Questions tagged with AWS Config
I am trying to deploy the aws-config conformance pack Operational-Best-Practices-for-FedRAMP-Low via the sample template through the console; however, it's failing with the below error message:
The required parameter alarmActionRequired, insufficientDataActionRequired, okActionRequired is not present in the inputParameters (Service: AmazonConfig; Status Code: 400; Error Code: InvalidParameterValueException; Request ID: 59828ea1-f4af-4577-a325-5f8b19966aeb; Proxy: null)
Hi all,
We are using **AWS Control Tower** to manage **AWS Accounts** in our **Landing Zone**,
Unfortunately one of our principal regions (**eu-south-1**) isn't governed by **Control Tower**, so in this case we need to set up/create resources manually or using Terraform.
What we are trying to achieve is to set up a **Terraform Pipeline** which will enable **AWS Config** and create some **Config Rules** we usually use in the regions **Not-Governed** by **Control Tower**.
But the main issue right now is the following statement of an **SCP** created by **Control Tower** to prevent any modifications to **AWS Config** within the AWS Organization:
```
{
"Condition": {
"ArnNotLike": {
"aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
}
},
"Action": [
"config:DeleteConfigurationRecorder",
"config:DeleteDeliveryChannel",
"config:DeleteRetentionConfiguration",
"config:PutConfigurationRecorder",
"config:PutDeliveryChannel",
"config:PutRetentionConfiguration",
"config:StopConfigurationRecorder"
],
"Resource": [
"*"
],
"Effect": "Deny",
"Sid": "GRCOXXXXXX"
}
```
We tried to disable the ***Deny Regions*** feature in our Landing Zone but with no success; the SCP is still there!!
Does anyone have an idea how to overcome this issue?
Any help would be greatly appreciated.
Thanks
Peter
Hello,
I'm trying to prevent AWS Config from recording resources with a specific tag in my organization. The end result I'm looking for is that I have EC2 instances, DynamoDB tables, etc with a tag "awsconfig" and a value of "disable" and these are not recorded in AWS config.
I have found that you can configure the recorder to not record specific resources, however that wouldn't work since I have resources that I do want to capture that are the same type of resources I don't want to capture.
Additionally I have found the [AWS RDK](https://github.com/awslabs/aws-config-rdk) which is cool, but acts on rules and has no effect on recording of resources. I also have found [this question](https://repost.aws/questions/QUBXSScAzLSH60lu4DcVaW5w/exclude-resources-from-aws-config-managed-rules) but it seems geared towards still recording the resources, just not having a rule run against them.
Is what I'm looking to do possible or am I out of luck?
Thanks
I am trying to use an Athena table for Config data that is supposed to be partitioned. The partition is not getting created because of 'non-partition columns'.
```
ALTER TABLE aws_config_configuration_snapshot ADD PARTITION (accountid='444453583253', dt='latest', region='us-east-1')
location 's3://config-bucket-444453583253-us-east-1/AWSLogs/444453583253/Config/us-east-1/2023/1/24/ConfigSnapshot/'
```
The error shown in Athena is:
[ErrorCategory:USER_ERROR, ErrorCode:SYNTAX_ERROR], Detail:FAILED: SemanticException Partition spec {accountid=444453583253, dt=latest, region=us-east-1} contains non-partition columns
This query ran against the "cost" database, unless qualified by the query. Please post the error message on our forum or contact customer support with Query Id: a9974a89-2ae7-4416-97de-02a6ee5ee5f2
The external table syntax is as follows:
```
CREATE EXTERNAL TABLE aws_config_configuration_snapshot (
fileversion STRING,
configsnapshotid STRING,
configurationitems ARRAY < STRUCT < configurationItemVersion: STRING,
configurationItemCaptureTime: STRING,
configurationStateId: BIGINT,
awsAccountId: STRING,
configurationItemStatus: STRING,
resourceType: STRING,
resourceId: STRING,
resourceName: STRING,
ARN: STRING,
awsRegion: STRING,
availabilityZone: STRING,
configurationStateMd5Hash: STRING,
configuration: STRING,
supplementaryConfiguration: MAP < STRING,
STRING >,
tags: MAP < STRING,
STRING >,
resourceCreationTime: STRING > >
)
PARTITIONED BY (dt STRING, region STRING)
ROW FORMAT SERDE 'org.openx.data.jsonserde.JsonSerDe'
WITH SERDEPROPERTIES (
'case.insensitive' = 'false',
'mapping.fileversion' = 'fileVersion',
'mapping.configsnapshotid' = 'configSnapshotId',
'mapping.configurationitems' = 'configurationItems',
'mapping.configurationitemversion' = 'configurationItemVersion',
'mapping.configurationitemcapturetime' = 'configurationItemCaptureTime',
'mapping.configurationstateid' = 'configurationStateId',
'mapping.awsaccountid' = 'awsAccountId',
'mapping.configurationitemstatus' = 'configurationItemStatus',
'mapping.resourcetype' = 'resourceType',
'mapping.resourceid' = 'resourceId',
'mapping.resourcename' = 'resourceName',
'mapping.arn' = 'ARN',
'mapping.awsregion' = 'awsRegion',
'mapping.availabilityzone' = 'availabilityZone',
'mapping.configurationstatemd5hash' = 'configurationStateMd5Hash',
'mapping.supplementaryconfiguration' = 'supplementaryConfiguration',
'mapping.configurationstateid' = 'configurationStateId'
)
LOCATION 's3://config-bucket-444453583253-us-east-1/AWSLogs/';
```
A similar problem is noted here: https://repost.aws/questions/QU43lhf9JOSv6Ew6QT5y4fZg/not-able-to-get-the-data-in-query-result-in-the-athena-for-the-aws-config-from-s-3-bucket
I have gone through this article to **generate architecture diagrams of AWS Cloud workloads**, but there is no clear guideline on where to start and how to build this to get architecture diagrams of a live workload of any size residing in an AWS account.
Does anyone use this feature to create architecture diagrams of AWS Cloud workloads?
In my Control Tower I have some small project accounts that have some EC2/ECS that are periodically (every 1-6 hours) started to do some task and then stopped.
AWS Config costs me a lot more than EC2/ECS itself.
For me it is not sustainable.
I state that I have never used AWS Config outside of Control Tower.
How can I disable it entirely (or at least for EC2/ECS start/stop events) for some (or all) accounts in my Control Tower?
I can run my program as localhost but when I try to run it through AWS it fails to connect.
I am very much a rookie at AWS but my developer took a look and couldn't figure it out. Not sure what to think about that but regardless I am stuck and wondered if anyone else has seen this issue.
He did say the issue was likely caused by me turning the server off, then restarting a few days later which we didn't know updates your AWS IP addresses.
We are running 2 ec2 instances and one RDS server.
There are 6 Python APIs:
a short string is returned well;
a long string is not returned.
Any assistance is appreciated.
Does [AWS Config proactive compliance](https://aws.amazon.com/about-aws/whats-new/2022/11/aws-config-rules-support-proactive-compliance/) work with Terraform?
I am trying to enable AWS Config as a trusted service from AWS Organizations as mentioned in the official documentation. However, I see a note that AWS recommends enabling the trusted service from the AWS Config service and not from AWS Organizations.
How do I enable the trusted service from AWS Config so that any rule or pack I enable in the management account gets automatically replicated to member accounts?
Hi all,
Tricky one here, but seems possible.
I am attempting to create an AWS EC2 inventory csv file across our AWS Organization.
Requirements are to include the EC2 Instance Name and the ENI Network Interface IDs.
Using the AWS Config Query editor appears to be the fastest method in a multi-account Organization.
Here is my query so far:
```
SELECT
resourceId,
resourceName,
resourceType,
accountId,
configuration.instanceType,
configuration.state.name,
tags,
configuration.networkInterfaces,
configuration.publicIp,
configuration.privateIpAddress
WHERE
resourceType = 'AWS::EC2::Instance'
AND configuration.state.name = 'running'
```
**Questions:**
1. How can I get the tags.key "Name" property to display in the output?
2. How can I get the configuration.networkInterfaces "networkInterfaceId" property to display in the output?
Screenshot attached for reference illustrating the problem.
Here is a link for reference.
[https://www.virtualbonzo.com/2022/08/08/a-quick-and-easy-ec2-inventory-using-aws-config/](https://www.virtualbonzo.com/2022/08/08/a-quick-and-easy-ec2-inventory-using-aws-config/)
Hi everyone,
Can anyone guide me on why my instance is going down so many times? I started using AWS services 2-3 months ago and am facing this problem again and again.
**My instance is initiated with "WordPress by Bitnami"** and hosted on an EC2 Medium in the London region.
When it happened to me the first time, I rebooted my instance and it just started up again; then the same thing happened again, so initially it got through with rebooting. Then I started getting a 503 error and unreachability, so I have done many things to resolve this like DNS updates, .html file updates, etc.
Today, again my website is down and I am wondering what the actual reason behind it is and how to resolve this. Just to mention, site status and monitoring seem fine in the AWS console.
Looking forward to hearing from you guys soon.
How do I recreate my Config Delivery Channel if the AWS region does not support AWS CloudShell or have the AWS CLI configured?