Why are changes to resources not detected in AWS Config?

2024.06.01

The Japanese version is here.

The issue

I set up rules in AWS Config and made changes to the resources, but the changes are not being detected.
I clicked "Re-evaluate" from the console, but an error occurred stating that you do not have access permissions.
The IAM user I am operating in the console has been granted AdministratorAccess permissions.

Why are changes to resources not detected in AWS Config?

The resolution

Please confirm the following points.

  • The IAM role used by AWS Config
    In the default settings, the service-linked role named AWSServiceRoleForConfig is used. If you are using a custom role instead, check whether it has the write permissions that Config needs.

  • AWS Organizations SCPs
    If you are operating in the organization's management account, or Config is using a service-linked role, SCPs do not apply.
    However, if AWS Config in a member account uses a custom role, check that the role's permissions are not restricted by an SCP.

Additionally, the role used in AWS Config can be checked by clicking on "Settings" in the AWS Config console.

If the PutEvaluations action is restricted, changes to resources can no longer be detected.
If the StartConfigRulesEvaluation action is restricted, "Re-evaluate" cannot be run from the console.
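The two checks above (is the role allowed to call the Config actions, and does an SCP deny them) can be done offline once you have exported the relevant policy documents, for example with the IAM and Organizations APIs. The following Python is an added example written for this page, not an AWS tool and not part of the original article: it applies the basic IAM decision rule (an explicit Deny anywhere wins, otherwise an Allow is needed) to a list of policy documents and reports the verdict for the two actions the article names. The sample SCP documents are constructed for the example; the helper ignores Resource scoping and cannot evaluate Condition blocks, so a Deny with a Condition is reported separately for a human to inspect.

```python
"""Offline check of whether policy documents (SCPs or IAM role policies)
block the AWS Config actions named in the article.

Constructed example for illustration; not an AWS-provided tool.
"""
import fnmatch

# The two actions the article identifies as required.
CONFIG_ACTIONS = ("config:PutEvaluations", "config:StartConfigRulesEvaluation")


def _as_list(value):
    """IAM allows a string or a list in Action/NotAction/Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_covers(stmt, action):
    """True if the statement applies to `action` (Action or NotAction form)."""
    if "Action" in stmt:
        return any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return False


def evaluate_action(policies, action):
    """Return 'denied', 'conditional-deny', 'allowed' or 'implicit-deny'.

    Rule applied: an unconditional explicit Deny wins immediately; a Deny that
    carries a Condition is flagged for manual review because conditions cannot
    be evaluated offline; otherwise at least one Allow is required.
    Resource scoping is deliberately not evaluated (SCPs normally use "*").
    """
    allowed = False
    conditional_deny = False
    for doc in policies:
        for stmt in _as_list(doc.get("Statement")):
            if not _statement_covers(stmt, action):
                continue
            effect = stmt.get("Effect")
            if effect == "Deny":
                if "Condition" in stmt:
                    conditional_deny = True
                else:
                    return "denied"
            elif effect == "Allow":
                allowed = True
    if conditional_deny:
        return "conditional-deny"
    return "allowed" if allowed else "implicit-deny"


def check_config_actions(policies, actions=CONFIG_ACTIONS):
    """Map each required Config action to its verdict under `policies`."""
    return {action: evaluate_action(policies, action) for action in actions}


# --- constructed sample policies (not real account data) ---------------------
FULL_AWS_ACCESS = {  # shape of the default SCP attached to every OU
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

DENY_CONFIG_WRITES = {  # a restrictive SCP that also catches Config's own write
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyConfigChanges",
        "Effect": "Deny",
        "Action": ["config:Put*", "config:Delete*", "config:Stop*"],
        "Resource": "*",
    }],
}

DENY_CONFIG_UNLESS_ROLE = {  # same idea, but scoped with a Condition
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "config:*",
        "Resource": "*",
        "Condition": {"ArnNotLike": {"aws:PrincipalARN": "arn:aws:iam::*:role/ConfigRole"}},
    }],
}

if __name__ == "__main__":
    for name, docs in [("full access only", [FULL_AWS_ACCESS]),
                       ("deny config writes", [FULL_AWS_ACCESS, DENY_CONFIG_WRITES]),
                       ("conditional deny", [FULL_AWS_ACCESS, DENY_CONFIG_UNLESS_ROLE])]:
        print(name, check_config_actions(docs))
```

Feed it the SCPs attached along the member account's OU path plus the custom role's inline and attached policies; any action that does not come back `allowed` matches one of the two failure symptoms described above.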
