示例过大配置项变更通知 - Amazon Config
如何访问超大配置项目工作方式
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅 中国的 Amazon Web Services 服务入门 (PDF)

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

示例过大配置项变更通知

当 Amazon Config 检测到资源的配置更改时,它会发送配置项目 (CI) 通知。如果通知超过了 Amazon Simple Notification Service (Amazon SNS) 允许的最大大小,则通知会包含配置项的简短摘要。

您可以在 s3BucketLocation 字段中指定的 Amazon S3 存储桶位置查看完整通知。

以下示例通知显示了 Amazon EC2 实例的 CI。通知中包含变更摘要以及通知在 Amazon S3 存储桶中的位置。

View the Timeline for this Resource in the Console:
    https://console.aws.amazon.com/config/home?region=us-west-2#/timeline/AWS::EC2::Instance/resourceId_14b76876-7969-4097-ab8e-a31942b02e80?time=2016-10-06T16:46:16.261Z
    
    The full configuration item change notification for this resource exceeded the maximum size allowed by Amazon Simple Notification Service (SNS). A summary of the configuration item is provided here. You can view the complete notification in the specified Amazon S3 bucket location.
    
    New State Record Summary:
    ----------------------------
    {
      "configurationItemSummary": {
        "changeType": "UPDATE",
        "configurationItemVersion": "1.2",
        "configurationItemCaptureTime": "2016-10-06T16:46:16.261Z",
        "configurationStateId": 0,
        "awsAccountId": "123456789012",
        "configurationItemStatus": "OK",
        "resourceType": "AWS::EC2::Instance",
        "resourceId": "resourceId_14b76876-7969-4097-ab8e-a31942b02e80",
        "resourceName": null,
        "ARN": "arn:aws:ec2:us-west-2:123456789012:instance/resourceId_14b76876-7969-4097-ab8e-a31942b02e80",
        "awsRegion": "us-west-2",
        "availabilityZone": null,
        "configurationStateMd5Hash": "8f1ee69b287895a0f8bc5753eca68e96",
        "resourceCreationTime": "2016-10-06T16:46:10.489Z"
      },
      "s3DeliverySummary": {
        "s3BucketLocation": "amzn-s3-demo-bucket/AWSLogs/123456789012/Config/us-west-2/2016/10/6/OversizedChangeNotification/AWS::EC2::Instance/resourceId_14b76876-7969-4097-ab8e-a31942b02e80/123456789012_Config_us-west-2_ChangeNotification_AWS::EC2::Instance_resourceId_14b76876-7969-4097-ab8e-a31942b02e80_20161006T164616Z_0.json.gz",
        "errorCode": null,
        "errorMessage": null
      },
      "notificationCreationTime": "2016-10-06T16:46:16.261Z",
      "messageType": "OversizedConfigurationItemChangeNotification",
      "recordVersion": "1.0"
    }

如何访问超大配置项目

当配置项目过大时,只会向 Amazon SNS 发送摘要。完整的配置项目 (CI) 存储在 Amazon S3 中

以下代码示例显示了如何访问完整的 CI。

import boto3
import json

def handle_oversized_configuration_item(event):
    """
    Example of handling an oversized configuration item notification
    
    When a configuration item is oversized:
    1. AWS Config sends a summary notification through SNS
    2. The complete configuration item is stored in S3
    3. Use get_resource_config_history API to retrieve the complete configuration
    """
    
    # Extract information from the summary notification
    if event['messageType'] == 'OversizedConfigurationItemChangeNotification':
        summary = event['configurationItemSummary']
        resource_type = summary['resourceType']
        resource_id = summary['resourceId']
        
        # Initialize AWS Config client
        config_client = boto3.client('config')
        
        # Retrieve the complete configuration item
        response = config_client.get_resource_config_history(
            resourceType=resource_type,
            resourceId=resource_id
        )
        
        if response['configurationItems']:
            config_item = response['configurationItems'][0]
            
            # For EC2 instances, the configuration contains instance details
            configuration = json.loads(config_item['configuration'])
            print(f"Instance Configuration: {configuration}")
            
            # Handle supplementary configuration if present
            if 'supplementaryConfiguration' in config_item:
                for key, value in config_item['supplementaryConfiguration'].items():
                    if isinstance(value, str):
                        config_item['supplementaryConfiguration'][key] = json.loads(value)
                print(f"Supplementary Configuration: {config_item['supplementaryConfiguration']}")
            
            return config_item
            
        # If needed, you can also access the complete notification from S3
        s3_location = event['s3DeliverySummary']['s3BucketLocation']
        print(f"Complete notification available in S3: {s3_location}")
    
    return None

工作方式

  1. 该函数接受包含 Amazon Config 通知的事件参数。

  2. 它会检查消息类型是否为超大配置通知。

  3. 该函数从摘要中提取资源类型和 ID。

  4. 它使用 Amazon Config 客户端,检索完整的配置历史记录。

  5. 该函数同时处理主配置和补充配置。

  6. 如果需要,您可以从提供的 S3 位置访问完整的通知。