How can I be notified when an AWS resource is non-compliant using AWS Config?

3 minute read
0

I created an Amazon EventBridge rule to trigger notifications when AWS resources are non-compliant, but the responses are in JSON format. How can I receive an email with a customized notification?

Short description

Use an EventBridge rule with a custom event pattern and an input transformer to match an AWS Config evaluation rule output as NON_COMPLIANT. Then, route the response to an Amazon Simple Notification Service (Amazon SNS) topic.

Resolution

In the following example, SNS notifications are received when the ec2-security-group-attached-to-eni managed rule reports AWS resources as NON_COMPLIANT for an Amazon Elastic Compute Cloud (Amazon EC2) security group.

Note: You can replace the AWS Config resource type and rule for your specific AWS service and the AWS Config rules.

1.    If you haven't already created an Amazon SNS topic, follow the instructions for Getting started with Amazon SNS.

Important: The Amazon SNS topic must be in the same Region as your AWS Config service.

2.    Open the EventBridge console.

3.    Choose Create rule.

4.    Name, enter a name for your rule. If needed, enter a Description.

5.    For Rule type, choose Rule with an event pattern. Then, choose Next.

6.    For Event source, choose AWS events or EventBridge partner events.

7.    In the Event pattern pane, choose Custom patterns (JSON editor), and then copy and paste the following example event pattern:

{
  "source": [
    "aws.config"
  ],
  "detail-type": [
    "Config Rules Compliance Change"
  ],
  "detail": {
    "messageType": [
      "ComplianceChangeNotification"
    ],
    "configRuleName": [
      "ec2-security-group-attached-to-eni"
    ],
    "resourceType": [
      "AWS::EC2::SecurityGroup"
    ],
    "newEvaluationResult": {
      "complianceType": [
        "NON_COMPLIANT"
      ]
    }
  }
}

8.    Choose Next.

9.    For Target types, select AWS service.

10.    For Select a target, choose SNS topic.

11.    For Topic, choose your SNS topic.

12.    Expand Additional settings. Then, for Configure target input, choose Input transformer.

  1. Choose Configure input transformer. Under Target input transformer, for the Input Path text box, copy and paste the following example path:
{
  "awsRegion": "$.detail.awsRegion",
  "resourceId": "$.detail.resourceId",
  "awsAccountId": "$.detail.awsAccountId",
  "compliance": "$.detail.newEvaluationResult.complianceType",
  "rule": "$.detail.configRuleName",
  "time": "$.detail.newEvaluationResult.resultRecordedTime",
  "resourceType": "$.detail.resourceType"
}

14.    In the Template text box, copy and paste the following example template. Enter the time, rule, resource type, resource ID, AWS account ID and AWS Region, compliance, and resource information as required by your use case.

"On <time> AWS Config rule <rule> evaluated the <resourceType> with Id <resourceId> in the account <awsAccountId> region <awsRegion> as <compliance> For more details open the AWS Config console at https://console.aws.amazon.com/config/home?region=<awsRegion>#/timeline/<resourceType>/<resourceId>/configuration"

15.    Choose Confirm. Then, choose Next.

16.    Optionally, you can Add new tag. Then, choose Next.

17.    Choose Create rule.

18.    After an event type is triggered, you receive an SNS email notification with the custom fields populated from step 13 similar to the following:

"On ExampleTime AWS Config rule ExampleRuleName evaluated the ExampleResourceType with Id ExampleResource_ID in the account ExampleAccount_Id in Region ExampleRegion as ExamplecomplianceType. For more details open the AWS Config console at https://console.aws.amazon.com/config/home?region=ExampleRegion#/timeline/ExampleResourceType/ExampleResource_ID/configuration"

Related information

How can I be notified when changes are made to Route 53 hosted zone records?

How can I receive custom email notifications when a resource is created in my AWS account using AWS Config service?

How can I configure an EventBridge rule for GuardDuty to send custom SNS notifications if specific AWS service event types trigger?

AWS OFFICIAL
AWS OFFICIALUpdated a year ago