By using AWS re:Post, you agree to the Terms of Use
/How to run AWS CONFIG advanced queries using Lambda Function/

How to run AWS CONFIG advanced queries using Lambda Function

0

My requirement is to generate a report to list all AWS resource by executing AWS Config advanced queries using Lambda function on regular basis . Could you please assist how to achieve it

2 Answers
1

You can query the AWS Config API for advanced queries with the SelectResourceConfig API call. See the AWS documentation for an (CLI) example.

answered 13 days ago
  • I created lambda function and invoking the SelectResourceConfig API using aws cli using below query and it is failing with "Syntax error in module 'lambda_function': invalid syntax (lambda_function.py, line 23)".

    import subprocess import logging import boto3

    logger = logging.getLogger() logger.setLevel(logging.INFO)

    def run_command(command): command_list = command.split(' ') #print(command_list) try: logger.info("Running shell command: "{}"".format(command)) result = subprocess.run(command_list, stderr=subprocess.STDOUT, stdout=subprocess.PIPE); #print(result) logger.info("Command output:\n---\n{}\n---".format(result.stdout.decode('UTF-8'))) except Exception as e: logger.error("Exception: {}".format(e)) return False

    return result
    

    def lambda_handler(event, context):

    run_command('/opt/aws configservice select-resource-config --expression "SELECT 
    resourceId,
    

    resourceName, resourceType, configuration.tags.value, configuration.vpcId, configuration.subnetId, configuration.publicDnsName, configuration.privateIpAddress, configuration.imageId, configuration.iamInstanceProfile.arn, configuration.instanceId, configuration.instanceType, configuration.securityGroups, configuration.platform, configuration.architecture, configuration.availabilityZone, configuration.state.name WHERE resourceType = 'AWS::EC2::Instance' order by resourceId, resourceName, resourceType, configuration.state.name"')

1

You could use AWS Eventbridge (what used to be called Cloudwatch Events earlier) to create a Scheduler rule that will trigger at periodic intervals. You can define a lambda function as the target of the Lambda function.

Inside the lambda function you can call the relevant API that will give you what you want. For example, if you want to use the AWS Config API ListDiscoveredResources, then you can call the API from inside your lambda function. There are samples provided in the documentation for supported languages - https://docs.aws.amazon.com/config/latest/APIReference/API_ListDiscoveredResources.html. You could write the output to a file and save it on S3.

answered 14 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions