Monitoring Amazon Config with Amazon EventBridge - Amazon Config
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Monitoring Amazon Config with Amazon EventBridge

Amazon EventBridge delivers a near real-time stream of system events that describe changes in Amazon resources. Use Amazon EventBridge to detect and react to changes in the status of Amazon Config events.

You can create a rule that runs whenever there is a state transition, or when there is a transition to one or more states that are of interest. Then, based on rules you create, Amazon EventBridge invokes one or more target actions when an event matches the values you specify in a rule. Depending on the type of event, you might want to send notifications, capture event information, take corrective action, initiate events, or take other actions.

Before you create event rules for Amazon Config, however, you should do the following:

Amazon EventBridge format for Amazon Config

The EventBridge event for Amazon Config has the following format:

    {
        "version": "0",
        "id": "cd4d811e-ab12-322b-8255-872ce65b1bc8",
        "detail-type": "event type",
        "source": "aws.config",
        "account": "111122223333",
        "time": "2018-03-22T00:38:11Z",
        "region": "us-east-1",
        "resources": [ resources ],
        "detail": { specific message type }
    }

Creating Amazon EventBridge Rule for Amazon Config

Use the following steps to create an EventBridge rule that triggers on an event emitted by Amazon Config. Events are emitted on a best effort basis.

  1. In the navigation pane, choose Rules.

  2. Choose Create rule.

  3. Enter a name and description for the rule.

    A rule can't have the same name as another rule in the same Region and on the same event bus.

  4. For Define pattern, choose Event pattern.

  5. Choose Pre-defined pattern by service

  6. For Service provider, choose Amazon.

  7. For Service name, choose Config.

  8. For Event Type, choose the event type that triggers the rule:

  9. Choose Any message type to receive notifications of any type. Choose Specific message type(s) to receive the following types of notifications:

    • If you choose ConfigurationItemChangeNotification, you receive messages when the configuration of a resource that Amazon Config records changes, that is, whenever a new configuration item is created for that resource.

    • If you choose ComplianceChangeNotification, you receive messages when the compliance type of a resource that Amazon Config evaluates has changed.

    • If you choose ConfigRulesEvaluationStarted, you receive messages when Amazon Config starts evaluating your rule against the specified resources.

    • If you choose ConfigurationSnapshotDeliveryCompleted, you receive messages when Amazon Config successfully delivers the configuration snapshot to your Amazon S3 bucket.

    • If you choose ConfigurationSnapshotDeliveryFailed, you receive messages when Amazon Config fails to deliver the configuration snapshot to your Amazon S3 bucket.

    • If you choose ConfigurationSnapshotDeliveryStarted, you receive messages when Amazon Config starts delivering the configuration snapshot to your Amazon S3 bucket.

    • If you choose ConfigurationHistoryDeliveryCompleted, you receive messages when Amazon Config successfully delivers the configuration history to your Amazon S3 bucket.

  10. If you chose a specific event type from the Event Type dropdown list, choose Any resource type to make a rule that applies to all Amazon Config supported resource types.

    Or choose Specific resource type(s), and then type the Amazon Config supported resource type (for example, AWS::EC2::Instance).

  11. If you chose a specific event type from the Event Type dropdown list, choose Any resource ID to include any Amazon Config supported resource ID.

    Or choose Specific resource ID(s), and then type the Amazon Config supported resource ID (for example, i-04606de676e635647).

  12. If you chose a specific event type from the Event Type dropdown list, choose Any rule name to include any Amazon Config supported rule.

    Or choose Specific rule name(s), and then type the Amazon Config supported rule (for example, required-tags).

  13. For Select event bus, choose the event bus that you want to associate with this rule. If you want this rule to match events that come from your account, select Amazon default event bus. When an Amazon service in your account emits an event, it always goes to your account’s default event bus.

  14. For Select targets, choose the type of target you have prepared to use with this rule, and then configure any additional options required by that type.

  15. The fields displayed vary depending on the service you choose. Enter information specific to this target type as needed.

  16. For many target types, EventBridge needs permissions to send events to the target. In these cases, EventBridge can create the IAM role needed for your rule to run.

    • To create an IAM role automatically, choose Create a new role for this specific resource.

    • To use an IAM role that you created earlier, choose Use existing role.

  17. For Retry policy and dead-letter queue, under Retry policy:

    • For Maximum age of event, enter a value between one minute (00:01) and 24 hours (24:00).

    • For Retry attempts, enter a number between 0 and 185.

  18. For Dead-letter queue, choose whether to use a standard Amazon SQS queue as a dead-letter queue. EventBridge sends events that match this rule to the dead-letter queue if they are not successfully delivered to the target. Do one of the following:

    • Choose None to not use a dead-letter queue.

    • Choose Select an Amazon SQS queue in the current Amazon account to use as the dead-letter queue and then select the queue to use from the dropdown list.

    • Choose Select an Amazon SQS queue in another Amazon account as a dead-letter queue and then enter the ARN of the queue to use. You must attach a resource-based policy to the queue that grants EventBridge permission to send messages to it. For more information, see Event retry policy and using dead-letter queues.

  19. (Optional) Choose Add target to add another target for this rule.

  20. (Optional) Enter one or more tags for the rule. For more information, see Amazon EventBridge tags.

  21. Review your rule setup to make sure it meets your event-monitoring requirements.

  22. Choose Create to confirm your selection.
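The console choices in steps 6 through 12 compile down to an EventBridge event pattern, and the event envelope shown in the format section above is what that pattern is matched against. The following Python is an added example, not code from the Amazon Config documentation: it builds the pattern that corresponds to choosing Config, the compliance-change event type, resource type AWS::EC2::Instance and rule name required-tags, then runs it against constructed sample events offline using a small matcher that implements the exact-match subset of EventBridge pattern semantics (content filters such as prefix or anything-but are not implemented). The event ids, account number, timestamps and the extra newEvaluationResult filter are assumptions made for the example; the detail-type string "Config Rules Compliance Change" is the one Amazon Config emits for ComplianceChangeNotification messages.

```python
"""Offline check of an EventBridge event pattern against Amazon Config events.

Added example, not part of the Amazon Config documentation. Sample events are
constructed; account ids, event ids and timestamps are placeholders.
"""
import json

# Equivalent of the console choices: Service = Config, Event Type = compliance
# change, Specific resource type AWS::EC2::Instance, Specific rule name
# required-tags. The newEvaluationResult filter is an assumption for the
# example: it narrows the rule to resources that just became NON_COMPLIANT.
COMPLIANCE_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "resourceType": ["AWS::EC2::Instance"],
        "configRuleName": ["required-tags"],
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
    },
}


def matches(pattern, event):
    """Return True if `event` satisfies `pattern`.

    EventBridge exact-match semantics: every key in the pattern must exist in
    the event; nested objects recurse; a leaf in the pattern is a list of
    accepted values, and the event value (or any element, if the event value
    is itself an array) must equal one of them.
    """
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif isinstance(expected, list):
            candidates = actual if isinstance(actual, list) else [actual]
            if not any(c in expected for c in candidates):
                return False
        else:
            raise ValueError(f"pattern leaf for {key!r} must be a list of values")
    return True


def compliance_event(event_id, resource_id, rule_name, old_type, new_type,
                     resource_type="AWS::EC2::Instance"):
    """Build a constructed ComplianceChangeNotification event in the envelope
    format shown on this page (only the detail fields used here are included)."""
    return {
        "version": "0",
        "id": event_id,
        "detail-type": "Config Rules Compliance Change",
        "source": "aws.config",
        "account": "111122223333",
        "time": "2018-03-22T00:38:11Z",
        "region": "us-east-1",
        "resources": [f"arn:aws:config:us-east-1:111122223333:config-rule/{rule_name}"],
        "detail": {
            "resourceId": resource_id,
            "resourceType": resource_type,
            "awsRegion": "us-east-1",
            "awsAccountId": "111122223333",
            "configRuleName": rule_name,
            "messageType": "ComplianceChangeNotification",
            "oldEvaluationResult": {"complianceType": old_type},
            "newEvaluationResult": {"complianceType": new_type},
            "notificationCreationTime": "2018-03-22T00:38:11.000Z",
        },
    }


# Constructed sample stream: one transition to NON_COMPLIANT on an instance,
# one back to COMPLIANT, one on a different resource type, and one snapshot
# delivery status event that has a different detail-type entirely.
SAMPLE_EVENTS = [
    compliance_event("evt-1", "i-04606de676e635647", "required-tags", "COMPLIANT", "NON_COMPLIANT"),
    compliance_event("evt-2", "i-04606de676e635647", "required-tags", "NON_COMPLIANT", "COMPLIANT"),
    compliance_event("evt-3", "sg-0a1b2c3d", "required-tags", "COMPLIANT", "NON_COMPLIANT",
                     resource_type="AWS::EC2::SecurityGroup"),
    {
        "version": "0", "id": "evt-4",
        "detail-type": "Config Configuration Snapshot Delivery Status",
        "source": "aws.config", "account": "111122223333",
        "time": "2018-03-22T01:00:00Z", "region": "us-east-1", "resources": [],
        "detail": {"messageType": "ConfigurationSnapshotDeliveryCompleted",
                   "s3Bucket": "config-bucket-111122223333"},
    },
]


def select_events(events, pattern):
    """Return the ids of the events the rule would route to its targets."""
    return [e["id"] for e in events if matches(pattern, e)]


def pattern_json(pattern):
    """Serialize the pattern as the console's Custom pattern or the CLI
    put-rule --event-pattern input."""
    return json.dumps(pattern, indent=2)


if __name__ == "__main__":
    print(pattern_json(COMPLIANCE_PATTERN))
    print("routed to target:", select_events(SAMPLE_EVENTS, COMPLIANCE_PATTERN))
```

The same pattern JSON can be validated against a real event with `aws events test-event-pattern --event-pattern file://pattern.json --event file://event.json` before the rule is created. Because Amazon Config emits these events on a best-effort basis, a rule like this is a trigger for response, not a complete record: configure a dead-letter queue (step 18) and periodically reconcile against the compliance state Amazon Config itself reports, rather than treating the absence of an event as proof that nothing changed.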