Permissions needed in order to deploy and maintain AWS cofnig service

HI, Service-linked roles are predefined by AWS Config and include all the permissions that the service requires to call other AWS services. Pre-existing AWS Config role If you have used an AWS service that uses AWS Config, such as AWS Security Hub or AWS Control Tower, and an AWS Config role has already been created, make sure that the IAM role that you use when setting up AWS Config keeps the same minimum permissions as the already created AWS Config role. You must do this so that the other AWS service continues to run as expected.

For example, if AWS Control Tower has an IAM role that allows AWS Config to read Amazon Simple Storage Service (Amazon S3) objects, make sure that the same permissions are granted within the IAM role you use when setting up AWS Config. Otherwise, it may interfere with how AWS Control Tower operates. For more information about IAM roles for AWS Config, see AWS Identity and Access Management.

please take a look at the blog post links below as it provides guidance depending on your current setup.

Quick Setup AWS Config: https://docs.aws.amazon.com/config/latest/developerguide/gs-console.html AWS Config Manual Setup: https://docs.aws.amazon.com/config/latest/developerguide/manual-setup.title.html

Permissions for the IAM Role Assigned to AWS Config https://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html