
How to efficiently retrieve the ARN of non-compliant AWS resources detected by AWS Config?

0

I am trying to build a system that detects untagged AWS resources across our organization and automatically applies the required tags.

In my first attempt: I used AWS Config’s "required-tags" rule to detect resources missing mandatory tags, and I set up the "AWS-SetRequiredTags" remediation action to automatically apply the tags. However, this attempt failed for many resources because "AWS-SetRequiredTags" expects the resource ARN as an input, while the remediation action triggered by AWS Config passes the resource ID instead.

In my second attempt: I tried using EventBridge with the “AWS Config Rules Compliance Change” event to trigger an action, but it seems that the event does not contain the ARN information of the affected AWS resource. This means I need to implement an additional step to retrieve the ARN.

Given this situation, I would like to ask: What is the most efficient method or best practice to retrieve the ARN of non-compliant resources detected by AWS Config?

1 Answer
0
Accepted Answer

The most efficient way to retrieve the ARN of non-compliant AWS resources detected by AWS Config is to use the AWS SDK or AWS CLI to describe the resource using its ID. First, capture the non-compliant resource's ID from the AWS Config event. Then, call the appropriate describe API for the resource type (e.g., describe-instances for EC2, describe-buckets for S3) to obtain the ARN. Automating this in a Lambda function, triggered by EventBridge, can streamline the process by dynamically resolving ARNs based on resource IDs before applying the required tags.

EXPERT, answered a year ago
EXPERT, reviewed 10 months ago
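The Lambda-plus-EventBridge flow the answer describes, written out as an added example (this is not the answer author's code and not an AWS sample): the handler reads `resourceId`, `resourceType`, `awsRegion` and `awsAccountId` from the `detail` of a "Config Rules Compliance Change" event, resolves the ARN per resource type, then applies only the required tags that are still missing through the Resource Groups Tagging API. For types whose describe call returns no ARN (EC2 instances, S3 buckets) the ARN is built from the account and region fields the event already carries; for RDS and Lambda the describe call returns it directly. `REQUIRED_TAGS`, the resolver table, the sample event and the fake clients are assumptions constructed for this example so it runs offline.

```python
"""Added example, not code from the original re:Post answer.

EventBridge-triggered Lambda handler: resolve the ARN of a NON_COMPLIANT
resource from an AWS Config compliance-change event, then add only the
required tags that are missing. REQUIRED_TAGS, the resolver table and the
fake clients below are assumptions made for this example.
"""
from typing import Callable, Dict, Optional

# Required tag keys and the placeholder values to apply (assumed values).
REQUIRED_TAGS = {"Owner": "unassigned", "CostCenter": "unassigned"}

ClientFactory = Callable[[str], object]  # service name -> boto3-like client


def _ec2_instance_arn(clients: ClientFactory, detail: dict) -> str:
    # DescribeInstances returns no ARN; build it from the account and
    # region fields that the Config event already carries.
    return "arn:aws:ec2:{awsRegion}:{awsAccountId}:instance/{resourceId}".format(**detail)


def _s3_bucket_arn(clients: ClientFactory, detail: dict) -> str:
    # Bucket ARNs are global: no region or account component.
    return "arn:aws:s3:::" + detail["resourceId"]


def _rds_instance_arn(clients: ClientFactory, detail: dict) -> str:
    # The RDS describe call returns the ARN directly.
    resp = clients("rds").describe_db_instances(DBInstanceIdentifier=detail["resourceId"])
    return resp["DBInstances"][0]["DBInstanceArn"]


def _lambda_function_arn(clients: ClientFactory, detail: dict) -> str:
    resp = clients("lambda").get_function(FunctionName=detail["resourceId"])
    return resp["Configuration"]["FunctionArn"]


# Config resourceType -> resolver; unhandled types are skipped, never guessed.
RESOLVERS: Dict[str, Callable[[ClientFactory, dict], str]] = {
    "AWS::EC2::Instance": _ec2_instance_arn,
    "AWS::S3::Bucket": _s3_bucket_arn,
    "AWS::RDS::DBInstance": _rds_instance_arn,
    "AWS::Lambda::Function": _lambda_function_arn,
}


def resolve_arn(event: dict, clients: ClientFactory) -> Optional[str]:
    """ARN of the resource in a compliance-change event, or None when the
    evaluation is not NON_COMPLIANT or the resource type is unhandled."""
    detail = event.get("detail", {})
    if detail.get("newEvaluationResult", {}).get("complianceType") != "NON_COMPLIANT":
        return None
    resolver = RESOLVERS.get(detail.get("resourceType", ""))
    return resolver(clients, detail) if resolver else None


def apply_required_tags(event: dict, clients: ClientFactory) -> dict:
    """Resolve the ARN and add only the missing required tags, so tags an
    owner already set are never overwritten. Returns a summary dict."""
    arn = resolve_arn(event, clients)
    if arn is None:
        return {"arn": None, "added": {}, "tagged": False}
    tagging = clients("resourcegroupstaggingapi")
    existing = {}
    for mapping in tagging.get_resources(ResourceARNList=[arn]).get("ResourceTagMappingList", []):
        existing.update({t["Key"]: t["Value"] for t in mapping.get("Tags", [])})
    missing = {k: v for k, v in REQUIRED_TAGS.items() if k not in existing}
    if not missing:
        return {"arn": arn, "added": {}, "tagged": True}
    resp = tagging.tag_resources(ResourceARNList=[arn], Tags=missing)
    failed = resp.get("FailedResourcesMap", {})
    return {"arn": arn, "added": missing, "tagged": arn not in failed}


def lambda_handler(event: dict, context) -> dict:
    import boto3  # imported lazily so the module also runs without boto3
    return apply_required_tags(event, boto3.client)


# --- Constructed sample event and fake clients for running offline ---------
SAMPLE_EVENT = {
    "detail-type": "Config Rules Compliance Change",
    "source": "aws.config",
    "detail": {
        "resourceId": "i-0123456789abcdef0",
        "resourceType": "AWS::EC2::Instance",
        "awsRegion": "us-east-1",
        "awsAccountId": "123456789012",
        "configRuleName": "required-tags",
        "newEvaluationResult": {"complianceType": "NON_COMPLIANT"},
    },
}


class _FakeTagging:
    """Stands in for the Tagging API client; pretends Owner is already set."""
    def __init__(self):
        self.calls = []

    def get_resources(self, ResourceARNList):
        return {"ResourceTagMappingList": [
            {"ResourceARN": ResourceARNList[0], "Tags": [{"Key": "Owner", "Value": "alice"}]}]}

    def tag_resources(self, ResourceARNList, Tags):
        self.calls.append((ResourceARNList, Tags))
        return {"FailedResourcesMap": {}}


FAKE_TAGGING = _FakeTagging()


def fake_clients(service: str):
    if service == "resourcegroupstaggingapi":
        return FAKE_TAGGING
    raise NotImplementedError(service)


if __name__ == "__main__":
    print(apply_required_tags(SAMPLE_EVENT, fake_clients))
```

Two points worth checking before deploying something like this: the function's execution role needs `tag:GetResources` and `tag:TagResources` plus the service-specific tagging permission for each resource type it touches (for example `ec2:CreateTags`), since the Tagging API checks those too; and the EventBridge rule should match only `NON_COMPLIANT` evaluations for the `required-tags` rule, so the function is not invoked for every compliance change in the account.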
