AWS Cloud Operations Blog

How to record resource configuration changes periodically with AWS Config

AWS Config is a service that tracks configuration changes of AWS resources in your AWS account or across your AWS Organizations. AWS Config uses the configuration recorder to detect changes to your resources and track them as configuration items (CIs). Given the increasing complexity of cloud infrastructure, the number of resource configuration changes being made has grown exponentially. Workloads are becoming more dynamic in nature as they involve creating, updating, and deleting resources over short time intervals. In the past, the configuration recorder supported only continuous recording, which captured every change to tracked resources as it happened, even for non-production resources.

Today, we are excited to announce periodic recording for AWS Config, a new feature which gives you the option to set the frequency of the configuration recorder to daily recording. Rather than recording and updating configuration items continuously, you receive one configuration item representing the most recent state of the resource over the 24-hour period, if that state differs from the previous state recorded. If a resource whose resource type is configured for periodic recording is created and deleted within the same 24-hour period, no configuration item is generated. With periodic recording, you have the option to set the default recording frequency to daily for all resource types with customizable overrides, or you can configure it per resource type. This allows you to specify that a resource type should be continuously tracked, if it is important for compliance and security for example, or that a resource type can be tracked periodically instead, such as Amazon EC2 instances in a non-production account.

Some of the benefits of periodic recording include:

  • Cost Efficiency: Daily recording can provide you with the flexibility to record changes to your resources at a lower frequency, which can reduce costs related to the number of configuration changes recorded. It is important to note that periodic recording is priced differently from continuous recording. See the AWS Config pricing page for more details.
  • Minimal Disruption: Daily recording can provide you with a more manageable flow of information, which can reduce the frequency of notifications and alert fatigue.

It is important to note that the decision to use daily or continuous recording for a resource type should take security and compliance requirements into consideration. If you need real-time monitoring or detailed analysis of your resource types, we recommend using continuous recording instead. See the Recording Frequency page for more information.

In this post, we will demonstrate how to get started with AWS Config periodic recording by updating your existing configuration recorder in the AWS Console to record with daily frequency as opposed to continuous. Furthermore, we will demonstrate how to use periodic recording with customizable overrides in the AWS Console. Then, we will show you examples of how you can set up the configuration recorder for periodic recording using the AWS CLI. If you are setting up AWS Config for the first time, see 1-click setup to get started.

Set up periodic recording in AWS Config

Let’s discuss a scenario where an existing AWS Config user wants to update their configuration recorder settings to use periodic recording for some of their resource types. By default, all resource types within the recording scope will be recorded continuously unless you select daily recording.

You have two options for the recording strategy of your configuration recorder:

  • All resource types with customizable overrides: AWS Config will record configuration changes for all current and future supported resource types except the resource types that you specify to exclude from recording. If you are setting up AWS Config configuration recorder for the first time, this is the default option.
  • Specific resource types: AWS Config records configuration changes for only the resource types you specify. If you choose to stop recording for a resource type, the configuration items that were already recorded will remain unchanged.

The following steps will show you how to update your existing configuration recorder to use periodic recording:

  1. Navigate to the AWS Config console.
  2. Choose Settings in the navigation pane.
  3. Choose Edit. Depending on your current recording strategy, proceed to either Step 4 (for All resource types with customizable overrides) or Step 5 (for Specific resource types).
  4. If you currently have All resource types with customizable overrides configured as your recording strategy then:
    • You can select Continuous Recording or Daily Recording as the default frequency for all current and future resources. The default recording frequency is set to Continuous Recording.
    • You can add optional overrides to change the recording frequency for specific resource types, or exclude specific resource types from recording.

Note: To exclude All globally recorded IAM resource types, select this bundle type from the list and choose exclude from recording. See AWS Config Recording Method Settings for more details on bundles.

Figure 1 – AWS Config recording method using All resource types with customizable overrides

  5. If you currently have Specific resource types configured as your recording strategy then:
    • You can add or remove the desired resource types to be recorded using the dropdown.
    • Under recording frequency, you can choose between Continuous or Daily for each resource type.

Figure 2 – AWS Config recording method for specific resource types

  6. Once you have updated your recording strategy, select Save.
  7. Under Settings, you can view the updated configuration recorder settings.

Figure 3 – AWS Config configuration recorder settings summary

Update your existing configuration recorder using the AWS CLI

In this section, we will show you several examples of how to set up periodic recording using the AWS CLI.

Prerequisites

To update your existing configuration recorder using the AWS CLI, you will need the name and roleARN of the recorder. Use the describe-configuration-recorders command to look them up:

$ aws configservice describe-configuration-recorders

{
    "ConfigurationRecorders": [
        {
            "roleARN": "arn:aws:iam::123456789012:role/config-role",
            "name": "default"         
        }
    ]
}

Apply periodic recording to all resource types

You can use the put-configuration-recorder command to configure your configuration recorder. In this example, you pass in the configuration recorder name and roleARN that you noted in the prerequisite step to identify the recorder you want to update. You set the recording-group so that all supported resource types, including global resource types, are recorded. Finally, you set the recording-mode to a recording frequency of DAILY.

Input the below command in the terminal in order to apply periodic recording to all resource types:

Note: Replace the values for name and roleARN with the values from your AWS Config recorder.

aws configservice put-configuration-recorder \
--configuration-recorder name=default,roleARN=arn:aws:iam::123456789012:role/config-role \
--recording-group allSupported=true,includeGlobalResourceTypes=true \
--recording-mode recordingFrequency=DAILY

Apply periodic recording using customizable overrides

If you want to record all resource types continuously but specify certain resource types for periodic recording using customizable overrides, you can reference a JSON file when using the recording-mode option.

Note: Replace the values for name and roleARN with the values from your AWS Config recorder.

aws configservice put-configuration-recorder \
--configuration-recorder name=default,roleARN=arn:aws:iam::123456789012:role/config-role \
--recording-group allSupported=true,includeGlobalResourceTypes=true \
--recording-mode file://recordingMode.json

The following is the contents of the recordingMode.json file that the recording-mode option references in the command above (the key names follow the camelCase used by the AWS Config API and CLI):

{
    "recordingFrequency": "CONTINUOUS",
    "recordingModeOverrides": [
        {
            "recordingFrequency": "DAILY",
            "resourceTypes": [
                "AWS::EC2::Instance",
                "AWS::DynamoDB::Table"
            ]
        }
    ]
}

In this JSON example the default recording frequency is CONTINUOUS, and a single recordingModeOverrides entry sets DAILY recording for the EC2 Instance and DynamoDB Table resource types. Using a JSON file lets you specify, through recordingModeOverrides, exactly which resource types will not be recorded continuously.
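As an added example (not code from the original post), the following Python script builds a recordingMode document in the shape shown above and audits a describe-configuration-recorders response for security-critical resource types that have ended up on DAILY recording, which the post advises against. The SECURITY_CRITICAL list and SAMPLE_RESPONSE are assumptions constructed for illustration; in practice you would feed the script the real command output.

```python
# Build and audit an AWS Config recordingMode document (added example, not from the
# original post; stdlib only). SAMPLE_RESPONSE is constructed to resemble the output of
# `aws configservice describe-configuration-recorders`.
import json

# Assumed list of resource types to keep on CONTINUOUS recording, following the post's
# advice that security- and compliance-relevant types should not be recorded daily.
SECURITY_CRITICAL = {"AWS::IAM::Role", "AWS::IAM::Policy",
                     "AWS::EC2::SecurityGroup", "AWS::S3::Bucket"}

def build_recording_mode(daily_types, default="CONTINUOUS"):
    """Return a recordingMode dict (the shape of recordingMode.json) that records
    daily_types DAILY; refuses to demote a security-critical type."""
    demoted = SECURITY_CRITICAL & set(daily_types)
    if demoted:
        raise ValueError(f"refusing DAILY recording for {sorted(demoted)}")
    return {"recordingFrequency": default,
            "recordingModeOverrides": [{"recordingFrequency": "DAILY",
                                        "resourceTypes": sorted(daily_types)}]}

def effective_frequency(recording_mode, resource_type):
    """Frequency that applies to resource_type: an override wins over the default;
    a recorder with no recordingMode at all records CONTINUOUS."""
    for override in recording_mode.get("recordingModeOverrides", []):
        if resource_type in override.get("resourceTypes", []):
            return override["recordingFrequency"]
    return recording_mode.get("recordingFrequency", "CONTINUOUS")

def find_daily_critical(response_json):
    """Map recorder name -> security-critical types that end up on DAILY recording."""
    findings = {}
    for rec in json.loads(response_json)["ConfigurationRecorders"]:
        mode = rec.get("recordingMode", {})
        daily = sorted(t for t in SECURITY_CRITICAL
                       if effective_frequency(mode, t) == "DAILY")
        if daily:
            findings[rec["name"]] = daily
    return findings

# Constructed sample: DAILY default whose CONTINUOUS override forgot security groups.
SAMPLE_RESPONSE = json.dumps({"ConfigurationRecorders": [{
    "name": "default", "roleARN": "arn:aws:iam::123456789012:role/config-role",
    "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True},
    "recordingMode": {"recordingFrequency": "DAILY", "recordingModeOverrides": [
        {"recordingFrequency": "CONTINUOUS",
         "resourceTypes": ["AWS::IAM::Role", "AWS::IAM::Policy", "AWS::S3::Bucket"]}]}}]})

if __name__ == "__main__":
    print(json.dumps(build_recording_mode(["AWS::EC2::Instance", "AWS::DynamoDB::Table"])))
    print(find_daily_critical(SAMPLE_RESPONSE))  # {'default': ['AWS::EC2::SecurityGroup']}
```

Pipe the output of describe-configuration-recorders into find_daily_critical after each put-configuration-recorder change to confirm that no security-critical type was silently moved to daily recording.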

For more information on command options, see AWS CLI Command Reference.

Conclusion

In this blog post, you learned how you can use AWS Config periodic recording to capture the latest configuration changes of your resources over a fixed time period, reducing the number of changes captured overall. Then you learned how to configure periodic recording using the AWS Management Console and AWS CLI. Please refer to Managing the Configuration Recorder to explore more information on the configuration recorder for AWS Config.

About the Authors


Abraham Musa

Abraham is a Cloud Operations Specialist Solutions Architect with the Cloud Foundations team at AWS based out of New York. He specializes in AWS Control Tower, AWS Organizations, AWS Service Catalog, and AWS Config. Abraham is a United States Army Veteran and enjoys traveling.


Megan Velez Rivera

Megan is a Solutions Architect supporting Public Sector customers. With over 12 years of experience working with the US Government, Megan works with her customers to design, implement, and support complex cloud infrastructures. She also enjoys helping customers establish and improve their Cloud Operations and Observability strategies.


Chris Sordan

Chris is a Solutions Architect based out of New York. He helps enterprise customers in the US Northeast accelerate their adoption of the AWS Cloud by providing architectural best practices to design solutions. Coming from a software development background, he is excited about helping customers achieve their technical objectives in the cloud with innovative solutions. Outside of work, he enjoys jazz clubs and sporting events.


Craig Edwards

Craig Edwards is a Cloud Operations Specialist Solutions Architect with the Cloud Foundations team at AWS based out of Boston Massachusetts. He specializes in AWS Config, AWS CloudTrail, AWS Audit Manager and AWS Systems Manager. Craig is a United States Air Force Veteran and when he is not building cloud solutions, he enjoys being a Father and electric vehicles.