AWS Config generates a configuration item whenever the configuration of a resource changes, and it maintains a history of the configuration items of your resources from the time you start the configuration recorder. By default, AWS Config creates configuration items for every supported resource in the region. If you don't want AWS Config to create configuration items for all supported resources, you can specify the resource types that you want it to track.
When your resources are created, updated, or deleted, AWS Config streams these configuration changes to Amazon Simple Notification Service (SNS), so that you are notified of every configuration change. AWS Config also records the relationships between resources, so that you can assess how a change to one resource may affect other resources.
By default, AWS Config is not enabled in every region. To improve the security posture of your AWS resources, enable AWS Config in all regions.
To check whether AWS Config is enabled in each region:
Step 1: Sign in to the AWS Management Console.
Step 2: Navigate to AWS Config dashboard at https://console.aws.amazon.com/config/:
a. If the AWS console redirects your request to the Get started page, the service is not enabled in the selected AWS region.
b. If the AWS console redirects your request to the Resource inventory page, click the Status link and check the AWS Config status in the Service status dialog box. If the Configuration recorder stopped warning is displayed, the Config service was previously activated but the recorder is currently stopped, meaning that the service is effectively disabled in the selected region.
Step 3: Change the AWS region from the navigation bar and repeat step 2 for each available region.
To enable AWS Config in a region where it is not enabled:
Step 1: Sign in to the AWS Management Console.
Step 2: Navigate to the AWS Config dashboard at https://console.aws.amazon.com/config/ and click Get Started Now to open the Setup AWS Config page.
Step 3: Under the Resource types to record section:
To track all supported AWS resources, in the All resources category, do the following:
Check Record all resources supported in this region to track configuration changes for every supported type of regional AWS resource.
Check Include global resources to add global AWS resource types (e.g. AWS IAM) to the list of recorded resources.
To track only a subset of the available resources, select the Specific types category and choose the preferred resource type(s) from the dropdown list.
Step 4: The Amazon S3 Bucket* section designates the S3 bucket that will receive the configuration history and configuration snapshot files. This data can be reviewed later with the AWS Config console timeline or a third-party tool. Select one of the following options based on your needs:
Create a new bucket - to use a brand new S3 bucket for storing the configuration history data.
Choose a bucket from your account - to use an existing S3 bucket.
Choose a bucket from another account - to use an existing bucket from another AWS account. Ensure that the selected S3 bucket's policy grants AWS Config permission to write to it.
Step 5: Next to Bucket Name, enter a unique name and a prefix (optional) for the S3 bucket selected in the previous step.
Step 6: Under the Amazon SNS Topic section, check Enable configuration changes and notifications to be streamed to an Amazon SNS topic so that AWS Config can send configuration change notifications to an SNS topic. Select one of the following options based on your needs:
Create a new topic - to create a new SNS topic for sending notifications.
Choose a topic from your account - to use an existing SNS topic.
Choose a topic from another account - to use an existing SNS topic from another AWS account. Ensure that the selected SNS topic's policy grants AWS Config permission to publish to it.
Step 8: On the Rules page, choose the rules that you want. You can customize these rules and add other rules to your account after setup. Click the Next button.
Step 9: On the Review page, verify your setup details and then choose Confirm.
Step 10: On the Resource inventory page, under the Recording is on section, you should see the Taking inventory... event status in progress.
If the service was previously enabled in a region but you want to disable it there, set the configuration recorder status to OFF:
- Click Edit
- Uncheck Enable recording; you will be prompted to confirm that you want to stop recording.
Using AWS CLI (run once per region, with the S3 bucket, SNS topic and IAM role for AWS Config substituted for the placeholders; the command creates the configuration recorder and delivery channel and starts recording in one step):
aws configservice subscribe --s3-bucket <config-bucket-name> --sns-topic <sns-topic-arn> --iam-role <config-role-arn>
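The per-region check from the audit steps above, as an added example that is not part of the original page: it reads the same state through the Config API (boto3's describe_configuration_recorder_status and describe_configuration_recorders) and repeats it in every region, which the CLI command above only sets up one region at a time. The live run assumes boto3 is installed and AWS credentials are available; the sample API responses are constructed.

```python
# Added example, not part of the original page: classify a region's AWS Config state from
# the two Config API responses behind the console checks in the audit steps above.
# Field names are those of describe-configuration-recorder-status and
# describe-configuration-recorders; the sample responses below are constructed.
from typing import Dict, Optional

def classify_region(status_resp: dict, recorders_resp: dict) -> str:
    """Map the two API responses onto one state label for the region."""
    recorders = recorders_resp.get("ConfigurationRecorders", [])
    statuses = status_resp.get("ConfigurationRecordersStatus", [])
    if not recorders:                      # console would show the Get started page
        return "NOT_ENABLED"
    if not any(s.get("recording") for s in statuses):
        return "RECORDER_STOPPED"          # "Configuration recorder stopped" warning
    if any(s.get("lastStatus") == "FAILURE" for s in statuses):
        return "DELIVERY_FAILURE"          # recording, but last delivery to S3/SNS failed
    group = recorders[0].get("recordingGroup", {})
    if not group.get("allSupported"):
        return "PARTIAL_COVERAGE"          # only specific resource types are recorded
    if not group.get("includeGlobalResourceTypes"):
        return "GLOBAL_RESOURCES_EXCLUDED" # regional types only, no IAM etc.
    return "RECORDING_ALL"

def audit_all_regions(profile: Optional[str] = None) -> Dict[str, str]:
    """Repeat the check in every region (needs boto3 and AWS credentials)."""
    import boto3  # imported here so classify_region stays usable offline
    session = boto3.Session(profile_name=profile)
    results: Dict[str, str] = {}
    for region in session.get_available_regions("config"):
        client = session.client("config", region_name=region)
        try:
            results[region] = classify_region(
                client.describe_configuration_recorder_status(),
                client.describe_configuration_recorders())
        except Exception as exc:  # opted-out region, missing permissions, ...
            results[region] = f"ERROR: {type(exc).__name__}"
    return results

# Constructed sample responses covering the states the console audit distinguishes.
ALL_GROUP = {"allSupported": True, "includeGlobalResourceTypes": True, "resourceTypes": []}
SAMPLES = {
    "us-east-1": ({}, {}),
    "eu-west-1": ({"ConfigurationRecordersStatus": [{"name": "default", "recording": False}]},
                  {"ConfigurationRecorders": [{"name": "default", "recordingGroup": ALL_GROUP}]}),
    "ap-south-1": ({"ConfigurationRecordersStatus": [{"name": "default", "recording": True, "lastStatus": "SUCCESS"}]},
                   {"ConfigurationRecorders": [{"name": "default", "recordingGroup": {"allSupported": True}}]}),
    "us-west-2": ({"ConfigurationRecordersStatus": [{"name": "default", "recording": True, "lastStatus": "SUCCESS"}]},
                  {"ConfigurationRecorders": [{"name": "default", "recordingGroup": ALL_GROUP}]}),
}
```

Calling `audit_all_regions()` returns a region-to-state map; any region not reporting RECORDING_ALL is one the console steps above would flag.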
AWS Config is designed to be your primary tool for configuration auditing and compliance verification of both your AWS and third-party resources.