
How do I set up custom email notifications when AWS Config detects new resources?


I want to use AWS Config to receive email notifications when AWS Config identifies a new resource.

Resolution

Note: In the following example, you receive Amazon Simple Notification Service (Amazon SNS) notifications when you create a new Amazon Elastic Compute Cloud (Amazon EC2) instance. The notification occurs when you create the EC2 instance in an AWS Region where the AWS Config service is active. AWS Config records new EC2 instances and uses the resource type AWS::EC2::Instance to identify these instances.

Create an Amazon SNS topic

Create an Amazon SNS topic in the same Region as your AWS Config service.

Create an EventBridge rule

  1. Open the Amazon EventBridge console.

  2. In the navigation pane, choose Rules, and then choose Create rule.

  3. Enter the following information:
    For Name, enter a name for your rule.
    (Optional) For Description, enter a description for the rule.
    For Rule type, choose Rule with an event pattern.

  4. Choose Next.

  5. For Event source, choose AWS events or EventBridge partner events.

  6. Under Event pattern, choose Custom pattern (JSON editor).

  7. Enter the following example event pattern:

    {
      "source": [
        "aws.config"
      ],
      "detail-type": [
        "Config Configuration Item Change"
      ],
      "detail": {
        "messageType": [
          "ConfigurationItemChangeNotification"
        ],
        "configurationItem": {
          "resourceType": [
            "AWS::EC2::Instance"
          ],
          "configurationItemStatus": [
            "ResourceDiscovered"
          ]
        }
      }
    }

    Note: Replace the AWS::EC2::Instance resource type with the resource type that you want to monitor. For a list of available resource types, see the resourceType section in ResourceIdentifier. For information about supported resource types, see Supported resource types for AWS Config.

  8. Choose Next.

  9. Enter the following information:
    For Target types, select AWS service.
    For Select a target, select SNS topic from the dropdown list.
    For Topic, select your SNS topic.

  10. Under Additional settings, for Configure target input, choose Input transformer.

  11. Choose Configure input transformer. Then, under Target input transformer in the Input path text box, enter the following example path:

    {
        "awsRegion": "$.detail.configurationItem.awsRegion",
        "awsAccountId": "$.detail.configurationItem.awsAccountId",
        "resource_type": "$.detail.configurationItem.resourceType",
        "resource_ID": "$.detail.configurationItem.resourceId",
        "configurationItemCaptureTime": "$.detail.configurationItem.configurationItemCaptureTime"
    }
    
  12. In the Template text box, enter the following example template:

    "On <configurationItemCaptureTime> AWS Config service recorded a creation of a new <resource_type> with Id <resource_ID> in the account <awsAccountId> region <awsRegion>. For more details open the AWS Config console at https://console.aws.amazon.com/config/home?region=<awsRegion>#/timeline/<resource_type>/<resource_ID>/configuration"

  13. Choose Confirm, and then choose Next.

  14. Choose Create rule.

Example notification:

"On ExampleTime AWS Config service recorded a creation of a new AWS::EC2::Instance with Id ExampleID in the account AccountID region ExampleRegion. For more details open the AWS Config console at https://console.aws.amazon.com/config/home?region=ExampleRegion#/timeline/AWS::EC2::Instance/ExampleID/configuration"
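To check the rule's logic before deploying it, the following added Python script (not part of the original article) replays the event pattern, input path and template from the steps above against a constructed sample Config event, using a minimal local imitation of EventBridge's exact-value matching and input transformer. The account ID, region, instance ID and capture time in the sample are constructed values, and the template is shortened to drop the console URL.

```python
import re
from functools import reduce

# Event pattern from step 7 (EventBridge fires when every listed field holds one of the listed values).
EVENT_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Configuration Item Change"],
    "detail": {"messageType": ["ConfigurationItemChangeNotification"],
               "configurationItem": {"resourceType": ["AWS::EC2::Instance"],
                                     "configurationItemStatus": ["ResourceDiscovered"]}},
}
# Input path (step 11) and template (step 12, console URL omitted for brevity).
INPUT_PATH = {
    "awsRegion": "$.detail.configurationItem.awsRegion",
    "awsAccountId": "$.detail.configurationItem.awsAccountId",
    "resource_type": "$.detail.configurationItem.resourceType",
    "resource_ID": "$.detail.configurationItem.resourceId",
    "configurationItemCaptureTime": "$.detail.configurationItem.configurationItemCaptureTime",
}
TEMPLATE = ("On <configurationItemCaptureTime> AWS Config service recorded a creation of a new "
            "<resource_type> with Id <resource_ID> in the account <awsAccountId> region <awsRegion>.")
# Constructed sample event shaped like a Config configuration item change (not a real capture).
SAMPLE_EVENT = {
    "source": "aws.config",
    "detail-type": "Config Configuration Item Change",
    "detail": {"messageType": "ConfigurationItemChangeNotification",
               "configurationItem": {"awsRegion": "us-east-1", "awsAccountId": "123456789012",
                                     "resourceType": "AWS::EC2::Instance",
                                     "resourceId": "i-0123456789abcdef0",
                                     "configurationItemStatus": "ResourceDiscovered",
                                     "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z"}},
}

def matches(pattern, event):
    """Minimal EventBridge matcher: a list holds allowed exact values, a dict is a nested pattern."""
    for key, expected in pattern.items():
        value = event.get(key) if isinstance(event, dict) else None
        if isinstance(expected, dict):
            if not matches(expected, value):
                return False
        elif value not in expected:
            return False
    return True

def render(event):
    """Return the SNS message the rule would send, or None when the pattern does not match."""
    if not matches(EVENT_PATTERN, event):
        return None
    # Resolve each '$.a.b.c' input path by walking the event, then fill the <placeholders>.
    values = {n: reduce(lambda d, k: d[k], p.removeprefix("$.").split("."), event)
              for n, p in INPUT_PATH.items()}
    return re.sub(r"<(\w+)>", lambda m: str(values[m.group(1)]), TEMPLATE)
```

The matcher implements only the exact-value lists and nested objects that this rule's pattern uses; other EventBridge pattern operators are not covered, so a change of configurationItemStatus (for example to OK) correctly yields no message.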

Related information

How do I configure EventBridge rules for GuardDuty to send custom SNS notifications for specific service finding types?

How can I use AWS Config to receive custom email notifications when a resource is deleted in my AWS account?

AWS OFFICIAL. Updated 7 months ago