AWS Config (IAM)
AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources.
Common permissions
- config:DescribeConfigRules
- config:ListDiscoveredResources
- config:GetResourceConfigHistory
- config:PutEvaluations
- config:StartConfigRulesEvaluation
- config:DescribeConformancePacks
- config:ListStoredQueries
- config:GetStoredQuery
Least-privilege example
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "config:DescribeConfigRules",
        "config:ListDiscoveredResources",
        "config:GetResourceConfigHistory",
        "config:PutEvaluations",
        "config:StartConfigRulesEvaluation",
        "config:DescribeConformancePacks",
        "config:ListStoredQueries",
        "config:GetStoredQuery"
      ],
      "Resource": "*"
    }
  ]
}
Warnings
- Avoid config:* — grants full control including rule deletion and configuration recorder changes
- Avoid config:DeleteConfigRule and config:DeleteConfigurationRecorder — can break compliance monitoring