How can I recreate an AWS Config delivery channel?

Last updated: 2022-09-21

I deleted my AWS Config delivery channel. How can I recreate it?

Short description

When you set up AWS Config using the AWS Config console, a set-up process guides you to configure AWS resources to send notifications to the delivery channel. AWS Config setup includes configuring an Amazon Simple Storage Service (Amazon S3) bucket, an Amazon Simple Notification Service (Amazon SNS) topic, an AWS Identity and Access Management (IAM) role, and the resource types to record.

If you delete an AWS Config delivery channel using the AWS Command Line Interface (AWS CLI) command delete-delivery-channel, then the configuration recorder turns off. Trying to turn on the configuration recorder again returns the error "AWS Config cannot start recording because the delivery channel was not found."

Note: You can't recreate the delivery channel using the AWS Config console.

Resolution

Follow these instructions to manually recreate the AWS Config delivery channel and turn on the configuration recorder.

Note: If you didn't delete the Amazon S3 bucket, S3 topic, and IAM role associated with the deleted AWS Config delivery channel, you can skip these steps.

Create the Amazon S3 bucket

1.    Open the Amazon S3 console in the same Region as your AWS Config service, and choose Create bucket.

2.    In Bucket name, enter a name for the S3 bucket, and then choose Next.

3.    Choose Next, Next, and then Create bucket.

4.    In S3 buckets, choose the S3 bucket that you just created in step 3.

5.    Choose Permissions, and then choose Bucket Policy.

6.    Copy and paste the following example bucket policy, and then choose Save.

{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Sid": "AWSConfigBucketPermissionsCheck",
   "Effect": "Allow",
   "Principal": {
    "Service": "config.amazonaws.com"
   },
   "Action": "s3:GetBucketAcl",
   "Resource": "arn:aws:s3:::targetBucketName",
   "Condition": {
    "StringEquals": {
     "AWS:SourceAccount": "sourceAccountID"
    }
   }
  },
  {
   "Sid": "AWSConfigBucketExistenceCheck",
   "Effect": "Allow",
   "Principal": {
    "Service": "config.amazonaws.com"
   },
   "Action": "s3:ListBucket",
   "Resource": "arn:aws:s3:::targetBucketName",
   "Condition": {
    "StringEquals": {
     "AWS:SourceAccount": "sourceAccountID"
    }
   }
  },
  {
   "Sid": "AWSConfigBucketDelivery",
   "Effect": "Allow",
   "Principal": {
    "Service": "config.amazonaws.com"
   },
   "Action": "s3:PutObject",
   "Resource": "arn:aws:s3:::targetBucketName/[optional] prefix/AWSLogs/sourceAccountID/Config/*",
   "Condition": {
    "StringEquals": {
     "s3:x-amz-acl": "bucket-owner-full-control",
     "AWS:SourceAccount": "sourceAccountID"
    }
   }
  }
 ]
}

Create the SNS topic

1.    Open the Amazon SNS console in the same Region as your AWS Config service, and then choose Topics.

2.    Choose Create topic.

3.    For Name, enter a name for your SNS topic. Then, choose Create topic.

4.    Choose Create subscription.

5.    For Protocol, choose Email.

6.    For Endpoint, enter the email address that you want to associate with this SNS topic, and then choose Create subscription.

7.    Check your email for the subscription confirmation, and then choose Confirm subscription.

8.    You receive the message Subscription confirmed!

Note: To use your SNS topic, make sure you have the required permissions.

Create the IAM role

1.    Open the IAM console.

2.    Choose Roles, and then choose Create role.

3.    In Select type of trusted entity, choose AWS service.

4.    Under Use cases for other AWS services, choose Config.

5.    In Select your use case, choose Config - Customizable, and then choose Next: Permissions.

6.    Choose Next: Tags, and then choose Next: Review.

7.    In Role name, enter a name, and then choose Create role.

8.    Choose the role that you created in step 7, choose Add inline policy, and then choose the JSON tab.

9.    Copy and paste the following example policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::arn:aws:s3:::targetBucketName/[optional] prefix/AWSLogs/sourceAccountID-WithoutHyphens/*"
      ],
      "Condition": {
        "StringLike": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketAcl"
      ],
      "Resource": "arn:aws:s3:::targetBucketName"
    },
    {
      "Effect": "Allow",
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:region:account_number:targetTopicName"
    }
  ]
}

Create the KMS Key

It's a best practice to use AWS Key Management Service (AWS KMS) based encryption on objects delivered by AWS Config to an Amazon S3 bucket. Create a KMS key in the same Region as your AWS Config service. Be sure you have the required permissions for your KMS key.

If you choose not to encrypt the objects, skip these steps and continue to the Create the delivery channel section.

1.    Open AWS KMS Console.

2.    In the navigation pane, choose Customer managed keys.

3.    Choose Create key.

4.    For Key type, choose Symmetric to create a symmetric encryption KMS key. For information about on asymmetric KMS keys, see Creating asymmetric KMS keys (console).

5.    For Key usage, the Encrypt and decrypt option is selected by default. Confirm this option, and then choose Next.

6.    Enter an alias for your KMS key. Then, choose Next. Note: Your alias name can't begin with aws/.

7.    Select the IAM users and roles that can administer the KMS key. Then, choose Next.

8.    Select the IAM users and roles that can use the key in cryptographic operations. Then, choose Next.

9.    Choose Finish to create the KMS key.

10.    Choose Customer managed keys in the navigation pane. Then, under Customer managed keys, select the key that you just created

11.    In the Key Policy tab, choose Switch to policy view. Then, choose Edit.

12.    If you are using a custom IAM role for AWS Config, then copy and paste this policy statement as additional key policy statement. Then, choose Save changes.

{
  "Statement": [
    {
      "Sid": "AWSConfigKMSPolicy",
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Effect": "Allow",
      "Resource": "myKMSKeyARN",
      "Principal": {
        "AWS": [
          "arn:aws:iam:account_id:role/my-config-role-name"
        ]
      }
    }
  ]
}

-or-

If you are using Service Linked Roles (SLR) for AWS Config, then use the following policy statement to update the KMS key policy:

{
  "Statement": [
    {
      "Sid": "AWSConfigKMSPolicy",
      "Effect": "Allow",
      "Principal": {
        "Service": "config.amazonaws.com"
      },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "myKMSKeyARN",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "sourceAccountID"
        }
      }
    }
  ]
}

Create the delivery channel

1.    Using a text editor, copy and paste the following example template, and then save it as a JSON file. You can change the deliveryFrequency value to match your use case. If you choose not to activate encryption, omit the s3KmsKeyArn value from the JSON file.

Important: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

{
    "name": "default",
    "s3BucketName": "targetBucketName",
    "s3KeyPrefix": "Optionalprefix",
    "snsTopicARN": "arn:aws:sns:region:account_ID:targetTopicName",
    "s3KmsKeyArn": "arn:aws:kms:region:account_ID:KmsKey",
    "configSnapshotDeliveryProperties": {
        "deliveryFrequency": "Twelve_Hours"
    }
}

Note: The s3KeyPrefix must be provided if the S3 bucket policy restricts PutObject to a certain prefix, rather than the default.

2.    Run the following AWS CLI command:

$ aws configservice put-delivery-channel --delivery-channel file://deliveryChannel.json

3.    Run the following AWS CLI command to confirm that the Delivery Channel created:

$ aws configservice describe-delivery-channels

Start the configuration recorder

1.    Open the AWS Config console.

2.    In the navigation pane, choose Settings.

3.    In Recording is off, choose Turn on, and then choose Continue.

-or-

Run the following AWS CLI command:

$ aws configservice start-configuration-recorder --configuration-recorder-name configRecorderName