General Info

  • Fully managed service that provides an AWS resource inventory, configuration history, and configuration change notifications
  • Once turned on, it discovers supported AWS resources & generates a CONFIGURATION ITEM for each resource
  • Monitors resource configuration for drift & can set up triggers to act on drift (e.g., when the wrong instance type is used)
  • Use Cases
    • Discovery of resources in accounts
    • Change management
    • Continuous audit & compliance
    • Troubleshooting
    • Security & incident analysis


Components
Configuration Item
  • Point-in-time attributes of a resource
  • Includes metadata, relationships, current configs, related events
  • Configuration Snapshots: collection of Config Items
  • Configuration Stream: stream of changed Config Items
  • Configuration History: collection of Config Items for a resource over time
Configuration Recorder
  • Maintains historical records of the config items
Configuration Rule
  • Desired config settings for specific resources or an entire account
  • Checks if changes violate any of the conditions in your rules
  • If a resource violates a rule → Config flags the resource and the rule as non-compliant and notifies via SNS
Delivery Channel
  • Acts as a proxy to where the configuration recorder can send the recorded configuration items
  • You can have only one delivery channel per region / per account


Similar to CloudWatch
  • When you make changes, for example to a security group or a bucket access control list -> fired off as an Event picked up by AWS Config
  • Stores everything in an S3 bucket
  • Depending on the setup, as soon as something changes it could trigger a Lambda function, OR a Lambda function is scheduled to periodically look through the AWS Config settings
  • Lambda feeds the evaluation result back to Config
  • If a rule has been broken, Config fires an SNS notification
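The rule/Lambda loop described above, as an added example that is not part of the original notes: a custom AWS Config rule implemented as a Lambda handler. It unpacks the invocation event (the `invokingEvent`, `ruleParameters`, `resultToken` and `eventLeftScope` fields of the custom-rule contract), judges whether an EC2 instance uses an allowed instance type, and reports the verdict back to Config with `put_evaluations`. The rule parameter `allowedInstanceTypes`, the sample event and the resource IDs are constructed for the example; the Config client is injectable so the evaluation logic can be exercised without AWS credentials.

```python
"""Custom AWS Config rule as a Lambda function (added example, not from the notes).

Hypothetical setup: the rule is change-triggered on AWS::EC2::Instance and carries
a rule parameter `allowedInstanceTypes` (comma-separated list). Field names follow
the AWS Config custom-rule invocation contract; all sample values are constructed.
"""
import json

APPLICABLE_RESOURCES = ("AWS::EC2::Instance",)
DELETED_STATUSES = ("ResourceDeleted", "ResourceDeletedNotRecorded")


def evaluate_compliance(configuration_item, rule_parameters):
    """Return (compliance_type, annotation) for one configuration item."""
    if configuration_item["resourceType"] not in APPLICABLE_RESOURCES:
        return "NOT_APPLICABLE", "Rule only evaluates EC2 instances"
    # A deleted resource has no current configuration left to judge.
    if configuration_item.get("configurationItemStatus") in DELETED_STATUSES:
        return "NOT_APPLICABLE", "Resource was deleted"
    raw = rule_parameters.get("allowedInstanceTypes", "")
    allowed = {t.strip() for t in raw.split(",") if t.strip()}
    instance_type = (configuration_item.get("configuration") or {}).get("instanceType")
    if instance_type in allowed:
        return "COMPLIANT", f"Instance type {instance_type} is allowed"
    return "NON_COMPLIANT", f"Instance type {instance_type} not in allowed set {sorted(allowed)}"


def build_evaluation(configuration_item, compliance_type, annotation):
    """Shape one entry of the Evaluations list for config.put_evaluations()."""
    return {
        "ComplianceResourceType": configuration_item["resourceType"],
        "ComplianceResourceId": configuration_item["resourceId"],
        "ComplianceType": compliance_type,
        "Annotation": annotation[:256],  # Annotation is limited to 256 characters
        "OrderingTimestamp": configuration_item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context, config_client=None):
    """Lambda entry point; `config_client` is injectable for offline testing."""
    invoking_event = json.loads(event["invokingEvent"])
    rule_parameters = json.loads(event.get("ruleParameters") or "{}")
    configuration_item = invoking_event.get("configurationItem")
    if configuration_item is None:
        # Scheduled invocations carry no configuration item; nothing to evaluate here.
        return None
    if event.get("eventLeftScope"):
        # Config tells us the resource is no longer in the rule's scope.
        compliance, annotation = "NOT_APPLICABLE", "Resource left rule scope"
    else:
        compliance, annotation = evaluate_compliance(configuration_item, rule_parameters)
    evaluation = build_evaluation(configuration_item, compliance, annotation)
    if config_client is None:
        import boto3  # only needed when running inside Lambda
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed sample invocation: an instance of a type outside the allowed list.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Instance",
            "resourceId": "i-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configuration": {"instanceType": "p3.16xlarge"},
        },
    }),
    "ruleParameters": json.dumps({"allowedInstanceTypes": "t3.micro,t3.small"}),
    "resultToken": "constructed-token",
    "eventLeftScope": False,
}


if __name__ == "__main__":
    class _PrintingClient:  # stand-in for boto3.client("config") when run locally
        def put_evaluations(self, **kwargs):
            print(json.dumps(kwargs, indent=2))
            return {"FailedEvaluations": []}

    lambda_handler(SAMPLE_EVENT, None, config_client=_PrintingClient())
```

The handler returns NOT_APPLICABLE rather than COMPLIANT for deleted or out-of-scope resources; reporting a deleted resource as compliant would silently clear its prior NON_COMPLIANT finding in the dashboard.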

  • Sends a notification when a CONFIGURATION HISTORY file is delivered to S3 & when a customer initiates a CONFIGURATION SNAPSHOT
  • Automatically delivers a HISTORY FILE to S3 every 6 hours that contains all changes to the RESOURCE CONFIGURATION
  • Inspects software running on SSM-managed EC2 instances (including OS version, installed apps, network config)
  • Configuration changes or deviations -> SNS, CloudWatch Events, console dashboard, S3
  • Regionality
    • regional, but can aggregate data across regions and accounts
    • can't centrally manage rules
  • Permissions
    • Managed audit role: AWSConfigRole
    • IAM role with Read only permissions to the recorded resources
    • Write access to S3 logging bucket
    • Publish access to SNS
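Reading the history files Config delivers to S3 (the CONFIGURATION HISTORY bullets above), as an added example that is not from the original notes: the script below walks a history file, groups configuration items per resource, orders them by capture time and reports exactly which configuration fields changed between consecutive items. The file layout it assumes (a top-level `configurationItems` list whose entries carry `resourceType`, `resourceId`, `configurationItemCaptureTime` and a nested `configuration` dict) is an assumption, and the security-group sample is constructed, not a real delivered file.

```python
"""Diff consecutive configuration items in an AWS Config history file
(added example, not from the notes). Assumed file layout: JSON with a
top-level "configurationItems" list; the sample below is constructed."""
import json
from collections import defaultdict


def flatten(value, prefix=""):
    """Flatten nested dicts/lists into {"dotted.path": leaf} so a diff names the exact field."""
    out = {}
    if isinstance(value, dict):
        for key, item in value.items():
            out.update(flatten(item, f"{prefix}{key}."))
    elif isinstance(value, list):
        for index, item in enumerate(value):
            out.update(flatten(item, f"{prefix}{index}."))
    else:
        out[prefix.rstrip(".")] = value
    return out


def diff_configs(before, after):
    """Return {path: (old, new)} for every leaf that differs, including added/removed leaves."""
    old, new = flatten(before), flatten(after)
    return {path: (old.get(path), new.get(path))
            for path in sorted(set(old) | set(new))
            if old.get(path) != new.get(path)}


def configuration_changes(history_file_text):
    """Yield one change record per resource transition found in the history file."""
    items = json.loads(history_file_text)["configurationItems"]
    by_resource = defaultdict(list)
    for ci in items:
        by_resource[(ci["resourceType"], ci["resourceId"])].append(ci)
    changes = []
    for (rtype, rid), cis in by_resource.items():
        cis.sort(key=lambda ci: ci["configurationItemCaptureTime"])
        for prev, cur in zip(cis, cis[1:]):
            delta = diff_configs(prev.get("configuration") or {}, cur.get("configuration") or {})
            if delta:
                changes.append({"resourceType": rtype, "resourceId": rid,
                                "capturedAt": cur["configurationItemCaptureTime"], "delta": delta})
    return changes


# Constructed history file: a security group whose SSH rule gains a 0.0.0.0/0 range.
SAMPLE_HISTORY_FILE = json.dumps({
    "fileVersion": "1.0",
    "configurationItems": [
        {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-constructed01",
         "configurationItemCaptureTime": "2024-01-01T10:00:00.000Z",
         "configuration": {"groupName": "web", "ipPermissions": [
             {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
              "ipRanges": [{"cidrIp": "10.0.0.0/8"}]}]}},
        {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-constructed01",
         "configurationItemCaptureTime": "2024-01-01T14:00:00.000Z",
         "configuration": {"groupName": "web", "ipPermissions": [
             {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
              "ipRanges": [{"cidrIp": "10.0.0.0/8"}, {"cidrIp": "0.0.0.0/0"}]}]}},
        {"resourceType": "AWS::S3::Bucket", "resourceId": "constructed-bucket",
         "configurationItemCaptureTime": "2024-01-01T12:00:00.000Z",
         "configuration": {"name": "constructed-bucket"}},
    ],
})


if __name__ == "__main__":
    print(json.dumps(configuration_changes(SAMPLE_HISTORY_FILE), indent=2))
```

Flattening to dotted paths keeps the diff readable for deeply nested configurations (security group rules, bucket policies) and makes it easy to feed the changed paths into an alert or a ticket; sorting by capture time matters because items inside one history file are not guaranteed to arrive in order.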