I received a ConfigurationItemChangeNotification Amazon Simple Notification Service (Amazon SNS) notification, and I want to know what it means.
Resolution
AWS Config creates a configuration item whenever the configuration of a resource changes, such as when a resource is created, updated, or deleted. For a list of resources that AWS Config supports, see Supported resource types for AWS Config. AWS Config uses Amazon SNS to deliver a notification as each change occurs. The Amazon SNS notification payload includes fields that help you track resource changes in an AWS Region, including a configurationItemDiff section that describes exactly what changed. For more information, see Example configuration item change notifications.
To understand why you received a ConfigurationItemChangeNotification notification, review the configurationItemDiff details. The top-level changeType states what happened to the configuration item as a whole (CREATE, UPDATE, or DELETE), and each entry under changedProperties carries its own changeType for the individual property that changed. Read together they form combinations such as UPDATE-UPDATE, UPDATE-CREATE, and DELETE-DELETE, where the first value is the top-level changeType and the second is the property's changeType. Keys that start with Relationships describe the resource's direct relationships to other resources; keys that start with Configuration describe the resource's own configuration. The following are explanations of common combinations.
UPDATE-CREATE and UPDATE-UPDATE
The following example includes changes in the resource direct relationships and resource configurations. The configurationItemDiff details show the following information:
- Action performed: You attached a managed policy present in the account to an AWS Identity and Access Management (IAM) role.
- Basic operation performed: The UPDATE operation updates the number of associations of the resource type AWS::IAM::Policy in an account.
The following are the change type combinations that can occur:
- Resource direct relationship change UPDATE-CREATE (Relationships.0): You create a new attachment between the IAM policy and an IAM role. The previousValue is null and the updatedValue identifies the role.
- Resource configuration change UPDATE-UPDATE (Configuration.AttachmentCount): The policy's AttachmentCount increases from 2 to 3 when the policy is attached to the IAM role.
Example UPDATE-CREATE and UPDATE-UPDATE configurationItemDiff notification:
{
"configurationItemDiff": {
"changedProperties": {
"Relationships.0": {
"previousValue": null,
"updatedValue": {
"resourceId": "AROA6D3M4S53*********",
"resourceName": "Test1",
"resourceType": "AWS::IAM::Role",
"name": "Is attached to Role"
},
"changeType": "CREATE"
},
"Configuration.AttachmentCount": {
"previousValue": 2,
"updatedValue": 3,
"changeType": "UPDATE"
}
},
"changeType": "UPDATE"
}
}
UPDATE-DELETE
The following example includes a change in the resource configuration of an IAM user. The configurationItemDiff details show the following information:
- Action performed: You removed an inline policy from an IAM user. The changed key is Configuration.UserPolicyList.0, and the removed entry carries a policyDocument, which is how AWS Config records inline policies; a detached managed policy is recorded in the user's list of attached managed policies instead.
- Basic operation performed: The UPDATE operation updates the permissions policies of the resource type AWS::IAM::User.
The following change type combination can occur: Resource configuration change UPDATE-DELETE. The user still exists, so the top-level changeType is UPDATE, but the inline policy entry is removed, so its previousValue holds the policy and its updatedValue is null.
Example UPDATE-DELETE configurationItemDiff notification:
{
"configurationItemDiff": {
"changedProperties": {
"Configuration.UserPolicyList.0": {
"previousValue": {
"policyName": "Test2",
"policyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"VisualEditor0\",\"Effect\":\"Allow\",\"Action\":\"ec2:RunInstances\",\"Resource\":\"arn:aws:ec2:*:*:instance/*\",\"Condition\":{\"StringLike\":{\"aws:RequestTag/VPCId\":\"*\"}}}]}"
},
"updatedValue": null,
"changeType": "DELETE"
}
},
"changeType": "UPDATE"
}
}
DELETE-DELETE
The following example includes changes in the resource direct relationships and resource configurations. The configurationItemDiff details show the following information:
- Action performed: You deleted an IAM role present in an account.
- Basic operation performed: The DELETE operation deleted a resource of the resource type AWS::IAM::Role.
The following change type combination can occur: Resource direct relationship change and resource configuration change DELETE-DELETE. Because the IAM role itself is deleted, the top-level changeType is DELETE. The Relationships.0 entry records the removed attachment to the managed policy AWSCloudTrailAccessPolicy, and the Configuration entry carries the role's full last-known configuration in previousValue with updatedValue null. The deletion of the IAM role also deletes the association of the IAM policy with the IAM role; the policy itself is not deleted.
Example DELETE-DELETE configurationItemDiff notification:
{
"configurationItemDiff": {
"changedProperties": {
"Relationships.0": {
"previousValue": {
"resourceId": "ANPAIJ5MXUKK*********",
"resourceName": "AWSCloudTrailAccessPolicy",
"resourceType": "AWS::IAM::Policy",
"name": "Is attached to CustomerManagedPolicy"
},
"updatedValue": null,
"changeType": "DELETE"
},
"Configuration": {
"previousValue": {
"path": "/",
"roleName": "CloudTrailRole",
"roleId": "AROAJITJ6YGM*********",
"arn": "arn:aws:iam::123456789012:role/CloudTrailRole",
"createDate": "2017-12-06T10:27:51.000Z",
"assumeRolePolicyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::123456789012:root\"},\"Action\":\"sts:AssumeRole\",\"Condition\":{\"StringEquals\":{\"sts:ExternalId\":\"123456\"}}}]}",
"instanceProfileList": [],
"rolePolicyList": [],
"attachedManagedPolicies": [
{
"policyName": "AWSCloudTrailAccessPolicy",
"policyArn": "arn:aws:iam::123456789012:policy/AWSCloudTrailAccessPolicy"
}
],
"permissionsBoundary": null,
"tags": [],
"roleLastUsed": null
},
"updatedValue": null,
"changeType": "DELETE"
}
},
"changeType": "DELETE"
}
}
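The three examples above differ only in which changeType appears at the top of configurationItemDiff and on each changed property. The following Python script, added here as an example and not part of the original article, decodes the JSON string that Amazon SNS delivers in the Message field, labels each changed property with its combination (top-level changeType, then property changeType), and summarizes the direct-relationship changes. The two payloads in it are constructed to mirror the UPDATE-CREATE/UPDATE-UPDATE and DELETE-DELETE examples; the resource names and IDs are placeholders, and the configurationItem section is reduced to the fields the script reads.

```python
"""Classify the changedProperties of an AWS Config ConfigurationItemChangeNotification
delivered through Amazon SNS. Added example, not code from the original page; the
payloads below are constructed to mirror the page's UPDATE-CREATE/UPDATE-UPDATE and
DELETE-DELETE examples, with placeholder names and IDs."""
import json
from typing import Dict, List

# Constructed: the AWS::IAM::Policy item after the policy is attached to a role.
POLICY_ATTACHED = {
    "messageType": "ConfigurationItemChangeNotification",
    "configurationItem": {"resourceType": "AWS::IAM::Policy", "resourceName": "TestPolicy"},
    "configurationItemDiff": {
        "changedProperties": {
            "Relationships.0": {
                "previousValue": None,
                "updatedValue": {"resourceId": "AROA6D3M4S53EXAMPLE", "resourceName": "Test1",
                                 "resourceType": "AWS::IAM::Role", "name": "Is attached to Role"},
                "changeType": "CREATE",
            },
            "Configuration.AttachmentCount": {"previousValue": 2, "updatedValue": 3,
                                              "changeType": "UPDATE"},
        },
        "changeType": "UPDATE",
    },
}

# Constructed: the AWS::IAM::Role item after the role is deleted.
ROLE_DELETED = {
    "messageType": "ConfigurationItemChangeNotification",
    "configurationItem": {"resourceType": "AWS::IAM::Role", "resourceName": "CloudTrailRole"},
    "configurationItemDiff": {
        "changedProperties": {
            "Relationships.0": {
                "previousValue": {"resourceId": "ANPAIJ5MXUKKEXAMPLE",
                                  "resourceName": "AWSCloudTrailAccessPolicy",
                                  "resourceType": "AWS::IAM::Policy",
                                  "name": "Is attached to CustomerManagedPolicy"},
                "updatedValue": None,
                "changeType": "DELETE",
            },
            "Configuration": {"previousValue": {"roleName": "CloudTrailRole", "path": "/"},
                              "updatedValue": None, "changeType": "DELETE"},
        },
        "changeType": "DELETE",
    },
}

# Amazon SNS delivers the AWS Config payload as a JSON string in the "Message" field.
SNS_RECORD = {"Type": "Notification", "Message": json.dumps(POLICY_ATTACHED)}


def decode_message(sns_record: dict) -> dict:
    """Decode the SNS Message field and reject anything that is not a
    ConfigurationItemChangeNotification (AWS Config sends other message types too)."""
    body = json.loads(sns_record["Message"])
    if body.get("messageType") != "ConfigurationItemChangeNotification":
        raise ValueError(f"unexpected messageType: {body.get('messageType')!r}")
    return body


def classify_changes(body: dict) -> Dict[str, str]:
    """Label every changed property as <item changeType>-<property changeType>.

    The first half is configurationItemDiff.changeType, what happened to the
    configuration item as a whole; the second half is the property's own changeType.
    Relationships.* keys are direct-relationship changes, Configuration.* keys are
    configuration changes."""
    diff = body["configurationItemDiff"]
    return {prop: f"{diff['changeType']}-{change['changeType']}"
            for prop, change in diff["changedProperties"].items()}


def describe_relationships(body: dict) -> List[str]:
    """One line per direct-relationship change. A CREATE carries the peer resource in
    updatedValue (previousValue is null); a DELETE carries it in previousValue."""
    item = body["configurationItem"]
    lines = []
    for prop, change in body["configurationItemDiff"]["changedProperties"].items():
        if not prop.startswith("Relationships."):
            continue
        peer = change["updatedValue"] or change["previousValue"]
        lines.append(f"{change['changeType']}: {item['resourceType']} {item['resourceName']} "
                     f"'{peer['name']}' {peer['resourceType']} {peer['resourceName']}")
    return lines


if __name__ == "__main__":
    body = decode_message(SNS_RECORD)
    print(classify_changes(body))       # {'Relationships.0': 'UPDATE-CREATE', 'Configuration.AttachmentCount': 'UPDATE-UPDATE'}
    print(describe_relationships(body))
    print(classify_changes(ROLE_DELETED))  # {'Relationships.0': 'DELETE-DELETE', 'Configuration': 'DELETE-DELETE'}
```

In a Lambda function subscribed to the topic, each record's Sns.Message field is what decode_message expects. Filtering on messageType first matters because the same topic also receives other AWS Config message types, which have no configurationItemDiff.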
Related information
Notifications that AWS Config sends to an Amazon SNS topic