

# Working with the configuration recorder
<a name="stop-start-recorder"></a>

The *configuration recorder* stores the configuration changes to the resource types in scope as [configuration items (CIs)](https://docs.aws.amazon.com/config/latest/developerguide/config-item-table.html). 

There are two types of configuration recorders.


| **Type** | **Description** | 
| --- | --- | 
| Customer managed configuration recorder | A configuration recorder that you manage. The resource types in scope are set by you. By default, a customer managed configuration recorder records all supported resources in the AWS Region where AWS Config is running. | 
| Service-linked configuration recorder | A configuration recorder that is linked to a specific AWS service. The resource types in scope are set by the linked service. | 

**Topics**
+ [Considerations for the customer managed configuration recorder](#stop-start-recorder-considerations)
+ [Considerations for service-linked configuration recorders](#stop-start-recorder-considerations-service-linked)
+ [Drift detection for the configuration recorder](#drift-detection)
+ [Starting the customer managed configuration recorder](managing-recorder_console-start.md)
+ [Stopping the customer managed configuration recorder](managing-recorder_console-stop.md)
+ [Changing the recording frequency for the customer managed configuration recorder](managing-recorder_console-change-recording-frequency.md)
+ [Renaming the customer managed configuration recorder](managing-recorder_console-rename.md)
+ [Viewing your configuration recorders](configuration-recorder-view.md)
+ [Deleting your configuration recorders](managing-recorder_console-delete.md)

## Considerations for the customer managed configuration recorder
<a name="stop-start-recorder-considerations"></a>

**One customer managed configuration recorder per account per Region**

You can have only one customer managed configuration recorder for each AWS account for each AWS Region.

**Default is to record all supported resource types, excluding the global IAM resource types**

The default for a customer managed configuration recorder is to record all supported resource types, excluding the following global IAM resource types: `AWS::IAM::Group`, `AWS::IAM::Policy`, `AWS::IAM::Role`, and `AWS::IAM::User`. You can specify which resource types you want to include or exclude from recording.

For more information, see [Recording AWS Resources with AWS Config](select-resources.md).

**You are charged service usage fees for using the customer managed configuration recorder**

You are charged service usage fees when AWS Config starts recording configurations with the customer managed configuration recorder.

For pricing information, see [AWS Config Pricing](https://aws.amazon.com/config/pricing/).



**Use AWS Systems Manager to create a customer managed configuration recorder across an organization**

You can use AWS Systems Manager Quick Setup to create a customer managed configuration recorder across multiple organizational units (OUs) and AWS Regions using AWS best practices.

For more information, see [Create an AWS Config configuration recorder using Quick Setup](https://docs.aws.amazon.com/systems-manager/latest/userguide/quick-setup-config.html) in the *Systems Manager User Guide*.



**Important**  
**Policies and compliance results**  
[IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) and [other policies managed in AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html) can impact whether AWS Config has permissions to record configuration changes for your resources. Additionally, rules directly evaluate the configuration of a resource and rules don't take into account these policies when running evaluations. Make sure that the policies in effect align with how you intend to use AWS Config.  
**Stale evaluation results for deleted resources can persist if the configuration recorder is turned off**  
If the customer managed configuration recorder is turned off, AWS Config can no longer track changes to the configuration of the resources you specified, including their deletions. This means you might see stale evaluation results for resources that are deleted while the customer managed configuration recorder is turned off, because AWS Config cannot capture deletion events if recording is not on.

## Considerations for service-linked configuration recorders
<a name="stop-start-recorder-considerations-service-linked"></a>

**The AWS Config service-linked role must be used**

The AWS Config service-linked role is required for service-linked configuration recorders.

For more information, see [Using Service-Linked Roles for AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/using-service-linked-roles.html).

**Service-linked configuration recorders are always recording**

Service-linked recorders are fixed. You can't directly change the settings in a service-linked recorder. To modify recorder settings such as starting, stopping, or updating the recorder, make these changes through the associated AWS service that uses the service-linked recorder.

For more information, see [Deleting the Configuration Recorder](https://docs.aws.amazon.com/config/latest/developerguide/managing-recorder_console-delete.html).

**The recording scope determines if you receive configuration items**

The recording scope is set by the AWS service that is linked to the configuration recorder and determines whether you receive configuration items (CIs) in the delivery channel. If the recording scope is INTERNAL, you will not receive CIs in the delivery channel.

**The recording scope determines if you are charged a service fee**

The recording scope is set by the AWS service that is linked to the configuration recorder and determines whether the configuration items (CIs) in scope are recorded for free (INTERNAL) or if it impacts the costs of your bill (PAID).

**Recording frequency precedence between recorders**

When you have both a customer managed configuration recorder and a service-linked configuration recorder with a recording scope of 'PAID' that record the same resource types, the recorder with the higher recording frequency takes precedence. For example, if your customer managed recorder is set to daily recording, but you enable an AWS service that uses a service-linked recorder with a recording scope of 'PAID' and continuous recording, the affected resource types will be recorded continuously.

This means that even though your customer managed recorder settings still show "Daily recording," you will be charged for continuous recording for the resource types that are in scope for both recorders. This only affects resource types that are being recorded by both recorders.

**Note**  
You are charged only once per configuration item, regardless of the number of configuration items generated by a customer managed configuration recorder or service-linked configuration recorders that you pay for.

**Example: Recording frequency precedence**  
You have configured your customer managed recorder to record Amazon EC2 instances with daily recording frequency. Later, you enable an AWS service feature that uses a service-linked recorder with a recording scope of 'PAID' and continuous recording that also records Amazon EC2 instances. In this scenario:  
+ Your customer managed recorder settings will still show "Daily recording"
+ Amazon EC2 instances will be recorded continuously and provide additional CIs because the service-linked recorder with a recording scope of 'PAID' has a higher recording frequency
+ You will be charged for continuous recording of Amazon EC2 instances
+ Other resource types that are only recorded by your customer managed recorder will continue to be recorded at the daily recording frequency
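The precedence rule above, worked through in code. This is an added illustration, not AWS code: the customer managed recorder's `recordingMode` uses the same shape as the `put-configuration-recorder` JSON shown later on this page, while the way a service-linked recorder is represented (`servicePrincipal`, `recordingScope`, `recordingFrequency`, `resourceTypes`) and the sample resource-type lists and service principals are constructed for this example.

```python
# Added illustration of the recording-frequency precedence rule; not AWS code.
# The service-linked recorder representation and the sample data are
# assumptions made for this example.

FREQUENCY_RANK = {"DAILY": 1, "CONTINUOUS": 2}  # higher rank = higher frequency


def customer_frequency(recording_mode, resource_type):
    """Frequency the customer managed recorder applies to one resource type.

    A recordingModeOverrides entry that names the type wins over the default
    recordingFrequency, as documented for put-configuration-recorder.
    """
    for override in recording_mode.get("recordingModeOverrides", []):
        if resource_type in override["resourceTypes"]:
            return override["recordingFrequency"]
    return recording_mode["recordingFrequency"]


def effective_frequencies(customer_resource_types, recording_mode, service_linked_recorders):
    """Per resource type, the frequency that is actually recorded and billed.

    Only a service-linked recorder with recordingScope PAID that records the
    same resource type can raise the frequency. INTERNAL recorders are free
    and deliver no CIs, so they never change the result.
    """
    result = {}
    for resource_type in customer_resource_types:
        frequency = customer_frequency(recording_mode, resource_type)
        for recorder in service_linked_recorders:
            if recorder["recordingScope"] != "PAID":
                continue
            if resource_type not in recorder["resourceTypes"]:
                continue
            if FREQUENCY_RANK[recorder["recordingFrequency"]] > FREQUENCY_RANK[frequency]:
                frequency = recorder["recordingFrequency"]
        result[resource_type] = frequency
    return result


def billing_changes(customer_resource_types, recording_mode, service_linked_recorders):
    """Resource types whose billed frequency differs from the customer managed
    recorder's own setting: the console still shows the customer setting, but
    the higher frequency is what is charged."""
    effective = effective_frequencies(customer_resource_types, recording_mode, service_linked_recorders)
    return sorted(
        resource_type
        for resource_type, frequency in effective.items()
        if frequency != customer_frequency(recording_mode, resource_type)
    )


# Constructed sample mirroring the page's example: EC2 instances recorded
# daily by the customer managed recorder, plus a PAID service-linked recorder
# that records EC2 instances continuously and an INTERNAL one that covers
# everything but changes nothing. Service principals here are placeholders.
CUSTOMER_RESOURCE_TYPES = ["AWS::EC2::Instance", "AWS::S3::Bucket"]
CUSTOMER_RECORDING_MODE = {"recordingFrequency": "DAILY", "recordingModeOverrides": []}
SERVICE_LINKED_RECORDERS = [
    {
        "servicePrincipal": "example-paid-service.amazonaws.com",  # placeholder
        "recordingScope": "PAID",
        "recordingFrequency": "CONTINUOUS",
        "resourceTypes": ["AWS::EC2::Instance"],
    },
    {
        "servicePrincipal": "example-internal-service.amazonaws.com",  # placeholder
        "recordingScope": "INTERNAL",
        "recordingFrequency": "CONTINUOUS",
        "resourceTypes": ["AWS::EC2::Instance", "AWS::S3::Bucket"],
    },
]

if __name__ == "__main__":
    effective = effective_frequencies(CUSTOMER_RESOURCE_TYPES, CUSTOMER_RECORDING_MODE, SERVICE_LINKED_RECORDERS)
    for resource_type, frequency in effective.items():
        print(f"{resource_type}: {frequency}")
    print("billed above the customer setting:",
          billing_changes(CUSTOMER_RESOURCE_TYPES, CUSTOMER_RECORDING_MODE, SERVICE_LINKED_RECORDERS))
```

Running it reports `AWS::EC2::Instance: CONTINUOUS` and `AWS::S3::Bucket: DAILY`, which is the page's scenario: EC2 instances are billed at continuous recording even though the customer managed recorder is set to daily, and the S3 buckets that only the customer managed recorder covers stay daily.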

### Supported services
<a name="stop-start-recorder-considerations-service-linked-supported"></a>

Service-linked configuration recorders are supported for the following services:


| **AWS service** | **Service principal** | **Benefits of using with AWS Config** | **Learn more** | 
| --- | --- | --- | --- | 
| Amazon CloudWatch | observabilityadmin.amazonaws.com, telemetry-enablement.observabilityadmin.amazonaws.com | You can use Amazon CloudWatch Observability Admin to discover and understand the state of telemetry configuration in CloudWatch for your AWS Organization or account. | For more information, see [Auditing CloudWatch telemetry configurations](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/telemetry-config-cloudwatch.html) in the CloudWatch User Guide. | 
| AWS Security Hub CSPM | securityhub.amazonaws.com | You can use AWS Security Hub CSPM to centrally manage security findings and perform security assessments across your AWS accounts. The service-linked recorder enables an event-driven approach for obtaining resource configuration items required for exposure analysis coverage. | For more information, see [Enabling Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/security-hub-adv-getting-started-enable.html) in the Security Hub CSPM User Guide. | 

## Drift detection for the configuration recorder
<a name="drift-detection"></a>

The `AWS::Config::ConfigurationRecorder` resource type is a *configuration item* (CI) for the configuration recorder that tracks all changes to the state of the configuration recorder. You can use this CI to check whether the state of the configuration recorder differs, or has *drifted*, from its previous state.

For example, this CI tracks whether there are updates to the resource types that you have enabled AWS Config to track, whether you have stopped or started the configuration recorder, and whether you have deleted or uninstalled the configuration recorder. A drifted configuration recorder indicates that you are not accurately detecting changes to your intended resource types. If your configuration recorder has drifted, this can result in false negative or false positive compliance results.

The `AWS::Config::ConfigurationRecorder` resource type is a system resource type of AWS Config and recording of this resource type is enabled by default in all supported Regions. Recording for the `AWS::Config::ConfigurationRecorder` resource type comes with no additional charge.

# Starting the customer managed configuration recorder
<a name="managing-recorder_console-start"></a>

You can use the AWS Config console or the AWS CLI to start the customer managed configuration recorder.

------
#### [ To start the customer managed configuration recorder (Console) ]

1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/home](https://console.aws.amazon.com/config/home).

1. Choose **Settings** in the navigation pane.

1. On the **Customer managed recorder** tab, choose **Start recording**. When prompted, choose **Confirm**.

------
#### [ To start the customer managed configuration recorder (CLI) ]

Use the [http://docs.aws.amazon.com/cli/latest/reference/configservice/start-configuration-recorder.html](http://docs.aws.amazon.com/cli/latest/reference/configservice/start-configuration-recorder.html) command:

```
$ aws configservice start-configuration-recorder --configuration-recorder-name configRecorderName
```

------

# Stopping the customer managed configuration recorder
<a name="managing-recorder_console-stop"></a>

**Note**  
**Service-linked configuration recorders are always recording**  
You cannot stop a service-linked configuration recorder because service-linked configuration recorders are always recording. To stop recording, you must delete the service-linked configuration recorder. For more information, see [Deleting the Configuration Recorder](https://docs.aws.amazon.com/config/latest/developerguide/managing-recorder_console-delete.html).

You can use the AWS Config console or the AWS CLI to stop the customer managed configuration recorder.

------
#### [ To stop the customer managed configuration recorder (Console) ]

1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/home](https://console.aws.amazon.com/config/home).

1. Choose **Settings** in the navigation pane.

1. On the **Customer managed recorder** tab, choose **Stop recording**. When prompted, choose **Confirm**.

------
#### [ To stop the customer managed configuration recorder (CLI) ]

Use the [http://docs.aws.amazon.com/cli/latest/reference/configservice/stop-configuration-recorder.html](http://docs.aws.amazon.com/cli/latest/reference/configservice/stop-configuration-recorder.html) command:

```
$ aws configservice stop-configuration-recorder --configuration-recorder-name configRecorderName
```

------

# Changing the recording frequency for the customer managed configuration recorder
<a name="managing-recorder_console-change-recording-frequency"></a>

AWS Config supports continuous recording and daily recording:
+ *Continuous recording* allows you to record configuration changes continuously whenever a change occurs.
+ *Daily recording* allows you to receive a configuration item (CI) representing the most recent state of your resources over the last 24-hour period, only if it’s different from the previous CI recorded. For more information see, [Recording Frequency](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html#select-resources-recording-frequency).

You can use the AWS Config console or the AWS CLI to change the recording frequency.

------
#### [ To change the recording frequency for the customer managed configuration recorder (Console) ]

1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/home](https://console.aws.amazon.com/config/home).

1. Choose **Settings** in the navigation pane.

1. On the **Customer managed recorder** tab, choose **Start recording**.

1. For **Recording method managed recorder**, choose **All resource types with customizable overrides**.

1. For **Default settings**, choose a recording frequency.

1. Choose **Save**.

------
#### [ To change the recording frequency (CLI) ]

Use the [http://docs.aws.amazon.com/cli/latest/reference/configservice/put-configuration-recorder.html](http://docs.aws.amazon.com/cli/latest/reference/configservice/put-configuration-recorder.html) command to change the recording frequency for the configuration recorder:

```
$ aws configservice put-configuration-recorder \
--configuration-recorder file://configurationRecorder.json
```

The `configurationRecorder.json` file specifies `name` and `roleARN` as well as the default recording frequency for the configuration recorder (`recordingMode`). You can also use this field to override the recording frequency for specific resource types.

```
{
  "name": "default",
  "roleARN": "arn:aws:iam::123456789012:role/config-role",
  "recordingMode": {
    "recordingFrequency": CONTINUOUS or DAILY,
    "recordingModeOverrides": [ 
        { 
            "description": "Description you provide for the override",
            "recordingFrequency": CONTINUOUS or DAILY,
            "resourceTypes": [ Comma-separated list of resource types to include in the override ]
        }
    ]
  }
}
```

[http://docs.aws.amazon.com/cli/latest/reference/configservice/put-configuration-recorder.html](http://docs.aws.amazon.com/cli/latest/reference/configservice/put-configuration-recorder.html) uses the following fields for the `--configuration-recorder` parameter:
+ `name` – The name of the configuration recorder. AWS Config automatically assigns the name of "default" when creating the configuration recorder.
+ `roleARN` – Amazon Resource Name (ARN) of the IAM role assumed by AWS Config and used by the configuration recorder.
+ `recordingMode` – Specifies the default recording frequency that AWS Config uses to record configuration changes. AWS Config supports *Continuous recording* and *Daily recording*. Continuous recording allows you to record configuration changes continuously whenever a change occurs. Daily recording allows you to receive a configuration item (CI) representing the most recent state of your resources over the last 24-hour period, only if it’s different from the previous CI recorded.
  + `recordingFrequency` – The default recording frequency that AWS Config uses to record configuration changes.
**Note**  
AWS Firewall Manager depends on continuous recording to monitor your resources. If you are using Firewall Manager, it is recommended that you set the recording frequency to Continuous.
  + `recordingModeOverrides` – This field allows you to specify your overrides for the recording mode. It is an array of `recordingModeOverride` objects. Each `recordingModeOverride` object in the `recordingModeOverrides` array consists of three fields:
    + `description` – A description that you provide for the override.
    + `recordingFrequency` – The recording frequency that will be applied to all the resource types specified in the override.
    + `resourceTypes` – A comma-separated list that specifies which resource types AWS Config includes in the override.

**Note**  
**Required and optional fields**  
The `recordingMode` field for [http://docs.aws.amazon.com/cli/latest/reference/configservice/put-configuration-recorder.html](http://docs.aws.amazon.com/cli/latest/reference/configservice/put-configuration-recorder.html) is optional. By default, the recording frequency for the configuration recorder is set to Continuous recording.

**Note**  
**Limits**  
Daily recording is not supported for the following resource types:  
`AWS::Config::ResourceCompliance`
`AWS::Config::ConformancePackCompliance`
`AWS::Config::ConfigurationRecorder`
For the **Record all current and future supported resource types** (`ALL_SUPPORTED_RESOURCE_TYPES`) recording strategy, these resource types will be set to Continuous recording.
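A helper that produces the `configurationRecorder.json` file described above from a default frequency and a list of overrides, enforcing the limits in the notes. This is an added example, not AWS code: the field names follow the JSON on this page; the checks are local validation written for this example (the refusal of `DAILY` for the three `AWS::Config` types comes from the limit above, and the rejection of a resource type named in more than one override is this example's own rule to keep the file unambiguous). When the default is `DAILY`, it adds an explicit `CONTINUOUS` override for the daily-unsupported types that no other override covers, which makes the behaviour the page describes for the all-supported strategy visible in the file; that the API accepts them stated explicitly is an assumption.

```python
import json

# Added helper for the put-configuration-recorder JSON; not AWS code.
# Field names follow the page's example; the validation rules are local to
# this example as described in its lead-in.

VALID_FREQUENCIES = frozenset({"CONTINUOUS", "DAILY"})

# Resource types that do not support daily recording (from this page).
DAILY_UNSUPPORTED = frozenset({
    "AWS::Config::ResourceCompliance",
    "AWS::Config::ConformancePackCompliance",
    "AWS::Config::ConfigurationRecorder",
})


def override_problems(frequency, resource_types, already_covered=frozenset()):
    """Return a list of problems with one override; an empty list means valid."""
    problems = []
    if frequency not in VALID_FREQUENCIES:
        problems.append(f"recordingFrequency must be one of {sorted(VALID_FREQUENCIES)}, got {frequency!r}")
    elif frequency == "DAILY":
        unsupported = DAILY_UNSUPPORTED.intersection(resource_types)
        if unsupported:
            problems.append(f"daily recording is not supported for {sorted(unsupported)}")
    duplicates = set(already_covered).intersection(resource_types)
    if duplicates:  # example's own rule: one override per resource type
        problems.append(f"resource types listed in more than one override: {sorted(duplicates)}")
    return problems


def build_recorder_config(name, role_arn, default_frequency, overrides=()):
    """Return the dict written to configurationRecorder.json.

    overrides is an iterable of (description, frequency, resource_types).
    """
    if default_frequency not in VALID_FREQUENCIES:
        raise ValueError(f"default recordingFrequency must be one of {sorted(VALID_FREQUENCIES)}")

    mode_overrides = []
    covered = set()
    for description, frequency, resource_types in overrides:
        types = list(resource_types)
        problems = override_problems(frequency, types, covered)
        if problems:
            raise ValueError("; ".join(problems))
        covered.update(types)
        mode_overrides.append({
            "description": description,
            "recordingFrequency": frequency,
            "resourceTypes": types,
        })

    if default_frequency == "DAILY":
        # Keep the daily-unsupported types on continuous recording explicitly
        # (assumption: stating this override is accepted by the API).
        remaining = sorted(DAILY_UNSUPPORTED - covered)
        if remaining:
            mode_overrides.append({
                "description": "Resource types that do not support daily recording",
                "recordingFrequency": "CONTINUOUS",
                "resourceTypes": remaining,
            })

    return {
        "name": name,
        "roleARN": role_arn,
        "recordingMode": {
            "recordingFrequency": default_frequency,
            "recordingModeOverrides": mode_overrides,
        },
    }


def write_recorder_config(path, config):
    """Write the config as the file passed via --configuration-recorder file://<path>."""
    with open(path, "w", encoding="utf-8") as handle:
        json.dump(config, handle, indent=2)


if __name__ == "__main__":
    # Constructed example: daily recording by default, but security group
    # changes recorded as they happen. The role ARN is the page's sample value.
    config = build_recorder_config(
        "default",
        "arn:aws:iam::123456789012:role/config-role",
        "DAILY",
        overrides=[("Security group changes recorded as they occur", "CONTINUOUS", ["AWS::EC2::SecurityGroup"])],
    )
    print(json.dumps(config, indent=2))
```

Pass the resulting file to `aws configservice put-configuration-recorder --configuration-recorder file://configurationRecorder.json` as shown above.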

------

# Renaming the customer managed configuration recorder
<a name="managing-recorder_console-rename"></a>

You must use the AWS CLI to rename the customer managed configuration recorder. To change the name of the customer managed configuration recorder, you must delete it and create a new configuration recorder with your specified name. 

**Renaming the customer managed configuration recorder using the AWS CLI**

1. Use the [http://docs.aws.amazon.com/cli/latest/reference/configservice/describe-configuration-recorders.html](http://docs.aws.amazon.com/cli/latest/reference/configservice/describe-configuration-recorders.html) command to look up the name of your current customer managed configuration recorder:

   ```
   $ aws configservice describe-configuration-recorders
   {
       "ConfigurationRecorders": [
           {
               "roleARN": "arn:aws:iam::012345678912:role/myConfigRole",
               "name": "default"
           }
       ]
   }
   ```

1. Use the [http://docs.aws.amazon.com/cli/latest/reference/configservice/delete-configuration-recorder.html](http://docs.aws.amazon.com/cli/latest/reference/configservice/delete-configuration-recorder.html) command to delete your current customer managed configuration recorder:

   ```
   $ aws configservice delete-configuration-recorder --configuration-recorder-name default
   ```

1. Use the [http://docs.aws.amazon.com/cli/latest/reference/configservice/put-configuration-recorder.html](http://docs.aws.amazon.com/cli/latest/reference/configservice/put-configuration-recorder.html) command to create a customer managed configuration recorder with the new name:

   ```
   $ aws configservice put-configuration-recorder --configuration-recorder name=configRecorderName,roleARN=arn:aws:iam::012345678912:role/myConfigRole
   ```

1. Use the [http://docs.aws.amazon.com/cli/latest/reference/configservice/start-configuration-recorder.html](http://docs.aws.amazon.com/cli/latest/reference/configservice/start-configuration-recorder.html) command to resume recording:

   ```
   $ aws configservice start-configuration-recorder --configuration-recorder-name configRecorderName
   ```

# Viewing your configuration recorders
<a name="configuration-recorder-view"></a>

You can use the AWS Config console or the AWS CLI to view details about your configuration recorders.

------
#### [ To view your configuration recorders (Console) ]

1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/home](https://console.aws.amazon.com/config/home).

1. Choose **Settings** in the navigation pane.

1. For the customer managed configuration recorder, you can view details on the **Customer managed recorder** tab.

1. For service-linked configuration recorders, choose a service-linked configuration recorder on the **Service-linked recorders** tab, and then choose **View**.

------
#### [ To view your configuration recorders (CLI) ]

Use the [http://docs.aws.amazon.com/cli/latest/reference/configservice/describe-configuration-recorders.html](http://docs.aws.amazon.com/cli/latest/reference/configservice/describe-configuration-recorders.html) command to view details about your configuration recorders:

```
$ aws configservice describe-configuration-recorders
{
    "ConfigurationRecorders": [
        {
            "roleARN": "arn:aws:iam::012345678912:role/myConfigRole",
            "name": "default"
        }
    ]
}
```

Use the [http://docs.aws.amazon.com/cli/latest/reference/configservice/describe-configuration-recorder-status.html](http://docs.aws.amazon.com/cli/latest/reference/configservice/describe-configuration-recorder-status.html) command to view the current status of your configuration recorders:

```
$ aws configservice describe-configuration-recorder-status
{
    "ConfigurationRecordersStatus": [
        {
            "name": "default",
            "lastStatus": "SUCCESS",
            "lastStopTime": 1414511624.914,
            "lastStartTime": 1414708460.276,
            "recording": true,
            "lastStatusChangeTime": 1414816537.148,
            "lastErrorMessage": "NA",
            "lastErrorCode": "400"
        }
    ]
}
```

For both of these commands, you can use the `arn` and `configuration-recorder-names` fields to specify a list of configuration recorders. For service-linked configuration recorders, you can use the `service-principal` field to specify a configuration recorder.

If you do not specify a configuration recorder, these commands return the details of all configuration recorders associated with the account.
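The two command outputs above are what a drift check for the configuration recorder (see "Drift detection for the configuration recorder") works from: compare the recorders that exist and their status with the recorder you intend to have, and flag a missing or renamed recorder, a changed role, or a recorder that has been stopped. The following is an added example, not AWS code; the two JSON documents are constructed from the samples on this page, and in practice you would feed in the captured output of `describe-configuration-recorders` and `describe-configuration-recorder-status`.

```python
import json
from datetime import datetime, timezone

# Added drift check over describe-configuration-recorders and
# describe-configuration-recorder-status output; not AWS code. The sample
# documents below are constructed from the page's examples.

RECORDERS_OUTPUT = """
{
    "ConfigurationRecorders": [
        {
            "roleARN": "arn:aws:iam::012345678912:role/myConfigRole",
            "name": "default"
        }
    ]
}
"""

STATUS_OUTPUT = """
{
    "ConfigurationRecordersStatus": [
        {
            "name": "default",
            "lastStatus": "SUCCESS",
            "lastStopTime": 1414511624.914,
            "lastStartTime": 1414708460.276,
            "recording": true,
            "lastStatusChangeTime": 1414816537.148,
            "lastErrorMessage": "NA",
            "lastErrorCode": "400"
        }
    ]
}
"""


def _when(epoch_seconds):
    """Render the epoch timestamps in the status output as UTC text."""
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def recorder_findings(recorders_output, status_output, expected):
    """Compare live recorder state with the recorders you expect.

    expected maps recorder name -> roleARN. Returns a list of findings;
    an empty list means no drift was detected.
    """
    recorders = {r["name"]: r for r in json.loads(recorders_output)["ConfigurationRecorders"]}
    statuses = {s["name"]: s for s in json.loads(status_output)["ConfigurationRecordersStatus"]}
    findings = []

    for name, role_arn in expected.items():
        recorder = recorders.get(name)
        if recorder is None:
            findings.append(f"{name}: recorder not found (deleted or renamed)")
            continue
        if recorder["roleARN"] != role_arn:
            findings.append(f"{name}: roleARN is {recorder['roleARN']}, expected {role_arn}")
        status = statuses.get(name)
        if status is None:
            findings.append(f"{name}: no status reported")
        elif not status["recording"]:
            # lastStopTime is only present once the recorder has been stopped
            stopped = status.get("lastStopTime")
            suffix = f" at {_when(stopped)}" if stopped else ""
            findings.append(f"{name}: recording stopped{suffix}")
        elif status["lastStatus"] != "SUCCESS":
            # lastErrorCode/lastErrorMessage describe the most recent failure
            findings.append(f"{name}: last status {status['lastStatus']} "
                            f"({status['lastErrorCode']}: {status['lastErrorMessage']})")

    for name in recorders:
        if name not in expected:
            findings.append(f"{name}: recorder not in the expected set")
    return findings


if __name__ == "__main__":
    expected_recorders = {"default": "arn:aws:iam::012345678912:role/myConfigRole"}
    for finding in recorder_findings(RECORDERS_OUTPUT, STATUS_OUTPUT, expected_recorders) or ["no drift detected"]:
        print(finding)
```

With the page's sample output and `default` expected with the sample role, the check reports no drift; flipping `recording` to `false` or expecting a recorder that is absent produces a finding, which is the signal you would route to whoever owns the recorder so that compliance results are not silently based on stale data.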

------

# Deleting your configuration recorders
<a name="managing-recorder_console-delete"></a>

You must use the AWS CLI to delete the customer managed configuration recorder. You can use AWS Config console or the AWS CLI to delete a service-linked configuration recorder.

------
#### [ To delete the customer managed configuration recorder (CLI) ]

Use the [http://docs.aws.amazon.com/cli/latest/reference/configservice/delete-configuration-recorder.html](http://docs.aws.amazon.com/cli/latest/reference/configservice/delete-configuration-recorder.html) command:

```
$ aws configservice delete-configuration-recorder --configuration-recorder-name default
```

------
#### [ To delete a service-linked configuration recorder (Console) ]

1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/home](https://console.aws.amazon.com/config/home).

1. Choose **Settings** in the navigation pane.

1. On the **Service-linked recorders** tab, choose a service-linked configuration recorder, and then choose **Delete**. When prompted, choose **Delete**.

------
#### [ To delete a service-linked configuration recorder (CLI) ]

Use the [https://docs.aws.amazon.com/cli/latest/reference/configservice/delete-service-linked-configuration-recorder.html](https://docs.aws.amazon.com/cli/latest/reference/configservice/delete-service-linked-configuration-recorder.html) command. This command takes the `--service-principal` parameter, which identifies the AWS service that the configuration recorder is linked to:

```
$ aws configservice delete-service-linked-configuration-recorder --service-principal "The service principal of the AWS service for the service-linked configuration recorder that you want to delete"
```

------