
AWS Config - Developer Guide


What Is AWS Config?

AWS Config provides a detailed view of the configuration of AWS resources in your AWS account.


Transcription of AWS Config - Developer Guide

AWS Config: Developer Guide

Copyright 2018 Amazon Web Services, Inc. and/or its affiliates. All rights reserved.

Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.

Table of Contents

What Is AWS Config?
Ways to Use AWS Config
Resource Administration
Auditing and Compliance
Managing and Troubleshooting Configuration Changes
Security Analysis
AWS Config Concepts
AWS Config
AWS Config Managed and Custom Rules
Multi-Account Multi-Region Data Aggregation
Managing AWS Config
Control Access to AWS Config
Partner Solutions
How AWS Config Works
Deliver Configuration Items
AWS Config Supported AWS Resource Types and Resource Relationships
Amazon CloudFront
Amazon CloudWatch
Amazon DynamoDB
Amazon Elastic Compute Cloud
Amazon Elastic Block Store
Amazon Redshift
Amazon Relational Database Service
Amazon Simple Storage Service
Amazon S3 Bucket Attributes
Amazon Virtual Private Cloud
AWS Auto Scaling
AWS Certificate Manager
AWS CloudFormation
AWS CloudTrail
AWS CodeBuild
AWS CodePipeline
AWS Elastic Beanstalk
AWS Identity and Access Management
AWS Lambda Function
AWS Shield
AWS Systems Manager
AWS WAF
AWS X-Ray
Elastic Load
Getting Started
Setting Up AWS Config (Console)
Setting Up AWS Config (AWS CLI)
Prerequisites
Turning on AWS Config
Verify that AWS Config Is On
Setting Up AWS Config Rules (Console)
Viewing the AWS Config Dashboard
AWS Config
Components of a Configuration
Viewing AWS Resource Configurations and History
Looking Up Discovered Resources
Viewing Configuration
Viewing Compliance History
Delivering Configuration Snapshot
Managing AWS Config
Managing the Delivery Channel
Updating the IAM Role
Managing the Configuration Recorder
Selecting Which Resources are Recorded
Recording Software Configuration for Managed Instances
Monitoring Resource Changes by Email
Deleting
Example
Example Configuration Item Change
Example Configuration History Delivery Notification
Example Configuration Snapshot Delivery Started Notification
Example Configuration Snapshot Delivery Notification
Example Compliance Change Notification
Example Rules Evaluation Started Notification
Example Oversized Configuration Item Change Notification
Example Delivery Failed Notification
Controlling Permissions for AWS Config
Permissions for AWS Config Administration
Creating an IAM Group and Users for AWS Config Access
Granting Full-Access Permission for AWS Config Access
Additional Resources
Custom Permissions for AWS Config Users
Read-only access
Full access
Controlling User Permissions for Actions on Multi-Account Multi-Region Data Aggregation
Additional Information
Supported Resource-Level Permissions for AWS Config Rules APIs Actions
Permissions for the IAM Role
Creating IAM Role Policies
Troubleshooting for recording S3 buckets
Permissions for the Amazon S3 Bucket
Required Permissions for the Amazon S3 Bucket When Using IAM Roles
Required Permissions for the Amazon S3 Bucket When Using Service-Linked Roles
Granting AWS Config access to the Amazon S3 Bucket
Permissions for the Amazon SNS Topic
Required Permissions for the Amazon SNS Topic When Using IAM Roles
Required Permissions for the Amazon SNS Topic When Using Service-Linked Roles
Troubleshooting for the Amazon SNS Topic
AWS Config Rules
Viewing Configuration Compliance
Specifying Triggers for AWS Config Rules
Trigger types
Example rules with
Rule evaluations when the configuration recorder is turned off
AWS Config Managed Rules
List of AWS Config Managed Rules
Working with AWS Config Managed Rules
Creating AWS Config Managed Rules With AWS CloudFormation Templates
AWS Config Custom Rules
Getting Started with Custom Rules
Developing a Custom Rule
Example Functions and Events
Managing your AWS Config Rules
Add, View, Update and Delete Rules (Console)
View, Update, and Delete Rules (AWS CLI)
View, Update, and Delete Rules (API)
Evaluating your Resources
Evaluating your Resources (Console)
Evaluating your Resources (CLI)
Evaluating your Resources (API)
Deleting Evaluation Results
Deleting Evaluating Results (Console)
Deleting Evaluating Results (CLI)
Deleting Evaluating Results (API)
Multi-Account Multi-Region Data Aggregation
Region Support
Learn More
Viewing Configuration and Compliance Data in the Aggregated View
Use the Aggregated View
Learn More
Setting Up an Aggregator (Console)
Add an Aggregator
Edit an Aggregator
Delete an Aggregator
Learn More
Setting Up an Aggregator (AWS CLI)
Add an Aggregator Using Individual Accounts
Add an Aggregator Using AWS Organizations
View an Aggregator
Edit an Aggregator
Delete an Aggregator
Learn More
Authorizing Aggregator Accounts (Console)
Add Authorization for Aggregator Accounts and Regions
Authorize a Pending Request for an Aggregator Account
Delete Authorization for an Existing Aggregator Account
Learn More
Authorizing Aggregator Accounts (AWS CLI)
Add Authorization for Aggregator Accounts and Regions
Delete an Authorization Account
Learn More
Troubleshooting
Learn More
Using Amazon SQS
Permissions for Amazon SQS
Using Amazon CloudWatch Events
Amazon CloudWatch Events format for AWS Config
Creating Amazon CloudWatch Events Rule for AWS Config
Service-Linked AWS Config Rules
Using Service-Linked Roles
Service-Linked Role Permissions for AWS Config
Creating a Service-Linked Role for AWS Config
Editing a Service-Linked Role for AWS Config
Deleting a Service-Linked Role for AWS Config
Using AWS Config with Interface VPC Endpoints
Availability
Create a VPC Endpoint for AWS Config
Logging AWS Config API Calls with AWS CloudTrail
AWS Config Information in CloudTrail
Understanding AWS Config Log File Entries
Example Log
DeleteDeliveryChannel
DeliverConfigSnapshot
DescribeConfigurationRecorderStatus
DescribeConfigurationRecorders
DescribeDeliveryChannels
GetResourceConfigHistory
PutConfigurationRecorder
PutDeliveryChannel
StartConfigurationRecorder
StopConfigurationRecorder
AWS Config Resources
AWS Software Development Kits for AWS Config
Document History
AWS Glossary

