Compliance notifications by SNS in the audit account


To receive compliance change notifications in email sent to your audit account, subscribe to this Amazon SNS topic:

arn:aws:sns:AWSRegion:AuditAccount:aws-controltower-AggregateSecurityNotifications

When subscribing, substitute your actual AWS Control Tower home Region and audit account information into the topic name shown. You can subscribe to SNS topics that receive notifications about each supported AWS Region in which you run AWS Control Tower.

SNS topics and notifications you can receive
  • The aws-controltower-AllConfigNotifications topic:

    It receives notifications from AWS Config regarding compliance, noncompliance, and change. It also receives notifications from AWS CloudTrail on log file delivery.

  • The aws-controltower-SecurityNotifications topic:

    One of these topics exists for each supported AWS Region. It receives compliance, noncompliance, and change notifications from AWS Config in that Region. It forwards all incoming notifications to aws-controltower-AggregateSecurityNotifications.

  • The aws-controltower-AggregateSecurityNotifications topic:

    This topic exists in each supported AWS Region. It receives compliance change notifications from the Region-specific aws-controltower-SecurityNotifications topics. In the home Region, it also receives drift notifications.

Other considerations about SNS topics:
  • All of these topics exist and receive notifications in the Audit account.

  • By default, the Audit account email address is subscribed to the aws-controltower-AggregateSecurityNotifications SNS topic.

  • SNS topics in AWS Control Tower are extremely noisy, by design. For example, AWS Config sends a notification every time AWS Config discovers a new resource.

  • Administrators who wish to filter out specific types of notifications from an SNS topic can create an AWS Lambda function and subscribe it to the SNS topic. Alternatively, you can set up an EventBridge rule to filter notifications, as described in this support article, How can I be notified when an AWS resource is non-compliant using AWS Config?

  • AWS Config notifications contain a JSON object.

  • AWS Control Tower drift notifications appear in plain text.
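
The Lambda filter described in the list above could look like the following. This is an added example, not code from the AWS documentation: it keeps NON_COMPLIANT results and plain-text (drift) messages and drops the rest. Assumptions: the evaluation result is read from `newEvaluationResult.complianceType` at the top level or under `detail`, `FORWARD_TOPIC_ARN` is a hypothetical environment variable naming a separate low-noise topic, and the sample event is constructed.

```python
import json
import os

def classify(message):
    """Label one SNS message body: 'noncompliant', 'plain-text' or 'drop'."""
    try:
        body = json.loads(message)
    except ValueError:
        return "plain-text"  # not JSON: drift notifications arrive as plain text
    if not isinstance(body, dict):
        return "plain-text"
    # Assumption: the evaluation result sits at the top level (AWS Config
    # notification) or under "detail" (EventBridge-wrapped event).
    detail = body["detail"] if isinstance(body.get("detail"), dict) else body
    result = detail.get("newEvaluationResult")
    if isinstance(result, dict) and result.get("complianceType") == "NON_COMPLIANT":
        return "noncompliant"
    return "drop"  # resource discovery, COMPLIANT results, delivery notices

def lambda_handler(event, context):
    kept = []
    for record in event.get("Records", []):
        message = record.get("Sns", {}).get("Message", "")
        kind = classify(message)
        if kind != "drop":
            kept.append({"kind": kind, "message": message})
    topic = os.environ.get("FORWARD_TOPIC_ARN")  # hypothetical low-noise topic
    if topic and kept:
        import boto3  # imported lazily so the filter logic runs offline
        sns = boto3.client("sns")
        for item in kept:
            sns.publish(TopicArn=topic, Message=item["message"])
    return kept

# Constructed sample event in the SNS-to-Lambda shape (not real notifications).
SAMPLE_EVENT = {"Records": [
    {"Sns": {"Message": json.dumps({"messageType": "ConfigurationItemChangeNotification"})}},
    {"Sns": {"Message": json.dumps({
        "messageType": "ComplianceChangeNotification",
        "configRuleName": "example-rule",
        "newEvaluationResult": {"complianceType": "NON_COMPLIANT"}})}},
    {"Sns": {"Message": "Constructed plain-text drift notification"}},
]}

if __name__ == "__main__":
    for item in lambda_handler(SAMPLE_EVENT, None):
        print(item["kind"], "->", item["message"][:60])
```
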

The AWS Config SNS topic policy

The AWS Config SNS topic policy contains the aws:SourceOrgID condition key. The policy is shown in the following example.

    SNSAllConfigurationTopicPolicy:
      Type: AWS::SNS::TopicPolicy
      Properties:
        Topics:
          - !Ref SNSAllConfigurationTopic
        PolicyDocument:
          Statement:
            - Sid: AWSSNSPolicy
              Action:
                - sns:Publish
              Effect: Allow
              Resource: !Ref SNSAllConfigurationTopic
              Principal:
                Service:
                  - cloudtrail.amazonaws.com
                  - config.amazonaws.com
              Condition:
                StringEquals:
                  aws:SourceOrgID: !Ref OrganizationId

© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.