AWS Config provides a way to keep track of the configurations of all the AWS resources associated with your AWS account. You can use AWS Config to get the current and historical configurations of each AWS resource and also to get information about the relationship between the resources. An AWS resource can be an Amazon Compute Cloud (Amazon EC2) instance, an Elastic Block Store (EBS) volume, an elastic network Interface (ENI), or a security group. For a complete list of resources currently supported by AWS Config, see Supported AWS Resources.
You can access and manage AWS Config through the AWS Management Console, the AWS Command Line Interface (AWS CLI), the AWS Config API, or the AWS SDKs for AWS Config. This reference guide contains documentation for the AWS Config API and the AWS CLI commands that you can use to manage AWS Config. The AWS Config API uses the Signature Version 4 protocol for signing requests. For more information about how to sign a request with this protocol, see Signature Version 4 Signing Process. For detailed information about AWS Config features and their associated actions or commands, as well as how to work with AWS Management Console, see What Is AWS Config in the AWS Config Developer Guide.
A collection of accounts and regions.
Indicates whether an AWS Config rule is compliant based on account ID, region, compliance, and rule name.
A rule is compliant if all of the resources that the rule evaluated comply with it. It is noncompliant if any of these resources do not comply.
Returns the number of compliant and noncompliant rules for one or more accounts and regions in an aggregator.
The details of an AWS Config evaluation for an account ID and region in an aggregator. Provides the AWS resource that was evaluated, the compliance of the resource, related time stamps, and supplementary information.
The details that identify a resource that is collected by AWS Config aggregator, including the resource type, ID, (if available) the custom resource name, the source account, and source region.
The current sync status between the source and the aggregator account.
An object that represents the authorizations granted to aggregator accounts and regions.
The detailed configuration of a specified resource.
Indicates whether an AWS resource or AWS Config rule is compliant and provides the number of contributors that affect the compliance.
Indicates whether an AWS Config rule is compliant. A rule is compliant if all of the resources that the rule evaluated comply with it. A rule is noncompliant if any of these resources do not comply.
Indicates whether an AWS resource that is evaluated according to one or more AWS Config rules is compliant. A resource is compliant if it complies with all of the rules that evaluate it. A resource is noncompliant if it does not comply with one or more of these rules.
The number of AWS resources or AWS Config rules responsible for the current compliance of the item, up to a maximum number.
The number of AWS Config rules or AWS resources that are compliant and noncompliant.
The number of AWS resources of a specific type that are compliant or noncompliant, up to a maximum of 100 for each.
Provides status of the delivery of the snapshot or the configuration history to the specified Amazon S3 bucket. Also provides the status of notifications about the Amazon S3 delivery to the specified Amazon SNS topic.
An AWS Config rule represents an AWS Lambda function that you create for a custom rule or a predefined function for an AWS managed rule. The function evaluates configuration items to assess whether your AWS resources comply with your desired configurations. This function can run when AWS Config detects a configuration change to an AWS resource and at a periodic frequency that you choose (for example, every 24 hours).
You can use the AWS CLI and AWS SDKs if you want to create a rule that triggers evaluations for your resources when AWS Config delivers the configuration snapshot. For more information, see ConfigSnapshotDeliveryProperties.
For more information about developing and using AWS Config rules, see Evaluating AWS Resource Configurations with AWS Config in the AWS Config Developer Guide.
Filters the compliance results based on account ID, region, compliance type, and rule name.
Filters the results based on the account IDs and regions.
Status information for your AWS managed Config rules. The status includes information such as the last time the rule ran, the last time it failed, and the related error for the last failure.
This action does not return status information about custom AWS Config rules.
A client for the Config Service API.
Provides options for how often AWS Config delivers configuration snapshots to the Amazon S3 bucket in your delivery channel.
The frequency for a rule that triggers evaluations for your resources when AWS Config delivers the configuration snapshot is set by one of two values, depending on which is less frequent:
You should set the
To update the
A list that contains the status of the delivery of the configuration stream notification to the Amazon SNS topic.
The details about the configuration aggregator, including information about source accounts, regions, and metadata of the aggregator.
A list that contains detailed configurations of a specified resource.
An object that represents the recording of configuration changes of an AWS resource.
The current status of the configuration recorder.
The request object for the
The input for the DeleteDeliveryChannel action. The action accepts the following data, in JSON format.
The output when you delete the evaluation results for the specified AWS Config rule.
The input for the DeliverConfigSnapshot action.
The output for the DeliverConfigSnapshot action, in JSON format.
The channel through which AWS Config delivers notifications and updated configuration states.
The status of a specified delivery channel.
The input for the DescribeConfigurationRecorderStatus action.
The output for the DescribeConfigurationRecorderStatus action, in JSON format.
The input for the DescribeConfigurationRecorders action.
The output for the DescribeConfigurationRecorders action.
The input for the DeliveryChannelStatus action.
The output for the DescribeDeliveryChannelStatus action.
The input for the DescribeDeliveryChannels action.
The output for the DescribeDeliveryChannels action.
Identifies an AWS resource and indicates whether it complies with the AWS Config rule that it was evaluated against.
The details of an AWS Config evaluation. Provides the AWS resource that was evaluated, the compliance of the resource, related time stamps, and supplementary information.
Uniquely identifies an evaluation result.
Identifies an AWS Config rule that evaluated an AWS resource, and provides the type and ID of the resource that the rule evaluated.
List of each of the failed remediations with specific reasons.
Details about the fields such as name of the field.
The input for the GetResourceConfigHistory action.
The output for the GetResourceConfigHistory action.
The count of resources that are grouped by the group name.
This object contains regions to set up the aggregator and an IAM role to retrieve organization details.
An object that represents the account ID and region of an aggregator account that is requesting authorization but is not yet authorized.
The input for the PutConfigurationRecorder action.
The input for the PutDeliveryChannel action.
Details about the query.
Specifies the types of AWS resource for which AWS Config records configuration changes.
In the recording group, you specify whether all supported types or specific types of resources are recorded.
By default, AWS Config records configuration changes for all supported types of regional resources that AWS Config discovers in the region in which it is running. Regional resources are tied to a region and can be used only in that region. Examples of regional resources are EC2 instances and EBS volumes.
You can also have AWS Config record configuration changes for supported types of global resources (for example, IAM resources). Global resources are not tied to an individual region and can be used in all regions.
The configuration details for any global resource are the same in all regions. If you customize AWS Config in multiple regions to record global resources, it will create multiple configuration items each time a global resource changes: one configuration item for each region. These configuration items will contain identical data. To prevent duplicate configuration items, you should consider customizing AWS Config in only one region to record global resources, unless you want the configuration items to be available in multiple regions.
If you don't want AWS Config to record all resources, you can specify which types of resources it will record with the
For a list of supported resource types, see Supported Resource Types.
For more information, see Selecting Which Resources AWS Config Records.
The relationship of the related resource to the main resource.
An object that represents the details about the remediation configuration that includes the remediation action, parameters, and data to execute the action.
Provides details of the current status of the invoked remediation action for that resource.
Name of the step from the SSM document.
The value is either a dynamic (resource) value or a static value. You must select either a dynamic value or a static value.
An object that contains the resource type and the number of resources.
Filters the resource count based on account ID, region, and resource type.
Filters the results by resource account ID, region, resource ID, and resource name.
The details that identify a resource that is discovered by AWS Config, including the resource type, ID, and (if available) the custom resource name.
The details that identify a resource within AWS Config, including the resource type and resource ID.
The dynamic value of the resource.
An object with the name of the retention configuration and the retention period in days. The object stores the configuration for data retention in AWS Config.
Defines which resources trigger an evaluation for an AWS Config rule. The scope can include one or more resource types, a combination of a tag key and value, or a combination of one resource type and one resource ID. Specify a scope to constrain which resources trigger an evaluation for a rule. Otherwise, evaluations for the rule are triggered when any resource in your recording group changes in configuration.
Provides the AWS Config rule owner (AWS or customer), the rule identifier, and the events that trigger the evaluation of your AWS resources.
Provides the source and the message types that trigger AWS Config to evaluate your AWS resources against a rule. It also provides the frequency with which you want AWS Config to run evaluations for the rule if the trigger type is periodic. You can specify the parameter values for
The output when you start the evaluation for the specified AWS Config rule.
The input for the StartConfigurationRecorder action.
The static value of the resource.
The input for the StopConfigurationRecorder action.
The tags for the resource. The metadata that you apply to a resource to help you categorize and organize them. Each tag consists of a key and an optional value, both of which you define. Tag keys can have a maximum character length of 128 characters, and tag values can have a maximum length of 256 characters.
Errors returned by BatchGetAggregateResourceConfig
Errors returned by BatchGetResourceConfig
Errors returned by DeleteAggregationAuthorization
Errors returned by DeleteConfigRule
Errors returned by DeleteConfigurationAggregator
Errors returned by DeleteConfigurationRecorder
Errors returned by DeleteDeliveryChannel
Errors returned by DeleteEvaluationResults
Errors returned by DeletePendingAggregationRequest
Errors returned by DeleteRemediationConfiguration
Errors returned by DeleteRetentionConfiguration
Errors returned by DeliverConfigSnapshot
Errors returned by DescribeAggregateComplianceByConfigRules
Errors returned by DescribeAggregationAuthorizations
Errors returned by DescribeComplianceByConfigRule
Errors returned by DescribeComplianceByResource
Errors returned by DescribeConfigRuleEvaluationStatus
Errors returned by DescribeConfigRules
Errors returned by DescribeConfigurationAggregatorSourcesStatus
Errors returned by DescribeConfigurationAggregators
Errors returned by DescribeConfigurationRecorderStatus
Errors returned by DescribeConfigurationRecorders
Errors returned by DescribeDeliveryChannelStatus
Errors returned by DescribeDeliveryChannels
Errors returned by DescribePendingAggregationRequests
Errors returned by DescribeRemediationConfigurations
Errors returned by DescribeRemediationExecutionStatus
Errors returned by DescribeRetentionConfigurations
Errors returned by GetAggregateComplianceDetailsByConfigRule
Errors returned by GetAggregateConfigRuleComplianceSummary
Errors returned by GetAggregateDiscoveredResourceCounts
Errors returned by GetAggregateResourceConfig
Errors returned by GetComplianceDetailsByConfigRule
Errors returned by GetComplianceDetailsByResource
Errors returned by GetComplianceSummaryByConfigRule
Errors returned by GetComplianceSummaryByResourceType
Errors returned by GetDiscoveredResourceCounts
Errors returned by GetResourceConfigHistory
Errors returned by ListAggregateDiscoveredResources
Errors returned by ListDiscoveredResources
Errors returned by ListTagsForResource
Errors returned by PutAggregationAuthorization
Errors returned by PutConfigRule
Errors returned by PutConfigurationAggregator
Errors returned by PutConfigurationRecorder
Errors returned by PutDeliveryChannel
Errors returned by PutEvaluations
Errors returned by PutRemediationConfigurations
Errors returned by PutRetentionConfiguration
Errors returned by SelectResourceConfig
Errors returned by StartConfigRulesEvaluation
Errors returned by StartConfigurationRecorder
Errors returned by StartRemediationExecution
Errors returned by StopConfigurationRecorder
Errors returned by TagResource
Errors returned by UntagResource
Trait representing the capabilities of the Config Service API. Config Service clients implement this trait.