Welcome
AWS Config provides a way to keep track of the configurations of all the AWS resources associated with your AWS account. You can use AWS Config to get the current and historical configurations of each AWS resource and also to get information about the relationship between the resources. An AWS resource can be an Amazon Compute Cloud (Amazon EC2) instance, an Elastic Block Store (EBS) volume, an elastic network Interface (ENI), or a security group. For a complete list of resources currently supported by AWS Config, see Supported AWS resources.
You can access and manage AWS Config through the AWS Management Console, the AWS Command Line Interface (AWS CLI), the AWS Config API, or the AWS SDKs for AWS Config. This reference guide contains documentation for the AWS Config API and the AWS CLI commands that you can use to manage AWS Config. The AWS Config API uses the Signature Version 4 protocol for signing requests. For more information about how to sign a request with this protocol, see Signature Version 4 Signing Process. For detailed information about AWS Config features and their associated actions or commands, as well as how to work with AWS Management Console, see What Is AWS Config in the AWS Config Developer Guide.
Configuration Recorder
Use the following APIs for the AWS Config configuration recorder:
-
DescribeConfigurationRecorders, returns the details for the specified configuration recorders.
-
DescribeConfigurationRecorderStatus, returns the current status of the specified configuration recorder.
-
DeleteConfigurationRecorder, deletes the configuration recorder.
-
PutConfigurationRecorder, creates a new configuration recorder to record configuration changes for specified resource types.
-
StartConfigurationRecorder, starts recording configurations of the AWS resources you have selected to record in your AWS account.
-
StopConfigurationRecorder, stops recording configurations of the AWS resources you have selected to record in your AWS account.
Delivery Channel
Use the following APIs for the AWS Config delivery channel:
-
DeliverConfigSnapshot, schedules delivery of a configuration snapshot to the Amazon S3 bucket in the specified delivery channel.
-
DescribeDeliveryChannels, returns details about the specified delivery channel.
-
DescribeDeliveryChannelStatus, returns the current status of the specified delivery channel.
-
DeleteDeliveryChannel, deletes the delivery channel.
-
PutDeliveryChannel, creates a delivery channel object to deliver configuration information and other compliance notifications to an Amazon S3 bucket and Amazon SNS topic.
Resource Management
Use the following APIs for AWS Config resource management:
-
BatchGetResourceConfig, returns the
BaseConfigurationItem
for one or more requested resources. -
DeleteResourceConfig, records the configuration state for a custom resource that has been deleted.
-
DeleteRetentionConfiguration, deletes the retention configuration.
-
DeliverConfigSnapshot, schedules delivery of a configuration snapshot to the Amazon S3 bucket in the specified delivery channel.
-
DescribeRetentionConfigurations, returns the details of one or more retention configurations.
-
GetDiscoveredResourceCounts, returns the resource types, the number of each resource type, and the total number of resources that AWS Config is recording in this region for your AWS account.
-
GetResourceConfigHistory, returns a list of
ConfigurationItems
for the specified resource. -
ListDiscoveredResources, accepts a resource type and returns a list of resource identifiers for the resources of that type.
-
ListTagsForResource, list the tags for AWS Config resource.
-
PutResourceConfig, records the configuration state for the resource provided in the request.
-
PutRetentionConfiguration, creates and updates the retention configuration with details about retention period (number of days) that AWS Config stores your historical information.
-
TagResource, associates the specified tags to a resource with the specified resourceArn.
-
UntagResource, deletes specified tags from a resource.
AWS Config Rules
Use the following APIs for AWS Config Rules:
-
DeleteConfigRule, deletes the specified AWS Config rule and all of its evaluation results.
-
DeleteEvaluationResults, deletes the evaluation results for the specified AWS Config rule.
-
DeleteOrganizationConfigRule, deletes the specified organization AWS Config rule and all of its evaluation results from all member accounts in that organization.
-
DescribeComplianceByConfigRule, indicates whether the specified AWS Config rules are compliant.
-
DescribeComplianceByResource, indicates whether the specified AWS resources are compliant.
-
DescribeConfigRuleEvaluationStatus, returns status information for each of your AWS Config managed rules.
-
DescribeConfigRules, returns details about your AWS Config rules.
-
DescribeOrganizationConfigRules, returns a list of organization AWS Config rules.
-
DescribeOrganizationConfigRuleStatuses, provides organization AWS Config rule deployment status for an organization.
-
GetComplianceDetailsByConfigRule, returns the evaluation results for the specified AWS Config rule.
-
GetComplianceDetailsByResource, returns the evaluation results for the specified AWS resource.
-
GetComplianceSummaryByConfigRule, returns the number of AWS Config rules that are compliant and noncompliant, up to a maximum of 25 for each.
-
GetComplianceSummaryByResourceType, returns the number of resources that are compliant and the number that are noncompliant.
-
GetCustomRulePolicy, returns the policy definition containing the logic for your AWS Config Custom Policy rule.
-
GetOrganizationConfigRuleDetailedStatus, returns detailed status for each member account within an organization for a given organization AWS Config rule.
-
GetOrganizationCustomRulePolicy, returns the metadata, the rule name, and the policy definition containing the logic for your organization AWS Config Custom Policy rule.
-
GetResourceEvaluationSummary, returns a summary of resource evaluation for the specified resource evaluation ID from the proactive rules that were run.
-
ListResourceEvaluations, returns a list of proactive resource evaluations.
-
PutConfigRule, adds or updates an AWS Config rule for evaluating whether your AWS resources comply with your desired configurations.
-
PutEvaluations, used by an AWS Lambda function to deliver evaluation results to AWS Config.
-
PutOrganizationConfigRule, adds or updates organization AWS Config rule for your entire organization evaluating whether your AWS resources comply with your desired configurations.
-
StartConfigRulesEvaluation, runs an on-demand evaluation for the specified AWS Config rules against the last known configuration state of the resources.
-
StartResourceEvaluation, runs an on-demand evaluation for the specified resource to determine whether the resource details will comply with configured AWS Config rules.
Remediation
Use the following APIs for AWS Config remediation actions:
-
DeleteRemediationConfiguration, deletes the remediation configuration.
-
DeleteRemediationExceptions, deletes one or more remediation exceptions mentioned in the resource keys.
-
DescribeRemediationConfigurations, returns the details of one or more remediation configurations.
-
DescribeRemediationExceptions, returns the details of one or more remediation exceptions.
-
DescribeRemediationExecutionStatus, provides a detailed view of a Remediation Execution for a set of resources including state, timestamps for when steps for the remediation execution occur, and any error messages for steps that have failed.
-
PutRemediationConfigurations, adds or updates the remediation configuration with a specific AWS Config rule with the selected target or action.
-
PutRemediationExceptions, adds a new exception or updates an exisiting exception for a specific resource with a specific AWS Config rule.
-
StartRemediationExecution, runs an on-demand remediation for the specified AWS Config rules against the last known remediation configuration.
Conformance Packs
Use the following APIs for conformance packs:
-
DeleteConformancePack, deletes the specified conformance pack and all the AWS Config rules and all evaluation results within that conformance pack.
-
DeleteOrganizationConformancePack, deletes the specified organization conformance pack and all of the AWS Config rules and remediation actions from all member accounts in that organization.
-
DescribeConformancePackCompliance, returns compliance information for each rule in that conformance pack.
-
DescribeConformancePacks, returns a list of one or more conformance packs.
-
DescribeConformancePackStatus, provides one or more conformance packs deployment status.
-
DescribeOrganizationConformancePacks, returns a list of organization conformance packs.
-
DescribeOrganizationConformancePackStatuses, provides organization conformance pack deployment status for an organization.
-
GetConformancePackComplianceDetails, returns compliance details of a conformance pack for all AWS resources that are monitered by conformance pack.
-
GetConformancePackComplianceSummary, returns compliance information for the conformance pack based on the cumulative compliance results of all the rules in that conformance pack.
-
GetOrganizationConformancePackDetailedStatus, returns detailed status for each member account within an organization for a given organization conformance pack.
-
ListConformancePackComplianceScores, returns a list of conformance pack compliance scores.
-
PutConformancePack, creates or updates a conformance pack.
-
PutOrganizationConformancePack, deploys conformance packs across member accounts in an AWS Organization.
-
PutExternalEvaluation, add or updates the evaluations for process checks.
Aggregators
Use the following APIs for multi-account multi-Region data aggregation:
-
BatchGetAggregateResourceConfig, returns the current configuration items for resources that are present in your AWS Config aggregator.
-
DeleteAggregationAuthorization, deletes the authorization granted to the specified configuration aggregator account in a specified region.
-
DeleteConfigurationAggregator, deletes the specified configuration aggregator and the aggregated data associated with the aggregator.
-
DeletePendingAggregationRequest, deletes pending authorization requests for a specified aggregator account in a specified region.
-
DescribeAggregateComplianceByConfigRules, returns a list of compliant and noncompliant rules with the number of resources for compliant and noncompliant rules.
-
DescribeAggregateComplianceByConformancePacks, returns a list of existing and deleted conformance packs and their associated compliance status with the count of compliant and noncompliant AWS Config rules within each conformance pack.
-
DescribeAggregationAuthorizations, returns a list of authorizations granted to various aggregator accounts and regions.
-
DescribeConfigurationAggregators, returns the details of one or more configuration aggregators. If the configuration aggregator is not specified, this action returns the details for all the configuration aggregators associated with the account.
-
DescribeConfigurationAggregatorSourcesStatus, returns status information for sources within an aggregator. The status includes information about the last time AWS Config verified authorization between the source account and an aggregator account.
-
DescribePendingAggregationRequests, returns a list of all pending aggregation requests.
-
GetAggregateConformancePackComplianceSummary, returns the count of compliant and noncompliant conformance packs across all AWS accounts and AWS Regions in an aggregator.
-
GetAggregateComplianceDetailsByConfigRule, returns the evaluation results for the specified AWS Config rule for a specific resource in a rule. The results indicate which AWS resources were evaluated by the rule, when each resource was last evaluated, and whether each resource complies with the rule.
-
GetAggregateConfigRuleComplianceSummary, returns the number of compliant and noncompliant rules for one or more accounts and regions in an aggregator.
-
GetAggregateDiscoveredResourceCounts, returns the resource counts across accounts and regions that are present in your AWS Config aggregator.
-
GetAggregateResourceConfig, returns configuration item that is aggregated for your specific resource in a specific source account and region.
-
ListAggregateDiscoveredResources, accepts a resource type and returns a list of resource identifiers that are aggregated for a specific resource type across accounts and regions.
-
PutAggregationAuthorization, authorizes the aggregator account and region to collect data from the source account and region.
-
PutConfigurationAggregator, creates and updates the configuration aggregator with the selected source accounts and regions.
Advanced Queries
Use the following APIs for AWS Config:
-
SelectAggregateResourceConfig, accepts a structured query language (SQL) SELECT command and an aggregator to query configuration state of AWS resources across multiple accounts and regions.
-
SelectResourceConfig, accepts a structured query language (SQL) SELECT command, performs the corresponding search, and returns resource configurations matching the properties.
-
PutStoredQuery, saves a new query or updates an existing saved query.
-
GetStoredQuery, returns the details of a specific stored query.
-
ListStoredQueries, lists the stored queries for a single AWS account and a single AWS Region.
-
DeleteStoredQuery, deletes the stored query for a single AWS account and a single AWS Region.
This document was last published on November 22, 2024.