Under Creation method, choose Custom pattern (JSON editor), and then enter the following example event pattern:
{
  "source": [
    "aws.config"
  ],
  "detail-type": [
    "Config Rules Compliance Change"
  ],
  "detail": {
    "messageType": [
      "ComplianceChangeNotification"
    ],
    "configRuleName": [
      "ec2-security-group-attached-to-eni"
    ],
    "resourceType": [
      "AWS::EC2::SecurityGroup"
    ],
    "newEvaluationResult": {
      "complianceType": [
        "NON_COMPLIANT"
      ]
    }
  }
}
On the Select target(s) screen, enter the following information:
For Target types, choose AWS service.
For Select a target, choose SNS topic.
For Topic, choose your SNS topic.
Under Additional settings, for Configure target input, choose Input transformer.
Choose Configure input transformer.
Under Target input transformer, for the Input Path text box, enter the following example path:
{
  "awsRegion": "$.detail.awsRegion",
  "resourceId": "$.detail.resourceId",
  "awsAccountId": "$.detail.awsAccountId",
  "compliance": "$.detail.newEvaluationResult.complianceType",
  "rule": "$.detail.configRuleName",
  "time": "$.detail.newEvaluationResult.resultRecordedTime",
  "resourceType": "$.detail.resourceType"
}
For Template, enter the following example template:
"On yourTime AWS Config rule yourRule evaluated the yourResourceType with Id yourResourceId in the account yourAWSAccountId Region yourAwsRegion as yourCompliance. For more details open the AWS Config console at https://console.aws.amazon.com/config/home?region=yourAwsRegion#/timeline/yourResourceType/yourResourceId/configuration"
Note: In the preceding example, replace yourTime, yourRule, yourResourceType, yourResourceId, yourAWSAccountId, yourAwsRegion, and yourCompliance with your own values for time, rule, resource type, resource ID, AWS account ID, AWS Region, compliance, and resource information as required by your use case.
Choose Confirm.
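The following is an added example, not part of the original article and not AWS code: a simplified local model of the event pattern and input paths above, for checking them against a sample event before deploying the rule. It models only exact-value matching; the sample event, its IDs, and the function names are constructed for illustration.

```python
# Event pattern and input paths copied from the steps above.
PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "messageType": ["ComplianceChangeNotification"],
        "configRuleName": ["ec2-security-group-attached-to-eni"],
        "resourceType": ["AWS::EC2::SecurityGroup"],
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
    },
}
INPUT_PATHS = {
    "awsRegion": "$.detail.awsRegion",
    "resourceId": "$.detail.resourceId",
    "awsAccountId": "$.detail.awsAccountId",
    "compliance": "$.detail.newEvaluationResult.complianceType",
    "rule": "$.detail.configRuleName",
    "time": "$.detail.newEvaluationResult.resultRecordedTime",
    "resourceType": "$.detail.resourceType",
}

def matches(pattern, event):
    """Simplified model: a list holds allowed exact values, a dict recurses."""
    if not isinstance(event, dict):
        return False
    return all(
        k in event and (matches(w, event[k]) if isinstance(w, dict) else event[k] in w)
        for k, w in pattern.items())

def resolve(path, event):
    """Follow a dotted '$.a.b' path; return None when a field is missing."""
    node = event
    for part in path[2:].split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def transformer_inputs(event):
    """Values the input paths would extract; None marks an unresolved path."""
    return {name: resolve(path, event) for name, path in INPUT_PATHS.items()}

def sample_event(compliance):
    """Constructed event; IDs, Region and timestamp are placeholders."""
    result = {"complianceType": compliance, "resultRecordedTime": "2024-01-01T00:00:00Z"}
    detail = {"messageType": "ComplianceChangeNotification", "awsRegion": "us-east-1",
              "configRuleName": "ec2-security-group-attached-to-eni",
              "resourceType": "AWS::EC2::SecurityGroup", "awsAccountId": "111122223333",
              "resourceId": "sg-0123456789abcdef0", "newEvaluationResult": result}
    return {"source": "aws.config", "detail-type": "Config Rules Compliance Change", "detail": detail}
```

A `None` in the result of `transformer_inputs` points to an input path that does not exist in the event, which is worth catching before the notification text goes out with a missing value.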