So what observes changes to every resource across all our accounts?
This feature of AWS Config is called the configuration recorder. For our requirement we will create a custom recorder setup that delivers events to an SNS topic. For details on the other recording configuration options, see the FAQ section.
Why a custom recorder:
With a custom recorder we have full control over which resource types are recorded, so we enable only RDS and EC2 and filter out all other events.
Keeps costs optimised.
Message Format of Change Notification
{
"Type": "Notification",
"MessageId": "8b945cb0-db34-5b72-b032-1724878af488",
"TopicArn": "arn:aws:sns:us-west-2:123456789012:example",
"Message": {
"MessageVersion": "1.0",
"NotificationCreateTime": "2014-03-18T10:11:00Z",
"messageType": "ConfigurationItemChangeNotification",
"configurationItem": [
{
"configurationItemVersion": "1.0",
"configurationItemCaptureTime": "2014-03-07T23:47:08.918Z",
"arn": "arn:aws:us-west-2b:123456789012:volume/vol-ce676ccc",
"resourceId": "vol-ce676ccc",
"accountId": "123456789012",
"configurationStateID": "3e660fdf-4e34-4f32-afeb-0ace5bf3d63a",
"configurationItemStatus": "OK",
"relatedEvents": [],
"availabilityZone": "us-west-2b",
"resourceType": "AWS::EC2::VOLUME",
"resourceCreationTime": "2014-02-27T21:43:53.885Z",
"tags": {},
"relationships": [
{
"resourceId": "i-344c463d",
"resourceType": "AWS::EC2::INSTANCE",
"name": "Attached to Instance"
}
],
"configuration": {
"volumeId": "vol-ce676ccc",
"size": 1,
"snapshotId": "",
"availabilityZone": "us-west-2b",
"state": "in-use",
"createTime": "2014-02-27T21:43:53.0885+0000",
"attachments": [
{
"volumeId": "vol-ce676ccc",
"instanceId": "i-344c463d",
"device": "/dev/sdf",
"state": "attached",
"attachTime": "2014-03-07T23:46:28.0000+0000",
"deleteOnTermination": false
}
],
"tags": [],
"volumeType": "standard"
}
}
],
"configurationItemDiff": {
"changeType": "UPDATE",
"changedProperties": {
"Configuration.State": {
"previousValue": "available",
"updatedValue": "in-use",
"changeType": "UPDATE"
},
"Configuration.Attachments.0": {
"updatedValue": {
"VolumeId": "vol-ce676ccc",
"InstanceId": "i-344c463d",
"Device": "/dev/sdf",
"State": "attached",
"AttachTime": "FriMar0723: 46: 28UTC2014",
"DeleteOnTermination": "false"
},
"changeType": "CREATE"
}
}
}
},
"Timestamp": "2014-03-07T23:47:10.001Z",
"SignatureVersion": "1",
"Signature": "LgfJNB5aOk/w3omqsYrv5cUFY8yvIJvO5ZZh46/KGPApk6HXRTBRlkhjacnxIXJEWsGI9mxvMmoWPLJGYEAR5FF/+/Ro9QTmiTNcEjQ5kB8wGsRWVrk/whAzT2lVtofc365En2T1Ncd9iSFFXfJchgBmI7EACZ28t+n2mWFgo57n6eGDvHTedslzC6KxkfWTfXsR6zHXzkB3XuZImktflg3iPKtvBb3Zc9iVbNsBEI4FITFWktSqqomYDjc5h0kgapIo4CtCHGKpALW9JDmP+qZhMzEbHWpzFlEzvFl55KaZXxDbznBD1ZkqPgno/WufuxszCiMrsmV8pUNUnkU1TA==",
"SigningCertURL": "https://sns.us-west-2.amazonaws.com/SimpleNotificationService-e372f8ca30337fdb084e8ac449342c77.pem",
"UnsubscribeURL": "https://sns.us-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-west-2:123456789012:example:a6859fee-3638-407c-907e-879651c9d143"
}
Note: depending on the service integration configuration, the message may be wrapped further. For example, if a Lambda function is subscribed directly to the SNS topic, the message it receives looks like the one below.
SNS subscription filter policy
{
"Message": {
"configurationItemDiff": [
{
"exists": true
}
],
"configurationItem": [
{
"exists": true
}
],
"messageType": [
"ConfigurationItemChangeNotification"
]
}
}
Message received by Lambda: notice the event has a Records array with an Sns object, whose Message field carries the message details shown above as a JSON-encoded string.
{
"Records": [
{
"EventSource": "aws:sns",
"EventVersion": "1.0",
"EventSubscriptionArn": "arn:aws:sns:eu-west-1:094312144437:config-topic:8e",
"Sns": {
"Type": "Notification",
"MessageId": "85bae3de-0a11-5726-90f6-bc2908b42571",
"TopicArn": "arn:aws:sns:eu-west-1:094312144437:config-topic",
"Subject": "[AWS Config:eu-west-1] AWS::RDS::DBInstance parkingdbinstance Updated in Account 094312144437",
"Message": "{\"configurationItemDiff\":{\"changedProperties\":{\"Configuration.LatestRestorableTime\":{\"previousValue\":\"2025-01-07T09:55:00.000Z\",\"updatedValue\":\"2025-01-07T10:20:01.000Z\",
\"changeType\":\"UPDATE\"},
\"notificationCreationTime\":\"2025-01-07T10:22:28.895Z\",
\"messageType\":\"ConfigurationItemChangeNotification\",\"recordVersion\":\"1.3\"}",
"Timestamp": "2025-01-07T10:22:29.119Z",
"SignatureVersion": "1",
"Signature": "pJJS/C/AqsGcHepmH/3XsC4d==",
"SigningCertUrl": "https://sns.eu-west-1.amazonaws.com/SimpleNotificationService-9c6465fa7f48f5cacd23014631ec1136.pem",
"UnsubscribeUrl": "https://sns.eu-west-1.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:eu-west-1:094312144437:config-topic:6f",
"MessageAttributes": {}
}
}
]
}
With this option we have the ability to filter the message at the SNS topic.
Example: only pass messages with messageType: ConfigurationItemChangeNotification AND resourceType: AWS::RDS:: to the RDS SQS queue.
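As an added example (not part of the original post), a Lambda handler that unwraps the Records/Sns/Message envelope shown above, decodes the JSON string, and keeps only ConfigurationItemChangeNotification messages whose resourceType starts with AWS::RDS::, mirroring the subscription filter policy in code. The sample event, account id, resource id and changed property are constructed; the handler assumes configurationItem is an object with resourceType and resourceId (it also accepts the list form used in the older sample).

```python
import json

# Constructed sample of the envelope a Lambda receives from a direct SNS subscription.
# Only the fields the handler reads are filled in; all values are invented.
SAMPLE_EVENT = {"Records": [{
    "EventSource": "aws:sns",
    "Sns": {
        "Type": "Notification",
        "TopicArn": "arn:aws:sns:eu-west-1:111111111111:config-topic",
        "Message": json.dumps({
            "messageType": "ConfigurationItemChangeNotification",
            "configurationItem": {"resourceType": "AWS::RDS::DBInstance",
                                  "resourceId": "db-EXAMPLE"},
            "configurationItemDiff": {
                "changeType": "UPDATE",
                "changedProperties": {
                    "Configuration.PubliclyAccessible": {
                        "previousValue": False, "updatedValue": True,
                        "changeType": "UPDATE"}}}})}}]}


def _config_item(msg):
    """Return configurationItem as a dict (older samples wrap it in a list)."""
    item = msg.get("configurationItem")
    if isinstance(item, list):
        item = item[0] if item else {}
    return item or {}


def extract_changes(event, resource_prefix="AWS::RDS::"):
    """Unwrap each SNS record and keep only change notifications for the prefix."""
    results = []
    for record in event.get("Records", []):
        if record.get("EventSource") != "aws:sns":
            continue
        msg = json.loads(record["Sns"]["Message"])  # Message is a JSON string
        if msg.get("messageType") != "ConfigurationItemChangeNotification":
            continue
        item = _config_item(msg)
        if not str(item.get("resourceType", "")).startswith(resource_prefix):
            continue
        diff = msg.get("configurationItemDiff") or {}
        results.append({"resourceType": item["resourceType"],
                        "resourceId": item.get("resourceId"),
                        "changeType": diff.get("changeType"),
                        "changed": sorted((diff.get("changedProperties") or {}))})
    return results


def lambda_handler(event, context):
    """Lambda entry point: log each matching change and report how many matched."""
    changes = extract_changes(event)
    for change in changes:
        print(json.dumps(change))
    return {"matched": len(changes)}
```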