Email notification of only those AWS Config resource change history data that match EventBridge rules via SNS
The following page shows how to email AWS Config resource change history data via SNS.
However, with the configuration on the above page, you will receive an email every time a change occurs to a resource.
In this article, we will use EventBridge rules to create a configuration that sends email notifications only when a specific event occurs.
Environment
The configuration is generally similar to the page introduced at the beginning of this article.
The only difference is that we will put EventBridge between AWS Config and SNS.
The EventBridge rule is configured to send an email notification when an event occurs that disables the SSE settings in the S3 bucket.
CloudFormation template files
The above configuration is built using CloudFormation.
The CloudFormation templates are located at the following URL
Explanation of key points of the template files
Basically the same as the page introduced at the beginning of this document.
In this page, AWS Config data is received by EventBridge and email notifications are sent via SNS.
SNS Topic
Resources:
Topic:
Type: AWS::SNS::Topic
Properties:
Subscription:
- Endpoint: !Ref MailAddress
Protocol: email
TopicName: !Ref Prefix
Code language: YAML (yaml)Create an SNS topic and specify your email address as the subscriber.
For more information, please see the following page
AWS Config
Resources:
DeliveryChannel:
Type: AWS::Config::DeliveryChannel
Properties:
Name: !Sub "${Prefix}-DeliveryChannel"
S3BucketName: !Ref ConfigBucket
ConfigurationRecorder:
Type: AWS::Config::ConfigurationRecorder
Properties:
Name: !Sub "${Prefix}-ConfigurationRecorder"
RecordingGroup:
AllSupported: false
IncludeGlobalResourceTypes: false
ResourceTypes:
- AWS::S3::Bucket
RoleARN: !Sub "arn:aws:iam::${AWS::AccountId}:role/aws-service-role/config.amazonaws.com/${AWSServiceRoleForConfig}"
AWSServiceRoleForConfig:
Type: AWS::IAM::ServiceLinkedRole
DeletionPolicy: Delete
Properties:
AWSServiceName: config.amazonaws.com
Code language: YAML (yaml)No special configuration is required to deliver AWS Config data to EventBridge.
For basic information on AWS Config, please see the following page
In this case, we will configure it to collect data about S3 buckets.
EventBridge Rules
Resources:
EventsRule:
Type: AWS::Events::Rule
Properties:
EventBusName: !Ref EventBusName
EventPattern:
source:
- aws.config
detail-type:
- Config Configuration Item Change
detail:
messageType:
- ConfigurationItemChangeNotification
configurationItem:
resourceType:
- AWS::S3::Bucket
configurationItemDiff:
changedProperties:
SupplementaryConfiguration.ServerSideEncryptionConfiguration:
changeType:
- DELETE
Name: !Sub "${Prefix}-EventsRule"
State: ENABLED
Targets:
- Arn: !Ref TopicArn
Id: !Ref TopicName
InputTransformer:
InputPathsMap:
"awsRegion": "$.detail.configurationItem.awsRegion"
"awsAccountId": "$.detail.configurationItem.awsAccountId"
"resource_ID": "$.detail.configurationItem.resourceId"
"configurationItemCaptureTime": "$.detail.configurationItem.configurationItemCaptureTime"
InputTemplate: |
"On <configurationItemCaptureTime> S3 Bucket <resource_ID> recorded a deletion of ServerSideEncryptionConfiguration in the account <awsAccountId> region <awsRegion>."
Code language: YAML (yaml)When handling AWS Config data with EventBridge rules, two properties are key.
The first is the EventPattern property.
Refer to the following page to specify the various parameters of the data to be received.
The values for “source,” “detail-type,” and “messageType” are identical to those on the above page.
For “configurationItemDiff,” we used the event data generated when the SSE setting is disabled as a reference.
The following is an excerpt of the relevant section.
{
"detail": {
"recordVersion": "1.3",
"messageType": "ConfigurationItemChangeNotification",
"configurationItemDiff": {
"changedProperties": {
"SupplementaryConfiguration.ServerSideEncryptionConfiguration": {
"previousValue": {
"rules": [
{
"applyServerSideEncryptionByDefault": {
"sseAlgorithm": "AES256"
},
"bucketKeyEnabled": false
}
]
},
"changeType": "DELETE"
}
},
"changeType": "UPDATE"
},
...
}
}
Code language: JSON / JSON with Comments (json)In other words, in addition to source, detail-type, etc., if the configurationItemDiff.changedProperties.SupplementaryConfiguration.ServerSideEncryptionConfiguration. If the changeType item is present and its value is “DELETE”, then the data satisfies the condition.
In order to link EventBridge with SNS, it is necessary to give EventBridge permission to publish messages to SNS.
Resources:
TopicPolicy:
Type: AWS::SNS::TopicPolicy
Properties:
PolicyDocument:
Statement:
- Principal:
Service: events.amazonaws.com
Action: sns:Publish
Effect: Allow
Resource: !Ref TopicArn
Topics:
- !Ref TopicArn
Code language: YAML (yaml)Resource-based policies are used to grant SNS-related access privileges to EventBridge.
For more information, please refer to the following page.
(Reference) S3 bucket
Resources:
Bucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Sub "${Prefix}-encryption-enabled"
AccessControl: Private
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
Code language: YAML (yaml)Prepare an S3 bucket as a verification resource.
Enable SSE.
Architecting
Use CloudFormation to build this environment and verify actual behavior.
Create CloudFormation stacks and verify resources in stacks
Create CloudFormation stacks.
For information on how to create stacks and check each stack, please refer to the following page
After checking the resources in each stack, information on the main resources created this time is as follows
- SNS topic: fa-103
- EventBridge rule: fa-103-EventRule
- Bucket for verification: fa-103-encryption-enabled
Authentication of email address
If an email address is specified as a subscriber to an SNS topic, the email address must be authenticated.
The following authentication email will be sent to the specified email address.
Click “Confirm subscription” to proceed with the authentication.
The above page will appear, indicating that the authentication has been completed.
Resource Confirmation
Check each resource from the AWS Management Console.
First, check the SNS topic.
You can see that the SNS topic has been successfully created.
In addition, you can see that the email address you registered as a subscriber is registered.
The Status value of the email address is “Confirmed,” indicating that the authentication has been completed.
The access policy shows that EventBridge is allowed to publish messages to this topic.
Check the AWS Config settings.
We can see that the AWS Config is working properly and that data collection has started.
Looking at the item related to SNS in Delivery method, we see that no settings have been made.
This indicates that there is no direct integration between AWS Config and SNS.
Check EventBridge.
We see that the EventBridge rule has been successfully created.
Looking at the Event Pattern, we see that the pattern is defined as per the CloudFormation template.
This means that if AWS Config sends event data regarding the deletion of the SSE settings of the S3 bucket, the condition is satisfied.
Looking at Target, we can see that the SNS topic mentioned earlier is specified.
This means that if event data that satisfies the aforementioned pattern is sent, it will be notified by e-mail via SNS.
Looking at the Input transformer, a template for the string to be sent by email and the parameters to be embedded are defined.
Check the S3 bucket for verification.
You can see that the SSE setting is indeed enabled.
Checking Operation
Now that everything is ready, let’s check the Operation.
Disable the SSE setting for the S3 bucket.
After waiting for a while, the following e-mail arrives.
The body of the email is indeed a string with various parameters embedded in the template as specified in the Input Transformer.
The event data has been generated by AWS Config following the deactivation of the SSE setting in the S3 bucket.
This event data met the requirements of the EventBridge rule, so the event data was forwarded to the target SNS topic.
A message was created using a portion of the event data, and the message was sent to the email address of the SNS subscriber.
Summary
We have shown how to use EventBridge rules to configure email notifications only when a specific event occurs.