Logging and Monitoring in AWS Config

AWS Config is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in AWS Config. Monitoring is an important part of maintaining the reliability, availability, and performance of AWS Config and your AWS solutions.

Logging AWS Config API Calls with AWS CloudTrail

CloudTrail captures all API calls for AWS Config as events. The calls captured include calls from the AWS Config console and code calls to the AWS Config API operations. If you create a trail, you can enable continuous delivery of CloudTrail events to an Amazon S3 bucket, including events for AWS Config. If you don't configure a trail, you can still view the most recent events in the CloudTrail console in Event history. Using the information collected by CloudTrail, you can determine the request that was made to AWS Config, the IP address from which the request was made, who made the request, when it was made, and additional details.

To learn more about CloudTrail, see the AWS CloudTrail User Guide.

AWS Config Information in CloudTrail

CloudTrail is enabled on your AWS account when you create the account. When activity occurs in AWS Config, that activity is recorded in a CloudTrail event along with other AWS service events in Event history. You can view, search, and download recent events in your AWS account. For more information, see Viewing Events with CloudTrail Event History.

For an ongoing record of events in your AWS account, including events for AWS Config, create a trail. A trail enables CloudTrail to deliver log files to an Amazon S3 bucket. By default, when you create a trail in the console, the trail applies to all AWS Regions. The trail logs events from all Regions in the AWS partition and delivers the log files to the Amazon S3 bucket that you specify. Additionally, you can configure other AWS services to further analyze and act upon the event data collected in CloudTrail logs. For more information, see the following:

All AWS Config operations are logged by CloudTrail and are documented in the AWS Config API Reference. For example, calls to the DeliverConfigSnapshot, DeleteDeliveryChannel, and DescribeDeliveryChannels operations generate entries in the CloudTrail log files.

Every event or log entry contains information about who generated the request. The identity information helps you determine the following:

  • Whether the request was made with root or AWS Identity and Access Management (IAM) user credentials.

  • Whether the request was made with temporary security credentials for a role or federated user.

  • Whether the request was made by another AWS service.

For more information, see the CloudTrail userIdentity Element.

Understanding AWS Config Log File Entries

A trail is a configuration that enables delivery of events as log files to an Amazon S3 bucket that you specify. CloudTrail log files contain one or more log entries. An event represents a single request from any source and includes information about the requested action, the date and time of the action, request parameters, and so on. CloudTrail log files aren't an ordered stack trace of the public API calls, so they don't appear in any specific order.

Monitoring

You can use other AWS services to monitor AWS Config resources.

  • You can use Amazon Simple Notification Service (SNS) to send you notifications every time a supported AWS resource is created, updated, or otherwise modified as a result of user API activity.

  • You can use Amazon CloudWatch Events to detect and react to changes in the status of AWS Config events.

Monitoring AWS Resource Changes with Amazon SQS

AWS Config uses Amazon Simple Notification Service (SNS) to send you notifications every time a supported AWS resource is created, updated, or otherwise modified as a result of user API activity. However, you might be interested in only certain resource configuration changes. For example, you might consider it critical to know when someone modifies the configuration of a security group, but not need to know every time there is a change to tags on your Amazon EC2 instances. Or, you might want to write a program that performs specific actions when specific resources are updated. For example, you might want to start a certain workflow when a security group configuration is changed. If you want to programmatically consume the data from AWS Config in these or other ways, use an Amazon Simple Queue Service queue as the notification endpoint for Amazon SNS.

Note

Notifications can also come from Amazon SNS in the form of an email, a Short Message Service (SMS) message to SMS-enabled mobile phones and smartphones, a notification message to an application on a mobile device, or a notification message to one or more HTTP or HTTPS endpoints.

You can have a single SQS queue subscribe to multiple topics, whether you have one topic per region or one topic per account per region. You must subscribe the queue to your desired SNS topic. (You can subscribe multiple queues to one SNS topic.) For more information, see Sending Amazon SNS Messages to Amazon SQS Queues.
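As an added example (not code from the AWS documentation), a small Python consumer that unwraps one SQS message delivered by SNS and keeps only configuration changes to security groups while dropping tag-only edits, the filtering scenario described above. The sample message, the CRITICAL_TYPES set and the "Tags." diff-key prefix are assumptions.

```python
import json

# Constructed sample: the body of one SQS message as delivered by SNS. The outer
# object is the SNS envelope; "Message" holds the AWS Config notification as a
# JSON-encoded string, so it has to be decoded a second time.
SAMPLE_SQS_BODY = json.dumps({
    "Type": "Notification",
    "Message": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0123456789abcdef0",
        },
        "configurationItemDiff": {
            "changeType": "UPDATE",
            "changedProperties": {
                "Configuration.IpPermissions.0": {"changeType": "CREATE"},
            },
        },
    }),
})

# Resource types whose configuration changes we treat as critical (assumption).
CRITICAL_TYPES = {"AWS::EC2::SecurityGroup", "AWS::IAM::Role"}

def parse_config_notification(sqs_body):
    """Unwrap the SNS envelope and return the AWS Config notification dict."""
    envelope = json.loads(sqs_body)
    if envelope.get("Type") != "Notification":
        return None
    return json.loads(envelope["Message"])

def is_critical_change(notification):
    """True for a configuration change to a critical resource type, ignoring
    edits that only touch tags (diff keys starting with "Tags." is assumed)."""
    if notification.get("messageType") != "ConfigurationItemChangeNotification":
        return False
    item = notification.get("configurationItem", {})
    if item.get("resourceType") not in CRITICAL_TYPES:
        return False
    changed = (notification.get("configurationItemDiff") or {}).get("changedProperties") or {}
    return any(not key.startswith("Tags.") for key in changed)

def triage(sqs_body):
    """Return (resourceType, resourceId, changeType) for a critical change, else None."""
    note = parse_config_notification(sqs_body)
    if note is None or not is_critical_change(note):
        return None
    item = note["configurationItem"]
    return item["resourceType"], item["resourceId"], note["configurationItemDiff"]["changeType"]
```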

Permissions for Amazon SQS

To use Amazon SQS with AWS Config, you must configure a policy that grants permissions to your account to perform all actions that are allowed on an SQS queue. The following example policy grants the account number 111122223333 and account number 444455556666 permission to send messages pertaining to each configuration change to the queue named arn:aws:sqs:us-east-2:444455556666:queue1.

{
  "Version": "2012-10-17",
  "Id": "Queue1_Policy_UUID",
  "Statement": {
    "Sid": "Queue1_SendMessage",
    "Effect": "Allow",
    "Principal": {
      "AWS": ["111122223333", "444455556666"]
    },
    "Action": "sqs:SendMessage",
    "Resource": "arn:aws:sqs:us-east-2:444455556666:queue1"
  }
}

You must also create a policy that grants permissions for connections between an SNS topic and the SQS queue that subscribes to that topic. The following is an example policy that permits the SNS topic with the Amazon Resource Name (ARN) arn:aws:sns:us-east-2:111122223333:test-topic to perform any actions on the queue named arn:aws:sqs:us-east-2:111122223333:test-topic-queue.

Note

The account for the SNS topic and the SQS queue must be in the same region.

{
  "Version": "2012-10-17",
  "Id": "SNStoSQS",
  "Statement": {
    "Sid": "rule1",
    "Effect": "Allow",
    "Principal": {
      "Service": "sns.amazonaws.com"
    },
    "Action": "SQS:SendMessage",
    "Resource": "arn:aws:sqs:us-east-2:111122223333:test-topic-queue",
    "Condition": {
      "StringEquals": {
        "aws:SourceArn": "arn:aws:sns:us-east-2:111122223333:test-topic"
      }
    }
  }
}

Each policy can include statements that cover only a single queue, not multiple queues. For information about other restrictions on Amazon SQS policies, see Special Information for Amazon SQS Policies.
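An added Python check (not part of the AWS documentation) that reads a queue policy like the SNS-to-SQS example above and reports any SNS statement that is broader than it should be: a Resource other than the one queue, actions beyond sqs:SendMessage, a missing aws:SourceArn condition, or a topic whose region differs from the queue's. The policy string and queue ARN are taken from the example above; the check function itself is an assumption.

```python
import json

# Constructed input: the SNS-to-SQS policy from the text, as the JSON string the
# GetQueueAttributes "Policy" attribute would return.
SNS_TO_SQS_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "SNStoSQS",
    "Statement": {
        "Sid": "rule1",
        "Effect": "Allow",
        "Principal": {"Service": "sns.amazonaws.com"},
        "Action": "SQS:SendMessage",
        "Resource": "arn:aws:sqs:us-east-2:111122223333:test-topic-queue",
        "Condition": {"StringEquals": {
            "aws:SourceArn": "arn:aws:sns:us-east-2:111122223333:test-topic"}},
    },
})

def _as_list(value):
    """IAM accepts a single string/object or a list in most policy fields."""
    return value if isinstance(value, list) else [value]

def arn_region(arn):
    """Region is the fourth colon-separated field of an ARN."""
    return arn.split(":")[3]

def check_sns_to_sqs_policy(policy_json, queue_arn):
    """Return findings for Allow statements granted to the SNS service principal.
    An empty list means each such statement is scoped the way the text requires."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or "sns.amazonaws.com" not in services:
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if _as_list(stmt.get("Resource", [])) != [queue_arn]:
            findings.append(f"{sid}: Resource must be exactly the single queue {queue_arn}")
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions <= {"sqs:sendmessage"}:
            findings.append(f"{sid}: SNS only needs sqs:SendMessage, policy grants {sorted(actions)}")
        source = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:SourceArn")
        if source is None:
            findings.append(f"{sid}: no aws:SourceArn condition, so any SNS topic could send to this queue")
        elif arn_region(source) != arn_region(queue_arn):
            findings.append(f"{sid}: topic region {arn_region(source)} differs from queue region {arn_region(queue_arn)}")
    return findings
```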

Monitoring AWS Config with Amazon EventBridge

Amazon EventBridge delivers a near real-time stream of system events that describe changes in AWS resources. Use Amazon EventBridge to detect and react to changes in the status of AWS Config events.

You can create a rule that runs whenever there is a state transition, or when there is a transition to one or more states that are of interest. Then, based on rules you create, Amazon EventBridge invokes one or more target actions when an event matches the values you specify in a rule. Depending on the type of event, you might want to send notifications, capture event information, take corrective action, initiate events, or take other actions.

Before you create event rules for AWS Config, however, you should do the following:

Amazon EventBridge format for AWS Config

The EventBridge event for AWS Config has the following format:

{
  "version": "0",
  "id": "cd4d811e-ab12-322b-8255-872ce65b1bc8",
  "detail-type": "event type",
  "source": "aws.config",
  "account": "111122223333",
  "time": "2018-03-22T00:38:11Z",
  "region": "us-east-1",
  "resources": [ resources ],
  "detail": { specific message type }
}

Creating Amazon EventBridge Rule for AWS Config

Use the following steps to create an EventBridge rule that triggers on an event emitted by AWS Config. Events are emitted on a best effort basis.

  1. In the navigation pane, choose Rules.

  2. Choose Create rule.

  3. Enter a name and description for the rule.

    A rule can't have the same name as another rule in the same Region and on the same event bus.

  4. For Define pattern, choose Event pattern.

  5. Choose Pre-defined pattern by service.

  6. For Service provider, choose AWS.

  7. For Service name, choose Config.

  8. For Event Type, choose the event type that triggers the rule:

  9. Choose Any message type to receive notifications of any type. Choose Specific message type(s) to receive the following types of notifications:

    • If you choose ConfigurationItemChangeNotification, you receive messages when the configuration of a resource that AWS Config records changes.

    • If you choose ComplianceChangeNotification, you receive messages when the compliance type of a resource that AWS Config evaluates has changed.

    • If you choose ConfigRulesEvaluationStarted, you receive messages when AWS Config starts evaluating your rule against the specified resources.

    • If you choose ConfigurationSnapshotDeliveryCompleted, you receive messages when AWS Config successfully delivers the configuration snapshot to your Amazon S3 bucket.

    • If you choose ConfigurationSnapshotDeliveryFailed, you receive messages when AWS Config fails to deliver the configuration snapshot to your Amazon S3 bucket.

    • If you choose ConfigurationSnapshotDeliveryStarted, you receive messages when AWS Config starts delivering the configuration snapshot to your Amazon S3 bucket.

    • If you choose ConfigurationHistoryDeliveryCompleted, you receive messages when AWS Config successfully delivers the configuration history to your Amazon S3 bucket.

  10. If you chose a specific event type from the Event Type dropdown list, choose Any resource type to make a rule that applies to all AWS Config supported resource types.

    Or choose Specific resource type(s), and then type the AWS Config supported resource type (for example, AWS::EC2::Instance).

  11. If you chose a specific event type from the Event Type dropdown list, choose Any resource ID to include any AWS Config supported resource ID.

    Or choose Specific resource ID(s), and then type the AWS Config supported resource ID (for example, i-04606de676e635647).

  12. If you chose a specific event type from the Event Type dropdown list, choose Any rule name to include any AWS Config supported rule.

    Or choose Specific rule name(s), and then type the AWS Config supported rule (for example, required-tags).

  13. For Select event bus, choose the event bus that you want to associate with this rule. If you want this rule to match events that come from your account, select AWS default event bus. When an AWS service in your account emits an event, it always goes to your account’s default event bus.

  14. For Select targets, choose the type of target you have prepared to use with this rule, and then configure any additional options required by that type.

  15. The fields displayed vary depending on the service you choose. Enter information specific to this target type as needed.

  16. For many target types, EventBridge needs permissions to send events to the target. In these cases, EventBridge can create the IAM role needed for your rule to run.

    • To create an IAM role automatically, choose Create a new role for this specific resource.

    • To use an IAM role that you created earlier, choose Use existing role.

  17. Under Retry policy and dead-letter queue, for Retry policy:

    • For Maximum age of event, enter a value between one minute (00:01) and 24 hours (24:00).

    • For Retry attempts, enter a number between 0 and 185.

  18. For Dead-letter queue, choose whether to use a standard Amazon SQS queue as a dead-letter queue. EventBridge sends events that match this rule to the dead-letter queue if they are not successfully delivered to the target. Do one of the following:

    • Choose None to not use a dead-letter queue.

    • Choose Select an Amazon SQS queue in the current AWS account to use as the dead-letter queue and then select the queue to use from the dropdown list.

    • Choose Select an Amazon SQS queue in another AWS account as a dead-letter queue and then enter the ARN of the queue to use. You must attach a resource-based policy to the queue that grants EventBridge permission to send messages to it. For more information, see Event retry policy and using dead-letter queues.

  19. (Optional) Choose Add target to add another target for this rule.

  20. (Optional) Enter one or more tags for the rule. For more information, see Amazon EventBridge tags.

  21. Review your rule setup to make sure it meets your event-monitoring requirements.

  22. Choose Create to confirm your selection.
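Added Python example, not AWS's own code: the event pattern that the console selections in steps 7 to 11 correspond to (service Config, one message type, one resource type, one resource ID), with a minimal matcher that applies EventBridge's "any of the listed values" semantics to an event in the format from the section above. The detail-type string, the layout of the detail object and the pattern field names are assumptions; the page shows them only as placeholders.

```python
# Constructed event in the AWS Config EventBridge format given above. The
# detail-type value and the detail layout (mirroring the SNS notification
# body) are assumptions.
SAMPLE_EVENT = {
    "detail-type": "Config Configuration Item Change",
    "source": "aws.config",
    "account": "111122223333",
    "region": "us-east-1",
    "resources": ["arn:aws:ec2:us-east-1:111122223333:instance/i-04606de676e635647"],
    "detail": {
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Instance",
            "resourceId": "i-04606de676e635647",
        },
    },
}

# Event pattern equivalent to choosing Config, a specific message type, the
# AWS::EC2::Instance resource type and one resource ID in steps 7 to 11.
RULE_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Configuration Item Change"],
    "detail": {
        "messageType": ["ConfigurationItemChangeNotification"],
        "configurationItem": {
            "resourceType": ["AWS::EC2::Instance"],
            "resourceId": ["i-04606de676e635647"],
        },
    },
}

def matches(pattern, event):
    """Simplified EventBridge matching: every pattern key must exist in the
    event; a list leaf means "any of these exact values"; a dict recurses.
    Event fields the pattern does not mention are ignored."""
    for key, want in pattern.items():
        if key not in event:
            return False
        got = event[key]
        if isinstance(want, dict):
            if not isinstance(got, dict) or not matches(want, got):
                return False
        else:
            # A list-valued event field (like "resources") matches if any element is listed.
            candidates = got if isinstance(got, list) else [got]
            if not any(c in want for c in candidates):
                return False
    return True
```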