Prerequisites for Setting Up AWS Config with the AWS CLI
Before setting up AWS with the AWS CLI, you need to create an Amazon S3 bucket, an Amazon SNS topic, and an IAM role with attached policies as prerequisites. You can then use the AWS CLI to specify the bucket, topic, and role for AWS Config. Follow this procedure to set up your prerequisites for AWS Config.
Topics
Step 1: Creating an Amazon S3 Bucket
If you already have an Amazon S3 bucket in your account and want to use it, skip this step and go to Step 2: Creating an Amazon SNS Topic.
To create a bucket
Open the Amazon S3 console at https://console.aws.amazon.com/s3/
. -
Choose Create bucket.
-
In Bucket name, enter a DNS-compliant name for your bucket.
The bucket name must:
-
Be unique across all of Amazon S3.
-
Be between 3 and 63 characters long.
-
Not contain uppercase characters.
-
Start with a lowercase letter or number.
After you create the bucket, you can't change its name. Make sure the bucket name you choose is unique across all existing bucket names in Amazon S3. For more information on bucket naming rules and conventions, see Bucket restrictions and Limitations in the Amazon Simple Storage Service User Guide.
Important
Avoid including sensitive information in the bucket name. The bucket name is visible in the URLs that point to the objects in the bucket.
-
-
In Region, choose the AWS Region where you want the bucket to reside.
Choose a Region close to you to minimize latency and costs and address regulatory requirements. Objects stored in a Region never leave that Region unless you explicitly transfer them to another Region. For a list of Amazon S3 AWS Regions, see AWS service endpoints in the Amazon Web Services General Reference.
-
In Bucket settings for Block Public Access, choose the Block Public Access settings that you want to apply to the bucket.
We recommend that you leave all settings enabled unless you know you need to turn one or more of them off for your use case, such as to host a public website. Block public access settings that you enable for the bucket will also be enabled for all access points that you create on the bucket. For more information about blocking public access, see Using Amazon S3 Block Public Access in the Amazon Simple Storage Service User Guide.
-
(Optional) If you want to enable S3 Object Lock:
-
Choose Advanced settings, and read the message that appears.
Important
You can only enable S3 Object Lock for a bucket when you create it. If you enable Object Lock for the bucket, you can't disable it later. Enabling Object Lock also enables versioning for the bucket. After you enable Object Lock for the bucket, you must configure the Object Lock settings before any objects in the bucket will be protected. For more information about configuring protection for objects, see Configuring S3 Object Lock using the Amazon S3 console.
-
If you want to enable Object Lock, enter enable in the text box and choose Confirm.
For more information about the S3 Object Lock feature, see Locking Objects Using Amazon S3 Object Lock in the Amazon Simple Storage Service User Guide.
-
-
Choose Create bucket.
When you use the AWS SDKs to create a bucket, you must create a client and then use the client to send a request to create a bucket. As a best practice, you should create your client and bucket in the same AWS Region. If you don't specify a Region when you create a client or a bucket, Amazon S3 uses the default Region US East (N. Virginia).
To create a client to access a dual-stack endpoint, you must specify an AWS Region. For more information, see Amazon S3 dual-stack endpoints. For a list of available AWS Regions, see Regions and endpoints in the AWS General Reference.
When you create a client, the Region maps to the Region-specific endpoint. The client
uses this endpoint to communicate with Amazon S3:
s3.
. If your Region
launched after March 20, 2019, your client and bucket must be in the same Region. However,
you can use a client in the US East (N. Virginia) Region to create a bucket in any Region
that launched before March 20, 2019. For more information, see Legacy
Endpoints.<region>
.amazonaws.com
These AWS SDK code examples perform the following tasks:
-
Create a client by explicitly specifying an AWS Region — In the example, the client uses the
s3.us-west-2.amazonaws.com
endpoint to communicate with Amazon S3. You can specify any AWS Region. For a list of AWS Regions, see Regions and endpoints in the AWS General Reference. -
Send a create bucket request by specifying only a bucket name — The client sends a request to Amazon S3 to create the bucket in the Region where you created a client.
-
Retrieve information about the location of the bucket — Amazon S3 stores bucket location information in the location subresource that is associated with the bucket.
The following code examples show how to use CreateBucket
.
Note
You can also use an Amazon S3 bucket from a different account, but you may need to create a policy for the bucket that grants access permissions to AWS Config. For information on granting permissions to an Amazon S3 bucket, see Permissions for the Amazon S3 Bucket for the AWS Config Delivery Channel, and then go to Step 2: Creating an Amazon SNS Topic.
Step 2: Creating an Amazon SNS Topic
If you already have an Amazon SNS topic in your account and want to use it, skip this step and go to Step 3: Creating an IAM Role.
To create an Amazon SNS topic
Open the Amazon SNS console at https://console.aws.amazon.com/sns/v3/home
. -
Do one of the following:
-
If no topics have ever been created under your AWS account before, read the description of Amazon SNS on the home page.
-
If topics have been created under your AWS account before, on the navigation panel, choose Topics.
-
-
On the Topics page, choose Create topic.
-
On the Create topic page, in the Details section, do the following:
-
For Type, choose a topic type (Standard or FIFO).
-
Enter a Name for the topic. For a FIFO topic, add .fifo to the end of the name.
-
(Optional) Enter a Display name for the topic.
-
(Optional) For a FIFO topic, you can choose content-based message deduplication to enable default message deduplication. For more information, see Message deduplication for FIFO topics.
-
-
(Optional) Expand the Encryption section and do the following. For more information, see Encryption at rest.
-
Choose Enable encryption.
-
Specify the customer master key (CMK). For more information, see Key terms.
For each CMK type, the Description, Account, and CMK ARN are displayed.
Important
If you aren't the owner of the CMK, or if you log in with an account that doesn't have the
kms:ListAliases
andkms:DescribeKey
permissions, you won't be able to view information about the CMK on the Amazon SNS console.Ask the owner of the CMK to grant you these permissions. For more information, see the AWS KMS API Permissions: Actions and Resources Reference in the AWS Key Management Service Developer Guide.
-
The AWS managed CMK for Amazon SNS (Default) alias/aws/sns is selected by default.
Note
Keep the following in mind:
-
The first time you use the AWS Management Console to specify the AWS managed CMK for Amazon SNS for a topic, AWS KMS creates the AWS managed CMK for Amazon SNS.
-
Alternatively, the first time you use the
Publish
action on a topic with SSE enabled, AWS KMS creates the AWS managed CMK for Amazon SNS.
-
-
To use a custom CMK from your AWS account, choose the Customer master key (CMK) field and then choose the custom CMK from the list.
Note
For instructions on creating custom CMKs, see Creating Keys in the AWS Key Management Service Developer Guide
-
To use a custom CMK ARN from your AWS account or from another AWS account, enter it into the Customer master key (CMK) field.
-
-
-
(Optional) By default, only the topic owner can publish or subscribe to the topic. To configure additional access permissions, expand the Access policy section. For more information, see Identity and access management in Amazon SNS and Example cases for Amazon SNS access control.
Note
When you create a topic using the console, the default policy uses the
aws:SourceOwner
condition key. This key is similar toaws:SourceAccount
. -
(Optional) To configure how Amazon SNS retries failed message delivery attempts, expand the Delivery retry policy (HTTP/S) section. For more information, see Amazon SNS message delivery retries.
-
(Optional) To configure how Amazon SNS logs the delivery of messages to CloudWatch, expand the Delivery status logging section. For more information, see Amazon SNS message delivery status.
-
(Optional) To add metadata tags to the topic, expand the Tags section, enter a Key and a Value (optional) and choose Add tag. For more information, see Amazon SNS topic tagging.
-
Choose Create topic.
The topic is created and the
MyTopic
page is displayed.The topic's Name, ARN, (optional) Display name, and Topic owner's AWS account ID are displayed in the Details section.
-
Copy the topic ARN to the clipboard, for example:
arn:aws:sns:us-east-2:123456789012:MyTopic
To subscribe an email address to the Amazon SNS topic
Open the Amazon SNS console at https://console.aws.amazon.com/sns/v3/home
. -
In the left navigation pane, choose Subscriptions.
-
On the Subscriptions page, choose Create subscription.
-
On the Create subscription page, in the Details section, do the following:
-
For Topic ARN, choose the Amazon Resource Name (ARN) of a topic.
-
For Protocol, choose an endpoint type. The available endpoint types are:
-
Note
To subscribe to an SNS FIFO topic, choose this option.
-
For Endpoint, enter the endpoint value, such as an email address or the ARN of an Amazon SQS queue.
-
Firehose endpoints only: For Subscription role ARN, specify the ARN of the IAM role that you created for writing to Firehose delivery streams. For more information, see Prerequisites for subscribing Firehose delivery streams to Amazon SNS topics.
-
(Optional) For Firehose, Amazon SQS, HTTP/S endpoints, you can also enable raw message delivery. For more information, see Amazon SNS raw message delivery.
-
(Optional) To configure a filter policy, expand the Subscription filter policy section. For more information, see Amazon SNS subscription filter policies.
-
(Optional) To configure a dead-letter queue for the subscription, expand the Redrive policy (dead-letter queue) section. For more information, see Amazon SNS dead-letter queues (DLQs).
-
Choose Create subscription.
The console creates the subscription and opens the subscription's Details page.
-
To use an AWS SDK, you must configure it with your credentials. For more information, see The shared config and credentials files in the AWS SDKs and Tools Reference Guide.
The following code examples show how to use CreateTopic
.
Note
You can also use an Amazon SNS topic in a different account, but in that case you might need to create a policy for topic that grants access permissions to AWS Config. For information on granting permissions to an Amazon SNS topic, see Permissions for the Amazon SNS Topic and then go to Step 3: Creating an IAM Role.
Step 3: Creating an IAM Role
Important
(Recommended) Use the AWS Config service-linked role
It is recommended to use the AWS Config service-linked role: AWSServiceRoleForConfig
. Service-linked roles are predefined and include all the permissions that AWS Config requires to call other AWS services. The AWS Config service-linked role is required for service-linked configuration recorders.
For more information, see Using Service-Linked Roles for AWS Config.
You can use the IAM console to create an IAM role that grants AWS Config permissions to access your Amazon S3 bucket, access your Amazon SNS topic, and get configuration details for supported AWS resources. When you use the console to create an IAM role, AWS Config automatically attaches the required permissions to the role for you.
Note
If you have used an AWS service that uses AWS Config (such as AWS Security Hub or AWS Control Tower) and an AWS Config role has already been created, you should make sure that the IAM role you use when setting up AWS Config keeps the same minimum privileges as the already created AWS Config role in order for the other AWS service to continue to run as expected.
For example, if AWS Control Tower has an IAM role that allows AWS Config to read Amazon S3 objects, you should guarantee the same permissions are granted within the IAM role you use when setting up AWS Config. Otherwise, it may interfere with AWS Control Tower's operations.
For more information about IAM roles for AWS Config, see AWS Identity and Access Management.
To create a role for an AWS service
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/
. -
In the navigation pane of the IAM console, choose Roles, and then choose Create role.
-
For Select trusted entity, choose AWS service.
-
Choose the use case you want for AWS Config: Config - Customizable, Config - Organizations, Config, or Config - Conformance Packs. Then, choose Next.
-
On the Name, review, and create page, review the details about your role, and choose Create Role.
To use an AWS SDK, you must configure it with your credentials. For more information, see The shared config and credentials files in the AWS SDKs and Tools Reference Guide.
The following code examples show how to use CreateRole
.