How can I receive custom email notifications when AWS Config is used to create a resource?

Resolution

Use a custom event pattern with the EventBridge rule to match an AWS Config supported resource type. Then, route the response to an Amazon Simple Notification Service (Amazon SNS) topic.

In the following example, you receive SNS notifications when the AWS::EC2::Instance resource type is used to create new Amazon Elastic Compute Cloud (Amazon EC2) instances.

Note: Replace the resource type with your specific AWS service.

Complete the following steps:

1. Create an Amazon SNS topic.
   Note: The Amazon SNS topic must be in the same AWS Region as your AWS Config service.

2. Open the EventBridge console.

3. In the navigation pane, choose Rules, and then choose Create rule.

4. Enter the following information:
   For Name, enter a name for your rule.
   (Optional) For Description, enter a description for the rule.
   For Rule type, choose Rule with an event pattern, and then choose Next.
   For Event source, choose AWS events or EventBridge partner events.

5. Under Event pattern, choose Custom patterns (JSON editor). Then, enter the following example event pattern:

   {
     "source": [
       "aws.config"
     ],
     "detail-type": [
       "Config Configuration Item Change"
     ],
     "detail": {
       "messageType": [
         "ConfigurationItemChangeNotification"
       ],
       "configurationItem": {
         "resourceType": [
           "AWS::EC2::Instance"
         ],
         "configurationItemStatus": [
           "ResourceDiscovered"
         ]
       }
     }
   }

   Note: Replace the EC2::Instance resource type with your resource type. For a list of available resource types, see the resourceType section in ResourceIdentifier.

6. Choose Next.

7. Enter the following information:
   For Target types, select AWS service.
   For Select a target, choose SNS topic.
   For Topic, choose your SNS topic.
   Under Additional settings, for Configure target input, choose Input transformer.

8. Choose Configure input transformer. Then, under Target input transformer for the Input Path text box, enter the following example path:

   {
       "awsRegion": "$.detail.configurationItem.awsRegion",
       "awsAccountId": "$.detail.configurationItem.awsAccountId",
       "resource_type": "$.detail.configurationItem.resourceType",
       "resource_ID": "$.detail.configurationItem.resourceId",
       "configurationItemCaptureTime": "$.detail.configurationItem.configurationItemCaptureTime"
   }

9. For the Template text box, enter the following example template:

   "On <configurationItemCaptureTime> AWS Config service recorded a creation of a new <resource_type> with Id <resource_ID> in the account <awsAccountId> region <awsRegion>. For more details open the AWS Config console at https://console.aws.amazon.com/config/home?region=<awsRegion>#/timeline/<resource_type>/<resource_ID>/configuration"

10. Choose Confirm. Then, choose Next.

11. Choose Create rule.

When an event type is initiated, you receive an SNS email notification with the custom fields populated.

Example:

"On ExampleTime AWS Config service recorded a creation of a new AWS::EC2::Instance with Id ExampleID in the account AccountID region ExampleRegion. For more details open the AWS Config console at https://console.aws.amazon.com/config/home?region=*ExampleRegion*#/timeline/AWS::EC2::Instance/*ExampleID*/configuration"

Related information

How can I configure an EventBridge rule for GuardDuty to send custom SNS notifications for specific AWS service event types?

How can I receive custom email notifications when a resource is deleted in my AWS account using AWS Config service?