ConfigurationRecorder - AWS Config


Records configuration changes to your specified resource types. For more information about the configuration recorder, see Managing the Configuration Recorder in the AWS Config Developer Guide.



The name of the configuration recorder. AWS Config automatically assigns the name of "default" when creating the configuration recorder.


You cannot change the name of the configuration recorder after it has been created. To change the configuration recorder name, you must delete it and create a new configuration recorder with a new name.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Required: No


Specifies which resource types AWS Config records for configuration changes.


High Number of AWS Config Evaluations

You may notice increased activity in your account during your initial month recording with AWS Config when compared to subsequent months. During the initial bootstrapping process, AWS Config runs evaluations on all the resources in your account that you have selected for AWS Config to record.

If you are running ephemeral workloads, you may see increased activity from AWS Config as it records configuration changes associated with creating and deleting these temporary resources. An ephemeral workload is a temporary use of computing resources that are loaded and run when needed. Examples include Amazon Elastic Compute Cloud (Amazon EC2) Spot Instances, Amazon EMR jobs, and AWS Auto Scaling. If you want to avoid the increased activity from running ephemeral workloads, you can set up the configuration recorder to exclude these resource types from being recorded, or run these types of workloads in a separate account with AWS Config turned off to avoid increased configuration recording and rule evaluations.

Type: RecordingGroup object

Required: No


Specifies the default recording frequency that AWS Config uses to record configuration changes. AWS Config supports Continuous recording and Daily recording.

  • Continuous recording allows you to record configuration changes continuously whenever a change occurs.

  • Daily recording allows you to receive a configuration item (CI) representing the most recent state of your resources over the last 24-hour period, only if it’s different from the previous CI recorded.


AWS Firewall Manager depends on continuous recording to monitor your resources. If you are using Firewall Manager, it is recommended that you set the recording frequency to Continuous.

You can also override the recording frequency for specific resource types.

Type: RecordingMode object

Required: No


Amazon Resource Name (ARN) of the IAM role assumed by AWS Config and used by the configuration recorder.


While the API model does not require this field, the server will reject a request without a defined roleARN for the configuration recorder.


Authorization Policies for AWS Can Prevent Access

If you use a pre-existing IAM role, make sure there is not an authorization policy for AWS Organizations which prevents AWS Config from having permission to record your resources. For more information on authorization policies for AWS Organizations, see Managing policies in AWS Organizations in the AWS Organizations User Guide.

Keep Minimum Permissions When Reusing an IAM Role

If you use an AWS service that uses AWS Config, such as AWS Security Hub or AWS Control Tower, and an IAM role has already been created, make sure that the IAM role that you use when setting up AWS Config keeps the same minimum permissions as the pre-existing IAM role. You must do this to ensure that the other AWS service continues to run as expected.

For example, if AWS Control Tower has an IAM role that allows AWS Config to read S3 objects, make sure that the same permissions are granted to the IAM role you use when setting up AWS Config. Otherwise, it may interfere with how AWS Control Tower operates.

Type: String

Required: No
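The constraints described above can be checked before a recorder definition is submitted or when reviewing an existing one. The following is an added example, not part of the AWS documentation: `audit_recorder`, `SAMPLE` and the ARN pattern are hypothetical, the dictionary uses the API's JSON keys (`name`, `roleARN`, `recordingGroup`, `recordingMode`), and the check on Daily overrides goes slightly beyond the Firewall Manager recommendation, which only addresses the default frequency.

```python
import re

# Loose shape check only (assumption, not an AWS-published pattern).
ROLE_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/.+$")

def audit_recorder(rec, uses_firewall_manager=False):
    """Return review findings for one ConfigurationRecorder dict."""
    findings = []
    name = rec.get("name", "default")  # AWS Config assigns "default" itself
    if not 1 <= len(name) <= 256:
        findings.append("name: length must be between 1 and 256")
    role = rec.get("roleARN")
    if not role:
        findings.append("roleARN: missing, the server rejects the request")
    elif not ROLE_ARN.match(role):
        findings.append("roleARN: does not look like an IAM role ARN")
    mode = rec.get("recordingMode", {})
    if uses_firewall_manager:
        if mode.get("recordingFrequency") == "DAILY":
            findings.append("recordingMode: DAILY default, Firewall Manager depends on CONTINUOUS")
        for override in mode.get("recordingModeOverrides", []):
            if override.get("recordingFrequency") == "DAILY":
                types = ", ".join(sorted(override.get("resourceTypes", [])))
                findings.append(f"recordingMode: DAILY override for {types}")
    group = rec.get("recordingGroup", {})
    excluded = group.get("exclusionByResourceTypes", {}).get("resourceTypes", [])
    if excluded:  # excluded types produce no configuration items at all
        findings.append("recordingGroup: not recorded: " + ", ".join(sorted(excluded)))
    return findings

# Constructed sample: roleARN left out, one excluded type, one Daily override.
SAMPLE = {
    "name": "default",
    "recordingGroup": {
        "allSupported": False,
        "recordingStrategy": {"useOnly": "EXCLUSION_BY_RESOURCE_TYPES"},
        "exclusionByResourceTypes": {"resourceTypes": ["AWS::EC2::Instance"]},
    },
    "recordingMode": {
        "recordingFrequency": "CONTINUOUS",
        "recordingModeOverrides": [{
            "description": "constructed override",
            "resourceTypes": ["AWS::EC2::SecurityGroup"],
            "recordingFrequency": "DAILY",
        }],
    },
}

if __name__ == "__main__":
    for finding in audit_recorder(SAMPLE, uses_firewall_manager=True):
        print(finding)
```

The exclusion finding is informational: excluding ephemeral resource types reduces activity as described above, but it also means those resources have no recorded configuration history to review later.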
