What is AWS Config?
AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time.
That’s what AWS say. It’s basically compliance and auditing tool for your AWS resources. You can track your resources are compliant or not, according to the rules. Here are some sample rules;
- Ssh port disabled off all my instances?
- Deletion protection enabled on all my RDS instances?
- IAM Access Keys rotating every 90 day?
But there aren’t only 3 rules, there are too many rules. You can’t track all rules by manually. You want to get notified when a rule change status to non-compliant.
We will do this by Amazon Eventbridge and little python code.
Here our python code.
import json, boto3, requests
def lambda_handler(event, context):
time = event['time']
region = event['region']
rule = event["detail"]["configRuleName"]
resource_type = event["detail"]["newEvaluationResult"]["evaluationResultIdentifier"]["evaluationResultQualifier"]["resourceType"]
resource_id = event["detail"]["resourceId"]
compliance = event["detail"]["newEvaluationResult"]["complianceType"]
webhook_url = "YOUR SLACK WEBHOOK URL"
slack_data = slack_data = {
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "\n*Config Compliance Change* :alert_:"
}
},
{
"type": "divider"
},
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "*`Compliance:`* " + compliance + "\n*`Time:`* " + time + "\n*`Region:`* " + region + "\n*`Rule:`* " + rule +"\n*`Resource Type:`* "+resource_type+"\n*`Resource ID:`* "+ resource_id
},
"accessory": {
"type": "image",
"image_url": "https://i.ibb.co/BjWcWKt/Picture1.png",
"alt_text": "thumbnail"
}
},
{
"type": "divider"
},
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "For more details."
},
"accessory": {
"type": "button",
"text": {
"type": "plain_text",
"text": "AWS Config"
},
"value": "click_me_123",
"url": "https://console.aws.amazon.com/config/home?region="+region+"#/timeline/"+resource_type+"/"+resource_id+"/configuration",
"action_id": "button-action"
}
}
]
}
response = requests.post(
webhook_url, data=json.dumps(slack_data),
headers={'Content-Type': 'application/json'}
)
if response.status_code != 200:
raise ValueError(
'Request to slack returned an error %s, the response is:\n%s'
% (response.status_code, response.text)
)
After uploading our code to lambda, we open the Eventbridge console. First we need event pattern.
{
"source": ["aws.config"],
"detail-type": ["Config Rules Compliance Change"],
"detail": {
"messageType": ["ComplianceChangeNotification"],
"newEvaluationResult": {
"complianceType": ["NON_COMPLIANT"]
}
}
}
This event will trigger our lambda function when “complianceType” goes “NON_COMPLIANT” status.
Everything is ready now it’s time to see the results.
AWS Config always checks your resources and rules and if a NON_COMPLIANT type event occurs you will get notification like this.
Thank you for taking the time and reading. I hope it was useful.
Top comments (0)