VPC)
Application load balancer	is associated with	EC2 security group
	is attached to	Subnet
	is contained in	Virtual private cloud (VPC)
Customer gateway	is attached to	VPN connection
EC2 Dedicated host	contains	EC2 instance
EC2 Elastic IP (EIP)	is attached to	EC2 instance
EC2 Elastic IP (EIP)	is attached to	Network interface
EC2 instance	contains	EC2 network interface
	is associated with	EC2 security group
	is attached to	Amazon EBS volume
	is attached to	EC2 Elastic IP (EIP)
	is contained in	EC2 Dedicated host
		Route table
		Subnet
		Virtual private cloud (VPC)
EC2 network interface	is associated with	EC2 security group
	is attached to	EC2 Elastic IP (EIP)
	is attached to	EC2 instance
	is contained in	Route table
		Subnet
		Virtual private cloud (VPC)
EC2 security group	is associated with	EC2 instance
		EC2 network interface
		Virtual private cloud (VPC)
IAM user	is attached to	IAM group
IAM user	is attached to	IAM customer managed policy
IAM group	contains	IAM user
IAM group	is attached to	IAM customer managed policy
IAM role	is attached to	IAM customer managed policy
IAM customer managed policy	is attached to	IAM user
		IAM group
		IAM role
Internet gateway	is attached to	Virtual private cloud (VPC)
Managed instance inventory	is associated with	EC2 instance
Network ACL	is attached to	Subnet
Network ACL	is contained in	Virtual private cloud (VPC)
RDS DB instance	is associated with	EC2 security group
		RDS DB security group
		RDS DB subnet group
RDS DB security group	is associated with	EC2 security group
RDS DB security group	is associated with	Virtual private cloud (VPC)
RDS DB snapshot	is associated with	Virtual private cloud (VPC)
RDS DB subnet group	is associated with	EC2 subnet
RDS DB subnet group	is associated with	Virtual private cloud (VPC)
Route table	contains	EC2 instance
		EC2 network interface
		Subnet
		VPN gateway
	is contained in	Virtual private cloud (VPC)
Subnet	contains	EC2 instance
	contains	EC2 network interface
	is attached to	Network ACL
	is contained in	Route table
	is contained in	Virtual private cloud (VPC)
Virtual private cloud (VPC)	contains	EC2 instance
		EC2 network interface
		Network ACL
		Route table
		Subnet
	is associated with	Security group
	is attached to	Internet gateway
	is attached to	VPN gateway
VPN connection	is attached to	Customer gateway
VPN connection	is attached to	VPN gateway
VPN gateway	is attached to	Virtual private cloud (VPC)
	is attached to	VPN connection
	is contained in	Route table

Document Conventions

« Previous Next »