

# Recording AWS Resources with AWS Config
<a name="select-resources"></a>

AWS Config continuously detects when supported resource types are created, changed, or deleted. AWS Config records these events as configuration items (CIs).

You can customize AWS Config to record configuration changes for all supported resource types, or for only the supported resource types that are relevant to you. For a list of supported resource types that AWS Config can record, see [Supported Resource Types for AWS Config](resource-config-reference.md).

**Topics**
+ [Considerations](#select-resources-considerations)
+ [Regional and global Resources](#select-resources-all)
+ [AWS Config Rules and global resource types](#select-resources-rules-and-global)
+ [Recording frequency](#select-resources-recording-frequency)
+ [Non-recorded resources](#select-resources-non-recorded)
+ [Recording resources (Console)](select-resources-console.md)
+ [Recording resources (AWS CLI)](select-resources-cli.md)
+ [Excluding resources](select-resources-excluding.md)
+ [Stopping recording](select-resources-stopping-recording.md)

## Considerations
<a name="select-resources-considerations"></a>

**High Number of AWS Config Evaluations**

You might notice increased activity in your account during your initial month recording with AWS Config when compared to subsequent months. During the initial bootstrapping process, AWS Config runs evaluations on all the resources in your account that you have selected for AWS Config to record.

If you are running ephemeral workloads, you may see increased activity from AWS Config as it records configuration changes associated with creating and deleting these temporary resources. An *ephemeral workload* is a temporary use of computing resources that are loaded and run when needed. Examples include Amazon Elastic Compute Cloud (Amazon EC2) Spot Instances, Amazon EMR jobs, and AWS Auto Scaling.

If you want to avoid the increased activity from running ephemeral workloads, you can set up the customer managed configuration recorder to exclude these resource types from being recorded, or run these types of workloads in a separate account with AWS Config turned off to avoid increased configuration recording and rule evaluations.

**Region availability**

Before specifying a resource type for AWS Config to track, check [Resource Coverage by Region availability](https://docs.aws.amazon.com/config/latest/developerguide/what-is-resource-config-coverage.html) to see if the resource type is supported in the AWS Region where you set up AWS Config.

If a resource type is supported by AWS Config in at least one Region, you can enable the recording of that resource type in all Regions supported by AWS Config, even if the specified resource type is not supported in the AWS Region where you set up AWS Config.

## What are the differences between Regional and global resources?
<a name="select-resources-all"></a>

**Regional resources**  
*Regional resources* are tied to a Region and can be used only in that Region. You create them in a specified AWS Region, and then they exist in that Region. To see or interact with those resources, you must direct your operations to that Region. For example, to create an Amazon EC2 instance with the AWS Management Console, you [choose the AWS Region](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/select-region.html) that you want to create the instance in. If you use the AWS Command Line Interface (AWS CLI) to create the instance, then you include the `--region` parameter. The AWS SDKs each have their own equivalent mechanism to specify the Region that the operation uses.  
There are several reasons for using Regional resources. One reason is to ensure that the resources, and the service endpoints that you use to access them, are as close to the customer as possible. This improves performance by minimizing latency. Another reason is to provide an isolation boundary. This lets you create independent copies of resources in multiple Regions to distribute the load and improve scalability. At the same time, it isolates the resources from each other to improve availability.  
If you specify a different AWS Region in the console or in an AWS CLI command, then you can no longer see or interact with the resources you could see in the previous Region.  
When you look at the [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) for a Regional resource, the Region that contains the resource is specified as the fourth field in the ARN. For example, an Amazon EC2 instance is a Regional resource. The following is an example of an ARN for an Amazon EC2 instance that exists in the `us-east-1` Region.  

```
arn:aws:ec2:us-east-1:123456789012:instance/i-0a6f30921424d3eee
```

**Global resources**  
Some AWS service resources are *global resources*, meaning that you can use the resource from ***anywhere***. You don't specify an AWS Region in a global service's console. To access a global resource, you don't specify a `--region` parameter when using the service's AWS CLI and AWS SDK operations.  
Global resources support cases where it is critical that only one instance of a particular resource can exist at a time. In these scenarios, replication or synchronization between copies in different Regions is not adequate. Having to access a single global endpoint, with the possible increase in latency, is considered acceptable to ensure that any changes are instantaneously visible to consumers of the resource.  
For example, Amazon Aurora global clusters (`AWS::RDS::GlobalCluster`) are global resources, and therefore not tied to a Region. This means that you can create a global cluster without relying on a regional endpoint. The benefit is that, while the Amazon Relational Database Service (Amazon RDS) itself is organized by Regions, the specific Region where a global cluster originates doesn't impact the global cluster. It appears as a single, continuous global cluster across all Regions.  
The [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) for a global resource doesn't include a Region. The fourth field is empty, such as in the following example of an ARN for a global cluster.  

```
arn:aws:rds::123456789012:global-cluster:test-global-cluster
```
Global resource types onboarded to AWS Config after February 2022 will only be recorded in the service's home Region for the commercial partition and AWS GovCloud (US-West) for the GovCloud partition. You can view the configuration items (CIs) for these new global resource types only in their home Region and AWS GovCloud (US-West).  
Global resource types onboarded before February 2022 (`AWS::IAM::Group`, `AWS::IAM::Policy`, `AWS::IAM::Role`, and `AWS::IAM::User`) remain unchanged. You can enable the recording of these global IAM resources in all Regions where AWS Config was supported before February 2022. These global IAM resources cannot be recorded in Regions supported by AWS Config after February 2022.  
**Global resource types | IAM resources**  
The following IAM resource types are global resources: IAM users, groups, roles, and customer managed policies. These resource types can be recorded by AWS Config in Regions where AWS Config was available before February 2022. The Regions where you cannot record the global IAM resource types include the following: Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Asia Pacific (Thailand), Canada West (Calgary), Europe (Spain), Europe (Zurich), Israel (Tel Aviv), Mexico (Central), and Middle East (UAE).  
To prevent duplicate configuration items (CIs), you should consider only recording the global IAM resource types one time in one of the supported Regions. This can also help you avoid unnecessary evaluations and API throttling.  
**Global resource types | Home Region Only**  
Global resources for the following services are only recorded by AWS Config in the home Region of the global resource type: Amazon Elastic Container Registry Public, AWS Global Accelerator, Amazon Route 53, Amazon CloudFront, and AWS WAF. For these global resources, the same instance of the resource type can be used in multiple AWS Regions, but the configuration items (CIs) are only recorded in the home Region for the commercial partition or AWS GovCloud (US-West) for the AWS GovCloud (US) partition.    
**Home Regions for Global Resource Types**    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/config/latest/developerguide/select-resources.html)  
**Global resource types | Aurora global clusters**  
`AWS::RDS::GlobalCluster` is a global resource that is recorded in all supported AWS Config Regions where the customer managed configuration recorder is enabled. This global resource type is unique in that if you enable the recording of this resource in one Region, AWS Config will record configuration items (CIs) for this resource type in all your enabled Regions.  
If you do not want to record `AWS::RDS::GlobalCluster` in all enabled Regions, use one of the following recording strategies for the AWS Config console:  
+ **Record all resource types with customizable overrides**, choose "AWS RDS GlobalCluster", and choose the override "Exclude from recording"
+ **Record specific resource types**.
If you do not want to record `AWS::RDS::GlobalCluster` in all enabled Regions, use one of the following recording strategies for the API/CLI:  
+ **Record all current and future resource types with exclusions** (`EXCLUSION_BY_RESOURCE_TYPES`)
+ **Record specific resource types** (`INCLUSION_BY_RESOURCE_TYPES`).
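
The following added example (not part of the AWS documentation or AWS tooling) audits `describe-configuration-recorders` output collected from several Regions against the guidance above: each global IAM type recorded in exactly one Region, none selected in a Region that cannot record them, and `AWS::RDS::GlobalCluster` selected in more than one Region. The sample responses are constructed; the Region codes for the listed Region names, and the treatment of `includeGlobalResourceTypes` as the switch for the global IAM types under `ALL_SUPPORTED_RESOURCE_TYPES`, are assumptions.

```python
IAM_GLOBAL_TYPES = ("AWS::IAM::Group", "AWS::IAM::Policy", "AWS::IAM::Role", "AWS::IAM::User")
AURORA_GLOBAL = "AWS::RDS::GlobalCluster"

# Assumed Region codes for the Regions listed above as unable to record global IAM types.
NO_IAM_RECORDING_REGIONS = frozenset({
    "ap-south-2", "ap-southeast-5", "ap-southeast-4", "ap-southeast-7", "ca-west-1",
    "eu-south-2", "eu-central-2", "il-central-1", "mx-central-1", "me-central-1",
})


def records(group, resource_type):
    """Return True if a recordingGroup selects resource_type for recording."""
    strategy = group.get("recordingStrategy", {}).get("useOnly")
    if strategy == "ALL_SUPPORTED_RESOURCE_TYPES":
        # Assumption: the global IAM types are a bundle that is recorded only
        # when includeGlobalResourceTypes is true.
        if resource_type in IAM_GLOBAL_TYPES:
            return bool(group.get("includeGlobalResourceTypes"))
        return True
    if strategy == "EXCLUSION_BY_RESOURCE_TYPES":
        excluded = group.get("exclusionByResourceTypes", {}).get("resourceTypes", [])
        return resource_type not in excluded
    if strategy == "INCLUSION_BY_RESOURCE_TYPES":
        return resource_type in group.get("resourceTypes", [])
    raise ValueError(f"unknown recording strategy: {strategy!r}")


def audit(recorders_by_region):
    """Return (code, subject, detail) findings for global resource recording."""
    findings = []
    iam_regions = {t: [] for t in IAM_GLOBAL_TYPES}
    aurora_regions = []
    for region in sorted(recorders_by_region):
        recorders = recorders_by_region[region].get("ConfigurationRecorders", [])
        groups = [r.get("recordingGroup", {}) for r in recorders]
        selected_iam = [t for t in IAM_GLOBAL_TYPES if any(records(g, t) for g in groups)]
        if selected_iam and region in NO_IAM_RECORDING_REGIONS:
            # Selected, but this Region cannot record the global IAM types.
            findings.append(("IAM_NOT_RECORDABLE", region, selected_iam))
        else:
            for t in selected_iam:
                iam_regions[t].append(region)
        if any(records(g, AURORA_GLOBAL) for g in groups):
            aurora_regions.append(region)
    for t, regions in iam_regions.items():
        if not regions:
            findings.append(("IAM_NOT_RECORDED", t, []))      # no CIs for this type anywhere
        elif len(regions) > 1:
            findings.append(("IAM_DUPLICATE_CIS", t, regions))  # duplicate CIs and evaluations
    if len(aurora_regions) > 1:
        findings.append(("AURORA_GLOBAL_MULTI_REGION", AURORA_GLOBAL, aurora_regions))
    return findings


def recorder_response(group):
    """Wrap a recordingGroup in the shape of a describe-configuration-recorders response."""
    return {"ConfigurationRecorders": [{"name": "default", "recordingGroup": group}]}


# Constructed sample: one describe-configuration-recorders response per Region.
ALL_WITH_GLOBAL = {
    "allSupported": True,
    "includeGlobalResourceTypes": True,
    "recordingStrategy": {"useOnly": "ALL_SUPPORTED_RESOURCE_TYPES"},
}
SAMPLE = {
    "us-east-1": recorder_response(ALL_WITH_GLOBAL),
    "eu-south-2": recorder_response(ALL_WITH_GLOBAL),
    # AWS::IAM::Policy was left out of the exclusion list.
    "eu-west-1": recorder_response({
        "allSupported": False,
        "includeGlobalResourceTypes": False,
        "exclusionByResourceTypes": {
            "resourceTypes": ["AWS::IAM::User", "AWS::IAM::Group", "AWS::IAM::Role"]
        },
        "recordingStrategy": {"useOnly": "EXCLUSION_BY_RESOURCE_TYPES"},
    }),
    "ap-southeast-2": recorder_response({
        "allSupported": False,
        "includeGlobalResourceTypes": False,
        "resourceTypes": ["AWS::EC2::Instance"],
        "recordingStrategy": {"useOnly": "INCLUSION_BY_RESOURCE_TYPES"},
    }),
}

if __name__ == "__main__":
    for code, subject, detail in audit(SAMPLE):
        print(code, subject, detail)
```
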

## AWS Config Rules and global resource types
<a name="select-resources-rules-and-global"></a>

The global IAM resource types onboarded before February 2022 (`AWS::IAM::Group`, `AWS::IAM::Policy`, `AWS::IAM::Role`, and `AWS::IAM::User`) can only be recorded by AWS Config in Regions where AWS Config was available before February 2022. These global IAM resource types cannot be recorded in Regions supported by AWS Config after February 2022. For a list of those Regions, see [Recording AWS Resources | Global Resources](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html#select-resources-all).

If you record a global IAM resource type in at least one Region, periodic rules that report compliance on the global IAM resource type will run evaluations in all Regions where the periodic rule is added, even if you have not enabled the recording of the global IAM resource type in the Region where the periodic rule was added.

**Best Practices for reporting compliance on global resources onboarded before February 2022**

To avoid unnecessary evaluations, you should only deploy AWS Config rules and conformance packs that have these global resources in scope to one of the supported Regions. For a list of which managed rules are supported in which Regions, see [List of AWS Config Managed Rules by Region Availability](https://docs.aws.amazon.com/config/latest/developerguide/managing-rules-by-region-availability.html). This applies to AWS Config rules, organizational AWS Config rules, and also rules created by other AWS services, such as AWS Security Hub CSPM and AWS Control Tower.

If you are not recording global resource types onboarded before February 2022, it is recommended that you do not enable the following periodic rules to avoid unnecessary evaluations:
+ [access-keys-rotated](https://docs.aws.amazon.com/config/latest/developerguide/access-keys-rotated.html)
+ [account-part-of-organizations](https://docs.aws.amazon.com/config/latest/developerguide/account-part-of-organizations.html)
+ [iam-password-policy](https://docs.aws.amazon.com/config/latest/developerguide/iam-password-policy.html)
+ [iam-policy-in-use](https://docs.aws.amazon.com/config/latest/developerguide/iam-policy-in-use.html)
+ [iam-root-access-key-check](https://docs.aws.amazon.com/config/latest/developerguide/iam-root-access-key-check.html)
+ [iam-user-mfa-enabled](https://docs.aws.amazon.com/config/latest/developerguide/iam-user-mfa-enabled.html)
+ [iam-user-unused-credentials-check](https://docs.aws.amazon.com/config/latest/developerguide/iam-user-unused-credentials-check.html)
+ [mfa-enabled-for-iam-console-access](https://docs.aws.amazon.com/config/latest/developerguide/mfa-enabled-for-iam-console-access.html)
+ [root-account-hardware-mfa-enabled](https://docs.aws.amazon.com/config/latest/developerguide/root-account-hardware-mfa-enabled.html)
+ [root-account-mfa-enabled](https://docs.aws.amazon.com/config/latest/developerguide/root-account-mfa-enabled.html)

**Best Practices for reporting compliance on global resources onboarded after February 2022**

Global resource types onboarded to AWS Config recording after February 2022 will be recorded only in the service's home Region for the commercial partition and AWS GovCloud (US-West) for the AWS GovCloud (US) partition. You should deploy AWS Config rules and conformance packs that have these global resources in scope only to the resource type's home Region. For more information, see [Home Regions for Global Resource Types](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html#select-resources-all).

## Recording frequency for AWS Config
<a name="select-resources-recording-frequency"></a>

AWS Config supports *Continuous recording* and *Daily recording*. Continuous recording allows you to record configuration changes continuously whenever a change occurs. Daily recording allows you to receive a configuration item (CI) representing the most recent state of your resources over the last 24-hour period, only if it’s different from the previous CI recorded. For steps on how to change the recording frequency, see [Changing Recording Frequency](https://docs.aws.amazon.com/config/latest/developerguide/managing-recorder_console-change-recording-frequency.html). 

**Continuous recording**

Some benefits of continuous recording include:
+ **Real-time Monitoring**: Continuous recording can provide immediate detection for unauthorized changes or unexpected alterations, which can enhance your security and compliance efforts.
+ **Detailed Analysis**: Continuous recording can allow you to perform in-depth analysis of configuration changes to your resources as they occur, which can allow you to identify patterns and trends in the moment.

**Daily recording**

Some benefits of daily recording include:
+ **Minimal Disruption**: Daily recording can provide you with a more manageable flow of information, which can reduce the frequency of notifications and alert fatigue.
+ **Cost Efficiency**: Daily recording can provide you with the flexibility to record changes to your resources at a lower frequency, which can reduce costs related to the number of configuration changes recorded.

**Note**  
AWS Firewall Manager depends on continuous recording to monitor your resources. If you are using Firewall Manager, it is recommended that you set the recording frequency to Continuous.

## Non-recorded resources
<a name="select-resources-non-recorded"></a>

If a resource is not recorded, AWS Config captures only the creation and deletion of that resource, and no other details, at no cost to you. When a non-recorded resource is created or deleted, AWS Config sends a notification, and it displays the event on the resource details page. The details page for a non-recorded resource provides null values for most configuration details, and it does not provide information about relationships and configuration changes.

The relationship information that AWS Config provides for recorded resources is not limited because of missing data for non-recorded resources. If a recorded resource is related to a non-recorded resource, that relationship is provided in the details page of the recorded resource.

**IAM resource type considerations**

The `AWS::IAM::User`, `AWS::IAM::Policy`, `AWS::IAM::Group`, `AWS::IAM::Role` resource types will only capture the creation (`ResourceNotRecorded`) and deletion (`ResourceDeletedNotRecorded`) states if the resource is, or previously was, selected as a resource to record in the customer managed configuration recorder.

**CI recording schedule for non-recorded resources**

The configuration items (CIs) for `ResourceNotRecorded` and `ResourceDeletedNotRecorded` do not follow the typical recording time for resource types. These resource types are only recorded during the periodic baselining process for the customer managed configuration recorder, which is at a less frequent cadence than that for the other resource types. This means that create and delete notifications are not sent upon creation or deletion, but during the baselining process.
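
As an added example (not AWS code), the following turns the `ResourceNotRecorded` and `ResourceDeletedNotRecorded` statuses described above into a report of resources that exist in the account but are not recorded, grouped by Region and resource type. The configuration items are constructed sample data that use the field names of the configuration item JSON format; the resource IDs are made up.

```python
from collections import Counter

NOT_RECORDED = "ResourceNotRecorded"
DELETED_NOT_RECORDED = "ResourceDeletedNotRecorded"


def ci(region, rtype, rid, status, captured):
    """Build a constructed configuration item with only the fields used here."""
    return {
        "awsRegion": region,
        "resourceType": rtype,
        "resourceId": rid,
        "configurationItemStatus": status,
        "configurationItemCaptureTime": captured,
    }


# Constructed sample. For non-recorded resources the capture time is when the
# baselining process observed the resource, not when it was created or deleted.
SAMPLE_CIS = [
    ci("us-east-1", "AWS::Lambda::Function", "fn-a", NOT_RECORDED, "2024-05-01T02:00:00Z"),
    ci("us-east-1", "AWS::Lambda::Function", "fn-b", NOT_RECORDED, "2024-05-01T02:00:00Z"),
    ci("us-east-1", "AWS::Lambda::Function", "fn-b", DELETED_NOT_RECORDED, "2024-05-03T02:00:00Z"),
    ci("us-east-1", "AWS::Lambda::Function", "fn-c", NOT_RECORDED, "2024-05-03T02:00:00Z"),
    ci("us-east-1", "AWS::EC2::Instance", "i-constructed", "ResourceDiscovered", "2024-05-01T09:30:00Z"),
    ci("eu-west-1", "AWS::S3::Bucket", "example-bucket", NOT_RECORDED, "2024-05-02T02:00:00Z"),
]


def unrecorded_live_resources(items):
    """Return (region, type, id) for resources whose latest CI is ResourceNotRecorded."""
    latest = {}
    for item in items:
        key = (item["awsRegion"], item["resourceType"], item["resourceId"])
        previous = latest.get(key)
        # Timestamps share one ISO 8601 UTC format, so string order is time order.
        if previous is None or (
            item["configurationItemCaptureTime"] > previous["configurationItemCaptureTime"]
        ):
            latest[key] = item
    # A later ResourceDeletedNotRecorded CI means the resource no longer exists.
    return sorted(
        key for key, item in latest.items()
        if item["configurationItemStatus"] == NOT_RECORDED
    )


def blind_spots_by_type(items):
    """Count existing but non-recorded resources per (region, resource type)."""
    return Counter((region, rtype) for region, rtype, _ in unrecorded_live_resources(items))


if __name__ == "__main__":
    for (region, rtype), count in sorted(blind_spots_by_type(SAMPLE_CIS).items()):
        print(f"{region} {rtype}: {count} resource(s) exist but are not recorded")
```
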

**CI delivery and service-linked recorder scope**

For service-linked configuration recorders, the recording scope determines if you receive configuration items (CIs) in the delivery channel. The recording scope is set by the service that is linked to the configuration recorder. If the recording scope is internal, you will not receive CIs in the delivery channel.

# Recording resources in the AWS Config console
<a name="select-resources-console"></a>

You can use the AWS Config console to select the types of resources that AWS Config records with the customer managed configuration recorder.

**To select resources**

1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/home](https://console.aws.amazon.com/config/home).

1. Choose **Settings** in the left navigation pane.

1. On the **Customer managed recorder** tab, choose **Edit**.

1. In the **Recording method** section, choose a recording strategy. You can specify the AWS resources that you want AWS Config to record.

------
#### [ All resource types with customizable overrides ]

   Set up AWS Config to record configuration changes for all current and future supported resource types in this Region. You can override the recording frequency for specific resource types or exclude specific resource types from recording. For more information, see [Supported Resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html).
   + **Default settings**

     Configure the default recording frequency for all current and future supported resource types. For more information, see [Recording Frequency](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html#select-resources-recording-frequency).
     + Continuous recording – AWS Config will record configuration changes continuously whenever a change occurs.
     + Daily recording – You will receive a configuration item (CI) representing the most recent state of your resources over the last 24-hour period, only if it’s different from the previous CI recorded.
     **Note**  
     AWS Firewall Manager depends on continuous recording to monitor your resources. If you are using Firewall Manager, it is recommended that you set the recording frequency to Continuous.
   + **Override settings**

     Override the recording frequency for specific resource types, or exclude specific resource types from recording. If you change the recording frequency for a resource type or stop recording a resource type, the configuration items that were already recorded will remain unchanged.

------
#### [ Specific resource types ]

   Set up AWS Config to record configuration changes for only the resource types that you specify.
   + **Specific resource types**

     Choose a resource type to record and its frequency. For more information, see [Recording Frequency](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html#select-resources-recording-frequency).
     + Continuous recording – AWS Config will record configuration changes continuously whenever a change occurs.
     + Daily recording – You will receive a configuration item (CI) representing the most recent state of your resources over the last 24-hour period, only if it’s different from the previous CI recorded.
     **Note**  
     AWS Firewall Manager depends on continuous recording to monitor your resources. If you are using Firewall Manager, it is recommended that you set the recording frequency to Continuous.

     If you change the recording frequency for a resource type or stop recording a resource type, the configuration items that were already recorded will remain unchanged.

------

1. Choose **Save** to save your changes.

## Considerations When Recording Resources
<a name="select-resources-console-considerations"></a>

**High Number of AWS Config Evaluations**

You might notice increased activity in your account during your initial month recording with AWS Config when compared to subsequent months. During the initial bootstrapping process, AWS Config runs evaluations on all the resources in your account that you have selected for AWS Config to record.

If you are running ephemeral workloads, you may see increased activity from AWS Config as it records configuration changes associated with creating and deleting these temporary resources. An *ephemeral workload* is a temporary use of computing resources that are loaded and run when needed. Examples include Amazon Elastic Compute Cloud (Amazon EC2) Spot Instances, Amazon EMR jobs, and AWS Auto Scaling. If you want to avoid the increased activity from running ephemeral workloads, you can set up the customer managed configuration recorder to exclude these resource types from being recorded, or run these types of workloads in a separate account with AWS Config turned off to avoid increased configuration recording and rule evaluations.

------
#### [ Considerations: All resource types with customizable overrides ]

**Globally recorded resource types | Aurora global clusters are initially included in recording**

The `AWS::RDS::GlobalCluster` resource type will be recorded in all supported AWS Config Regions where the customer managed configuration recorder is enabled.

If you do not want to record `AWS::RDS::GlobalCluster` in all enabled Regions, choose "AWS RDS GlobalCluster", and choose the override "Exclude from recording".

**Global resource types | IAM resource types are initially excluded from recording**

The global IAM resource types are initially excluded from recording to help you reduce costs. This bundle includes IAM users, groups, roles, and customer managed policies. Choose **Remove** to remove the override and include these resources in your recording. 

Additionally, the global IAM resource types (`AWS::IAM::User`, `AWS::IAM::Group`, `AWS::IAM::Role`, and `AWS::IAM::Policy`) cannot be recorded in Regions supported by AWS Config after February 2022. For a list of those Regions, see [Recording AWS Resources | Global Resources](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html#select-resources-all).

**Limits**

You can add up to 100 frequency overrides and 600 exclusion overrides.

Daily recording is not supported for the following resource types:
+ `AWS::Config::ResourceCompliance`
+ `AWS::Config::ConformancePackCompliance`
+ `AWS::Config::ConfigurationRecorder`

------
#### [ Considerations: Specific resource types ]

**Region Availability**

Before specifying a resource type for AWS Config to track, check [Resource Coverage by Region Availability](https://docs.aws.amazon.com/config/latest/developerguide/what-is-resource-config-coverage.html) to see if the resource type is supported in the AWS Region where you set up AWS Config. If a resource type is supported by AWS Config in at least one Region, you can enable the recording of that resource type in all Regions supported by AWS Config, even if the specified resource type is not supported in the AWS Region where you set up AWS Config.

**Limits**

There are no limits if all resource types have the same frequency. You can add up to 100 resource types with Daily frequency if at least one resource type is set to Continuous.

The Daily frequency is not supported for the following resource types:
+ `AWS::Config::ResourceCompliance`
+ `AWS::Config::ConformancePackCompliance`
+ `AWS::Config::ConfigurationRecorder`

------

# Recording resources with the AWS CLI
<a name="select-resources-cli"></a>

You can use the AWS CLI to select the types of resources that you want AWS Config to record. You do this by creating a customer managed configuration recorder, which records the types of resources that you specify in a recording group. In the recording group, you specify whether you want to record all supported resource types, or to include or exclude specific types of resources.

------
#### [ Record all current and future supported resource types ]

Set up AWS Config to record configuration changes for all current and future supported resource types in this Region. For a list of supported resources types, see [Supported Resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html).

1. Use the [put-configuration-recorder](http://docs.aws.amazon.com/cli/latest/reference/configservice/put-configuration-recorder.html) command:

   This command uses the `--configuration-recorder` and `--recording-group` fields.

   ```
   $ aws configservice put-configuration-recorder \
   --configuration-recorder file://configurationRecorder.json \
   --recording-group file://recordingGroup.json
   ```

   **The `configuration-recorder` field**

   The `configurationRecorder.json` file specifies `name` and `roleARN` as well as the default recording frequency for the configuration recorder (`recordingMode`).

   ```
   {
     "name": "default",
     "roleARN": "arn:aws:iam::123456789012:role/config-role",
     "recordingMode": {
       "recordingFrequency": CONTINUOUS or DAILY,
       "recordingModeOverrides": [ 
           { 
               "description": "Description you provide for the override",
               "recordingFrequency": CONTINUOUS or DAILY,
               "resourceTypes": [ Comma-separated list of resource types to include in the override ]
           }
       ]
     }
   }
   ```

   **The `recording-group` field**

   The `recordingGroup.json` file specifies which resource types are recorded.

   ```
   {
       "allSupported": true,
       "recordingStrategy": {
           "useOnly": "ALL_SUPPORTED_RESOURCE_TYPES" 
       },
       "includeGlobalResourceTypes": true
   }
   ```

   For more information about these fields, see [put-configuration-recorder](http://docs.aws.amazon.com/cli/latest/reference/configservice/put-configuration-recorder.html) in the *AWS CLI Command Reference*.

1. (Optional) To verify that your customer managed configuration recorder has the settings that you want, use the following [describe-configuration-recorders](http://docs.aws.amazon.com/cli/latest/reference/configservice/describe-configuration-recorders.html) command.

   ```
   $ aws configservice describe-configuration-recorders
   ```

   The following is an example response.

   ```
   {
       "ConfigurationRecorders": [
           {
               "name": "default",
               "recordingGroup": {
                   "allSupported": true,
                   "exclusionByResourceTypes": { 
                        "resourceTypes": []
                   },
                   "includeGlobalResourceTypes": true,
                   "recordingStrategy": {
                       "useOnly": "ALL_SUPPORTED_RESOURCE_TYPES" 
                   },
                   "resourceTypes": []
               },
               "recordingMode": { 
                   "recordingFrequency": CONTINUOUS or DAILY,
                   "recordingModeOverrides": [ 
                    { 
                        "description": "Description you provide for the override",
                        "recordingFrequency": CONTINUOUS or DAILY,
                        "resourceTypes": [ Comma-separated list of resource types to include in the override]
                   }
                 ]
               },
               "roleARN": "arn:aws:iam::123456789012:role/config-role"
           }
       ]
   }
   ```

------
#### [ Record all current and future supported resources types excluding the types you specify ]

Set up AWS Config to record configuration changes for all current and future supported resource types, including global resource types, except the resource types that you specify to exclude from recording.

If you choose to stop recording for a resource type, the configuration items that were already recorded will remain unchanged. For a list of supported resources types, see [Supported Resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html).

1. Use the [put-configuration-recorder](http://docs.aws.amazon.com/cli/latest/reference/configservice/put-configuration-recorder.html) command:

   This command uses the `--configuration-recorder` and `--recording-group` fields.

   ```
   $ aws configservice put-configuration-recorder \
   --configuration-recorder file://configurationRecorder.json \
   --recording-group file://recordingGroup.json
   ```

   **The `configuration-recorder` field**

   The `configurationRecorder.json` file specifies `name` and `roleARN` as well as the default recording frequency for the configuration recorder (`recordingMode`).

   ```
   {
     "name": "default",
     "roleARN": "arn:aws:iam::123456789012:role/config-role",
     "recordingMode": {
       "recordingFrequency": CONTINUOUS or DAILY,
       "recordingModeOverrides": [ 
           { 
               "description": "Description you provide for the override",
               "recordingFrequency": CONTINUOUS or DAILY,
               "resourceTypes": [ Comma-separated list of resource types to include in the override ]
           }
       ]
     }
   }
   ```

   **The `recording-group` field**

   The `recordingGroup.json` file specifies which types of resources AWS Config will record. Pass one or more resource types to exclude in the `resourceTypes` field of `exclusionByResourceTypes`, as shown in the following example.

   ```
   {
       "allSupported": false,
       "exclusionByResourceTypes": { 
           "resourceTypes": [
               "AWS::Redshift::ClusterSnapshot",
               "AWS::RDS::DBClusterSnapshot",
               "AWS::CloudFront::StreamingDistribution"
           ]
       },
       "includeGlobalResourceTypes": false,
       "recordingStrategy": {
           "useOnly": "EXCLUSION_BY_RESOURCE_TYPES"
       }
   }
   ```

   For more information about these fields, see [put-configuration-recorder](http://docs.aws.amazon.com/cli/latest/reference/configservice/put-configuration-recorder.html) in the *AWS CLI Command Reference*.

1. (Optional) To verify that your customer managed configuration recorder has the settings that you want, use the following [describe-configuration-recorders](http://docs.aws.amazon.com/cli/latest/reference/configservice/describe-configuration-recorders.html) command.

   ```
   $ aws configservice describe-configuration-recorders
   ```

   The following is an example response.

   ```
   {
       "ConfigurationRecorders": [
           {
               "name": "default",
               "recordingGroup": {
                   "allSupported": false,
                   "exclusionByResourceTypes": { 
                       "resourceTypes": [
                           "AWS::Redshift::ClusterSnapshot",
                           "AWS::RDS::DBClusterSnapshot",
                           "AWS::CloudFront::StreamingDistribution"
                       ]
                   },
                   "includeGlobalResourceTypes": false,
                   "recordingStrategy": {
                       "useOnly": "EXCLUSION_BY_RESOURCE_TYPES" 
                   },
                   "resourceTypes": []
               },
               "recordingMode": { 
                   "recordingFrequency": CONTINUOUS or DAILY,
                   "recordingModeOverrides": [ 
                    {
                        "description": "Description you provide for the override",
                        "recordingFrequency": CONTINUOUS or DAILY,
                        "resourceTypes": [ Comma-separated list of resource types to include in the override]
                   }
                 ]
               },
               "roleARN": "arn:aws:iam::123456789012:role/config-role"
           }
       ]
   }
   ```

------
#### [ Record specific resource types ]

Set up AWS Config to record configuration changes for only the resource types that you specify.

If you choose to stop recording for a resource type, the configuration items that were already recorded will remain unchanged. For a list of supported resource types, see [Supported Resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html).

1. Use the [put-configuration-recorder](http://docs.aws.amazon.com/cli/latest/reference/configservice/put-configuration-recorder.html) command:

   This command uses the `--configuration-recorder` and `--recording-group` fields.

   ```
   $ aws configservice put-configuration-recorder \
   --configuration-recorder file://configurationRecorder.json \
   --recording-group file://recordingGroup.json
   ```

   **The `configuration-recorder` field**

   The `configurationRecorder.json` file specifies `name` and `roleARN` as well as the default recording frequency for the configuration recorder (`recordingMode`).

   ```
   {
     "name": "default",
     "roleARN": "arn:aws:iam::123456789012:role/config-role",
     "recordingMode": {
       "recordingFrequency": CONTINUOUS or DAILY,
       "recordingModeOverrides": [ 
           { 
               "description": "Description you provide for the override",
               "recordingFrequency": CONTINUOUS or DAILY,
               "resourceTypes": [ Comma-separated list of resource types to include in the override ]
           }
       ]
     }
   }
   ```

   **The `recording-group` field**

   The `recordingGroup.json` file specifies which types of resources AWS Config will record. Pass one or more resource types to record in the `resourceTypes` field, as shown in the following example.

   ```
   {
       "allSupported": false,
       "recordingStrategy": {
           "useOnly": "INCLUSION_BY_RESOURCE_TYPES" 
       },
       "includeGlobalResourceTypes": false,
       "resourceTypes": [
           "AWS::EC2::EIP",
           "AWS::EC2::Instance",
           "AWS::EC2::NetworkAcl",
           "AWS::EC2::SecurityGroup",
           "AWS::CloudTrail::Trail",
           "AWS::EC2::Volume",
           "AWS::EC2::VPC",
           "AWS::IAM::User",
           "AWS::IAM::Policy"
       ]
   }
   ```

   For more information about these fields, see [put-configuration-recorder](http://docs.aws.amazon.com/cli/latest/reference/configservice/put-configuration-recorder.html) in the *AWS CLI Command Reference*.

1. (Optional) To verify that your customer managed configuration recorder has the settings that you want, use the following [describe-configuration-recorders](http://docs.aws.amazon.com/cli/latest/reference/configservice/describe-configuration-recorders.html) command.

   ```
   $ aws configservice describe-configuration-recorders
   ```

   The following is an example response.

   ```
   {
       "ConfigurationRecorders": [
           {
               "name": "default",
               "recordingGroup": {
                   "allSupported": false,
                   "exclusionByResourceTypes": { 
                       "resourceTypes": []
                   },
                   "includeGlobalResourceTypes": false,
                   "recordingStrategy": {
                       "useOnly": "INCLUSION_BY_RESOURCE_TYPES" 
                   },
                   "resourceTypes": [
                       "AWS::EC2::EIP",
                       "AWS::EC2::Instance",
                       "AWS::EC2::NetworkAcl",
                       "AWS::EC2::SecurityGroup",
                       "AWS::CloudTrail::Trail",
                       "AWS::EC2::Volume",
                       "AWS::EC2::VPC",
                       "AWS::IAM::User",
                       "AWS::IAM::Policy"
                   ]
               },
               "recordingMode": { 
                   "recordingFrequency": CONTINUOUS or DAILY,
                   "recordingModeOverrides": [ 
                    {
                        "description": "Description you provide for the override",
                        "recordingFrequency": CONTINUOUS or DAILY,
                        "resourceTypes": [ Comma-separated list of resource types to include in the override]
                   }
                 ]
               },
               "roleARN": "arn:aws:iam::123456789012:role/config-role"
           }
       ]
   }
   ```
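
To act on the verification step above, the following added example (not AWS's own code) reads a `describe-configuration-recorders` response and reports which resource types on a watchlist are not recorded, or are recorded only daily. The watchlist, the function name `audit_recorder`, and the sample response are assumptions; only the two recording strategies shown in this topic are modelled, and Region-specific handling of global resource types is not.

```python
import json

# Constructed sample: trimmed describe-configuration-recorders output in the
# shape of the example responses above (not captured from a real account).
SAMPLE_RESPONSE = json.loads("""
{"ConfigurationRecorders": [{
  "name": "default",
  "recordingGroup": {
    "allSupported": false, "includeGlobalResourceTypes": false,
    "exclusionByResourceTypes": {"resourceTypes": []},
    "recordingStrategy": {"useOnly": "INCLUSION_BY_RESOURCE_TYPES"},
    "resourceTypes": ["AWS::EC2::SecurityGroup", "AWS::CloudTrail::Trail",
                      "AWS::IAM::User", "AWS::IAM::Policy"]},
  "recordingMode": {
    "recordingFrequency": "CONTINUOUS",
    "recordingModeOverrides": [{"description": "constructed override",
      "recordingFrequency": "DAILY", "resourceTypes": ["AWS::IAM::Policy"]}]},
  "roleARN": "arn:aws:iam::123456789012:role/config-role"}]}
""")

# Hypothetical watchlist; replace with the types your own controls depend on.
WATCHLIST = ["AWS::IAM::Role", "AWS::IAM::User", "AWS::IAM::Policy",
             "AWS::EC2::SecurityGroup", "AWS::CloudTrail::Trail"]

def audit_recorder(recorder, watchlist=WATCHLIST):
    """Return (not_recorded, daily_only) watchlist types for one recorder."""
    group = recorder["recordingGroup"]
    strategy = group.get("recordingStrategy", {}).get("useOnly")
    if strategy == "INCLUSION_BY_RESOURCE_TYPES":
        listed = set(group.get("resourceTypes", []))
        recorded = [t for t in watchlist if t in listed]
    elif strategy == "EXCLUSION_BY_RESOURCE_TYPES":
        listed = set(group.get("exclusionByResourceTypes", {}).get("resourceTypes", []))
        recorded = [t for t in watchlist if t not in listed]
    else:
        raise ValueError(f"strategy not modelled in this example: {strategy!r}")
    mode = recorder.get("recordingMode", {})
    # Start from the recorder's default frequency, then apply per-type overrides.
    freq = {t: mode.get("recordingFrequency") for t in recorded}
    for override in mode.get("recordingModeOverrides", []):
        for t in override.get("resourceTypes", []):
            if t in freq:
                freq[t] = override["recordingFrequency"]
    not_recorded = [t for t in watchlist if t not in freq]
    daily_only = [t for t in recorded if freq[t] == "DAILY"]
    return not_recorded, daily_only

if __name__ == "__main__":
    print([audit_recorder(r) for r in SAMPLE_RESPONSE["ConfigurationRecorders"]])
```

To check a live account, load the JSON printed by `aws configservice describe-configuration-recorders` in place of the sample.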

------

# Excluding resources from recording with AWS Config
<a name="select-resources-excluding"></a>

AWS Config allows you to exclude specific types of AWS resources from inventory tracking and compliance monitoring while still tracking all other supported resource types currently available in AWS Config, including those that will be added in the future. You can use this feature to concentrate on critical resources that are subject to your compliance and governance standards.

------
#### [ Excluding resources (Console) ]

If you do not want to record an AWS resource type, use one of the following recording strategies for the AWS Config console:
+ **Record all resource types with customizable overrides**: choose the resource type you want to exclude, and then choose the override "Exclude from recording".
+ **Record specific resource types**.

For more detailed steps, see [Recording resources (Console)](https://docs.aws.amazon.com/config/latest/developerguide/select-resources-console.html).

------
#### [ Excluding resources (AWS CLI) ]

If you do not want to record an AWS resource type, use one of the following recording strategies for the API/CLI:
+ **Record all current and future resource types with exclusions** (`EXCLUSION_BY_RESOURCE_TYPES`)
+ **Record specific resource types** (`INCLUSION_BY_RESOURCE_TYPES`).

For more detailed steps, see [Recording Resources (AWS CLI)](https://docs.aws.amazon.com/config/latest/developerguide/select-resources-cli.html).

------

# Stopping AWS Config from recording with the customer managed configuration recorder
<a name="select-resources-stopping-recording"></a>

You can stop AWS Config from recording with the customer managed configuration recorder at any time. After AWS Config stops recording a resource, it retains the configuration information that was previously captured, and you can continue to access this information.

For steps on how to stop recording, see [Stopping the customer managed configuration recorder](https://docs.aws.amazon.com/config/latest/developerguide/managing-recorder_console-stop.html).