AWS Config adds support for 8 new resource types. I tried it with VectorBucket in S3 Vectors.
This page has been translated by machine translation. View original
Introduction
On July 2, 2026, an update was announced adding support for 8 new resource types in AWS Config.
The 8 resource types added this time are as follows.
| Resource Type | Service |
|---|---|
| AWS::ApiGateway::DomainNameV2 | Amazon API Gateway |
| AWS::ApiGatewayV2::VpcLink | Amazon API Gateway |
| AWS::EC2::VPCEncryptionControl | Amazon EC2 |
| AWS::NetworkFirewall::ContainerAssociation | AWS Network Firewall |
| AWS::OpenSearchServerless::SecurityPolicy | Amazon OpenSearch Serverless |
| AWS::OSIS::Pipeline | Amazon OpenSearch Ingestion |
| AWS::S3Vectors::VectorBucket | Amazon S3 Vectors |
| AWS::S3Vectors::VectorBucketPolicy | Amazon S3 Vectors |
If you have recording enabled for all resource types, these will automatically be included as tracking targets.
This time, we focused on the S3 Vectors-related resource types among these, and verified that creating a VectorBucket is actually recorded in Config.
For more information about S3 Vectors, please also refer to the following articles.
Tried It Out
Environment
- Region: ap-northeast-1 (Tokyo)
- Config: Configured to record only specific resource types (INCLUSION_BY_RESOURCE_TYPES)
Since recording targets are limited, we first add the S3 Vectors resource types (this step is not required if recording all resources).
Adding S3 Vectors to Config Recording Targets
We updated the Config recorder settings using the AWS CLI. We added AWS::S3Vectors::VectorBucket and AWS::S3Vectors::VectorBucketPolicy to the recording targets.
aws configservice put-configuration-recorder \
--configuration-recorder '{
"name": "default",
"roleARN": "arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
"recordingGroup": {
"allSupported": false,
"resourceTypes": [
"(existing resource types)",
"AWS::S3Vectors::VectorBucket",
"AWS::S3Vectors::VectorBucketPolicy"
],
"recordingStrategy": {
"useOnly": "INCLUSION_BY_RESOURCE_TYPES"
}
}
}'
※ Replace the (existing resource types) portion with the existing resource types you are actually recording.
Creating a VectorBucket
aws s3vectors create-vector-bucket \
--vector-bucket-name config-test-vector-bucket-20260703 \
--region ap-northeast-1
{
"vectorBucketArn": "arn:aws:s3vectors:ap-northeast-1:123456789012:bucket/config-test-vector-bucket-20260703"
}
Verifying the Recording in Config
Approximately 1 minute after creating the VectorBucket, it was recorded in Config as ResourceDiscovered. Here are the verification steps.
aws configservice list-discovered-resources \
--resource-type AWS::S3Vectors::VectorBucket
{
"resourceIdentifiers": [
{
"resourceType": "AWS::S3Vectors::VectorBucket",
"resourceId": "arn:aws:s3vectors:ap-northeast-1:123456789012:bucket/config-test-vector-bucket-20260703",
"resourceName": "config-test-vector-bucket-20260703"
}
]
}
We verified the configuration details using get-resource-config-history.
aws configservice get-resource-config-history \
--resource-type AWS::S3Vectors::VectorBucket \
--resource-id "arn:aws:s3vectors:ap-northeast-1:123456789012:bucket/config-test-vector-bucket-20260703"
{
"configurationItems": [
{
"version": "1.3",
"configurationItemCaptureTime": "2026-07-03T11:54:32.530000+09:00",
"configurationItemStatus": "ResourceDiscovered",
"arn": "arn:aws:s3vectors:ap-northeast-1:123456789012:bucket/config-test-vector-bucket-20260703",
"resourceType": "AWS::S3Vectors::VectorBucket",
"resourceId": "arn:aws:s3vectors:ap-northeast-1:123456789012:bucket/config-test-vector-bucket-20260703",
"resourceName": "config-test-vector-bucket-20260703",
"awsRegion": "ap-northeast-1",
"configuration": "{\"VectorBucketName\":\"config-test-vector-bucket-20260703\",\"VectorBucketArn\":\"arn:aws:s3vectors:ap-northeast-1:123456789012:bucket/config-test-vector-bucket-20260703\",\"EncryptionConfiguration\":{\"SseType\":\"AES256\"},\"CreationTime\":\"2026-07-03T02:53:06Z\",\"Tags\":[]}"
}
]
}
Formatting the contents of the configuration field.
{
"VectorBucketName": "config-test-vector-bucket-20260703",
"VectorBucketArn": "arn:aws:s3vectors:ap-northeast-1:123456789012:bucket/config-test-vector-bucket-20260703",
"EncryptionConfiguration": {
"SseType": "AES256"
},
"CreationTime": "2026-07-03T02:53:06Z",
"Tags": []
}
The bucket name, ARN, encryption configuration (AES256 since it was not specified at creation), creation date and time, and tags are recorded.
Notes
Config Billing and Expansion of Recording Targets
Since AWS Config is billed based on the number of configuration items, increasing the number of recorded resource types also increases billable items.
The 8 resource types added this time are not frequently created or modified, so the impact on costs is considered to be minor. However, since the number of recorded resource types is expected to continue expanding in the future, regular monitoring is important.
When Recording All Resources
In environments with all resource recording enabled, new resource types are automatically included as recording targets when added. To avoid unexpected cost increases, we recommend periodically checking the following.
- Whether there are any unexpected resource types or sudden spikes in recorded item counts in Config cost reports
- Whether any of the newly added resource types could be modified at high frequency
When Using Limited Recording
In environments where recording targets are limited, new resource types are not automatically recorded when added. While this is reassuring from a cost perspective, there is a risk that important resources may be missed from recording targets.
Regularly check AWS Config updates, and when new resource types are added for services used in your environment, consider whether they should be included in the recording targets.
Summary
AWS Config now supports 8 new resource types including S3 Vectors. In this verification, we created an S3 Vectors VectorBucket and confirmed that it was recorded in Config as AWS::S3Vectors::VectorBucket approximately 1 minute after creation.
The recorded configuration item included the VectorBucket name, ARN, encryption configuration, creation date and time, and tags. This makes it easier to understand resource configurations using Config even in environments that use S3 Vectors.
It is worth noting that Config-based configuration management has now become an option even when adopting S3 Vectors for workloads with compliance requirements.
