What Is AWS Config? Recording and Evaluating Resource Configurations
When managing AWS, you often need to track "who changed what configuration, and when." AWS Config is the service built for exactly that — it automatically records configuration snapshots of your resources and lets you review change history and evaluate compliance against rules. It serves as the foundation for audit readiness and security hardening.
What Is AWS Config? - AWS Config
Key Concepts in AWS Config
Here are the core concepts to understand before working with AWS Config. Refer to the official documentation for details on each.
AWS Config terminology and concepts - AWS Config
| Concept | Description |
|---|---|
| Configuration Item | A point-in-time snapshot of a resource's configuration |
| Configuration History | A time-series collection of configuration items for a resource |
| Configuration Snapshot | A collection of configuration items for all resources in an account |
| Configuration Recorder | The component that records configuration items. One recorder is enabled per region |
| Delivery Channel | The mechanism that sends configuration items and snapshots to S3 and SNS |
| AWS Config Rule | A definition of the desired configuration that resources should conform to |
When you enable the configuration recorder, changes to your resources are recorded automatically. The recorded data can be stored in an S3 bucket, and you can receive real-time notifications via SNS.
AWS Config Rules
Config rules let you automatically evaluate whether your resource configurations meet your organization's policies and standards. Evaluation results are reported as either Compliant or Non-compliant. Rules can be triggered on configuration changes (change-triggered) or run on a schedule (periodic).
Managed Rules
Managed rules are pre-built rules provided by AWS. Hundreds of rules are available — just enable the ones you need. Here are some commonly used examples:
| Rule Name | What It Evaluates |
|---|---|
| s3-bucket-public-access-prohibited | Whether public access to the S3 bucket is blocked |
| ec2-instance-no-public-ip | Whether EC2 instances have no public IP assigned |
| iam-user-mfa-enabled | Whether MFA is enabled for IAM users |
| root-account-mfa-enabled | Whether MFA is configured for the root account |
| encrypted-volumes | Whether EBS volumes are encrypted |
Custom Rules
When you need to define rules with your own logic, use custom rules. There are two implementation options:
| Type | Description |
|---|---|
| Lambda-based | Define custom logic using a Lambda function |
| Guard-based | Write policies as code using AWS CloudFormation Guard |
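As an added example (not code from the page or from AWS), here is what a Lambda-based custom rule looks like. It performs the same check as the managed rule used later in this post: every setting of an S3 bucket's Public Access Block must be enabled. It assumes the invocation event shape Config sends to a change-triggered rule (`invokingEvent` as a JSON string containing `configurationItem`, plus `resultToken`) and the configuration-item layout shown in the `get-resource-config-history` output further down, where `supplementaryConfiguration` values are JSON-encoded strings. The sample event and the `TESTMODE` token are constructed for illustration; the evaluation logic is kept free of AWS calls so it can be unit-tested offline, and `put_evaluations` is only called when boto3 is available.

```python
"""Lambda-based AWS Config custom rule: all four S3 Public Access Block
settings must be enabled. Added example; evaluation logic is pure so it
can be tested without AWS credentials."""
import json

try:
    import boto3  # present in the Lambda runtime; optional for local tests
except ImportError:
    boto3 = None

REQUIRED_FLAGS = ("blockPublicAcls", "ignorePublicAcls",
                  "blockPublicPolicy", "restrictPublicBuckets")


def evaluate_compliance(configuration_item):
    """Return (compliance_type, annotation) for one configuration item."""
    if configuration_item.get("resourceType") != "AWS::S3::Bucket":
        return "NOT_APPLICABLE", "Rule only evaluates S3 buckets"
    if configuration_item.get("configurationItemStatus") in (
            "ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "Resource has been deleted"
    supplementary = configuration_item.get("supplementaryConfiguration") or {}
    raw = supplementary.get("PublicAccessBlockConfiguration")
    if not raw:
        return "NON_COMPLIANT", "No PublicAccessBlockConfiguration on bucket"
    # Config stores supplementary configuration as JSON-encoded strings
    pab = json.loads(raw) if isinstance(raw, str) else raw
    missing = [flag for flag in REQUIRED_FLAGS if pab.get(flag) is not True]
    if missing:
        return "NON_COMPLIANT", "Public access block disabled for: " + ", ".join(missing)
    return "COMPLIANT", "All four public access block settings are enabled"


def build_evaluation(event):
    """Turn a Config invocation event into one put_evaluations entry."""
    invoking_event = json.loads(event["invokingEvent"])
    ci = invoking_event["configurationItem"]
    compliance, annotation = evaluate_compliance(ci)
    return {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # Config caps annotations at 256 chars
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point Config invokes; reports the result back with the token."""
    evaluation = build_evaluation(event)
    if boto3 is not None:
        boto3.client("config").put_evaluations(
            Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed sample event (not a real invocation) with one setting disabled
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::S3::Bucket",
            "resourceId": "example-bucket",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2026-05-01T13:14:00.665Z",
            "supplementaryConfiguration": {
                "PublicAccessBlockConfiguration": json.dumps({
                    "blockPublicAcls": True, "ignorePublicAcls": False,
                    "blockPublicPolicy": True, "restrictPublicBuckets": True}),
            },
        },
    }),
    "resultToken": "TESTMODE",  # placeholder; Config supplies a real token
}

if __name__ == "__main__":
    print(json.dumps(build_evaluation(SAMPLE_EVENT), indent=2))
```

Returning `NOT_APPLICABLE` for deleted resources and for other resource types matters: otherwise the rule would leave stale `NON_COMPLIANT` results against buckets that no longer exist. Very large resources arrive as an `OversizedConfigurationItemChangeNotification` without an inline `configurationItem`; a production rule would fetch the item with `get_resource_config_history` in that case.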
Conformance Packs
A conformance pack is a collection of Config rules bundled into a single package. AWS provides sample templates aligned with industry security benchmarks — you can immediately apply standards like PCI DSS and CIS AWS Foundations Benchmark.
Conformance Packs for AWS Config - AWS Config
Conformance packs are defined as CloudFormation templates, so you can manage your rule sets as code. Combined with AWS Organizations, you can apply them across multiple accounts at once.
Pricing
AWS Config pricing is based on two main factors: the number of configuration items recorded and the number of rule evaluations performed. While the configuration recorder runs, configuration items accumulate in proportion to the number of resources tracked and how often they change. To control costs, consider narrowing the resource types included in your recording scope instead of recording everything.
| Billing Factor | Price (US East / N. Virginia) |
|---|---|
| Configuration items recorded | $0.003 / configuration item |
| Rule evaluations | $0.001 / rule evaluation |
AWS Config Pricing
Try AWS Config with the AWS CLI
Let's walk through the full workflow using the AWS CLI — from enabling the configuration recorder to reviewing change history and disabling it.
Enable
To enable the configuration recorder, you need to create a service-linked role, create the recorder, configure a delivery channel, and start the recorder.
First, create the service-linked role that Config uses. If it already exists, you can skip this step.
```bash
❯ aws iam create-service-linked-role --aws-service-name config.amazonaws.com
```
Next, create the configuration recorder. Use --recording-group to specify that all resource types should be recorded.
```bash
❯ aws configservice put-configuration-recorder \
    --configuration-recorder name=default,roleARN=arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig \
    --recording-group allSupported=true,includeGlobalResourceTypes=true
```
Now configure the delivery channel. Because Config needs write access to the S3 bucket, set up the bucket policy first. Create the policy file with the following content.
```bash
❯ cat > config-bucket-policy.json << 'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSConfigBucketPermissionsCheck",
      "Effect": "Allow",
      "Principal": { "Service": "config.amazonaws.com" },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::exrecord-test-bucket"
    },
    {
      "Sid": "AWSConfigBucketDelivery",
      "Effect": "Allow",
      "Principal": { "Service": "config.amazonaws.com" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::exrecord-test-bucket/AWSLogs/123456789012/Config/*",
      "Condition": {
        "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" }
      }
    }
  ]
}
EOF
```
Apply the policy to your bucket.
```bash
❯ aws s3api put-bucket-policy \
    --bucket exrecord-test-bucket \
    --policy file://config-bucket-policy.json
```
After applying the policy, configure the delivery channel.
```bash
❯ aws configservice put-delivery-channel \
    --delivery-channel name=default,s3BucketName=exrecord-test-bucket
```
Once the delivery channel is set up, start the configuration recorder.
```bash
❯ aws configservice start-configuration-recorder \
    --configuration-recorder-name default
```
Check Status
Verify that the configuration recorder is running correctly. When recording is true and lastStatus is SUCCESS, your resource configuration changes are being recorded successfully.
```bash
❯ aws configservice describe-configuration-recorder-status
```
```json
{
  "ConfigurationRecordersStatus": [
    {
      "arn": "arn:aws:config:us-east-1:123456789012:configuration-recorder/default/0a1b2c3d4e5f67890",
      "name": "default",
      "lastStartTime": "2026-05-01T20:37:49.863000+09:00",
      "lastStopTime": "2026-05-01T20:37:43.408000+09:00",
      "recording": true,
      "lastStatus": "SUCCESS",
      "lastStatusChangeTime": "2026-05-01T22:14:00.343000+09:00"
    }
  ]
}
```
Add Config Rules
The configuration recorder records resource configuration changes, but to evaluate compliance you need to add rules separately. Use put-config-rule to add a managed rule.
```bash
❯ aws configservice put-config-rule \
    --config-rule '{"ConfigRuleName":"s3-bucket-public-access-prohibited","Source":{"Owner":"AWS","SourceIdentifier":"S3_BUCKET_LEVEL_PUBLIC_ACCESS_PROHIBITED"}}'
```
Confirm the rule was added.
```bash
❯ aws configservice describe-config-rules
```
```json
{
  "ConfigRules": [
    {
      "ConfigRuleName": "s3-bucket-public-access-prohibited",
      "ConfigRuleArn": "arn:aws:config:us-east-1:123456789012:config-rule/config-rule-0a1b2c3d4e5f67890",
      "ConfigRuleId": "config-rule-0a1b2c3d4e5f67890",
      "Source": {
        "Owner": "AWS",
        "SourceIdentifier": "S3_BUCKET_LEVEL_PUBLIC_ACCESS_PROHIBITED"
      },
      "ConfigRuleState": "ACTIVE",
      "EvaluationModes": [
        {
          "Mode": "DETECTIVE"
        }
      ]
    }
  ]
}
```
To check compliance details for a specific rule at the resource level, use get-compliance-details-by-config-rule.
```bash
❯ aws configservice get-compliance-details-by-config-rule \
    --config-rule-name s3-bucket-public-access-prohibited
```
```json
{
  "EvaluationResults": [
    {
      "EvaluationResultIdentifier": {
        "EvaluationResultQualifier": {
          "ConfigRuleName": "s3-bucket-public-access-prohibited",
          "ResourceType": "AWS::S3::Bucket",
          "ResourceId": "exrecord-test-bucket",
          "EvaluationMode": "DETECTIVE"
        },
        "OrderingTimestamp": "2026-05-01T22:14:00.665000+09:00"
      },
      "ComplianceType": "COMPLIANT",
      "ResultRecordedTime": "2026-05-02T00:30:13.147000+09:00",
      "ConfigRuleInvokedTime": "2026-05-02T00:30:12.340000+09:00"
    }
  ]
}
```
Get Change History
First, use list-discovered-resources to see the resources Config is tracking and get their resource IDs.
```bash
❯ aws configservice list-discovered-resources --resource-type AWS::S3::Bucket
```
```json
{
  "resourceIdentifiers": [
    {
      "resourceType": "AWS::S3::Bucket",
      "resourceId": "exrecord-test-bucket",
      "resourceName": "exrecord-test-bucket"
    }
  ]
}
```
Pass the resource ID to get-resource-config-history to retrieve the change history.
```bash
❯ aws configservice get-resource-config-history \
    --resource-type AWS::S3::Bucket \
    --resource-id exrecord-test-bucket
```
Output
```json
{
  "configurationItems": [
    {
      "version": "1.3",
      "accountId": "123456789012",
      "configurationItemCaptureTime": "2026-05-01T22:14:00.665000+09:00",
      "configurationItemStatus": "ResourceDiscovered",
      "configurationStateId": "1777641240665",
      "configurationItemMD5Hash": "",
      "arn": "arn:aws:s3:::exrecord-test-bucket",
      "resourceType": "AWS::S3::Bucket",
      "resourceId": "exrecord-test-bucket",
      "resourceName": "exrecord-test-bucket",
      "awsRegion": "us-east-1",
      "availabilityZone": "Regional",
      "resourceCreationTime": "2026-05-01T19:42:16+09:00",
      "tags": {},
      "relatedEvents": [],
      "relationships": [],
      "configuration": "{\"name\":\"exrecord-test-bucket\",\"owner\":{\"displayName\":null,\"id\":\"0a1b2c3d4e5f67890\"},\"creationDate\":\"2026-05-01T10:42:16.000Z\",\"region\":\"us-east-1\"}",
      "supplementaryConfiguration": {
        "AbacStatus": "{\"status\":\"Disabled\"}",
        "AccessControlList": "\"{\\\"grantSet\\\":null,\\\"grantList\\\":[{\\\"grantee\\\":{\\\"id\\\":\\\"0a1b2c3d4e5f67890\\\",\\\"displayName\\\":null},\\\"permission\\\":\\\"FullControl\\\"}],\\\"owner\\\":{\\\"displayName\\\":null,\\\"id\\\":\\\"0a1b2c3d4e5f67890\\\"},\\\"isRequesterCharged\\\":false}\"",
        "BucketAccelerateConfiguration": "{\"status\":null,\"isRequesterCharged\":false}",
        "BucketLoggingConfiguration": "{\"destinationBucketName\":null,\"logFilePrefix\":null,\"targetObjectKeyFormat\":null}",
        "BucketNotificationConfiguration": "{\"configurations\":{},\"eventBridgeConfiguration\":null}",
        "BucketPolicy": "{\"policyText\":\"{\\\"Version\\\":\\\"2012-10-17\\\",\\\"Statement\\\":[{\\\"Sid\\\":\\\"AWSConfigBucketPermissionsCheck\\\",\\\"Effect\\\":\\\"Allow\\\",\\\"Principal\\\":{\\\"Service\\\":\\\"config.amazonaws.com\\\"},\\\"Action\\\":\\\"s3:GetBucketAcl\\\",\\\"Resource\\\":\\\"arn:aws:s3:::exrecord-test-bucket\\\"},{\\\"Sid\\\":\\\"AWSConfigBucketDelivery\\\",\\\"Effect\\\":\\\"Allow\\\",\\\"Principal\\\":{\\\"Service\\\":\\\"config.amazonaws.com\\\"},\\\"Action\\\":\\\"s3:PutObject\\\",\\\"Resource\\\":\\\"arn:aws:s3:::exrecord-test-bucket/AWSLogs/123456789012/Config/*\\\",\\\"Condition\\\":{\\\"StringEquals\\\":{\\\"s3:x-amz-acl\\\":\\\"bucket-owner-full-control\\\"}}}]}\"}",
        "BucketVersioningConfiguration": "{\"status\":\"Off\",\"isMfaDeleteEnabled\":null}\n",
        "IsRequesterPaysEnabled": "false",
        "PublicAccessBlockConfiguration": "{\"blockPublicAcls\":true,\"ignorePublicAcls\":true,\"blockPublicPolicy\":true,\"restrictPublicBuckets\":true}",
        "ServerSideEncryptionConfiguration": "{\"rules\":[{\"applyServerSideEncryptionByDefault\":{\"sseAlgorithm\":\"AES256\",\"kmsMasterKeyID\":null},\"bucketKeyEnabled\":false}]}"
      }
    }
  ]
}
```
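A single configuration item shows the state at one moment; the "what changed, and when" question is answered by comparing consecutive items in the history. As an added example (not code from the page or from AWS), the script below takes the JSON that `get-resource-config-history` prints, decodes the JSON-encoded `configuration` and `supplementaryConfiguration` strings (including the double-encoded `AccessControlList` seen above), and reports every field that differs between neighbouring items together with the CloudTrail event IDs from `relatedEvents`. The two-item history is constructed for illustration, as is the event ID in it; `diff_history` is the function to run over real output.

```python
"""Diff consecutive configuration items from get-resource-config-history.
Added example; the sample history below is constructed."""
import json


def _flatten(value, prefix):
    """Flatten nested dicts/lists into dotted keys so items can be compared."""
    if isinstance(value, dict):
        out = {}
        for key, sub in value.items():
            out.update(_flatten(sub, f"{prefix}.{key}"))
        return out or {prefix: {}}
    if isinstance(value, list):
        out = {}
        for index, sub in enumerate(value):
            out.update(_flatten(sub, f"{prefix}[{index}]"))
        return out or {prefix: []}
    return {prefix: value}


def _decode(raw):
    """Config stores nested configuration as JSON strings, sometimes twice."""
    value = raw
    for _ in range(2):
        if not isinstance(value, str):
            break
        try:
            value = json.loads(value)
        except json.JSONDecodeError:
            break
    return value


def decode_item(item):
    """Flatten one configuration item (configuration + supplementary) to a dict."""
    flat = _flatten(_decode(item.get("configuration") or "{}"), "configuration")
    for name, raw in (item.get("supplementaryConfiguration") or {}).items():
        flat.update(_flatten(_decode(raw), "supplementaryConfiguration." + name))
    return flat


def diff_history(history):
    """Return change records between consecutive items, oldest to newest.

    The CLI returns newest first by default, so items are sorted by
    capture time before diffing.
    """
    items = sorted(history["configurationItems"],
                   key=lambda item: item["configurationItemCaptureTime"])
    changes = []
    for older, newer in zip(items, items[1:]):
        before, after = decode_item(older), decode_item(newer)
        for key in sorted(set(before) | set(after)):
            if before.get(key) != after.get(key):
                changes.append({
                    "capturedAt": newer["configurationItemCaptureTime"],
                    "field": key,
                    "before": before.get(key),
                    "after": after.get(key),
                    # CloudTrail event IDs tied to this item; look them up to find who
                    "relatedEvents": newer.get("relatedEvents", []),
                })
    return changes


def _bucket_item(capture_time, block_public_policy, versioning, related_events):
    """Constructed configuration item in the layout Config emits for a bucket."""
    return {
        "resourceType": "AWS::S3::Bucket",
        "resourceId": "example-bucket",
        "configurationItemCaptureTime": capture_time,
        "configurationItemStatus": "OK",
        "relatedEvents": related_events,
        "configuration": json.dumps({"name": "example-bucket", "region": "us-east-1"}),
        "supplementaryConfiguration": {
            "PublicAccessBlockConfiguration": json.dumps({
                "blockPublicAcls": True, "ignorePublicAcls": True,
                "blockPublicPolicy": block_public_policy, "restrictPublicBuckets": True}),
            "BucketVersioningConfiguration": json.dumps(
                {"status": versioning, "isMfaDeleteEnabled": None}),
        },
    }


# Constructed two-item history: newest first, as the CLI returns it
SAMPLE_HISTORY = {"configurationItems": [
    _bucket_item("2026-05-02T09:00:00.000Z", False, "Enabled",
                 ["constructed-cloudtrail-event-id"]),
    _bucket_item("2026-05-01T13:14:00.665Z", True, "Off", []),
]}

if __name__ == "__main__":
    for change in diff_history(SAMPLE_HISTORY):
        print(f"{change['capturedAt']} {change['field']}: "
              f"{change['before']!r} -> {change['after']!r} "
              f"(events: {change['relatedEvents']})")
```

Run it over real output with `python3 diff_history.py < history.json` after replacing `SAMPLE_HISTORY` with `json.load(sys.stdin)`. The `relatedEvents` IDs are what link a configuration change back to an identity: pass one to `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventId,AttributeValue=<id>` to see the principal that made the call. In the sample, the diff surfaces `blockPublicPolicy` flipping to false, which is exactly the kind of drift the rule added earlier would flag as `NON_COMPLIANT`.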
Disable
To stop the configuration recorder, use stop-configuration-recorder. After stopping, no new configuration items will be recorded, but existing history is retained in the S3 bucket.
```bash
❯ aws configservice stop-configuration-recorder \
    --configuration-recorder-name default
```
Even after stopping the recorder, any remaining Config rules may continue to run periodic evaluations, resulting in ongoing charges. To fully stop all billing, delete the rules as well.
```bash
❯ aws configservice delete-config-rule \
    --config-rule-name s3-bucket-public-access-prohibited
```
Summary
- AWS Config automatically records resource configuration changes and enables you to review change history and evaluate compliance
- Config rules let you automatically evaluate whether resources meet your requirements — choose between managed rules and custom rules (Lambda-based or Guard-based)
- Conformance packs let you manage multiple rules together and efficiently verify compliance with industry standards
- Pricing is based on the number of configuration items recorded and the number of rule evaluations performed