diff --git a/aws/rust-runtime/aws-config/additional-ci b/aws/rust-runtime/aws-config/additional-ci
index 00522a9e0c77aa635e86dadc09ca4c080d5328b0..596270766a0c70f7d8b08375205c206468288298 100755
--- a/aws/rust-runtime/aws-config/additional-ci
+++ b/aws/rust-runtime/aws-config/additional-ci
@@ -8,6 +8,9 @@
 
 set -e
 
+echo "### Checking for external types in public API"
+cargo "+${RUST_NIGHTLY_VERSION:-nightly}" api-linter --all-features --config api-linter.toml
+
 echo "### Checking for duplicate dependency versions in the normal dependency graph with all features enabled"
 cargo tree -d --edges normal --all-features
 
diff --git a/aws/rust-runtime/aws-config/api-linter.toml b/aws/rust-runtime/aws-config/api-linter.toml
new file mode 100644
index 0000000000000000000000000000000000000000..6c4f533567ae73ea3ef76e913a45637088fbeccf
--- /dev/null
+++ b/aws/rust-runtime/aws-config/api-linter.toml
@@ -0,0 +1,25 @@
+# IMPORTANT: Types from `aws-sdk-*` crates MUST NOT be allowed to be
+# exposed in `aws-config`'s public API. Otherwise, `aws-config` will
+# require manual version bumping every time an automated version bump
+# to the exposed SDK crates happens.
+allowed_external_types = [
+   "aws_smithy_async::rt::sleep::AsyncSleep",
+   "aws_smithy_client::bounds::SmithyConnector",
+   "aws_smithy_client::erase::DynConnector",
+   "aws_smithy_client::erase::boxclone::BoxCloneService",
+   "aws_smithy_client::http_connector::HttpConnector",
+   "aws_smithy_client::http_connector::HttpSettings",
+   "aws_smithy_http::body::SdkBody",
+   "aws_smithy_http::result::SdkError",
+   "aws_smithy_types::retry::RetryConfig*",
+   "aws_smithy_types::timeout::config::Config",
+   "aws_smithy_types::timeout::error::ConfigError",
+   "aws_types::*",
+   "http::response::Response",
+   "http::uri::InvalidUri",
+   "http::uri::Uri",
+   "hyper::client::connect::Connection",
+   "tokio::io::async_read::AsyncRead",
+   "tokio::io::async_write::AsyncWrite",
+   "tower_service::Service",
+]