How can I use AWS Config to be notified when an AWS resource is non-compliant?


I want to create an Amazon EventBridge rule that sends a custom email notification to me when AWS resources are non-compliant.

Short description

To match AWS Config rule evaluations that report a resource as NON_COMPLIANT, first create an EventBridge rule with a custom event pattern and an input transformer. Then, route the transformed event from EventBridge to an Amazon Simple Notification Service (Amazon SNS) topic.

Resolution

In the following example, SNS notifications are received when the ec2-security-group-attached-to-eni managed rule reports AWS resources as NON_COMPLIANT. The non-compliant resource is an Amazon Elastic Compute Cloud (Amazon EC2) security group.

Note: You can replace the resource type and rule name in the event pattern with the ones for your specific AWS service and AWS Config rules.

Complete the following steps:

  1. Create an Amazon SNS topic. If you have an existing Amazon SNS topic, then continue to the next step.
    Important: The Amazon SNS topic must be in the same AWS Region as your AWS Config service.

  2. Open the EventBridge console.

  3. Select EventBridge Rule, and then choose Create rule.

  4. On the Define rule detail screen, under Rule detail, enter the following information:
    For Name, enter a name for your rule.
    (Optional) For Description, enter a description of the rule.
    For Rule type, choose Rule with an event pattern. Then, choose Next.

  5. For Event source, choose AWS events or EventBridge partner events.

  6. Under Creation method, choose Custom pattern (JSON editor), and then enter the following example event pattern:

    {
      "source": [
        "aws.config"
      ],
      "detail-type": [
        "Config Rules Compliance Change"
      ],
      "detail": {
        "messageType": [
          "ComplianceChangeNotification"
        ],
        "configRuleName": [
          "ec2-security-group-attached-to-eni"
        ],
        "resourceType": [
          "AWS::EC2::SecurityGroup"
        ],
        "newEvaluationResult": {
          "complianceType": [
            "NON_COMPLIANT"
          ]
        }
      }
    }

  7. Choose Next.

  8. On the Select target(s) screen, enter the following information:
    For Target types, choose AWS service.
    For Select a target, choose SNS topic.
    For Topic, choose your SNS topic.
    Under Additional settings, for Configure target input, choose Input transformer.
    Choose Configure input transformer.
    Under Target input transformer, for the Input Path text box, enter the following example path:

    {
      "awsRegion": "$.detail.awsRegion",
      "resourceId": "$.detail.resourceId",
      "awsAccountId": "$.detail.awsAccountId",
      "compliance": "$.detail.newEvaluationResult.complianceType",
      "rule": "$.detail.configRuleName",
      "time": "$.detail.newEvaluationResult.resultRecordedTime",
      "resourceType": "$.detail.resourceType"
    }

    For Template, enter the following example template:

    "On yourTime AWS Config rule yourRule evaluated the yourResourceType with Id yourResourceId in the account yourAWSAccountId in Region yourAwsRegion as yourCompliance. For more details open the AWS Config console at https://console.aws.amazon.com/config/home?region=yourAwsRegion#/timeline/yourResourceType/yourResourceId/configuration"

    Note: In the preceding example, replace yourTime, yourRule, yourResourceType, yourResourceId, yourAWSAccountId, yourAwsRegion, and yourCompliance with the values for the time, rule, resource type, resource ID, AWS account ID, AWS Region, and compliance result that your use case requires.
    Choose Confirm.

  9. Choose Next. Then, choose Next.

  10. Choose Create rule.

After a matching compliance change event occurs, you receive an SNS email notification with the custom fields populated.

Example:

"On ExampleTime AWS Config rule ExampleRuleName evaluated the ExampleResourceType with Id ExampleResource_ID in the account ExampleAccount_ID in Region ExampleRegion as ExampleComplianceType. For more details open the AWS Config console at https://console.aws.amazon.com/config/home?region=ExampleRegion#/timeline/ExampleResourceType/ExampleResource_ID/configuration"
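The following is an added example (not code from the article) that simulates offline what the rule above does: it applies the page's event pattern to a constructed Config compliance event, resolves the page's Input Path map, and renders the message template. The template is written with EventBridge's `<name>` placeholders, which refer to the Input Path keys; the event values are made up.

```python
import re
from functools import reduce

# Constructed sample "Config Rules Compliance Change" event (all values are made up).
SAMPLE_EVENT = {
    "source": "aws.config", "detail-type": "Config Rules Compliance Change",
    "detail": {"messageType": "ComplianceChangeNotification",
               "configRuleName": "ec2-security-group-attached-to-eni",
               "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0123456789abcdef0",
               "awsRegion": "us-east-1", "awsAccountId": "111122223333",
               "newEvaluationResult": {"complianceType": "NON_COMPLIANT",
                                       "resultRecordedTime": "2024-01-01T00:00:00.000Z"}}}

# The page's event pattern: a list means "the value must be one of these".
EVENT_PATTERN = {
    "source": ["aws.config"], "detail-type": ["Config Rules Compliance Change"],
    "detail": {"messageType": ["ComplianceChangeNotification"],
               "configRuleName": ["ec2-security-group-attached-to-eni"],
               "resourceType": ["AWS::EC2::SecurityGroup"],
               "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]}}}

# The page's Input Path map; the template's <name> placeholders refer to these keys.
INPUT_PATHS = {
    "awsRegion": "$.detail.awsRegion", "resourceId": "$.detail.resourceId",
    "awsAccountId": "$.detail.awsAccountId", "rule": "$.detail.configRuleName",
    "compliance": "$.detail.newEvaluationResult.complianceType",
    "time": "$.detail.newEvaluationResult.resultRecordedTime",
    "resourceType": "$.detail.resourceType"}
TEMPLATE = ("On <time> AWS Config rule <rule> evaluated the <resourceType> with Id <resourceId> "
            "in the account <awsAccountId> in Region <awsRegion> as <compliance>. For more details "
            "open the AWS Config console at https://console.aws.amazon.com/config/home?region="
            "<awsRegion>#/timeline/<resourceType>/<resourceId>/configuration")

def matches(pattern, event):
    """Every pattern key must exist in the event; dicts recurse, lists mean 'one of'."""
    for key, cond in pattern.items():
        if key not in event:
            return False
        if isinstance(cond, dict):
            if not (isinstance(event[key], dict) and matches(cond, event[key])):
                return False
        elif event[key] not in cond:
            return False
    return True

def render(event):
    """Return the SNS message for a matching event, or None if the rule would not fire."""
    if not matches(EVENT_PATTERN, event):
        return None
    # Walk each simple "$.a.b" JSONPath into the event dict, then fill the template.
    values = {n: str(reduce(lambda d, k: d[k], p[2:].split("."), event)) for n, p in INPUT_PATHS.items()}
    return re.sub(r"<(\w+)>", lambda m: values[m.group(1)], TEMPLATE)
```

Feeding the same function a COMPLIANT event, or one from a different rule, returns None, which is the behaviour you want to confirm before trusting the rule to stay quiet on healthy resources.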

Related information

How can I be notified when changes are made to Amazon Route 53 hosted zone records?

How can I receive custom email notifications when a resource is created in my AWS account using AWS Config service?

How can I configure an EventBridge rule for GuardDuty to send custom SNS notifications for specific AWS service event types?

AWS OFFICIAL
Updated 4 months ago

1 Comment

This doesn't work when you use Control Tower. When you try to create the filter, you get the error:

User: arn:aws:sts::0123456789:assumed-role/AWSReservedSSO_AWSAdministratorAccess_0123456789/user is not authorized to perform: SNS:SetTopicAttributes on resource: arn:aws:sns:us-west-2:0123456789:aws-controltower-AggregateSecurityNotifications with an explicit deny in a service control policy

The workaround of using a Lambda also doesn't work for the same reason. See also: https://repost.aws/questions/QUyHJeFC9vRVqRLd_ep7-OeQ/conflicts-between-control-tower-and-security-controls

replied 4 months ago