I received a ConfigurationItemChangeNotification Amazon Simple Notification Service (Amazon SNS) notification. Why did I get this notification, and how do I interpret the information in the configurationItemDiff field?
Resolution
AWS Config creates a configuration item whenever the configuration of a resource changes (create/update/delete). For a list of resources that AWS Config supports, see Supported resource types. AWS Config uses Amazon SNS to deliver a notification as the changes occur. The Amazon SNS notification payload includes fields to help you track the resource changes in a given AWS Region. For more information, see Example configuration item change notifications.
To understand why you receive a ConfigurationItemChangeNotification notification, review the configurationItemDiff details. The fields vary depending on the change type and can form different combinations such as UPDATE-UPDATE, UPDATE-CREATE, and DELETE-DELETE. The following are explanations of some common combinations.
UPDATE-CREATE and UPDATE-UPDATE
The following example includes changes in the resource direct relationships and resource configurations. The configurationItemDiff details reveal the following information:
Action performed: A managed policy present in the account was attached to an AWS Identity and Access Management (IAM) role.
Basic operation performed: UPDATE (updating the number of associations of the resource type AWS::IAM::Policy in an account).
Change type combinations:
- Resource direct relationship change UPDATE-CREATE. A new attachment or association was created between an IAM policy and an IAM role.
- Resource configuration change UPDATE-UPDATE. The number of IAM policy associations increased from 2 to 3 when the policy was attached to the IAM role.
Example UPDATE-CREATE and UPDATE-UPDATE configurationItemDiff notification:
{
  "configurationItemDiff": {
    "changedProperties": {
      "Relationships.0": {
        "previousValue": null,
        "updatedValue": {
          "resourceId": "AROA6D3M4S53*********",
          "resourceName": "Test1",
          "resourceType": "AWS::IAM::Role",
          "name": "Is attached to Role"
        },
        "changeType": "CREATE" >>>>>>>>>>>>>>>>>>>> 1
      },
      "Configuration.AttachmentCount": {
        "previousValue": 2,
        "updatedValue": 3,
        "changeType": "UPDATE" >>>>>>>>>>>>>>>>>>>> 2
      }
    },
    "changeType": "UPDATE"
  }
}
UPDATE-DELETE
The following example includes changes in the resource direct relationships. The configurationItemDiff details reveal the following information:
Action performed: A managed policy present in the account was detached from an IAM user.
Basic operation performed: UPDATE (updating the permissions policy associated with the resource type AWS::IAM::User).
Change type combination: Resource direct relationship change UPDATE-DELETE. The association between an IAM user and an IAM policy in an account was deleted.
Example UPDATE-DELETE configurationItemDiff notification:
{
  "configurationItemDiff": {
    "changedProperties": {
      "Configuration.UserPolicyList.0": {
        "previousValue": {
          "policyName": "Test2",
          "policyDocument": "{
            "Version": "2012-10-17",
            "Statement": [
              {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "ec2:RunInstances",
                "Resource": "arn:aws:ec2:*:*:instance/*",
                "Condition": {
                  "StringLike": {
                    "aws:RequestTag/VPCId": "*"
                  }
                }
              }
            ]
          }"
        },
        "updatedValue": null,
        "changeType": "DELETE" >>>>>>>>>>>>>>>>>>>> 3
      }
    },
    "changeType": "UPDATE"
  }
}
DELETE-DELETE
The following example includes changes in the resource direct relationships and resource configurations. The configurationItemDiff details reveal the following information:
Action performed: An IAM role present in an account was deleted.
Basic operation performed: DELETE (a resource of the resource type AWS::IAM::Role was deleted).
Change type combination: Resource direct relationship change and resource configuration change DELETE-DELETE. The deletion of the IAM role also deleted the association of the IAM policy with the IAM role.
Example DELETE-DELETE configurationItemDiff notification:
{
  "configurationItemDiff": {
    "changedProperties": {
      "Relationships.0": {
        "previousValue": {
          "resourceId": "ANPAIJ5MXUKK*********",
          "resourceName": "AWSCloudTrailAccessPolicy",
          "resourceType": "AWS::IAM::Policy",
          "name": "Is attached to CustomerManagedPolicy"
        },
        "updatedValue": null,
        "changeType": "DELETE"
      },
      "Configuration": {
        "previousValue": {
          "path": "/",
          "roleName": "CloudTrailRole",
          "roleId": "AROAJITJ6YGM*********",
          "arn": "arn:aws:iam::123456789012:role/CloudTrailRole",
          "createDate": "2017-12-06T10:27:51.000Z",
          "assumeRolePolicyDocument": "{"Version":"2012-10-17","Statement":[{"Sid":"","Effect":"Allow","Principal":{"AWS":"arn:aws:iam::123456789012:root"},"Action":"sts:AssumeRole","Condition":{"StringEquals":{"sts:ExternalId":"123456"}}}]}",
          "instanceProfileList": [],
          "rolePolicyList": [],
          "attachedManagedPolicies": [
            {
              "policyName": "AWSCloudTrailAccessPolicy",
              "policyArn": "arn:aws:iam::123456789012:policy/AWSCloudTrailAccessPolicy"
            }
          ],
          "permissionsBoundary": null,
          "tags": [],
          "roleLastUsed": null
        },
        "updatedValue": null,
        "changeType": "DELETE"
      }
    },
    "changeType": "DELETE"
  }
}
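The three examples above all follow one pattern: the top-level changeType in configurationItemDiff is the basic operation, and each entry under changedProperties carries its own changeType, so the combination (UPDATE-CREATE, UPDATE-DELETE, DELETE-DELETE) is simply the pair of the two. Entries keyed Relationships.N are direct relationship changes and entries keyed Configuration or Configuration.<field> are resource configuration changes. The following Python script is an added example, not code from AWS or from this article, that applies that reading to notification payloads. The sample messages are constructed from the examples above (resource IDs masked as on the page, and the full configuration trimmed to the fields the code uses); the Lambda record shape (record["Sns"]["Message"] holding the notification as a JSON string) and the function names are assumptions of the example.

```python
import json

# Constructed sample messages modelled on the configurationItemDiff examples above.
# A real notification also carries configurationItem, notificationCreationTime and
# recordVersion, which this example does not need.
SAMPLE_POLICY_ATTACHED = {
    "messageType": "ConfigurationItemChangeNotification",
    "configurationItemDiff": {
        "changedProperties": {
            "Relationships.0": {
                "previousValue": None,
                "updatedValue": {"resourceId": "AROA6D3M4S53*********", "resourceName": "Test1",
                                 "resourceType": "AWS::IAM::Role", "name": "Is attached to Role"},
                "changeType": "CREATE",
            },
            "Configuration.AttachmentCount": {"previousValue": 2, "updatedValue": 3, "changeType": "UPDATE"},
        },
        "changeType": "UPDATE",
    },
}

SAMPLE_ROLE_DELETED = {
    "messageType": "ConfigurationItemChangeNotification",
    "configurationItemDiff": {
        "changedProperties": {
            "Relationships.0": {
                "previousValue": {"resourceId": "ANPAIJ5MXUKK*********", "resourceName": "AWSCloudTrailAccessPolicy",
                                  "resourceType": "AWS::IAM::Policy", "name": "Is attached to CustomerManagedPolicy"},
                "updatedValue": None,
                "changeType": "DELETE",
            },
            "Configuration": {
                "previousValue": {"roleName": "CloudTrailRole",
                                  "arn": "arn:aws:iam::123456789012:role/CloudTrailRole"},
                "updatedValue": None,
                "changeType": "DELETE",
            },
        },
        "changeType": "DELETE",
    },
}


def property_kind(name):
    """'Relationships.N' entries describe direct relationships; 'Configuration' and
    'Configuration.<field>' entries describe the resource's own configuration."""
    if name.startswith("Relationships."):
        return "relationship"
    if name == "Configuration" or name.startswith("Configuration."):
        return "configuration"
    return "other"


def summarize_diff(message):
    """Return one record per changed property with its change type combination,
    <basic operation>-<per-property changeType>, for example UPDATE-CREATE."""
    diff = message["configurationItemDiff"]
    basic = diff["changeType"]
    records = []
    for prop, change in diff.get("changedProperties", {}).items():
        records.append({
            "property": prop,
            "kind": property_kind(prop),
            "combination": f"{basic}-{change['changeType']}",
            "previous": change.get("previousValue"),
            "updated": change.get("updatedValue"),
        })
    return records


def describe_relationship_changes(message):
    """Human-readable lines for relationship changes: which resource was attached to
    or detached from the changed resource, which is what an IAM reviewer wants first."""
    lines = []
    for rec in summarize_diff(message):
        if rec["kind"] != "relationship":
            continue
        # A CREATE carries the new target in updatedValue; a DELETE keeps the old one in previousValue.
        target = rec["updated"] if rec["updated"] is not None else rec["previous"]
        verb = "created" if rec["combination"].endswith("CREATE") else "removed"
        lines.append(f"{rec['combination']}: relationship {verb}: {target['name']} "
                     f"{target['resourceType']} {target['resourceName']}")
    return lines


def handle_sns_record(record):
    """Parse one SNS record as delivered to a Lambda function (assumed shape:
    record['Sns']['Message'] is the JSON notification) and skip other message types."""
    message = json.loads(record["Sns"]["Message"])
    if message.get("messageType") != "ConfigurationItemChangeNotification":
        return []
    return describe_relationship_changes(message)


if __name__ == "__main__":
    for sample in (SAMPLE_POLICY_ATTACHED, SAMPLE_ROLE_DELETED):
        for line in describe_relationship_changes(sample):
            print(line)
```

Running the script prints one line per relationship change, for example "UPDATE-CREATE: relationship created: Is attached to Role AWS::IAM::Role Test1" for the first sample. The messageType check matters because the same SNS topic also receives snapshot and compliance notifications that carry no configurationItemDiff.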
Related information
Notifications that AWS Config sends to an Amazon SNS topic