Working with the configuration recorder - AWS Config

The configuration recorder stores the configuration changes to the resource types in scope as configuration items (CIs).

There are two types of configuration recorders.

Customer managed configuration recorder
    A configuration recorder that you manage. The resource types in scope are set by you. By default, a customer managed configuration recorder records all supported resources in the AWS Region where AWS Config is running.

Service-linked configuration recorder
    A configuration recorder that is linked to a specific AWS service. The resource types in scope are set by the linked service.

Considerations for the customer managed configuration recorder

One customer managed configuration recorder per account per Region

You can have only one customer managed configuration recorder for each AWS account for each AWS Region.

Default is to record all supported resource types, excluding the global IAM resource types

The default for a customer managed configuration recorder is to record all supported resource types, excluding the following global IAM resource types: AWS::IAM::Group, AWS::IAM::Policy, AWS::IAM::Role, and AWS::IAM::User. You can specify which resource types you want to include in or exclude from recording.

For more information, see Recording AWS Resources with AWS Config.

You are charged service usage fees for using the customer managed configuration recorder

You are charged service usage fees when AWS Config starts recording configurations with the customer managed configuration recorder.

For pricing information, see AWS Config Pricing.

Use AWS Systems Manager to create a customer managed configuration recorder across an organization

You can use AWS Systems Manager Quick Setup to create a customer managed configuration recorder across multiple organizational units (OUs) and AWS Regions using AWS best practices.

For more information, see Create an AWS Config configuration recorder using Quick Setup in the Systems Manager User Guide.

Important

Policies and compliance results

IAM policies and other policies managed in AWS Organizations can impact whether AWS Config has permissions to record configuration changes for your resources. Additionally, rules directly evaluate the configuration of a resource and rules don't take into account these policies when running evaluations. Make sure that the policies in effect align with how you intend to use AWS Config.

Stale evaluation results for deleted resources can persist if the configuration recorder is turned off

If the customer managed configuration recorder is turned off, AWS Config can no longer track changes to the configuration of the resources you specified, including their deletion. This means you might see stale evaluation results for resources that are deleted while the customer managed configuration recorder is turned off, because AWS Config cannot capture deletion events when recording is not on.

Considerations for service-linked configuration recorders

The AWS Config service-linked role must be used

The AWS Config service-linked role is required for service-linked configuration recorders.

For more information, see Using Service-Linked Roles for AWS Config.

Service-linked configuration recorders are always recording

You cannot stop or start recording for service-linked configuration recorders. To stop recording, you must delete the service-linked configuration recorder.

For more information, see Deleting the Configuration Recorder.

The recording scope determines if you receive configuration items

The recording scope is set by the service that is linked to the configuration recorder and determines whether you receive configuration items (CIs) in the delivery channel. If the recording scope is internal, you will not receive CIs in the delivery channel.

The recording scope determines if you are charged a service fee

The recording scope is set by the service that is linked to the configuration recorder and determines whether the configuration items (CIs) in scope are recorded for free (INTERNAL) or if it impacts the costs of your bill (PAID).

Drift detection for the configuration recorder

The AWS::Config::ConfigurationRecorder resource type is a configuration item (CI) for the configuration recorder that tracks all changes to the state of the configuration recorder. You can use this CI to check whether the state of the configuration recorder differs, or has drifted, from its previous state.

For example, this CI tracks whether there are updates to the resource types that you have enabled AWS Config to track, whether you have stopped or started the configuration recorder, and whether you have deleted or uninstalled the configuration recorder. A drifted configuration recorder indicates that you are not accurately detecting changes to your intended resource types. If your configuration recorder has drifted, this can result in false negative or false positive compliance results.

The AWS::Config::ConfigurationRecorder resource type is a system resource type of AWS Config and recording of this resource type is enabled by default in all supported Regions. Recording for the AWS::Config::ConfigurationRecorder resource type comes with no additional charge.
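The drift check described above, written as an added example (not AWS documentation or service code): it evaluates a customer managed recorder against the resource types you intend to record and flags the two conditions the page calls out, a stopped recorder and resource types that have fallen out of scope (including the global IAM types excluded by default). The input dicts follow the shape returned by boto3's describe_configuration_recorders and describe_configuration_recorder_status, but are constructed inline here so the check runs offline; the scope rules for the exclusion strategy are an assumption noted in the code.

```python
"""Offline drift check for an AWS Config customer managed configuration recorder."""

# Global IAM resource types that a customer managed recorder excludes by default.
GLOBAL_IAM_TYPES = {"AWS::IAM::Group", "AWS::IAM::Policy", "AWS::IAM::Role", "AWS::IAM::User"}


def is_in_scope(recording_group: dict, resource_type: str) -> bool:
    """Return True if resource_type would be recorded under this recordingGroup."""
    if recording_group.get("allSupported"):
        # allSupported covers everything except the global IAM types,
        # which need includeGlobalResourceTypes to be set.
        if resource_type in GLOBAL_IAM_TYPES:
            return bool(recording_group.get("includeGlobalResourceTypes"))
        return True
    strategy = recording_group.get("recordingStrategy", {}).get("useOnly")
    if strategy == "EXCLUSION_BY_RESOURCE_TYPES":
        # Assumption: anything not listed under exclusionByResourceTypes is in scope.
        excluded = recording_group.get("exclusionByResourceTypes", {}).get("resourceTypes", [])
        return resource_type not in set(excluded)
    # Otherwise only the explicitly listed resource types are recorded.
    return resource_type in set(recording_group.get("resourceTypes", []))


def assess_recorder(recorder: dict, status: dict, required_types: set) -> list:
    """Return drift findings; an empty list means the recorder matches intent."""
    findings = []
    if not status.get("recording"):
        # A stopped recorder cannot capture changes or deletions, so evaluations go stale.
        findings.append("recorder is not recording")
    if status.get("lastStatus") == "FAILURE":
        findings.append("last delivery status was FAILURE")
    group = recorder.get("recordingGroup", {})
    for rtype in sorted(required_types):
        if not is_in_scope(group, rtype):
            findings.append(f"required resource type not in scope: {rtype}")
    return findings


# Constructed sample: recorder set to allSupported without global IAM types, and stopped.
SAMPLE_RECORDER = {
    "name": "default",
    "roleARN": "arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
    "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": False, "resourceTypes": []},
}
SAMPLE_STATUS = {"name": "default", "recording": False, "lastStatus": "SUCCESS"}
REQUIRED_TYPES = {"AWS::EC2::SecurityGroup", "AWS::IAM::Role", "AWS::S3::Bucket"}

if __name__ == "__main__":
    for finding in assess_recorder(SAMPLE_RECORDER, SAMPLE_STATUS, REQUIRED_TYPES):
        print(finding)
```

In a live account the two dicts come from describe_configuration_recorders and describe_configuration_recorder_status for the same recorder name; run the check per Region, since each Region has its own recorder.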