AWS Config¶
About¶
AWS Config uses Amazon SNS to deliver notifications to subscription endpoints. These notifications provide the delivery status for configuration snapshots and configuration histories, and they provide each configuration item that AWS Config creates when the configurations of recorded AWS resources change. AWS Config also sends notifications that show whether resources are compliant against rules. If notifications sent by email is chosen, filters can be used in the email client application based on the subject line and message body of the email.
The following is an example payload of an Amazon SNS notification that is generated when AWS Config detects that the Amazon Elastic Block Store volume vol-ce676ccc is attached to the instance with an ID of i-344c463d. The notification contains the configuration item change for the resource.
Product Details¶
Vendor URL: AWS Resource Configurations
Product Type: AWS
Product Tier: Tier II
Integration Method: Custom
Integration URL: AWS Config - Cyderes Documentation
Log Guide: Sample Logs by Log Type
Parser Details¶
Log Format: JSON
Expected Normalization Rate: 90%
Data Label: AWS_CONFIG
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| configurationItemDiff.changeType | metadata.event_type |
| configurationItemStatus | metadata.event_type |
| configItem.tags.Contact | principal.user.email_addresses |
| configItem.tags.Contact | principal.user.user_display_name |
| configItem.awsAccountId | principal.user.userid |
| relationship.resourceId | target.asset.attribute.cloud.vpc.id |
| configItem.configurationItemStatus | target.asset.attribute.labels |
| configItem.resourceCreationTime | target.asset.creation_time |
| configurationItem.configurationItemCaptureTime | target.asset.creation_time |
| configItem.awsRegion | target.asset.location.country_or_region |
| configurationItem.awsRegion | target.asset.location.country_or_region |
| configItem.tags.OS | target.asset.platform_software.platform |
| configItem.configuration.privateIpAddress | target.ip |
| configItem.configuration.publicIpAddress | target.ip |
| configItem.ARN | target.resource.id |
| configurationItem.resourceId | target.resource.id |
| configItem.resourceName | target.resource.name |
| configItem.resourceType | target.resource.resource_subtype |
| configurationItem.resourceType | target.resource.resource_subtype |
Product Event Types¶
Some products we only support certain event types. Here are the supported AWS Config events.
| Event | UDM Event Classification |
|---|---|
| all others | GENERIC_EVENT |
| CREATE | RESOURCE_DELETION |
| OK | RESOURCE_READ |
| ResourceDeleted | RESOURCE_DELETION |
| ResourceDiscovered | RESOURCE_DELETION |
| UPDATE | RESOURCE_WRITTEN |
Log Sample¶
{"fileVersion":"1.0","configurationItems":[{"relatedEvents":[],"relationships":[],"supplementaryConfiguration":{},"tags":{},"configurationItemVersion":"1.3","configurationItemCaptureTime":"2021-11-03T06:02:20.039Z","configurationStateId":1635919340039,"awsAccountId":"1234","configurationItemStatus":"ResourceDeleted","resourceType":"AWS::AutoScaling::LaunchConfiguration","resourceId":"arn:aws:autoscaling:us-east-1:1234:launchConfiguration:330dfa:launchConfigurationName/alerting_location-group-matching-Test-1234.6474662","resourceName":"alerting_location-group-matching-Test-1234.662","ARN":"arn:aws:autoscaling:us-east-1:1234:launchConfiguration:330dfa:launchConfigurationName/alerting_location-group-matching-Test-1234.662","awsRegion":"us-east-1","configurationStateMd5Hash":""}]}
Sample Parsing¶
metadata.event_timestamp = "2021-11-03T11:47:49.339214Z"
metadata.event_type = "RESOURCE_DELETION"
metadata.vendor_name = "AMAZON"
metadata.product_name = "AWS_CONFIG"
metadata.ingested_timestamp = "2021-11-03T11:47:49.339214Z"
principal.user.userid = "1234"
target.resource.id = "arn:aws:autoscaling:us-east-1:1234:launchConfiguration:330dfa:launchConfigurationName/alerting_location-group-matching-Test-1234.662"
target.resource.name = "alerting_location-group-matching-Test-1234.662"
target.resource.resource_type = "VIRTUAL_MACHINE"
target.resource.resource_subtype = "AWS::AutoScaling::LaunchConfiguration"
target.asset.location.country_or_region = "us-east-1"
target.asset.attribute.cloud.environment = "AMAZON_WEB_SERVICES"
target.asset.attribute.labels.key = "Configuration Item Status"
target.asset.attribute.labels.value = "ResourceDeleted"
Parser Alerting¶
This product currently does not have any Parser-based Alerting
Rules¶
Coming Soon