Questions tagged with AWS Config
Hello, how are you?
In the last three months, we noticed that AWS Config cost increased more than 500% on average.
The biggest usage type was **SAE1-ConfigurationItemRecorded**. We checked the AWS Config logs and identified that there are a lot of changes in the EC2:Subnet, EC2:VPC, EC2:SecurityGroup and EC2:NetworkInterface resource types.
We also noticed that there seems to be some connection between the recorded items, the cost and the variation in the number of tasks on the ECS cluster; some evidence is below.


Can someone help me explain what the possible root cause of this cost increase is and why it happened so suddenly?
Thanks!
I tested in a PoC environment creating an AWS Config recorder and then an EventBridge rule to send the Config events (non-compliant) to a CloudWatch log group (and then to Firehose to send them to a vendor), and it works great!
But I did the same in a Config account in the production environment, which has a Config aggregator across all the accounts and regions, and the EventBridge rule doesn't track anything; it doesn't work.
I need to send all the non-compliant events of the organization.
What could be the problem? How do I do it? Thank you.
The error goes like this:
```
{"errorType":"Runtime.ImportModuleError","errorMessage":"Error: Cannot find module 'hellolambdafnfirst'\nRequire stack:\n- /var/runtime/index.mjs","trace":["Runtime.ImportModuleError: Error: Cannot find module 'hellolambdafnfirst'","Require stack:","- /var/runtime/index.mjs"," at _loadUserApp (file:///var/runtime/index.mjs:726:17)"," at async Object.module.exports.load (file:///var/runtime/index.mjs:741:21)"," at async file:///var/runtime/index.mjs:781:15"," at async file:///var/runtime/index.mjs:4:1"]}
```
The stack goes like this (a very basic stack):
```
// Imports assumed for CDK v2; the original snippet did not show them.
import * as path from 'path';
import * as lambda from 'aws-cdk-lib/aws-lambda';

const lmbdafromcode = new lambda.Function(this, 'lmbdafromcodeName', {
  runtime: lambda.Runtime.NODEJS_16_X,
  // <filename of the lambda>.<exported handler name>
  handler: 'hellolambdafnfirst.handler',
  // Bundles the whole lmdaFun directory as the deployment package.
  code: lambda.Code.fromAsset(path.join(__dirname, '/../lmdaFun')),
  memorySize: 1024,
});
```
The project structure is simple, like this:
```
bin
lib
|-------------------HelloCdkStack.ts
lmdaFun
|-------------------hellolambdafnfirst.ts
node_modules
```
We are trying to deploy Organization Conformance Packs via CloudFormation, but the deployment always fails with the exception below:
`NoAvailableConfigurationRecorderException in 1 account(s)`
The AWS Config recorder is configured in the Management Account and we have completed the [Prerequisites](https://docs.aws.amazon.com/config/latest/developerguide/cpack-prerequisites.html#cpack-prerequisites-organizationcpack) for Organization Conformance Packs. Trusted service access for AWS Config is enabled in our Organization by [creating a multi-account aggregator and adding the organization](https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-config.html#integrate-enable-ta-config).
Our Cloud Landing Zone is created using Control Tower. We've also followed [this](https://aws.amazon.com/blogs/mt/deploy-aws-config-rules-and-conformance-packs-using-a-delegated-admin/) blog post to try the same with a delegated administrator account. Last but not least, we've given the Config recorder role admin access and excluded all accounts except the Management Account in our template. Still no luck. Does anyone have an idea how to solve this issue?
The "DeleteUser" log has a "null" value in the "responseElements" field.
Is there any flag I can set so that the delete_user action will return the "userId" in the response?
The scenario is:
create and then delete users with the same name, in a loop.
I need to determine the correlation between the create and delete logs in real time.
I can determine which "create" action is related to which "delete" action, since they all have the same name.
My requirement is to generate a report listing all AWS resources by executing AWS Config advanced queries from a Lambda function on a regular basis. Could you please assist with how to achieve this?
I've enabled AWS Control Tower in a personal development account in order to learn the platform and prepare for AWS exams. Since I have to pay for this myself, I am very conscious of any unreasonable costs. I am noticing right away that Control Tower has enabled more than 20 guardrails and is driving up AWS Config costs. How do I nip this in the bud? It's unacceptable for my purposes.
The AWS Systems Manager Inventory Collection & Managed Instances configurations never leave 'Pending' status when I run Quick Setup. I've tried a number of times but it doesn't seem to work. I've also tried to follow the instructions on the Troubleshooting page (link below) to address insufficient permissions, but that hasn't solved the problem either. Has anyone else had this problem and found a fix? Thanks in advance!
https://docs.aws.amazon.com/systems-manager/latest/userguide/syman-inventory-troubleshooting.html#sysman-inventory-troubleshooting-pending
Hi, we are using the RDK to build/test/deploy our Config rules in a multi-account architecture. We would like to perform integration tests for our Config rules deployed in the accounts, hence I am looking for suggestions for any library or approach that can help me test my rules (the idea is to deploy dummy resources in the test account and run the rule against those resources, then collect the test results of all the rules and send them back to the pipeline).
I'm trying to add several IP addresses from other countries to the security group of an RDS MySQL database. Why would these not work? Is there a setting that restricts access to the host country, as I'm able to access it from here?
I'm trying to develop custom remediations using SSM documents. In some cases, when it goes wrong I can check it in the Systems Manager -> Automation console and see what's wrong with the code. But there are some situations where I cannot see anything, and I'm currently stuck fixing this.
So basically I can only see this error: "Action execution failed" (screenshot: [screenshot_anonymized.png](https://github.zendesk.com/attachments/token/qY5xjaWKaoJdbnB6m3Z4ErWp6/?name=170682139-886a03bc-3460-47b1-98e9-db95e44be813_anonymized.png))
Then when I look for it, I can't find anything on the issue anywhere (Systems Manager, CloudWatch, Config, etc.).
Does anyone know what this issue is? And/or a neat little trick to debug this?
I found here:
https://aws.amazon.com/blogs/mt/configuration-history-configuration-snapshot-files-aws-config/
"AWS Config delivers three types of configuration files to the S3 bucket:
Configuration history (A configuration history is a collection of the configuration items for a given resource over any time period.)
Configuration snapshot
OversizedChangeNotification"
However, these docs: https://docs.aws.amazon.com/ja_jp/config/latest/developerguide/delete-config-data-with-retention-period.html
only say that the retention period deletes the "ConfigurationItems" (A configuration item represents a point-in-time view of the various attributes of a supported AWS resource that exists in your account.)
And these docs: https://docs.aws.amazon.com/config/latest/developerguide/config-concepts.html#config-history say: "The components of a configuration item include metadata, attributes, relationships, current configuration, and related events. AWS Config creates a configuration item whenever it detects a change to a resource type that it is recording."
I wonder: Are ConfigurationItems a subset of the configuration history? Are the things saved to S3 the same as ConfigurationItems? If not, where are ConfigurationItems stored? And if they are stored in S3, are ConfigurationItems deleted or do they become damaged?
I have set an AWS S3 lifecycle rule to expire objects in 300 days, and the AWS Config retention period is 7 years. Therefore, I am wondering what the relationship between those 2 is. Because the S3 lifecycle period is 300 days, will AWS Config data be deleted in 300 days?
Thank you so much!