How can I be notified when an AWS resource is non-compliant using AWS Config?

Last updated: 2020-24-04

I created an Amazon EventBridge rule to trigger notifications when AWS resources are non-compliant, but the responses are in JSON format. How can I receive an email with a customized notification?

Short Description

Use an EventBridge rule with a custom event pattern to match AWS Config rule evaluations whose result is NON_COMPLIANT, and an input transformer to turn the JSON event into a readable message. Then, route the message to an Amazon Simple Notification Service (Amazon SNS) topic.

Resolution

In the following example, SNS notifications are received when the ec2-security-group-attached-to-eni managed rule reports AWS resources as NON_COMPLIANT for an Amazon Elastic Compute Cloud (Amazon EC2) security group.

Note: You can replace the resource type and rule name in this example with those for your own AWS service and AWS Config rule.

1.    If you haven't already created an Amazon SNS topic, follow the instructions for Getting Started with Amazon SNS.

Important: The Amazon SNS topic must be in the same Region as your AWS Config service.

2.    Open the EventBridge console.

3.    Choose Create rule.

4.    In Name, enter a name for your rule.

5.    In Define Pattern, choose Event pattern.

6.    In Event Matching pattern, choose Custom pattern.

7.    In the Event pattern preview pane, copy and paste the following example event pattern:

{
    "source": [
        "aws.config"
    ],
    "detail-type": [
        "Config Rules Compliance Change"
    ],
    "detail": {
        "messageType": [
            "ComplianceChangeNotification"
        ],
        "configRuleName": [
            "ec2-security-group-attached-to-eni"
        ],
        "resourceType": [
            "AWS::EC2::SecurityGroup"
        ],
        "newEvaluationResult": {
            "complianceType": [
                "NON_COMPLIANT"
            ]
        }
    }
}

8.    Choose Save.

9.    In Select targets, choose SNS topic.

10.    In Topic, choose your SNS topic.

11.    Expand Configure input, and then choose Input transformer.

12.    In the Input Path text box, copy and paste the following example path:

{
    "awsRegion": "$.detail.awsRegion",
    "resourceId": "$.detail.resourceId",
    "awsAccountId": "$.detail.awsAccountId",
    "compliance": "$.detail.newEvaluationResult.complianceType",
    "rule": "$.detail.configRuleName",
    "time": "$.detail.newEvaluationResult.resultRecordedTime",
    "resourceType": "$.detail.resourceType"
}

13.    In the Input Template text box, copy and paste the following template:

"On <time> AWS Config rule <rule> evaluated the <resourceType> with Id <resourceId> in the account <awsAccountId> region <awsRegion> as <compliance> For more details open the AWS Config console at https://console.aws.amazon.com/config/home?region=<awsRegion>#/timeline/<resourceType>/<resourceId>/configuration"

14.    Choose Create.

15.    When a matching event occurs, you receive an SNS email notification with the placeholders from the template in step 13 populated, similar to the following:

"On ExampleTime AWS Config rule ExampleRuleName evaluated the ExampleResourceType with Id ExampleResource_ID in the account ExampleAccount_Id in Region ExampleRegion as ExamplecomplianceType. For more details open the AWS Config console at https://console.aws.amazon.com/config/home?region=ExampleRegion#/timeline/ExampleResourceType/ExampleResource_ID/configuration"
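The following is an added example, not part of the AWS article: a small Python check that applies the event pattern and input transformer from the steps above to a constructed AWS Config compliance-change event, so you can verify locally that the pattern fires only for NON_COMPLIANT results of the chosen rule and that the template renders as expected before creating the rule. The matcher implements only the exact-match subset of EventBridge semantics this pattern uses, and the sample event values (account ID, security group ID, timestamp) are made up.

```python
import re
from functools import reduce

# Event pattern from the article: fire only for NON_COMPLIANT results of one rule.
EVENT_PATTERN = {"source": ["aws.config"], "detail-type": ["Config Rules Compliance Change"],
                 "detail": {"messageType": ["ComplianceChangeNotification"],
                            "configRuleName": ["ec2-security-group-attached-to-eni"],
                            "resourceType": ["AWS::EC2::SecurityGroup"],
                            "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]}}}
# Input transformer from the article: JSONPath map plus the message template.
INPUT_PATHS = {"awsRegion": "$.detail.awsRegion", "resourceId": "$.detail.resourceId",
               "awsAccountId": "$.detail.awsAccountId", "rule": "$.detail.configRuleName",
               "resourceType": "$.detail.resourceType",
               "compliance": "$.detail.newEvaluationResult.complianceType",
               "time": "$.detail.newEvaluationResult.resultRecordedTime"}
INPUT_TEMPLATE = ("On <time> AWS Config rule <rule> evaluated the <resourceType> with Id "
                  "<resourceId> in the account <awsAccountId> region <awsRegion> as "
                  "<compliance> For more details open the AWS Config console at "
                  "https://console.aws.amazon.com/config/home?region=<awsRegion>"
                  "#/timeline/<resourceType>/<resourceId>/configuration")

def matches(pattern, event):
    """Exact-match semantics as used by this pattern: every pattern key must exist
    in the event; a list means 'value is one of these'; a nested dict recurses."""
    return all(
        isinstance(event.get(k), dict) and matches(v, event[k]) if isinstance(v, dict)
        else event.get(k) in v
        for k, v in pattern.items())

def lookup(event, path):
    """Resolve a dotted JSONPath such as $.detail.resourceId (no wildcards/filters)."""
    return reduce(lambda node, key: node[key], path.split(".")[1:], event)

def notification_for(event):
    """SNS message for a matching event, or None when the rule would not fire."""
    if not matches(EVENT_PATTERN, event):
        return None
    values = {name: str(lookup(event, path)) for name, path in INPUT_PATHS.items()}
    return re.sub(r"<(\w+)>", lambda m: values[m.group(1)], INPUT_TEMPLATE)

# Constructed sample event in the shape AWS Config publishes (all values made up).
SAMPLE_EVENT = {"source": "aws.config", "detail-type": "Config Rules Compliance Change",
                "detail": {"messageType": "ComplianceChangeNotification",
                           "configRuleName": "ec2-security-group-attached-to-eni",
                           "resourceType": "AWS::EC2::SecurityGroup",
                           "resourceId": "sg-0123456789abcdef0", "awsRegion": "us-east-1",
                           "awsAccountId": "111122223333",
                           "newEvaluationResult": {"complianceType": "NON_COMPLIANT",
                                                   "resultRecordedTime": "2020-04-24T10:15:00Z"}}}
```

Creating the rule in the console adds the resource policy that lets EventBridge publish to the topic; if you create the same rule with the CLI or infrastructure as code, add that policy to the SNS topic yourself or the notification is silently dropped.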