Why do I receive a MaxNumberOfConfigurationRecordersExceededException error when I create an AWS Config configuration recorder?

Last updated: 2021-04-20

When I try to create an AWS Config configuration recorder, I get a MaxNumberOfConfigurationRecordersExceededException error. How can I troubleshoot this issue?

Short description

AWS Config uses a configuration recorder to record changes in your resource configuration. AWS Config currently allows only one configuration recorder per Region in an account. The MaxNumberOfConfigurationRecordersExceededException error indicates that you can’t create a new configuration recorder because one is already present on your account for the Region. The error occurs regardless of whether the recorder is created using the AWS Management Console, the AWS Command Line Interface (AWS CLI), or AWS CloudFormation.

Resolution

To resolve the MaxNumberOfConfigurationRecordersExceededException error and create a new configuration recorder, you must identify and then delete the existing configuration recorder.

Note: It's not possible to delete a configuration recorder from the console. Deletions must be performed programmatically.

First, verify that the correct AWS Identity and Access Management (IAM) permissions are in place to run the required commands. Then, you can identify and delete the existing configuration recorder using the AWS CLI or CloudFormation.

IAM permissions

To describe and delete a configuration recorder, add the following IAM permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "config:DescribeConfigurationRecorders",
                "config:DeleteConfigurationRecorder"
            ],
            "Resource": "*"
        }
    ]
}

To start and stop a configuration recorder, add the following IAM permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "config:PutConfigurationRecorder",
                "iam:PassRole",
                "config:DescribeConfigurationRecorders",
                "config:StopConfigurationRecorder",
                "config:StartConfigurationRecorder",
                "config:DeleteConfigurationRecorder"
            ],
            "Resource": "*"
        }
    ]
}

Identify and delete a configuration recorder (AWS CLI)

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.

Identify the existing configuration recorder name

Run the following command to identify the existing configuration recorder in a specific Region. Replace RegionID with your AWS Region.

$ aws configservice describe-configuration-recorders --region RegionID

Review the output. The existing configuration recorder name is listed next to “name” in the output.

Delete the existing configuration recorder

Run the following command to delete the existing configuration recorder. Replace RecorderName and RegionID with your values.

$ aws configservice delete-configuration-recorder --configuration-recorder-name RecorderName --region RegionID

Note: The delete-configuration-recorder command doesn't return an output when the recorder is successfully deleted.

API calls to start and stop the recorder

You can use API calls if you need to start or stop a configuration recorder.

Run the following command to start a configuration recorder. Replace RecorderName with the name of your configuration recorder.

$ aws configservice start-configuration-recorder --configuration-recorder-name RecorderName

Run the following command to stop a configuration recorder. Replace RecorderName with the name of your configuration recorder.

$ aws configservice stop-configuration-recorder --configuration-recorder-name RecorderName

Identify and delete a configuration recorder (CloudFormation)

If you enabled AWS Config using a CloudFormation StackSet template, then follow the guidance in this section to identify and delete a configuration recorder.

You can use an AWS Lambda-backed custom resource to write code logic to identify and delete a configuration recorder.

After the configuration recorder is deleted, you can use the cfn-response module for custom resources to continue creating a new configuration recorder.

After the new configuration recorder is created, you can call the StartConfigurationRecorder API to start the recorder.
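The Lambda-backed custom resource described above, as an added example that is not AWS's own code: it lists the Region's existing configuration recorder, deletes it, and answers CloudFormation through the cfn-response module. It assumes the Lambda execution role carries the describe/delete permissions listed earlier; the function and class names are hypothetical, and FakeConfigClient is a constructed stand-in so the logic can be exercised offline.

```python
# Added example (not AWS's code): Lambda-backed custom resource that deletes the
# Region's existing AWS Config configuration recorder before the stack creates
# a new one. Assumes the Lambda execution role has the describe/delete
# permissions listed above; function and class names are hypothetical.

def find_recorder_names(config_client):
    """Return the names of all configuration recorders in this Region (0 or 1)."""
    resp = config_client.describe_configuration_recorders()
    return [rec["name"] for rec in resp.get("ConfigurationRecorders", [])]


def delete_existing_recorders(config_client):
    """Delete every recorder found and return the names that were deleted."""
    deleted = []
    for name in find_recorder_names(config_client):
        config_client.delete_configuration_recorder(ConfigurationRecorderName=name)
        deleted.append(name)
    return deleted


def lambda_handler(event, context):
    """Custom resource entry point: clean up on Create/Update, no-op on Delete."""
    import boto3        # present in the Lambda Python runtime
    import cfnresponse  # cfn-response module provided for custom resources

    status, data = cfnresponse.SUCCESS, {}
    try:
        if event["RequestType"] in ("Create", "Update"):
            deleted = delete_existing_recorders(boto3.client("config"))
            data["DeletedRecorders"] = ",".join(deleted)
        # On stack Delete nothing is removed here: the replacement recorder is
        # owned by the stack's own AWS::Config::ConfigurationRecorder resource.
    except Exception as exc:  # always report back, or the stack hangs waiting
        status, data = cfnresponse.FAILED, {"Reason": str(exc)}
    cfnresponse.send(event, context, status, data)


class FakeConfigClient:
    """Constructed stand-in for boto3's 'config' client, for offline runs."""

    def __init__(self, names):
        self.names, self.deleted = list(names), []

    def describe_configuration_recorders(self, **_):
        return {"ConfigurationRecorders": [{"name": n} for n in self.names]}

    def delete_configuration_recorder(self, ConfigurationRecorderName):
        self.deleted.append(ConfigurationRecorderName)
        self.names.remove(ConfigurationRecorderName)
```

In the template, give the AWS::Config::ConfigurationRecorder resource a DependsOn on this custom resource so the deletion runs before the new recorder is created; starting the recorder is still the separate StartConfigurationRecorder call from the last step.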