AWS Config Configuration Recorder Status

This page shows how to write Terraform and CloudFormation for AWS Config Configuration Recorder Status and write them securely.

aws_config_configuration_recorder_status (Terraform)

The Configuration Recorder Status in AWS Config can be configured in Terraform with the resource name aws_config_configuration_recorder_status. The following sections describe 5 examples of how to use the resource and its parameters.

Example Usage from GitHub

config-recorder-status.tf#L5
resource "aws_config_configuration_recorder_status" "configs_recorder_status" {
  name       = aws_config_configuration_recorder.configs_recorder.name
  is_enabled = true
  depends_on = [aws_config_delivery_channel.configs_channel]
}
09_aws_config_configuration_recorder_status.tf#L1
resource "aws_config_configuration_recorder_status" "default" {
  name       = aws_config_configuration_recorder.default.name
  is_enabled = true
  depends_on = [aws_config_delivery_channel.default]
}
config.tf#L1
resource "aws_config_configuration_recorder_status" "config-recorder" {
  name       = var.name
  is_enabled = var.is_enabled
}
main.tf#L7
resource "aws_config_configuration_recorder_status" "this" {
  is_enabled = var.is_enabled
  name       = var.name
}

config-service.tf#L5
resource "aws_config_configuration_recorder_status" "main" {
  name       = var.config_name
  is_enabled = true
  depends_on = [aws_config_delivery_channel.main]
}

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

Explanation in Terraform Registry

Manages status (recording / stopped) of an AWS Config Configuration Recorder.

Note: Starting a Configuration Recorder requires a Delivery Channel to be present. Using depends_on on the delivery channel (as shown in the examples above) is recommended to avoid race conditions during apply.
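The GitHub excerpts above show only the status resource itself. The following is an added example (not taken from the page's sources or from the Terraform registry) that wires up the whole dependency chain the note describes: an S3 bucket and bucket policy for Config to deliver to, an IAM role Config can assume, the recorder, the delivery channel, and finally the status resource with an explicit depends_on on the channel. All resource names, the bucket name and the role name are assumptions; the managed policy ARN arn:aws:iam::aws:policy/service-role/AWS_ConfigRole is the AWS-provided policy for the Config service role.

```hcl
# Added example: complete AWS Config recorder enablement chain.
# Names are assumptions; adjust bucket/role names to your environment.

resource "aws_s3_bucket" "config_logs" {
  bucket = "example-config-logs-bucket" # assumed, must be globally unique
}

# Config needs GetBucketAcl on the bucket and PutObject on its keys.
data "aws_iam_policy_document" "config_bucket" {
  statement {
    actions   = ["s3:GetBucketAcl"]
    resources = [aws_s3_bucket.config_logs.arn]
    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }
  }

  statement {
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.config_logs.arn}/*"]
    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
  }
}

resource "aws_s3_bucket_policy" "config_logs" {
  bucket = aws_s3_bucket.config_logs.id
  policy = data.aws_iam_policy_document.config_bucket.json
}

# Role the Config service assumes to read resource configurations.
data "aws_iam_policy_document" "config_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "config" {
  name               = "example-config-recorder-role" # assumed name
  assume_role_policy = data.aws_iam_policy_document.config_assume.json
}

resource "aws_iam_role_policy_attachment" "config" {
  role       = aws_iam_role.config.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWS_ConfigRole"
}

# Recorder: record every supported type, including global ones (IAM etc.).
resource "aws_config_configuration_recorder" "main" {
  name     = "example-recorder"
  role_arn = aws_iam_role.config.arn

  recording_group {
    all_supported                 = true
    include_global_resource_types = true
  }
}

# The delivery channel API call fails if no recorder exists yet,
# so it depends on the recorder; the status resource then depends
# on the channel, giving the ordering the registry note asks for.
resource "aws_config_delivery_channel" "main" {
  name           = "example-channel"
  s3_bucket_name = aws_s3_bucket.config_logs.id
  depends_on     = [aws_config_configuration_recorder.main]
}

resource "aws_config_configuration_recorder_status" "main" {
  name       = aws_config_configuration_recorder.main.name
  is_enabled = true
  depends_on = [aws_config_delivery_channel.main]
}
```

Apply this in each Region you want recorded; the recorder, channel and status resources are regional, so a multi-Region setup repeats them per provider alias, with include_global_resource_types typically set to true in only one home Region to avoid duplicate recording of global resources such as IAM.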

Tips: Best Practices for The Other AWS Config Resources

In addition to aws_config_configuration_recorder_status, AWS Config has other resources that should be configured for security reasons. Please check the following examples of those resources and the precautions that apply to them.

aws_config_configuration_aggregator

Ensure to enable AWS Config in all Regions

It is better to enable AWS Config in all Regions. AWS Config can aggregate configuration data from every Region into one aggregator, which reduces the risk posed by resources in unmonitored Regions.

Review your AWS Config settings

In addition to the above, there are other security points you should be aware of; Shisho Cloud can check your .tf files against them.

AWS::Config::ConfigurationRecorder (CloudFormation)

The ConfigurationRecorder in AWS Config can be configured in CloudFormation with the resource name AWS::Config::ConfigurationRecorder. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

ConfigServiceRegionalResources.yml#L7
    Type: AWS::Config::ConfigurationRecorder
    Properties:
      RoleARN: !Sub "arn:aws:iam::${AWS::AccountId}:role/config-recorder-role"
      RecordingGroup:
        AllSupported: True
        IncludeGlobalResourceTypes: True
default-config.yml#L6
    Type: 'AWS::Config::ConfigurationRecorder'
    Properties:
      RoleARN: !Sub 'arn:aws:iam::${AWS::AccountId}:role/service-role/config.amazonaws.com/ServiceRoleForConfig_default-config'
      RecordingGroup:
        AllSupported: True
        IncludeGlobalResourceTypes: True
config-baseline.yml#L31
    Type: AWS::Config::ConfigurationRecorder
  ConfigRole:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
        - Action:
aws-config.yml#L30
    Type: AWS::Config::ConfigurationRecorder
    Condition: MainRegion
    Properties:
      Name: !Sub 'AWSConfig-${AWS::Region}'
      RecordingGroup:
        AllSupported: True
aws-config.yml#L23
    Type: AWS::Config::ConfigurationRecorder
    Properties:
      Name: !Sub ${ManagedResourcePrefix}config-recorder
      RecordingGroup:
        AllSupported: true
        IncludeGlobalResourceTypes: !If [InHomeRegion, true, false]
Config.json#L82
  "resourceType" : "AWS::Config::ConfigurationRecorder",
  "properties" : [ {
    "propertyName" : "Name",
    "propertyType" : "String",
    "required" : false
  }, {
config.template.json#L72
      "Type": "AWS::Config::ConfigurationRecorder",
      "Properties": {
        "RecordingGroup": {
          "AllSupported": true,
          "IncludeGlobalResourceTypes": true
        },
aws_config.json#L6
      "ValueType": "AWS::Config::ConfigurationRecorder.ResourceTypes"
    }
  },
  {
    "op": "add",
    "path": "/PropertyTypes/AWS::Config::ConfigRule.Source/Properties/Owner/Value",

Parameters

Explanation in CloudFormation Registry

The AWS::Config::ConfigurationRecorder resource describes the AWS resource types for which AWS Config records configuration changes. The configuration recorder stores the configurations of the supported resources in your account as configuration items. Note: to enable AWS Config, you must create both a configuration recorder and a delivery channel. AWS Config uses the delivery channel to deliver the configuration changes to your Amazon S3 bucket or Amazon SNS topic. For more information, see AWS::Config::DeliveryChannel.

AWS CloudFormation starts the recorder as soon as the delivery channel is available.

To stop the recorder and delete it, delete the configuration recorder from your stack. To stop the recorder without deleting it, call the StopConfigurationRecorder action of the AWS Config API directly.

For more information, see Configuration Recorder in the AWS Config Developer Guide.

Frequently asked questions

What is AWS Config Configuration Recorder Status?

AWS Config Configuration Recorder Status is a resource for AWS Config on Amazon Web Services. Its settings can be written in Terraform and CloudFormation.

Where can I find the example code for the AWS Config Configuration Recorder Status?

For Terraform, the bradleyc4rt3r/bc-helpers, tmknom/example-cloud-bankruptcy-iac and wellcometrust/ncw-terraform-modules source code examples are useful. See the Terraform Example section for further details.

For CloudFormation, the jimrazmus/aws-stacks, rafikurnia/matools and aws-samples/arc325-multiple-accounts-workshop source code examples are useful. See the CloudFormation Example section for further details.