AWS config and Configuration change notifications

Please see the below documentation for setting up notifications of AWS Config changes through Amazon SNS. The solution uses EventBridge to receive AWS Config events and have EventBridge rules send messages to SNS (AWS Config -> EventBridge -> SNS). I recommend starting with the sample from the documentation and customize fields as needed.

• How can I be notified when an AWS resource is non-compliant using AWS Config?

In AWS Config you will want to take a look at your settings and make sure you setup an SNS Topic that AWS Config can send notifications to and then subscribe to that Topic. Then you will want to make sure you are getting Configuration Item Changes for AWS::SSM::ManagedInstanceInventory resources. If you want filter a bit more, you can use EventBridge Rules to send notifications or you can do something with a Custom Config Rule, included a link to a Manager Config rule for checking for applications in the inventory. Depending on how many changes are happening in your environment, these notifications may end up being too much noise so using a rule to catch a specific change might be better.

https://docs.aws.amazon.com/config/latest/developerguide/manual-setup.title.html#gs-settings.title

https://docs.aws.amazon.com/config/latest/developerguide/example-sns-notification.html

https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-inventory-setting-up-eventbridge.html

https://docs.aws.amazon.com/config/latest/developerguide/ec2-managedinstance-applications-blacklisted.html