01 Run create-bucket command (OSX/Linux/UNIX) to create an S3 bucket in the selected region. The bucket will be used by AWS Config for storing configuration history and configuration snapshot files. Bucket names must be globally unique, lowercase and DNS-compliant, so replace the MyConfigS3Bucket placeholder with a name of your own that meets those rules. For us-east-1 the --create-bucket-configuration option must be omitted (the API rejects LocationConstraint=us-east-1); for every other region it is required and the LocationConstraint must match --region, e.g. --create-bucket-configuration LocationConstraint=eu-west-1:
aws s3api create-bucket \
--bucket MyConfigS3Bucket \
--region us-east-1
02 The command output should return the new S3 bucket location (URL):
{
"Location": "http://myconfigs3bucket.s3.amazonaws.com/"
}
03 Run create-topic command (OSX/Linux/UNIX) to create an SNS topic in the selected region. The SNS topic will be used by AWS Config for sending notifications each time a new snapshot of the current configuration is taken or each time it detects a resource config change:
aws sns create-topic \
--region us-east-1 \
--name MyConfigSNSTopic
04 The command output should return the new SNS topic ARN (Amazon Resource Name):
{
"TopicArn": "arn:aws:sns:us-east-1:123456789012:MyConfigSNSTopic"
}
05 Run subscribe command (OSX/Linux/UNIX) to subscribe a notification endpoint to the topic (in this case the endpoint is an email address). The command returns a SubscriptionArn of "pending confirmation" and SNS sends a confirmation message to the endpoint:
aws sns subscribe \
--topic-arn arn:aws:sns:us-east-1:123456789012:MyConfigSNSTopic \
--protocol email \
--notification-endpoint admin@domain.com
06 Run confirm-subscription command (OSX/Linux/UNIX) to confirm the subscription with the token contained in the confirmation message delivered to the endpoint (following the link in that email does the same thing; the token below is an example value):
aws sns confirm-subscription \
--topic-arn arn:aws:sns:us-east-1:123456789012:MyConfigSNSTopic \
--token 6554392f37fb687f5d51e6e241d7700ae02f7124d8268910b858cb4db727ceeb2474bb937929d3bdd7ce5d0cce19328d3c217426bcafa9c501a2cace93b83f1dd3797627467553dc438a8c974119496fc3eff026eaa5d14472ded6f9a5c43aec62d83ef5f49109da717458
07 Create a trust policy for the new IAM role required by AWS Config. It should allow only the config.amazonaws.com service principal to assume the role; AWS additionally recommends an aws:SourceAccount condition that limits it to your own account ID, so that AWS Config acting on behalf of some other account cannot assume it (the confused-deputy problem). Make a new policy document called config-role-trust-policy.json and paste the following:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "config.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
08 Run create-role command (OSX/Linux/UNIX) to create the new IAM role called MyConfigRole. Once the permissions policy from the next step is attached, AWS Config assumes this role to send configuration history and configuration snapshots to the MyConfigS3Bucket S3 bucket and to publish messages to the MyConfigSNSTopic SNS topic created earlier:
aws iam create-role \
--role-name MyConfigRole \
--assume-role-policy-document file://config-role-trust-policy.json
09 Create the necessary permissions policy for the IAM role created at the previous step. Make a new policy document called config-role-policy.json and paste the following, replacing the account ID (123456789012), bucket name, region and topic name with your own. The first statement grants the read-only access the recorder needs to describe your resources; the remaining three are the delivery permissions (writing under the AWSLogs/<account-id>/ prefix of the bucket with the bucket-owner-full-control ACL, reading the bucket ACL, and publishing to the topic) and should stay scoped to exactly those resources:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"appstream:Get*",
"autoscaling:Describe*",
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackEvents",
"cloudformation:DescribeStackResource",
"cloudformation:DescribeStackResources",
"cloudformation:GetTemplate",
"cloudformation:List*",
"cloudfront:Get*",
"cloudfront:List*",
"cloudtrail:DescribeTrails",
"cloudtrail:GetTrailStatus",
"cloudwatch:Describe*",
"cloudwatch:Get*",
"cloudwatch:List*",
"config:Put*",
"directconnect:Describe*",
"dynamodb:GetItem",
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:DescribeTable",
"dynamodb:ListTables",
"ec2:Describe*",
"elasticache:Describe*",
"elasticbeanstalk:Check*",
"elasticbeanstalk:Describe*",
"elasticbeanstalk:List*",
"elasticbeanstalk:RequestEnvironmentInfo",
"elasticbeanstalk:RetrieveEnvironmentInfo",
"elasticloadbalancing:Describe*",
"elastictranscoder:Read*",
"elastictranscoder:List*",
"iam:List*",
"iam:Get*",
"kinesis:Describe*",
"kinesis:Get*",
"kinesis:List*",
"opsworks:Describe*",
"opsworks:Get*",
"route53:Get*",
"route53:List*",
"redshift:Describe*",
"redshift:ViewQueriesInConsole",
"rds:Describe*",
"rds:ListTagsForResource",
"s3:Get*",
"s3:List*",
"sdb:GetAttributes",
"sdb:List*",
"sdb:Select*",
"ses:Get*",
"ses:List*",
"sns:Get*",
"sns:List*",
"sqs:GetQueueAttributes",
"sqs:ListQueues",
"sqs:ReceiveMessage",
"storagegateway:List*",
"storagegateway:Describe*",
"trustedadvisor:Describe*"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject*"
],
"Resource": [
"arn:aws:s3:::MyConfigS3Bucket/AWSLogs/123456789012/*"
],
"Condition": {
"StringLike": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
},
{
"Effect": "Allow",
"Action": [
"s3:GetBucketAcl"
],
"Resource": "arn:aws:s3:::MyConfigS3Bucket"
},
{
"Effect": "Allow",
"Action": "sns:Publish",
"Resource": "arn:aws:sns:us-east-1:123456789012:MyConfigSNSTopic"
}
]
}
10 Run put-role-policy command (OSX/Linux/UNIX) to apply the policy document saved in the config-role-policy.json file to the MyConfigRole role:
aws iam put-role-policy \
--role-name MyConfigRole \
--policy-name config-policy \
--policy-document file://config-role-policy.json
11 Run subscribe command (OSX/Linux/UNIX) to create the AWS Config default delivery channel and configuration recorder for the selected region and start recording. subscribe is a CLI helper that wraps put-configuration-recorder, put-delivery-channel and start-configuration-recorder, and it creates the bucket and topic if they do not already exist. Because IAM is eventually consistent, wait a few seconds after creating the role before running it, otherwise the role ARN may be rejected. The following example describes the S3 bucket and SNS topic to which AWS Config will deliver configuration data using the IAM role created earlier:
aws configservice subscribe \
--region us-east-1 \
--s3-bucket MyConfigS3Bucket \
--sns-topic arn:aws:sns:us-east-1:123456789012:MyConfigSNSTopic \
--iam-role arn:aws:iam::123456789012:role/MyConfigRole
12 The command output should return the new AWS Config delivery channel and configuration recorder metadata. To verify afterwards that recording has actually started, run describe-configuration-recorder-status (OSX/Linux/UNIX) in the same region and check that recording is true and lastStatus is SUCCESS:
Using existing S3 bucket: MyConfigS3Bucket
Using existing SNS topic: arn:aws:sns:us-east-1:123456789012:MyConfigSNSTopic
Subscribe succeeded:
Configuration Recorders: [
{
"recordingGroup": {
"allSupported": true,
"resourceTypes": [],
"includeGlobalResourceTypes": true
},
"roleARN": "arn:aws:iam::123456789012:role/MyConfigRole",
"name": "default"
}
]
Delivery Channels: [
{
"snsTopicARN": "arn:aws:sns:us-east-1:123456789012:MyConfigSNSTopic",
"name": "default",
"s3BucketName": "MyConfigS3Bucket"
}
]
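The twelve steps above as one script, added here as a worked example; it is not code from the original page or from AWS. The region us-east-1, account ID 123456789012, bucket name my-config-s3-bucket, topic MyConfigSNSTopic, role MyConfigRole and address admin@domain.com are placeholder assumptions, overridable through the CFG_* environment variables. Beyond stringing the commands together it adds the checks the steps leave implicit: it rejects bucket names that are not lowercase and DNS-compliant, omits LocationConstraint only for us-east-1, generates the trust policy with the aws:SourceAccount condition and the delivery policy from the same variables so the ARNs cannot drift, swaps the long hand-maintained read-only list for the AWS managed policy AWS_ConfigRole, waits for IAM consistency before subscribe, and ends with describe-configuration-recorder-status. The AWS calls run only when AWS_CONFIG_APPLY=1 is set; without it the policy generators and checks can be exercised offline.

```shell
#!/bin/sh
# Added example (not the original page's code): the whole AWS Config enablement
# procedure as one script. All CFG_* defaults are placeholder assumptions.
# AWS CLI calls run only when AWS_CONFIG_APPLY=1 is set in the environment.
set -eu

CFG_REGION="${CFG_REGION:-us-east-1}"
CFG_ACCOUNT_ID="${CFG_ACCOUNT_ID:-123456789012}"
CFG_BUCKET="${CFG_BUCKET:-my-config-s3-bucket}"
CFG_TOPIC="${CFG_TOPIC:-MyConfigSNSTopic}"
CFG_ROLE="${CFG_ROLE:-MyConfigRole}"
CFG_EMAIL="${CFG_EMAIL:-admin@domain.com}"

# S3 bucket names: 3-63 characters, lowercase letters, digits, dots and hyphens,
# starting and ending with a letter or digit, no consecutive dots. The page's
# placeholder MyConfigS3Bucket fails this check because of its uppercase letters.
valid_bucket_name() {
  n="$1"
  case "$n" in
    *[!a-z0-9.-]*|.*|-*|*.|*-|*..*) return 1 ;;
  esac
  if [ "${#n}" -lt 3 ] || [ "${#n}" -gt 63 ]; then return 1; fi
  return 0
}

# us-east-1 is the only region where --create-bucket-configuration must be
# omitted; every other region rejects create-bucket without a LocationConstraint.
bucket_location_args() {
  if [ "$1" = us-east-1 ]; then
    printf '%s' ''
  else
    printf '%s' "--create-bucket-configuration LocationConstraint=$1"
  fi
}

# Trust policy: only the AWS Config service principal may assume the role, and
# only on behalf of our own account (aws:SourceAccount blocks a confused-deputy
# call made by Config while acting for some other account).
trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "config.amazonaws.com" },
      "Action": "sts:AssumeRole",
      "Condition": { "StringEquals": { "aws:SourceAccount": "$CFG_ACCOUNT_ID" } }
    }
  ]
}
EOF
}

# Delivery permissions, generated from the same variables as the resources so the
# bucket, account and topic ARNs cannot drift from what was actually created.
# PutObject is limited to Config's own prefix and to objects handed to the owner.
delivery_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::$CFG_BUCKET/AWSLogs/$CFG_ACCOUNT_ID/*",
      "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } }
    },
    { "Effect": "Allow", "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::$CFG_BUCKET" },
    { "Effect": "Allow", "Action": "sns:Publish", "Resource": "arn:aws:sns:$CFG_REGION:$CFG_ACCOUNT_ID:$CFG_TOPIC" }
  ]
}
EOF
}

main() {
  valid_bucket_name "$CFG_BUCKET" || { echo "invalid S3 bucket name: $CFG_BUCKET" >&2; exit 1; }
  # Word splitting of the optional flag is intended here.
  aws s3api create-bucket --bucket "$CFG_BUCKET" --region "$CFG_REGION" $(bucket_location_args "$CFG_REGION")
  topic_arn=$(aws sns create-topic --region "$CFG_REGION" --name "$CFG_TOPIC" --query TopicArn --output text)
  aws sns subscribe --topic-arn "$topic_arn" --protocol email --notification-endpoint "$CFG_EMAIL"
  trust_policy > config-role-trust-policy.json
  delivery_policy > config-role-policy.json
  aws iam create-role --role-name "$CFG_ROLE" --assume-role-policy-document file://config-role-trust-policy.json
  # Read access for the recorder comes from the AWS managed policy instead of the
  # long hand-maintained Describe*/List* list shown on the page.
  aws iam attach-role-policy --role-name "$CFG_ROLE" --policy-arn arn:aws:iam::aws:policy/service-role/AWS_ConfigRole
  aws iam put-role-policy --role-name "$CFG_ROLE" --policy-name config-delivery --policy-document file://config-role-policy.json
  sleep 10  # IAM is eventually consistent; a role used right after creation can be rejected.
  aws configservice subscribe --region "$CFG_REGION" --s3-bucket "$CFG_BUCKET" \
    --sns-topic "$topic_arn" --iam-role "arn:aws:iam::$CFG_ACCOUNT_ID:role/$CFG_ROLE"
  # The check that matters: the recorder is on and its last delivery succeeded.
  aws configservice describe-configuration-recorder-status --region "$CFG_REGION"
}

if [ "${AWS_CONFIG_APPLY:-0}" = 1 ]; then main; fi
```

Run it once without AWS_CONFIG_APPLY to eyeball the generated policies (`. ./enable-config.sh; trust_policy; delivery_policy`), then with `AWS_CONFIG_APPLY=1` and real CFG_* values to apply. The email subscription still has to be confirmed from the message SNS sends, exactly as in step 06.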