AWS Cloud Operations Blog

Announcing AWS Config now supports recording exclusions by resource type

AWS Config is a service that tracks configuration changes of AWS resources in your AWS account. AWS Config uses the configuration recorder to detect these changes and then captures them as configuration items. The configuration recorder is created and started in each Region where you set up AWS Config. By default, the configuration recorder records all supported resources in the Region where AWS Config is running. Since AWS Config charges for each configuration item created, you could also create a customized configuration recorder that records only the resource types that you specify. This meant that in the past you had to maintain a list of included resource types and manually add any new supported resource types when you onboarded them to AWS Config.

Today, we’re excited to announce the general availability of a new feature within AWS Config that lets you exclude resource types in the configuration recorder. This launch will be particularly useful for customers who identify high volume resource types that they don’t need. You will also be able to continue to record all current and future supported resource types but exclude the ones you don’t want in the configuration recorder.

In this post, we will demonstrate how you can view the top 10 resource types (by volume of configuration items in AWS Config) in Amazon CloudWatch. Then, we will show you how you can start excluding specific resource types in the AWS Config configuration recorder.

Creating a CloudWatch graph to show the top 10 resource types

Metric math for CloudWatch allows you to query multiple CloudWatch metrics and use math expressions to evaluate the values for these metrics.  To create a CloudWatch metric to show the top 10 AWS Config resource types that have a high volume of configuration items, use the following steps:

  1. Navigate to the CloudWatch console.
  2. In the left navigation menu, click on Dashboards.
  3. Click Create dashboard.
  4. Name the dashboard aws-config-dashboard and click Create dashboard.
  5. Select Bar graph and then click by Next.
  6. Select Metrics and click Next.
  7. In the right hand section, select Add math and then select Start with empty expression.
  8. Enter in the below math expression and click Apply.

SORT(SEARCH('{AWS/Config,ResourceType} MetricName="ConfigurationItemsRecorded" NOT ResourceType="All"',"Sum",86400),SUM, DESC, 10)

  1. Under the Label column, change the name to Resource Type.
  2. In the upper left hand corner, Rename the graph to Top 10 Configuration Items Recorded by Resource Types.
  3. Click Create widget.
  4. Click Save, to then save the dashboard.
Amazon CloudWatch graph showing top 10 configuration items recorded.

Figure 1: Amazon CloudWatch graph showing top 10 configuration items recorded

Set up resource exclusion by resource type in AWS Config

In this section, we will setup resource exclusion by resource type in AWS Config to exclude specific resource types that you no longer wish to capture. This allows you to continue to record all other supported resource types but only exclude the ones you identified previously using the CloudWatch metric. The following steps will show you how to set up the configuration recorder:

  1. Navigate to the AWS Config console.
  2. Choose Settings.
  3. Choose Edit.
  4. Select Record all current and future resource types with exclusions.
  5. Under the Resource type section, select the pull down list and select the resource types you would like to exclude from being recorded by AWS Config. In this list, you can select multiple resource types to be excluded.
AWS Config settings for resource exclusion by resource type.

Figure 2: AWS Config settings for resource exclusion by resource type

Please Note: This is where you can add some of the resource types that were captured by your CloudWatch metric showing the top resource types with the most configuration items.

  1. Select Save.
  2. Under the General setting sections, you will see the list of excluded resources types.
AWS Config settings for the configuration recorder.

Figure 3: AWS Config settings for the configuration recorder

Clean up

If you like to remove the CloudWatch dashboard that was created in the previous section, you can do the following steps:

  1. Navigate to the CloudWatch console.
  2. Select the aws-config-dashboard dashboard and click Delete.

Conclusion

In this blog, we showed how you can use CloudWatch to display the top 10 resource types that have the highest volume of configuration items. We then showed how you can use the new feature of AWS Config to exclude specific resource types from being recorded that you decided were no longer needed for your business requirements. Please refer to Managing the Configuration Recorder to explore more information on the configuration recorder for AWS Config.

About the authors

Isaiah Salinas

Isaiah Salinas is a Senior Specialist Solution Architect with the Cloud Operations Team. With over 10 years of experience working with AWS technology, Isaiah works with customers to design, implement, and support complex cloud infrastructures. He also enjoys talking with others about how to use AWS services to provide solutions to their problems.

Brad Gilomen

Brad is a Principal Product Specialist for AWS CloudOps, focused on AWS Config and CloudTrail. His experience includes leading Federal Financial Enterprise Support at AWS for three years before becoming a Product Specialist in 2020. He currently works with our customers to reduce risk while staying secure and compliant while operating in the cloud.