How do I understand the configurationItemDiff field in Amazon SNS ConfigurationItemChangeNotification notifications?
I received a ConfigurationItemChangeNotification Amazon Simple Notification Service (Amazon SNS) notification. Why did I get this notification, and how do I interpret the information in the configurationItemDiff field?
Resolution
AWS Config creates a configuration item whenever the configuration of a resource changes (create/update/delete). For a list of resources that AWS Config supports, see Supported resource types. AWS Config uses Amazon SNS to deliver a notification as the changes occur. The Amazon SNS notification payload includes fields to help you track the resource changes in a given AWS Region. For more information, see Example configuration item change notifications.
To understand why you received a ConfigurationItemChangeNotification notification, review the configurationItemDiff details. The top-level changeType describes the operation on the resource itself, and each entry under changedProperties carries its own changeType, so the two together form combinations such as UPDATE-UPDATE, UPDATE-CREATE, and DELETE-DELETE. Which properties appear depends on the type of change. The following are explanations of some common combinations.
UPDATE-CREATE and UPDATE-UPDATE
The following example includes changes in the resource direct relationships and resource configurations. The configurationItemDiff details reveal the following information:
Action performed: A managed policy present in the account was attached to an AWS Identity and Access Management (IAM) role.
Basic operation performed: UPDATE (updating the number of associations of the resource type AWS::IAM::Policy in an account).
Change type combinations:
- Resource direct relationship change UPDATE-CREATE. A new attachment or association was created between an IAM policy and an IAM role.
- Resource configuration change UPDATE-UPDATE. The number of IAM policy associations (Configuration.AttachmentCount) increased from 2 to 3 when the policy was attached to the IAM role.
Example UPDATE-CREATE and UPDATE-UPDATE configurationItemDiff notification (the Relationships.0 entry is the UPDATE-CREATE relationship change, and the Configuration.AttachmentCount entry is the UPDATE-UPDATE configuration change):
{
  "configurationItemDiff": {
    "changedProperties": {
      "Relationships.0": {
        "previousValue": null,
        "updatedValue": {
          "resourceId": "AROA6D3M4S53*********",
          "resourceName": "Test1",
          "resourceType": "AWS::IAM::Role",
          "name": "Is attached to Role"
        },
        "changeType": "CREATE"
      },
      "Configuration.AttachmentCount": {
        "previousValue": 2,
        "updatedValue": 3,
        "changeType": "UPDATE"
      }
    },
    "changeType": "UPDATE"
  }
}
UPDATE-DELETE
The following example includes changes in the resource direct relationships. The configurationItemDiff details reveal the following information:
Action performed: A managed policy present in the account was detached from an IAM user.
Basic operation performed: UPDATE (updating the permissions policy associated with the resource type AWS::IAM::User).
Change type combination: Resource direct relationship change UPDATE-DELETE. The association between an IAM user and an IAM policy in an account was deleted.
Example UPDATE-DELETE configurationItemDiff notification (the Configuration.UserPolicyList.0 entry is the UPDATE-DELETE relationship change; the policyDocument value is a JSON document stored as an escaped string):
{
  "configurationItemDiff": {
    "changedProperties": {
      "Configuration.UserPolicyList.0": {
        "previousValue": {
          "policyName": "Test2",
          "policyDocument": "{ \"Version\": \"2012-10-17\", \"Statement\": [ { \"Sid\": \"VisualEditor0\", \"Effect\": \"Allow\", \"Action\": \"ec2:RunInstances\", \"Resource\": \"arn:aws:ec2:*:*:instance/*\", \"Condition\": { \"StringLike\": { \"aws:RequestTag/VPCId\": \"*\" } } } ] }"
        },
        "updatedValue": null,
        "changeType": "DELETE"
      }
    },
    "changeType": "UPDATE"
  }
}
DELETE-DELETE
The following example includes changes in the resource direct relationships and resource configurations. The configurationItemDiff details reveal the following information:
Action performed: An IAM role present in an account was deleted.
Basic operation performed: DELETE (a resource of the resource type AWS::IAM::Role was deleted).
Change type combination: Resource direct relationship change and resource configuration change DELETE-DELETE. The deletion of the IAM role also deleted the association of the IAM policy with the IAM role.
Example DELETE-DELETE configurationItemDiff notification (the Relationships.0 entry is the relationship change and the Configuration entry is the configuration change; both carry changeType DELETE because the whole role was deleted):
{
  "configurationItemDiff": {
    "changedProperties": {
      "Relationships.0": {
        "previousValue": {
          "resourceId": "ANPAIJ5MXUKK*********",
          "resourceName": "AWSCloudTrailAccessPolicy",
          "resourceType": "AWS::IAM::Policy",
          "name": "Is attached to CustomerManagedPolicy"
        },
        "updatedValue": null,
        "changeType": "DELETE"
      },
      "Configuration": {
        "previousValue": {
          "path": "/",
          "roleName": "CloudTrailRole",
          "roleId": "AROAJITJ6YGM*********",
          "arn": "arn:aws:iam::123456789012:role/CloudTrailRole",
          "createDate": "2017-12-06T10:27:51.000Z",
          "assumeRolePolicyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::123456789012:root\"},\"Action\":\"sts:AssumeRole\",\"Condition\":{\"StringEquals\":{\"sts:ExternalId\":\"123456\"}}}]}",
          "instanceProfileList": [],
          "rolePolicyList": [],
          "attachedManagedPolicies": [
            {
              "policyName": "AWSCloudTrailAccessPolicy",
              "policyArn": "arn:aws:iam::123456789012:policy/AWSCloudTrailAccessPolicy"
            }
          ],
          "permissionsBoundary": null,
          "tags": [],
          "roleLastUsed": null
        },
        "updatedValue": null,
        "changeType": "DELETE"
      }
    },
    "changeType": "DELETE"
  }
}
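The three examples above all follow the same shape: a resource-level changeType plus one changeType per entry in changedProperties, with relationship changes keyed as Relationships.N and everything else keyed under Configuration. The following added example (not code from the AWS page or from AWS) walks that structure for all three notification types, labels each entry with its combination, and flags the entries that add or remove an IAM policy association so a reviewer can triage them. The sample messages are constructed from the page's examples (the DELETE-DELETE Configuration value is trimmed), the flagging rule and the helper names are assumptions of this example, and the SNS message body is assumed to be the AWS Config notification JSON with its messageType field.

```python
import json

# Constructed from the page's UPDATE-CREATE / UPDATE-UPDATE example
# (resource IDs are the page's redacted placeholders).
UPDATE_CREATE_UPDATE_UPDATE = {
    "configurationItemDiff": {
        "changedProperties": {
            "Relationships.0": {
                "previousValue": None,
                "updatedValue": {
                    "resourceId": "AROA6D3M4S53*********",
                    "resourceName": "Test1",
                    "resourceType": "AWS::IAM::Role",
                    "name": "Is attached to Role",
                },
                "changeType": "CREATE",
            },
            "Configuration.AttachmentCount": {
                "previousValue": 2, "updatedValue": 3, "changeType": "UPDATE",
            },
        },
        "changeType": "UPDATE",
    }
}

# Constructed from the page's UPDATE-DELETE example (inline policy detached).
UPDATE_DELETE = {
    "configurationItemDiff": {
        "changedProperties": {
            "Configuration.UserPolicyList.0": {
                "previousValue": {
                    "policyName": "Test2",
                    "policyDocument": '{"Version": "2012-10-17", "Statement": []}',
                },
                "updatedValue": None,
                "changeType": "DELETE",
            }
        },
        "changeType": "UPDATE",
    }
}

# Constructed from the page's DELETE-DELETE example; Configuration is trimmed.
DELETE_DELETE = {
    "configurationItemDiff": {
        "changedProperties": {
            "Relationships.0": {
                "previousValue": {
                    "resourceId": "ANPAIJ5MXUKK*********",
                    "resourceName": "AWSCloudTrailAccessPolicy",
                    "resourceType": "AWS::IAM::Policy",
                    "name": "Is attached to CustomerManagedPolicy",
                },
                "updatedValue": None,
                "changeType": "DELETE",
            },
            "Configuration": {
                "previousValue": {"roleName": "CloudTrailRole"},
                "updatedValue": None,
                "changeType": "DELETE",
            },
        },
        "changeType": "DELETE",
    }
}


def property_kind(key):
    """Relationship changes are keyed Relationships.N; the rest is configuration."""
    return "relationship" if key.startswith("Relationships.") else "configuration"


def summarize_diff(notification):
    """Return one row per changedProperties entry, labelled OUTER-INNER."""
    diff = notification["configurationItemDiff"]
    outer = diff["changeType"]  # operation on the resource itself
    return [
        {
            "property": key,
            "kind": property_kind(key),
            "combination": f"{outer}-{prop['changeType']}",
            "previousValue": prop.get("previousValue"),
            "updatedValue": prop.get("updatedValue"),
        }
        for key, prop in diff.get("changedProperties", {}).items()
    ]


def touches_iam_policy(entry):
    """Assumed triage rule: relationship changes to IAM resources, or
    changes to the policy-association fields seen on the page."""
    if entry["kind"] == "relationship":
        return any(
            isinstance(entry[side], dict)
            and str(entry[side].get("resourceType", "")).startswith("AWS::IAM::")
            for side in ("previousValue", "updatedValue")
        )
    return entry["property"].startswith(
        ("Configuration.AttachmentCount", "Configuration.UserPolicyList.")
    )


def review_candidates(notification):
    """Property keys a reviewer should look at first."""
    return [e["property"] for e in summarize_diff(notification) if touches_iam_policy(e)]


def to_sns_message(notification, message_type="ConfigurationItemChangeNotification"):
    """Build the JSON string an SNS Message field would carry (assumed layout)."""
    return json.dumps({"messageType": message_type, **notification})


def handle_sns_message(message_body):
    """Parse the SNS Message string; only change notifications carry a diff."""
    msg = json.loads(message_body)
    if msg.get("messageType") != "ConfigurationItemChangeNotification":
        return msg.get("messageType"), []
    return msg["messageType"], summarize_diff(msg)


if __name__ == "__main__":
    for name, sample in [("UPDATE-CREATE/UPDATE-UPDATE", UPDATE_CREATE_UPDATE_UPDATE),
                         ("UPDATE-DELETE", UPDATE_DELETE), ("DELETE-DELETE", DELETE_DELETE)]:
        print(name, [(r["property"], r["combination"]) for r in summarize_diff(sample)],
              "review:", review_candidates(sample))
```

The combination label is simply the resource-level changeType joined to the per-property changeType, which is why a deleted role yields DELETE-DELETE for both its relationship and its configuration entries while a policy attachment yields UPDATE-CREATE beside UPDATE-UPDATE. In a Lambda subscribed to the SNS topic, the message body would come from the record's Sns.Message field before being passed to handle_sns_message.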