Menu
AWS Config
Developer Guide

Monitoring AWS Config Resource Changes by Email

If you have set up AWS Config to stream configuration changes and notifications to an Amazon SNS topic, you can monitor those changes by email. These emails can include configuration history, rule compliance, snapshot information, and change notifications. You can also set up email filters based on the subject line or message body to look for specific changes.

To monitor resource changes by email

  1. If you haven't done so already, set up AWS Config to deliver notifications to an Amazon SNS topic. For more information, see Setting up AWS Config with the Console or Setting up AWS Config with the AWS CLI.

  2. Open the Amazon SNS console at https://console.aws.amazon.com/sns/v2/home.

  3. In the navigation pane of the Amazon SNS console, choose Topics.

  4. On the Topics page, open the Amazon SNS topic you specified when you set up AWS Config by choosing its name in the ARN column.

  5. On the Topic details page, under Subscriptions, choose Create subscription.

  6. In the Create subscription dialog box, for Protocol, choose Email.

  7. For Endpoint, type the email address where you want the notifications sent.

  8. Choose Create subscription.

    Check your email for an email confirmation. In the meantime, the console displays PendingConfirmation in the Subscription ID column.

  9. Open the email from "AWS Notifications" and choose Confirm subscription.

    Tip

    If you want to monitor specific resources or other important changes, you can set up email filters in your email application.

Example Email Format and Filters

If you created an email subscription to your Amazon SNS topic, you can filter the email you receive based on information in the subject line and message body. To create a subscription for an Amazon SNS topic, see Monitoring AWS Config Resource Changes by Email.

The subject line of an email looks like the following example:

[AWS Config:us-west-2] AWS::EC2::Instance i-12abcd3e Created in Account 123456789012

In your email client application, you can set up email filters or rules to watch for specific changes or to organize your notifications. For example, you can organize email notifications by region, resource type, resource name, or AWS account. Email filters can help you manage notifications from multiple accounts or if you have many resources in your account.

The message body of an email subscription created with the Email protocol contains information about create, update, and delete events for your AWS resources. The following example shows an email message body created with the Email protocol. The notification contains the configuration item change for the resource.

View the Timeline for this Resource in AWS Config Management Console: https://console.aws.amazon.com/config/home?region=us-west-2#/timeline/AWS:: EC2::Instance/i-12abcd3e New State and Change Record: ---------------------------- { "configurationItemDiff": { "changedProperties": {}, "changeType": "CREATE" }, "configurationItem": { "configurationItemVersion": "1.0", "configurationItemCaptureTime": "2015-03-19T21:20:35.737Z", "configurationStateId": 1, "relatedEvents": [ "4f8abc4f-6def-4g42-hi03-46j3b48k0lmn" ], "awsAccountId": "123456789012", "configurationItemStatus": "ResourceDiscovered", "resourceId": "i-92aeda5b", "ARN": "arn:aws:ec2:us-west-2:123456789012:instance/i-12abcd3e", "awsRegion": "us-west-2", "availabilityZone": "us-west-2c", "configurationStateMd5Hash": "123456789e0f930642026053208e", "resourceType": "AWS::EC2::Instance", "resourceCreationTime": "2015-03-19T21:13:05.000Z", "tags": {}, "relationships": [ { "resourceId": "abc-1234de56", "resourceType": "AWS::EC2::NetworkInterface", "name": "Contains NetworkInterface" }, { "resourceId": "ab-c12defg3", "resourceType": "AWS::EC2::SecurityGroup", "name": "Is associated with SecurityGroup" }, { "resourceId": "subnet-a1b2c3d4", "resourceType": "AWS::EC2::Subnet", "name": "Is contained in Subnet" }, { "resourceId": "vol-a1bc234d", "resourceType": "AWS::EC2::Volume", "name": "Is attached to Volume" }, { "resourceId": "vpc-a12bc345", "resourceType": "AWS::EC2::VPC", "name": "Is contained in Vpc" } ], "configuration": { "instanceId": "i-12abcd3e", "imageId": "ami-123a4567", "state": { "code": 16, "name": "running" }, "privateDnsName": "ip-000-00-0-000.us-west-2.compute.internal", "publicDnsName": "ec2-12-345-678-910.us-west-2.compute.amazonaws.com", "stateTransitionReason": "", "keyName": null, "amiLaunchIndex": 0, "productCodes": [], "instanceType": "t2.micro", "launchTime": "2015-03-19T21:13:05.000Z", "placement": { "availabilityZone": "us-west-2c", "groupName": "", "tenancy": "default" }, "kernelId": null, "ramdiskId": null, "platform": null, "monitoring": { "state": "disabled" }, "subnetId": "subnet-a1b2c3d4", "vpcId": "vpc-a12bc345", "privateIpAddress": "000.00.0.000", "publicIpAddress": "00.000.000.000", "stateReason": null, "architecture": "x86_64", "rootDeviceType": "ebs", "rootDeviceName": "/dev/abcd", "blockDeviceMappings": [ { "deviceName": "/dev/abcd", "ebs": { "volumeId": "vol-a1bc234d", "status": "attached", "attachTime": "2015-03-19T21:13:07.000Z", "deleteOnTermination": true } } ], "virtualizationType": "hvm", "instanceLifecycle": null, "spotInstanceRequestId": null, "clientToken": "ab1234c5-6d78-910-1112-13ef14g15hi16", "tags": [], "securityGroups": [ { "groupName": "default", "groupId": "sg-a12bcde3" } ], "sourceDestCheck": true, "hypervisor": "xen", "networkInterfaces": [ { "networkInterfaceId": "eni-1234ab56", "subnetId": "subnet-a1b2c3d4", "vpcId": "vpc-a12bc345", "description": "", "ownerId": "123456789012", "status": "in-use", "macAddress": "1a:23:45:67:b8", "privateIpAddress": "000.00.0.000", "privateDnsName": "ip-000-00-0-000.us-west-2.compute.internal", "sourceDestCheck": true, "groups": [ { "groupName": "default", "groupId": "sg-a12bcde3" } ], "attachment": { "attachmentId": "eni-attach-123a4b5c", "deviceIndex": 0, "status": "attached", "attachTime": "2015-03-19T21:13:05.000Z", "deleteOnTermination": true }, "association": { "publicIp": "00.000.000.000", "publicDnsName": "ec2-00-000-000-000.us-west-2.compute.amazonaws.com", "ipOwnerId": "amazon" }, "privateIpAddresses": [ { "privateIpAddress": "000.00.0.000", "privateDnsName": "ip-000-00-0-000.us-west-2.compute.internal", "primary": true, "association": { "publicIp": "00.000.000.000", "publicDnsName": "ec2-000-00-0-000.us-west-2.compute.amazonaws.com", "ipOwnerId": "amazon" } } ] } ], "iamInstanceProfile": null, "ebsOptimized": false, "sriovNetSupport": null } }, "notificationCreationTime": "2015-03-19T21:20:36.808Z", "messageType": "ConfigurationItemChangeNotification", "recordVersion": "1.2" }