How can I recreate an AWS Config Delivery Channel?

Last updated: 2019-11-06

I deleted my AWS Config delivery channel—how can I recreate it?

Short Description

When you set up AWS Config using the AWS Config console, a set-up process guides you through creating the resources that the delivery channel and the configuration recorder depend on: an Amazon Simple Storage Service (Amazon S3) bucket that receives configuration snapshots and history files, an Amazon Simple Notification Service (Amazon SNS) topic that receives notifications, an AWS Identity and Access Management (IAM) role that AWS Config assumes, and the resource types to record.

Before you can delete an AWS Config delivery channel with the AWS Command Line Interface (AWS CLI) command delete-delivery-channel, the configuration recorder must be stopped, so after the deletion the recorder is off. Attempting to turn the configuration recorder back on then returns the error "AWS Config cannot start recording because the delivery channel was not found."

Note: You can't recreate the delivery channel using the AWS Config console; you must use the AWS CLI (or the API).

Resolution

Follow these instructions to manually recreate the AWS Config delivery channel and turn the configuration recorder on.

Note: If you didn't delete the Amazon S3 bucket, SNS topic, and IAM role that were associated with the deleted AWS Config delivery channel, skip the next three sections and go to Create the delivery channel.

Create the Amazon S3 bucket

1.    Open the Amazon S3 console in the same Region as your AWS Config service, and choose Create bucket.

2.    In Bucket name, enter a name for the S3 bucket, and then choose Next.

3.    Choose Next, Next, and then Create bucket.

4.    In S3 buckets, choose the S3 bucket that you just created in step 3.

5.    Choose Permissions, and then choose Bucket Policy.

6.    Copy and paste the following example bucket policy, replace targetBucketName, the optional prefix, and sourceAccountID-WithoutHyphens with your own values, and then choose Save.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSConfigBucketPermissionsCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "config.amazonaws.com"
        ]
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::targetBucketName"
    },
    {
      "Sid": "AWSConfigBucketExistenceCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "config.amazonaws.com"
        ]
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::targetBucketName"
    },
    {
      "Sid": "AWSConfigBucketDelivery",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "config.amazonaws.com"
        ]
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::targetBucketName/[optional] prefix/AWSLogs/sourceAccountID-WithoutHyphens/Config/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}

Create the SNS topic

1.    Open the Amazon SNS console in the same Region as your AWS Config service, and then choose Topics.

2.    Choose Create topic.

3.    In Name, enter a name for your SNS topic, and then choose Create topic.

4.    Choose Create subscription.

5.    In Protocol, choose Email.

6.    In Endpoint, enter the email address that you want to associate with this SNS topic, and then choose Create subscription.

7.    Check your email for the subscription confirmation, and then choose Confirm subscription.

8.    You receive the message Subscription confirmed!

Create the IAM role

1.    Open the IAM console. (IAM is a global service, so there is no Region to select.)

2.    Choose Roles, and then choose Create role.

3.    In Select type of trusted entity, choose AWS service.

4.    In Choose the service that will use this role, choose Config.

5.    In Select your use case, choose Config - Customizable, and then choose Next: Permissions.

6.    Choose Next: Tags, and then choose Next: Review.

7.    In Role name, enter a name, and then choose Create role.

8.    Choose the role that you created in step 7, choose Add inline policy, and then choose the JSON tab.

9.    Copy and paste the following example policy, replacing targetBucketName, the optional prefix, sourceAccountID-WithoutHyphens, region, account_number, and targetTopicName with your own values:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::targetBucketName/[optional] prefix/AWSLogs/sourceAccountID-WithoutHyphens/*"
      ],
      "Condition": {
        "StringLike": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketAcl"
      ],
      "Resource": "arn:aws:s3:::targetBucketName"
    },
    {
      "Effect": "Allow",
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:region:account_number:targetTopicName"
    }
  ]
}

Create the delivery channel

Important: Before you begin, be sure that you have installed and configured the AWS CLI.

1.    Using your favorite text editor, copy and paste the following example template, replace targetBucketName, region, account_number, and targetTopicName with your own values, and then save it as a JSON file named deliveryChannel.json (the file name used in step 2).

Note: You can change the deliveryFrequency value to match your use case. Valid values are One_Hour, Three_Hours, Six_Hours, Twelve_Hours, and TwentyFour_Hours.

{
  "name": "default",
  "s3BucketName": "targetBucketName",
  "snsTopicARN": "arn:aws:sns:region:account_number:targetTopicName",
  "configSnapshotDeliveryProperties": {
    "deliveryFrequency": "Twelve_Hours"
  }
}

2.    Run the following AWS CLI command:

$ aws configservice put-delivery-channel --delivery-channel file://deliveryChannel.json

3.    Run the following AWS CLI command to confirm that the delivery channel was created:

$ aws configservice describe-delivery-channels

Start the configuration recorder

1.    Open the AWS Config console.

2.    In the navigation pane, choose Settings.

3.    In Recording is off, choose Turn on, and then choose Continue.

- Or -

Run the following AWS CLI command, replacing configRecorderName with the name of your configuration recorder (a recorder created by the console is named default; you can confirm the name with aws configservice describe-configuration-recorders):

$ aws configservice start-configuration-recorder --configuration-recorder-name configRecorderName
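The whole procedure above can be done from the AWS CLI without the console. The following script is an added example, not part of the original article: it renders the bucket policy, the role policies, and the delivery channel document from shell variables, so that placeholders such as targetBucketName or sourceAccountID-WithoutHyphens cannot be left in or mistyped, and then runs the same create, put, start, and describe calls in order. It assumes a configured AWS CLI with permission to create the resources; the bucket, topic, and role names you pass in are your own choice, the inline policy name ConfigDelivery is illustrative, and attaching the AWS managed policy AWS_ConfigRole is an assumption about what the deleted role carried. Each bucket-policy statement also carries an AWS:SourceAccount condition, which goes beyond the policy on this page by limiting delivery to AWS Config in your own account.

```shell
#!/bin/sh
# Added example, not from the original article: recreate the AWS Config
# delivery channel from the AWS CLI alone. Policy documents are rendered from
# variables so placeholders like targetBucketName or sourceAccountID cannot be
# left in or mistyped. Assumes a configured AWS CLI; resource names are illustrative.

# Account IDs are exactly 12 digits and form part of the object path Config
# writes to; a hyphenated or truncated value yields a policy that never matches.
account_id_ok() {
  printf '%s' "$1" | grep -Eq '^[0-9]{12}$'
}

# Bucket policy: the three permissions Config needs, each pinned to this account
# with AWS:SourceAccount so another account's Config cannot deliver into the bucket.
# $1 bucket, $2 account ID, $3 optional key prefix ("" for none)
bucket_policy_json() {
  bucket=$1; account=$2; prefix=${3:+$3/}
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Sid": "AWSConfigBucketPermissionsCheck", "Effect": "Allow",
      "Principal": { "Service": "config.amazonaws.com" }, "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::${bucket}",
      "Condition": { "StringEquals": { "AWS:SourceAccount": "${account}" } } },
    { "Sid": "AWSConfigBucketExistenceCheck", "Effect": "Allow",
      "Principal": { "Service": "config.amazonaws.com" }, "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::${bucket}",
      "Condition": { "StringEquals": { "AWS:SourceAccount": "${account}" } } },
    { "Sid": "AWSConfigBucketDelivery", "Effect": "Allow",
      "Principal": { "Service": "config.amazonaws.com" }, "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::${bucket}/${prefix}AWSLogs/${account}/Config/*",
      "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control",
                                       "AWS:SourceAccount": "${account}" } } }
  ]
}
EOF
}

# Trust policy: only the Config service principal may assume the role.
role_trust_policy_json() {
  printf '%s' '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"config.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
}

# Inline role policy: write under AWSLogs/<account>/, read the bucket ACL,
# publish to the topic. $1 bucket, $2 account ID, $3 topic ARN, $4 optional prefix
role_inline_policy_json() {
  bucket=$1; account=$2; topic_arn=$3; prefix=${4:+$4/}
  cat <<EOF
{ "Version": "2012-10-17", "Statement": [
  { "Effect": "Allow", "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::${bucket}/${prefix}AWSLogs/${account}/*",
    "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } } },
  { "Effect": "Allow", "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::${bucket}" },
  { "Effect": "Allow", "Action": "sns:Publish", "Resource": "${topic_arn}" } ] }
EOF
}

# Delivery channel document; s3KeyPrefix is emitted only when a prefix is given.
# $1 bucket, $2 topic ARN, $3 optional prefix
delivery_channel_json() {
  bucket=$1; topic_arn=$2; prefix_field=""
  if [ -n "$3" ]; then prefix_field=$(printf '"s3KeyPrefix": "%s",' "$3"); fi
  cat <<EOF
{ "name": "default", "s3BucketName": "${bucket}", ${prefix_field}
  "snsTopicARN": "${topic_arn}",
  "configSnapshotDeliveryProperties": { "deliveryFrequency": "Twelve_Hours" } }
EOF
}

# Runs the real AWS calls. $1 Region, $2 bucket, $3 topic name, $4 role name,
# $5 notification e-mail, $6 optional key prefix
recreate_config_delivery_channel() {
  region=$1; bucket=$2; topic=$3; role=$4; email=$5; prefix=${6:-}
  account=$(aws sts get-caller-identity --query Account --output text)
  account_id_ok "$account" || { echo "unexpected account ID: $account" >&2; return 1; }
  # us-east-1 rejects a LocationConstraint; every other Region requires one.
  if [ "$region" = us-east-1 ]; then
    aws s3api create-bucket --bucket "$bucket" --region "$region"
  else
    aws s3api create-bucket --bucket "$bucket" --region "$region" \
      --create-bucket-configuration "LocationConstraint=$region"
  fi
  aws s3api put-bucket-policy --bucket "$bucket" --policy "$(bucket_policy_json "$bucket" "$account" "$prefix")"
  topic_arn=$(aws sns create-topic --region "$region" --name "$topic" --query TopicArn --output text)
  aws sns subscribe --region "$region" --topic-arn "$topic_arn" --protocol email --notification-endpoint "$email"
  aws iam create-role --role-name "$role" --assume-role-policy-document "$(role_trust_policy_json)"
  # AWS_ConfigRole is the AWS managed read-only policy for Config; assumed here to
  # be what the deleted role carried. Substitute whatever your recorder's role used.
  aws iam attach-role-policy --role-name "$role" --policy-arn arn:aws:iam::aws:policy/service-role/AWS_ConfigRole
  aws iam put-role-policy --role-name "$role" --policy-name ConfigDelivery \
    --policy-document "$(role_inline_policy_json "$bucket" "$account" "$topic_arn" "$prefix")"
  aws configservice put-delivery-channel --region "$region" \
    --delivery-channel "$(delivery_channel_json "$bucket" "$topic_arn" "$prefix")"
  # The recorder survived the channel deletion: look up its name rather than
  # assuming "default", start it, then confirm that the first delivery succeeded.
  recorder=$(aws configservice describe-configuration-recorders --region "$region" \
    --query 'ConfigurationRecorders[0].name' --output text)
  aws configservice start-configuration-recorder --region "$region" --configuration-recorder-name "$recorder"
  aws configservice describe-configuration-recorder-status --region "$region"
  aws configservice describe-delivery-channel-status --region "$region"
}
```

Source the file and call, for example, recreate_config_delivery_channel us-east-1 my-config-bucket config-topic ConfigRole ops@example.com; the e-mail subscription still has to be confirmed from the inbox. The last two describe calls are the check that matters: describe-configuration-recorder-status shows whether recording is on, and describe-delivery-channel-status shows whether the first snapshot and history deliveries to the bucket succeeded, which is where a mistyped account ID or prefix in the bucket policy surfaces as an access-denied failure. If the IAM role was also deleted, the recorder still references the old role ARN; point it at the new role with aws configservice put-configuration-recorder, and pass the existing recordingGroup as well, because a call that omits recordingGroup resets the recorder to recording all supported resource types.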