AWS Config Configuration Recorder
This page shows how to write Terraform and CloudFormation for AWS Config Configuration Recorder and write them securely.
aws_config_configuration_recorder (Terraform)
The Configuration Recorder in AWS Config can be configured in Terraform with the resource name aws_config_configuration_recorder. The following sections describe 5 examples of how to use the resource and its parameters.
Example Usage from GitHub
# Example 1: recorder with a hard-coded role ARN
resource "aws_config_configuration_recorder" "my_config_configuration_recorder" {
  name     = "example"
  role_arn = "arn:aws:iam::123456789012:role/role"
}

# Example 2: recorder referencing a role defined in the same configuration
resource "aws_config_configuration_recorder" "my_config_configuration_recorder" {
  name     = "example"
  role_arn = aws_iam_role.r.arn
}

resource "aws_iam_role" "r" {
  # The role body is truncated in the source; the trust policy below is the
  # standard one that lets the AWS Config service assume the role.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "config.amazonaws.com" }
    }]
  })
}

# Example 3: recorder created only when no recorder exists yet
# (var.name, var.config_recorder_not_configured and aws_iam_role.config_role
# are declared elsewhere in the source module)
resource "aws_config_configuration_recorder" "main" {
  count = var.config_recorder_not_configured ? 1 : 0

  name     = var.name
  role_arn = aws_iam_role.config_role[0].arn
}

# Example 4: recording group driven by module variables
resource "aws_config_configuration_recorder" "config-recorder" {
  name     = var.name
  role_arn = var.role_arn

  recording_group {
    all_supported = var.all_supported
  }
}
Parameters
id - optional, computed - string
name - optional - string
role_arn - required - string
recording_group - list block
  all_supported - optional - bool
  include_global_resource_types - optional - bool
  resource_types - optional - set of string
Explanation in Terraform Registry
Provides an AWS Config Configuration Recorder. Please note that this resource does not start the created recorder automatically.
Note: Starting the Configuration Recorder requires a delivery channel (while delivery channel creation requires a Configuration Recorder). This is why aws_config_configuration_recorder_status is a separate resource.
Tips: Best Practices for the Other AWS Config Resources
In addition to aws_config_configuration_recorder, AWS Config has other resources that should be configured for security reasons. Please check some examples of those resources and the precautions that apply to them.
aws_config_configuration_aggregator
Ensure AWS Config is enabled in all Regions
It is better to enable AWS Config in all Regions. An aggregator can then collect configurations from all Regions, which reduces the risk posed by unmonitored configurations.
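An aggregator configured for all Regions, as an added example (not from the page's sources or the provider documentation), in the single-account form and in the organization-wide form. Resource names, the role name and the account id are placeholders; the managed policy ARN is the one AWS provides for organization aggregators.

```hcl
# Added example: aggregators that collect configuration items from every Region.

# Single-account aggregator, created in the home Region.
resource "aws_config_configuration_aggregator" "account" {
  name = "account-all-regions" # assumed name

  account_aggregation_source {
    account_ids = ["123456789012"] # placeholder account id
    # all_regions = true also covers Regions enabled later; an explicit
    # regions = ["us-east-1"] list would silently leave the others out.
    all_regions = true
  }
}

# Organization-wide variant: needs a role Config can assume to list the
# organization's accounts.
data "aws_iam_policy_document" "aggregator_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "aggregator" {
  name               = "config-aggregator-role" # assumed name
  assume_role_policy = data.aws_iam_policy_document.aggregator_assume.json
}

resource "aws_iam_role_policy_attachment" "aggregator" {
  role       = aws_iam_role.aggregator.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSConfigRoleForOrganizations"
}

resource "aws_config_configuration_aggregator" "organization" {
  name = "org-all-regions" # assumed name

  organization_aggregation_source {
    all_regions = true
    role_arn    = aws_iam_role.aggregator.arn
  }
  depends_on = [aws_iam_role_policy_attachment.aggregator]
}
```

An aggregator only shows what the recorder in each Region has recorded, so a recorder and status resource still have to exist in every Region (one provider alias per Region in Terraform). The aggregator makes gaps visible; it does not close them.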
AWS::Config::ConfigurationRecorder (CloudFormation)
The ConfigurationRecorder in Config can be configured in CloudFormation with the resource name AWS::Config::ConfigurationRecorder. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
Example 1: record all supported resource types, including global ones
ConfigurationRecorder:
  Type: AWS::Config::ConfigurationRecorder
  Properties:
    RoleARN: !Sub "arn:aws:iam::${AWS::AccountId}:role/config-recorder-role"
    RecordingGroup:
      AllSupported: True
      IncludeGlobalResourceTypes: True

Example 2: the same, using the service-linked role path
ConfigurationRecorder:
  Type: 'AWS::Config::ConfigurationRecorder'
  Properties:
    RoleARN: !Sub 'arn:aws:iam::${AWS::AccountId}:role/service-role/config.amazonaws.com/ServiceRoleForConfig_default-config'
    RecordingGroup:
      AllSupported: True
      IncludeGlobalResourceTypes: True

Example 3: recorder together with the role it assumes (the trust policy is truncated in the source and completed here with the standard AWS Config service principal)
ConfigurationRecorder:
  Type: AWS::Config::ConfigurationRecorder
  Properties:
    RoleARN: !GetAtt ConfigRole.Arn
ConfigRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Action: sts:AssumeRole
          Effect: Allow
          Principal:
            Service: config.amazonaws.com

Example 4: create the recorder only in the main Region of a multi-Region stack (RoleARN is required but truncated in the source; ConfigRole as in Example 3)
ConfigurationRecorder:
  Type: AWS::Config::ConfigurationRecorder
  Condition: MainRegion
  Properties:
    Name: !Sub 'AWSConfig-${AWS::Region}'
    RoleARN: !GetAtt ConfigRole.Arn
    RecordingGroup:
      AllSupported: True

Example 5: include global resource types only in the home Region, so IAM and other global resources are not recorded once per Region (RoleARN truncated in the source, as in Example 4)
ConfigurationRecorder:
  Type: AWS::Config::ConfigurationRecorder
  Properties:
    Name: !Sub ${ManagedResourcePrefix}config-recorder
    RoleARN: !GetAtt ConfigRole.Arn
    RecordingGroup:
      AllSupported: true
      IncludeGlobalResourceTypes: !If [InHomeRegion, true, false]

Example 6: excerpt from a CloudFormation resource specification file, not a template
{
  "resourceType" : "AWS::Config::ConfigurationRecorder",
  "properties" : [ {
    "propertyName" : "Name",
    "propertyType" : "String",
    "required" : false
  } ]
}

Example 7: JSON template syntax with global resource types excluded (RoleARN truncated in the source; ConfigRole as in Example 3)
{
  "Type": "AWS::Config::ConfigurationRecorder",
  "Properties": {
    "Name": "default",
    "RoleARN": { "Fn::GetAtt": [ "ConfigRole", "Arn" ] },
    "RecordingGroup": {
      "AllSupported": true,
      "IncludeGlobalResourceTypes": false
    }
  }
}

Example 8: recorder named after the account id (RoleARN and the RecordingGroup body are truncated in the source and completed with the minimum required)
{
  "Type": "AWS::Config::ConfigurationRecorder",
  "Properties": {
    "Name": { "Ref": "AWS::AccountId" },
    "RoleARN": { "Fn::GetAtt": [ "ConfigRole", "Arn" ] },
    "RecordingGroup": { "AllSupported": true }
  }
}
Parameters
Name - optional - String
RecordingGroup - optional - RecordingGroup
RoleARN - required - String
Explanation in CloudFormation Registry
The AWS::Config::ConfigurationRecorder resource describes the AWS resource types for which AWS Config records configuration changes. The configuration recorder stores the configurations of the supported resources in your account as configuration items.
Note: To enable AWS Config, you must create a configuration recorder and a delivery channel. AWS Config uses the delivery channel to deliver the configuration changes to your Amazon S3 bucket or Amazon SNS topic. For more information, see AWS::Config::DeliveryChannel.
AWS CloudFormation starts the recorder as soon as the delivery channel is available.
To stop the recorder and delete it, delete the configuration recorder from your stack. To stop the recorder without deleting it, call the StopConfigurationRecorder action of the AWS Config API directly.
For more information, see Configuration Recorder in the AWS Config Developer Guide.
Frequently asked questions
What is AWS Config Configuration Recorder?
AWS Config Configuration Recorder is a resource of AWS Config, a service of Amazon Web Services. Its settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS Config Configuration Recorder?
For Terraform, the infracost/infracost, gilyas/infracost and nccgroup/sadcloud source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the jimrazmus/aws-stacks, rafikurnia/matools and aws-samples/arc325-multiple-accounts-workshop source code examples are useful. See the CloudFormation Example section for further details.