How can I recreate an AWS Config delivery channel?


I deleted my AWS Config delivery channel and I want to recreate the channel.

Short description

When you use the AWS Config console to set up AWS Config, a set-up process guides you through configuring the AWS resources that the delivery channel uses. The delivery channel delivers configuration snapshots and configuration history files to an Amazon S3 bucket and sends notifications to an Amazon SNS topic. AWS Config setup includes configuring the following resources:

  • Amazon Simple Storage Service (Amazon S3) bucket
  • Amazon Simple Notification Service (Amazon SNS) topic
  • AWS Identity and Access Management (IAM) role
  • The resource types to record

The AWS Command Line Interface (AWS CLI) delete-delivery-channel command succeeds only after the configuration recorder has been stopped, so an account whose delivery channel was deleted is left with a recorder that is off. If you try to turn the configuration recorder back on while no delivery channel exists, you get the following error:

"Delivery channel is not available to start configuration recorder."

Note: You can't use the AWS Config console to recreate the delivery channel.

Resolution

Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Complete the following steps to manually recreate the AWS Config delivery channel and turn on the configuration recorder.

Note: If you didn't delete the Amazon S3 bucket, SNS topic, and IAM role that were associated with the deleted AWS Config delivery channel, then you can skip the steps that create those resources and go directly to Create the delivery channel.

Create the Amazon S3 bucket

Complete the following steps:

  1. Open the Amazon S3 console in the same AWS Region as your AWS Config service.
  2. In the navigation pane, choose Create bucket.
  3. For Bucket name, enter a name for the S3 bucket, and then choose Create bucket.
  4. In S3 buckets, choose the S3 bucket that you just created.
  5. Choose Permissions, and then choose Bucket Policy.
  6. Enter the following example bucket policy, and then choose Save:
    {
     "Version": "2012-10-17",
     "Statement": [
      {
       "Sid": "AWSConfigBucketPermissionsCheck",
       "Effect": "Allow",
       "Principal": {
        "Service": "config.amazonaws.com"
       },
       "Action": "s3:GetBucketAcl",
       "Resource": "arn:aws:s3:::targetBucketName",
       "Condition": {
        "StringEquals": {
         "AWS:SourceAccount": "sourceAccountID"
        }
       }
      },
      {
       "Sid": "AWSConfigBucketExistenceCheck",
       "Effect": "Allow",
       "Principal": {
        "Service": "config.amazonaws.com"
       },
       "Action": "s3:ListBucket",
       "Resource": "arn:aws:s3:::targetBucketName",
       "Condition": {
        "StringEquals": {
         "AWS:SourceAccount": "sourceAccountID"
        }
       }
      },
      {
       "Sid": "AWSConfigBucketDelivery",
       "Effect": "Allow",
       "Principal": {
        "Service": "config.amazonaws.com"
       },
       "Action": "s3:PutObject",
       "Resource": "arn:aws:s3:::targetBucketName/[optional] prefix/AWSLogs/sourceAccountID/Config/*",
       "Condition": {
        "StringEquals": {
         "s3:x-amz-acl": "bucket-owner-full-control",
         "AWS:SourceAccount": "sourceAccountID"
        }
       }
      }
     ]
    }

Create the SNS topic

Complete the following steps:

  1. Open the Amazon SNS console in the same Region as your AWS Config service.
  2. In the navigation pane, choose Topics, and then choose Create topic.
  3. For Name, enter a name for your SNS topic. Then, choose Create topic.
  4. Choose Create subscription.
  5. For Protocol, choose Email.
  6. For Endpoint, enter the email address that you want to associate with this SNS topic, and then choose Create subscription.
  7. Check your email for the subscription confirmation, and then choose Confirm subscription.

After you confirm your subscription, you receive the message Subscription confirmed!

Note: To use your SNS topic, make sure that the IAM role that AWS Config uses has sns:Publish permission on the topic (the inline policy in the next section grants it) and that the topic's access policy doesn't deny it.

Create the IAM role

Complete the following steps:

  1. Open the IAM console.

  2. Choose Roles, and then choose Create role.

  3. For Select type of trusted entity, choose AWS service.

  4. Under Use cases for other AWS services, choose Config.

  5. For Select your use case, choose Config - Customizable, and then choose Next: Permissions.

  6. Choose Next, enter a Role name, and then choose Create role.

  7. Select the role that you created, choose Create inline policy, and then choose the JSON tab.

  8. Enter the following example policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:PutObject",
            "s3:PutObjectAcl"
          ],
          "Resource": [
            "arn:aws:s3:::targetBucketName/[optional] prefix/AWSLogs/sourceAccountID-WithoutHyphens/*"
          ],
          "Condition": {
            "StringLike": {
              "s3:x-amz-acl": "bucket-owner-full-control"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetBucketAcl"
          ],
          "Resource": "arn:aws:s3:::targetBucketName"
        },
        {
          "Effect": "Allow",
          "Action": "sns:Publish",
          "Resource": "arn:aws:sns:region:account_number:targetTopicName"
        }
      ]
    }
  9. For Policy name, enter a name, and then choose Create policy.

Create the KMS Key

It's a best practice to use AWS Key Management Service (AWS KMS) based encryption on objects delivered by AWS Config to an Amazon S3 bucket. Create a KMS key in the same Region as your AWS Config service.

Complete the following steps:

  1. Open AWS KMS Console.
  2. In the navigation pane, choose Customer managed keys, and then choose Create key.
  3. For Key type, choose Symmetric to create a symmetric encryption KMS key.
  4. For Key usage, choose the Encrypt and decrypt option, and then choose Next.
  5. Enter an alias for your KMS key. Then, choose Next.
    Note: Your alias name can't begin with aws/.
  6. Select the IAM users and roles that can administer the KMS key. Then, choose Next.
  7. Select the IAM users and roles that can use the key in cryptographic operations. Then, choose Next.
  8. Choose Finish to create the KMS key.
  9. In the navigation pane, choose Customer managed keys. Then, under Customer managed keys, select the key that you created.
  10. Under the Key Policy tab, choose Switch to policy view. Then, choose Edit.
  11. If you use a custom IAM role for AWS Config, then add the following statement to the key policy, replacing myKMSKeyARN and the role ARN with your values. Then, choose Save changes.
    {
      "Statement": [
        {
          "Sid": "AWSConfigKMSPolicy",
          "Action": [
            "kms:Decrypt",
            "kms:GenerateDataKey"
          ],
          "Effect": "Allow",
          "Resource": "myKMSKeyARN",
          "Principal": {
            "AWS": [
              "arn:aws:iam::account_id:role/my-config-role-name"
            ]
          }
        }
      ]
    }

Or, if you use the service-linked role (SLR) for AWS Config, then add the following statement to the key policy instead. The AWS:SourceAccount condition prevents other accounts from using your key through the AWS Config service principal:

{
  "Statement": [
    {
      "Sid": "AWSConfigKMSPolicy",
      "Effect": "Allow",
      "Principal": {
        "Service": "config.amazonaws.com"
      },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "myKMSKeyARN",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "sourceAccountID"
        }
      }
    }
  ]
}

Create the delivery channel

Complete the following steps:

  1. Enter the following example template into a text editor, replace the placeholder values, and then save it as deliveryChannel.json:

    {
        "name": "default",
        "s3BucketName": "targetBucketName",
        "s3KeyPrefix": "Optionalprefix",
        "snsTopicARN": "arn:aws:sns:region:account_ID:targetTopicName",
        "s3KmsKeyArn": "arn:aws:kms:region:account_ID:key/KmsKeyID",
        "configSnapshotDeliveryProperties": {
            "deliveryFrequency": "Twelve_Hours"
        }
    }

    Note: You must provide s3KeyPrefix if the S3 bucket policy restricts PutObject to a certain prefix instead of the default prefix, and the prefix must match the one used in the bucket policy and the IAM role policy. Change the deliveryFrequency value to match your use case (valid values are One_Hour, Three_Hours, Six_Hours, Twelve_Hours, and TwentyFour_Hours). If you choose not to activate encryption, then omit the s3KmsKeyArn value from the JSON file.

  2. Run the put-delivery-channel AWS CLI command:

    $ aws configservice put-delivery-channel --delivery-channel file://deliveryChannel.json
  3. To confirm that the delivery channel was created, run the describe-delivery-channels AWS CLI command:

    $ aws configservice describe-delivery-channels

Start the configuration recorder

Complete the following steps:

  1. Open the AWS Config console.
  2. In the navigation pane, choose Settings.
  3. In Recording is off, choose Turn on, and then choose Continue. Or, run the start-configuration-recorder AWS CLI command:
    $ aws configservice start-configuration-recorder --configuration-recorder-name configRecorderName

For more information, see Managing the configuration recorder and Evaluating resources with AWS Config rules.
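The whole recreate procedure as a single script, added here as an example and not part of the AWS article. It renders the article's bucket policy and delivery-channel JSON from environment variables, pushes them with the AWS CLI, starts the recorder, and then checks the recorder status. All values (account ID 111122223333, us-east-1, bucket my-config-bucket, topic my-config-topic, recorder name default) are assumed placeholders; the script also assumes the bucket, SNS topic, IAM role and configuration recorder already exist, because put-delivery-channel requires an existing recorder. It goes slightly beyond the article in that the same render function handles both the no-prefix and no-encryption cases by omitting the optional fields.

```shell
#!/bin/sh
# Added example, not part of the AWS article: recreate the AWS Config
# delivery channel with the AWS CLI instead of the console, after the
# bucket, SNS topic, IAM role and configuration recorder already exist.
# Every value below is an assumed placeholder; override it in the
# environment before running "apply".
set -eu

: "${ACCOUNT_ID:=111122223333}"   # 12-digit account ID, no hyphens (assumed)
: "${REGION:=us-east-1}"          # Region of the Config recorder (assumed)
: "${BUCKET:=my-config-bucket}"   # existing S3 bucket (assumed name)
: "${TOPIC:=my-config-topic}"     # existing SNS topic (assumed name)
: "${PREFIX:=}"                   # optional s3KeyPrefix; empty = none
: "${KMS_KEY_ARN:=}"              # optional KMS key ARN; empty = no SSE-KMS
: "${RECORDER:=default}"          # name of the existing configuration recorder

# The article's bucket policy with the placeholders filled in. The PutObject
# resource must carry the same prefix (if any) that the delivery channel uses.
render_bucket_policy() {
  path="arn:aws:s3:::${BUCKET}/${PREFIX:+${PREFIX}/}AWSLogs/${ACCOUNT_ID}/Config/*"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AWSConfigBucketPermissionsCheck", "Effect": "Allow",
     "Principal": {"Service": "config.amazonaws.com"},
     "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::${BUCKET}",
     "Condition": {"StringEquals": {"AWS:SourceAccount": "${ACCOUNT_ID}"}}},
    {"Sid": "AWSConfigBucketExistenceCheck", "Effect": "Allow",
     "Principal": {"Service": "config.amazonaws.com"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::${BUCKET}",
     "Condition": {"StringEquals": {"AWS:SourceAccount": "${ACCOUNT_ID}"}}},
    {"Sid": "AWSConfigBucketDelivery", "Effect": "Allow",
     "Principal": {"Service": "config.amazonaws.com"},
     "Action": "s3:PutObject", "Resource": "${path}",
     "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control",
                                    "AWS:SourceAccount": "${ACCOUNT_ID}"}}}
  ]
}
EOF
}

# Input for put-delivery-channel. s3KeyPrefix and s3KmsKeyArn are emitted
# only when set, so one function covers the "no prefix" and "no encryption"
# cases from the article's note.
render_delivery_channel() {
  prefix_line=""; kms_line=""
  if [ -n "$PREFIX" ]; then prefix_line="\"s3KeyPrefix\": \"${PREFIX}\","; fi
  if [ -n "$KMS_KEY_ARN" ]; then kms_line="\"s3KmsKeyArn\": \"${KMS_KEY_ARN}\","; fi
  cat <<EOF
{
  "name": "default",
  "s3BucketName": "${BUCKET}",
  ${prefix_line}
  "snsTopicARN": "arn:aws:sns:${REGION}:${ACCOUNT_ID}:${TOPIC}",
  ${kms_line}
  "configSnapshotDeliveryProperties": {"deliveryFrequency": "Twelve_Hours"}
}
EOF
}

# Push the policy and the channel, then start the recorder and verify it.
apply() {
  render_bucket_policy > bucket-policy.json
  aws s3api put-bucket-policy --bucket "$BUCKET" --policy file://bucket-policy.json
  render_delivery_channel > deliveryChannel.json
  aws configservice put-delivery-channel --delivery-channel file://deliveryChannel.json
  aws configservice describe-delivery-channels
  aws configservice start-configuration-recorder --configuration-recorder-name "$RECORDER"
  # "recording": true in this output means the article's error is resolved.
  aws configservice describe-configuration-recorder-status
}

case "${1:-render}" in
  render) render_bucket_policy; render_delivery_channel ;;
  apply)  apply ;;
  *) echo "usage: $0 [render|apply]" >&2; exit 2 ;;
esac
```

Run it without arguments to review the rendered JSON first, then with `apply` (and with credentials for the target account) to make the changes. If the bucket policy uses a prefix, set PREFIX to the same value so that the s3KeyPrefix in the delivery channel and the PutObject resource in the bucket policy stay in sync; otherwise delivery fails with an access-denied error from S3.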

Related information

Setting up AWS Config with the console

How can I troubleshoot AWS Config console error messages?

AWS OFFICIAL (updated 4 months ago)