AWS Config is a service provided by Amazon Web Services (AWS) that enables you to assess, audit, and manage the configuration state of your AWS resources. Config provides a comprehensive view of the resource configuration across your AWS environment, helping you ensure compliance with security policies, track changes, and troubleshoot operational issues. Config continuously records configuration changes and allows you to retain a historical record of these changes.
LocalStack supports Config via the Community offering, allowing you to use the Config APIs in your local environment to assess resource configurations and be notified of non-compliant items before they turn into a security risk. The supported APIs are listed on our API coverage page, which shows the extent of Config's integration with LocalStack.
This guide is designed for users new to Config and assumes basic knowledge of the AWS CLI and our awslocal wrapper script.
Start your LocalStack container using your preferred method. We will demonstrate how to specify the resource types you want Config to record and how to grant it the permissions it needs to write to an S3 bucket and publish to an SNS topic, using the AWS CLI.
Create an S3 bucket and SNS topic
The S3 bucket receives configuration snapshots (delivered on request) and the configuration history; the SNS topic notifies you when a configuration snapshot is available. Create both with the AWS CLI:
$ awslocal s3 mb s3://config-test
$ awslocal sns create-topic --name config-test-topic
Create a new configuration recorder
You can now create a configuration recorder that records configuration changes for the resource types you specify, using the PutConfigurationRecorder API.
Run the following command to create a new configuration recorder:
$ awslocal configservice put-configuration-recorder \
    --configuration-recorder name=default,roleARN=arn:aws:iam::000000000000:role/config-role
We have specified the roleARN parameter to grant the configuration recorder the permissions it needs to access the S3 bucket and SNS topic. In LocalStack, IAM roles are not enforced, so you can specify any role ARN you like; the role above is a placeholder in LocalStack's default account. On real AWS the role must exist and must allow Config to write to the bucket and publish to the topic, otherwise delivery silently fails.
The name parameter has been set to default, and you can optionally specify a recordingGroup parameter to select the resource types you want to record; if you omit it, the recorder records all supported regional resource types.
Create a delivery channel
You can now create a delivery channel to deliver configuration information to the S3 bucket and SNS topic you created, using the PutDeliveryChannel API.
The delivery channel is described by a JSON object that names the bucket and the topic ARN returned by create-topic; you can pass the JSON inline on the command line or from a file with file://.
Run the following command to create the delivery channel (the topic ARN shown uses LocalStack's default account ID and region):
$ awslocal configservice put-delivery-channel \
    --delivery-channel '{"name": "default", "s3BucketName": "config-test", "snsTopicARN": "arn:aws:sns:us-east-1:000000000000:config-test-topic"}'
Start the configuration recorder
You can now start recording configurations of the local AWS resources you have selected to record in your running LocalStack container.
You can use the StartConfigurationRecorder API to start the configuration recorder.
Run the following command to start the configuration recorder:
$ awslocal configservice start-configuration-recorder \
    --configuration-recorder-name default
You can then verify that the delivery channel exists and that the recorder reports itself as recording:
$ awslocal configservice describe-delivery-channels
$ awslocal configservice describe-configuration-recorder-status
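The steps above as one script, added here as an example and not part of the LocalStack documentation or code base. It assumes LocalStack's default account ID 000000000000 and region us-east-1, an arbitrary role name config-role (any ARN works locally, as noted above), a recordingGroup limited to two hypothetical resource types, and a twenty-four-hour snapshot delivery frequency; the JSON bodies are built in functions so they can be inspected without a running container, and recorder_is_recording checks the describe-configuration-recorder-status output rather than assuming the start call succeeded.

```bash
#!/usr/bin/env sh
# Added example (not LocalStack's own code): create an AWS Config recorder and
# delivery channel in LocalStack with awslocal, then verify the recorder state.
# Assumed values (not from the page): default account/region, role name, the
# recorded resource types and the snapshot delivery frequency.
set -eu

BUCKET=config-test
TOPIC=config-test-topic
ACCOUNT=000000000000          # LocalStack default account
REGION=us-east-1              # LocalStack default region
ROLE_ARN="arn:aws:iam::${ACCOUNT}:role/config-role"   # placeholder; IAM not enforced locally

# JSON body for PutConfigurationRecorder. Scoping recordingGroup to the
# resource types you actually audit keeps the recorder from sweeping everything.
recorder_json() {
  cat <<EOF
{
  "name": "default",
  "roleARN": "${ROLE_ARN}",
  "recordingGroup": {
    "allSupported": false,
    "includeGlobalResourceTypes": false,
    "resourceTypes": ["AWS::S3::Bucket", "AWS::IAM::Role"]
  }
}
EOF
}

# JSON body for PutDeliveryChannel: bucket for history/snapshots, topic for notifications.
delivery_channel_json() {
  cat <<EOF
{
  "name": "default",
  "s3BucketName": "${BUCKET}",
  "snsTopicARN": "arn:aws:sns:${REGION}:${ACCOUNT}:${TOPIC}",
  "configSnapshotDeliveryProperties": { "deliveryFrequency": "TwentyFour_Hours" }
}
EOF
}

# Returns 0 only if a describe-configuration-recorder-status document contains
# a recorder with "recording": true; a created-but-never-started recorder fails.
recorder_is_recording() {
  printf '%s' "$1" | grep -Eq '"recording":[[:space:]]*true'
}

# Runs the whole procedure against a live LocalStack container.
setup_config() {
  awslocal s3 mb "s3://${BUCKET}"
  awslocal sns create-topic --name "${TOPIC}"
  awslocal configservice put-configuration-recorder \
      --configuration-recorder "$(recorder_json)"
  awslocal configservice put-delivery-channel \
      --delivery-channel "$(delivery_channel_json)"
  awslocal configservice start-configuration-recorder \
      --configuration-recorder-name default
  status=$(awslocal configservice describe-configuration-recorder-status)
  if recorder_is_recording "$status"; then
    echo "configuration recorder 'default' is recording"
  else
    echo "configuration recorder 'default' is NOT recording" >&2
    exit 1
  fi
}

# Only contact LocalStack when asked, so the file can be sourced offline.
if [ "${RUN_LOCALSTACK:-0}" = "1" ]; then
  setup_config
fi
```

Run it with RUN_LOCALSTACK=1 against a started container. Passing the JSON bodies directly to --configuration-recorder and --delivery-channel is equivalent to the shorthand and file:// forms used above. Keep in mind that, as the page notes, LocalStack currently mocks Config: the recorder will report recording: true, but no configuration items are recorded, so the bucket and topic stay empty.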
AWS Config is currently mocked in LocalStack: you can create, read, update, and delete Config resources (such as delivery channels and configuration recorders), but LocalStack does not yet record configuration changes to service resources, so a started recorder produces no configuration items for the bucket or topic you configured. If you need this feature, please consider opening a feature request on GitHub.