AWS Config adds support for 8 new resource types. I tried it with VectorBucket in S3 Vectors.

AWS Config newly supports 8 resource types. This time, I created a VectorBucket for S3 Vectors, which is one of the newly added targets, and confirmed that it is recorded as ResourceDiscovered in AWS Config.
2026.07.03

Introduction

On July 2, 2026, an update was announced adding support for 8 new resource types in AWS Config.

https://aws.amazon.com/jp/about-aws/whats-new/2026/06/aws-config-new-resource-types/

The 8 resource types added this time are as follows.

| Resource Type | Service |
| --- | --- |
| AWS::ApiGateway::DomainNameV2 | Amazon API Gateway |
| AWS::ApiGatewayV2::VpcLink | Amazon API Gateway |
| AWS::EC2::VPCEncryptionControl | Amazon EC2 |
| AWS::NetworkFirewall::ContainerAssociation | AWS Network Firewall |
| AWS::OpenSearchServerless::SecurityPolicy | Amazon OpenSearch Serverless |
| AWS::OSIS::Pipeline | Amazon OpenSearch Ingestion |
| AWS::S3Vectors::VectorBucket | Amazon S3 Vectors |
| AWS::S3Vectors::VectorBucketPolicy | Amazon S3 Vectors |

If you have recording enabled for all resource types, these will automatically be included as tracking targets.

This time, we focused on the S3 Vectors-related resource types among these, and verified that creating a VectorBucket is actually recorded in Config.

For more information about S3 Vectors, please also refer to the following articles.

https://dev.classmethod.jp/articles/s3-vectors-bedrock-semantic-search/

https://dev.classmethod.jp/articles/s3-vector-ga-tokyo-region-available-aws-reinvent/

Tried It Out

Environment

  • Region: ap-northeast-1 (Tokyo)
  • Config: Configured to record only specific resource types (INCLUSION_BY_RESOURCE_TYPES)

Since recording targets are limited, we first add the S3 Vectors resource types (this step is not required if recording all resources).

Adding S3 Vectors to Config Recording Targets

We updated the Config recorder settings using the AWS CLI. We added AWS::S3Vectors::VectorBucket and AWS::S3Vectors::VectorBucketPolicy to the recording targets.

aws configservice put-configuration-recorder \
  --configuration-recorder '{
    "name": "default",
    "roleARN": "arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
    "recordingGroup": {
      "allSupported": false,
      "resourceTypes": [
        "(existing resource types)",
        "AWS::S3Vectors::VectorBucket",
        "AWS::S3Vectors::VectorBucketPolicy"
      ],
      "recordingStrategy": {
        "useOnly": "INCLUSION_BY_RESOURCE_TYPES"
      }
    }
  }'

Note: Replace the (existing resource types) portion with the existing resource types you are actually recording.

Creating a VectorBucket

aws s3vectors create-vector-bucket \
  --vector-bucket-name config-test-vector-bucket-20260703 \
  --region ap-northeast-1
{
    "vectorBucketArn": "arn:aws:s3vectors:ap-northeast-1:123456789012:bucket/config-test-vector-bucket-20260703"
}

Verifying the Recording in Config

Approximately 1 minute after creating the VectorBucket, it was recorded in Config as ResourceDiscovered. Here are the verification steps.

aws configservice list-discovered-resources \
  --resource-type AWS::S3Vectors::VectorBucket
{
    "resourceIdentifiers": [
        {
            "resourceType": "AWS::S3Vectors::VectorBucket",
            "resourceId": "arn:aws:s3vectors:ap-northeast-1:123456789012:bucket/config-test-vector-bucket-20260703",
            "resourceName": "config-test-vector-bucket-20260703"
        }
    ]
}

We verified the configuration details using get-resource-config-history.

aws configservice get-resource-config-history \
  --resource-type AWS::S3Vectors::VectorBucket \
  --resource-id "arn:aws:s3vectors:ap-northeast-1:123456789012:bucket/config-test-vector-bucket-20260703"
{
    "configurationItems": [
        {
            "version": "1.3",
            "configurationItemCaptureTime": "2026-07-03T11:54:32.530000+09:00",
            "configurationItemStatus": "ResourceDiscovered",
            "arn": "arn:aws:s3vectors:ap-northeast-1:123456789012:bucket/config-test-vector-bucket-20260703",
            "resourceType": "AWS::S3Vectors::VectorBucket",
            "resourceId": "arn:aws:s3vectors:ap-northeast-1:123456789012:bucket/config-test-vector-bucket-20260703",
            "resourceName": "config-test-vector-bucket-20260703",
            "awsRegion": "ap-northeast-1",
            "configuration": "{\"VectorBucketName\":\"config-test-vector-bucket-20260703\",\"VectorBucketArn\":\"arn:aws:s3vectors:ap-northeast-1:123456789012:bucket/config-test-vector-bucket-20260703\",\"EncryptionConfiguration\":{\"SseType\":\"AES256\"},\"CreationTime\":\"2026-07-03T02:53:06Z\",\"Tags\":[]}"
        }
    ]
}

The configuration field is itself a JSON-encoded string. Formatted for readability, its contents are as follows.

{
    "VectorBucketName": "config-test-vector-bucket-20260703",
    "VectorBucketArn": "arn:aws:s3vectors:ap-northeast-1:123456789012:bucket/config-test-vector-bucket-20260703",
    "EncryptionConfiguration": {
        "SseType": "AES256"
    },
    "CreationTime": "2026-07-03T02:53:06Z",
    "Tags": []
}

The bucket name, ARN, encryption configuration (AES256 since it was not specified at creation), creation date and time, and tags are recorded.
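As an added example (not part of the original article), the following Python decodes the string-encoded configuration field of a VectorBucket configuration item and checks the recorded encryption type and tags against a policy. The sample item is constructed from the output above and trimmed to the fields the check reads; the allowed value "aws:kms" and the "must have tags" rule are hypothetical policy choices.

```python
import json

# Constructed sample in the shape of the get-resource-config-history output
# above, trimmed to the fields this check reads.
HISTORY = {"configurationItems": [{
    "configurationItemStatus": "ResourceDiscovered",
    "resourceType": "AWS::S3Vectors::VectorBucket",
    "resourceName": "config-test-vector-bucket-20260703",
    # The CLI returns "configuration" as a JSON string, not a nested object.
    "configuration": json.dumps({
        "VectorBucketName": "config-test-vector-bucket-20260703",
        "EncryptionConfiguration": {"SseType": "AES256"},
        "CreationTime": "2026-07-03T02:53:06Z",
        "Tags": [],
    }),
}]}


def decode_configuration(item):
    """Return the item's configuration as a dict, decoding the string form."""
    raw = item.get("configuration")
    if isinstance(raw, dict):
        return raw
    return json.loads(raw) if raw else {}


def findings(history, allowed_sse):
    """List (bucket name, problem) pairs for recorded VectorBucket items."""
    out = []
    for item in history.get("configurationItems", []):
        if item.get("resourceType") != "AWS::S3Vectors::VectorBucket":
            continue
        if item.get("configurationItemStatus") == "ResourceDeleted":
            continue  # a deleted resource has no current state to evaluate
        name = item.get("resourceName")
        cfg = decode_configuration(item)
        sse = (cfg.get("EncryptionConfiguration") or {}).get("SseType")
        if sse not in allowed_sse:
            out.append((name, f"SseType {sse} not allowed"))
        if not cfg.get("Tags"):
            out.append((name, "no tags recorded"))
    return out


if __name__ == "__main__":
    # Hypothetical policy: only KMS-encrypted, tagged buckets are acceptable.
    for name, problem in findings(HISTORY, {"aws:kms"}):
        print(f"{name}: {problem}")
```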

Notes

Config Billing and Expansion of Recording Targets

Since AWS Config is billed based on the number of configuration items, increasing the number of recorded resource types also increases billable items.

The 8 resource types added this time are not frequently created or modified, so the impact on costs is considered to be minor. However, since the number of recorded resource types is expected to continue expanding in the future, regular monitoring is important.

When Recording All Resources

In environments with all resource recording enabled, new resource types are automatically included as recording targets when added. To avoid unexpected cost increases, we recommend periodically checking the following.

  • Whether there are any unexpected resource types or sudden spikes in recorded item counts in Config cost reports
  • Whether any of the newly added resource types could be modified at high frequency

When Using Limited Recording

In environments where recording targets are limited, new resource types are not automatically recorded when added. While this is reassuring from a cost perspective, there is a risk that important resources may be missed from recording targets.

Regularly check AWS Config updates, and when new resource types are added for services used in your environment, consider whether they should be included in the recording targets.
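One way to make this check repeatable, as an added example that is not part of the original article: the Python below reads output in the shape of aws configservice describe-configuration-recorders and reports which newly supported resource types a recorder does not cover, for each of the three recording strategies. The sample recorder output and the IN_USE list are constructed for illustration.

```python
import json

# Constructed sample in the shape of
# `aws configservice describe-configuration-recorders` output.
SAMPLE = json.loads("""
{"ConfigurationRecorders": [{
  "name": "default",
  "recordingGroup": {
    "allSupported": false,
    "resourceTypes": ["AWS::EC2::Instance", "AWS::S3Vectors::VectorBucket"],
    "recordingStrategy": {"useOnly": "INCLUSION_BY_RESOURCE_TYPES"}
  }
}]}
""")

# Hypothetical list: the newly supported types that this environment uses.
IN_USE = [
    "AWS::S3Vectors::VectorBucket",
    "AWS::S3Vectors::VectorBucketPolicy",
    "AWS::OpenSearchServerless::SecurityPolicy",
]


def is_recorded(group, resource_type):
    """True if a recordingGroup covers resource_type under its strategy."""
    strategy = (group.get("recordingStrategy") or {}).get("useOnly")
    if strategy is None:  # field is optional; fall back to allSupported
        strategy = ("ALL_SUPPORTED_RESOURCE_TYPES" if group.get("allSupported")
                    else "INCLUSION_BY_RESOURCE_TYPES")
    if strategy == "ALL_SUPPORTED_RESOURCE_TYPES":
        return True
    if strategy == "EXCLUSION_BY_RESOURCE_TYPES":
        excluded = (group.get("exclusionByResourceTypes") or {}).get("resourceTypes") or []
        return resource_type not in excluded
    return resource_type in (group.get("resourceTypes") or [])


def coverage_gaps(describe_output, wanted):
    """Map each recorder name to the wanted types it does not record."""
    return {
        rec["name"]: [t for t in wanted
                      if not is_recorded(rec.get("recordingGroup") or {}, t)]
        for rec in describe_output.get("ConfigurationRecorders", [])
    }


if __name__ == "__main__":
    for name, missing in coverage_gaps(SAMPLE, IN_USE).items():
        print(name, "missing:", ", ".join(missing) or "none")
```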

Summary

AWS Config now supports 8 new resource types including S3 Vectors. In this verification, we created an S3 Vectors VectorBucket and confirmed that it was recorded in Config as AWS::S3Vectors::VectorBucket approximately 1 minute after creation.

The recorded configuration item included the VectorBucket name, ARN, encryption configuration, creation date and time, and tags. This makes it easier to understand resource configurations using Config even in environments that use S3 Vectors.

It is worth noting that Config-based configuration management has now become an option even when adopting S3 Vectors for workloads with compliance requirements.
