本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
範例組態項目變更通知
AWS Config 使用 Amazon SNS 向訂閱端點傳遞通知。這些通知提供組態快照和組態歷史記錄的傳遞狀態,並提供每個組態項目,這些設定項目會在記錄的 AWS 資源組態變更時 AWS Config 建立。 AWS Config 還會傳送通知,顯示您的資源是否符合您的規則。如果您選擇透過電子郵件傳送通知,則可以根據電子郵件的主旨行和訊息本文以在電子郵件用戶端應用程式中使用篩選條件。
下列 Amazon SNS 通知承載範例是在 AWS Config
偵測到 Amazon Elastic Block Store 磁碟區 vol-ce676ccc 連接至 ID 為 i-344c463d 的執行個體時所產生。通知包含資源的組態項目變更。
{ "Type": "Notification", "MessageId": "8b945cb0-db34-5b72-b032-1724878af488", "TopicArn": "arn:aws:sns:us-west-2:123456789012:example", "Message": { "MessageVersion": "1.0", "NotificationCreateTime": "2014-03-18T10:11:00Z", "messageType": "ConfigurationItemChangeNotification", "configurationItem": [ { "configurationItemVersion": "1.0", "configurationItemCaptureTime": "2014-03-07T23:47:08.918Z", "arn": "arn:aws:us-west-2b:123456789012:volume/vol-ce676ccc", "resourceId": "vol-ce676ccc", "accountId": "123456789012", "configurationStateID": "3e660fdf-4e34-4f32-afeb-0ace5bf3d63a", "configurationItemStatus": "OK", "relatedEvents": [], "availabilityZone": "us-west-2b", "resourceType": "AWS::EC2::VOLUME", "resourceCreationTime": "2014-02-27T21:43:53.885Z", "tags": {}, "relationships": [ { "resourceId": "i-344c463d", "resourceType": "AWS::EC2::INSTANCE", "name": "Attached to Instance" } ], "configuration": { "volumeId": "vol-ce676ccc", "size": 1, "snapshotId": "", "availabilityZone": "us-west-2b", "state": "in-use", "createTime": "2014-02-27T21:43:53.0885+0000", "attachments": [ { "volumeId": "vol-ce676ccc", "instanceId": "i-344c463d", "device": "/dev/sdf", "state": "attached", "attachTime": "2014-03-07T23:46:28.0000+0000", "deleteOnTermination": false } ], "tags": [], "volumeType": "standard" } } ], "configurationItemDiff": { "changeType": "UPDATE", "changedProperties": { "Configuration.State": { "previousValue": "available", "updatedValue": "in-use", "changeType": "UPDATE" }, "Configuration.Attachments.0": { "updatedValue": { "VolumeId": "vol-ce676ccc", "InstanceId": "i-344c463d", "Device": "/dev/sdf", "State": "attached", "AttachTime": "FriMar0723: 46: 28UTC2014", "DeleteOnTermination": "false" }, "changeType": "CREATE" } } } }, "Timestamp": "2014-03-07T23:47:10.001Z", "SignatureVersion": "1", "Signature": "LgfJNB5aOk/w3omqsYrv5cUFY8yvIJvO5ZZh46/KGPApk6HXRTBRlkhjacnxIXJEWsGI9mxvMmoWPLJGYEAR5FF/+/Ro9QTmiTNcEjQ5kB8wGsRWVrk/whAzT2lVtofc365En2T1Ncd9iSFFXfJchgBmI7EACZ28t+n2mWFgo57n6eGDvHTedslzC6KxkfWTfXsR6zHXzkB3XuZImktflg3iPKtvBb3Zc9iVbNsBEI4FITFWktSqqomYDjc5h0kgapIo4CtCHGKpALW9JDmP+qZhMzEbHWpzFlEzvFl55KaZXxDbznBD1ZkqPgno/WufuxszCiMrsmV8pUNUnkU1TA==", "SigningCertURL": "https://sns.us-west-2.amazonaws.com/SimpleNotificationService-e372f8ca30337fdb084e8ac449342c77.pem", "UnsubscribeURL": "https://sns.us-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-west-2:123456789012:example:a6859fee-3638-407c-907e-879651c9d143" }
含關係的資源組態項目
如果資源與其他資源相關,則變更該資源可能會產生多個組態項目。下列範例顯示如何為具有關係的資源 AWS Config 建立組態項目。
-
您有 ID 為
i-007d374c8912e3e90的 Amazon EC2 執行個體,而且執行個體與 Amazon EC2 安全群組sg-c8b141b4建立關聯。 -
您更新 EC2 執行個體,以將安全群組變更為另一個安全群組
sg-3f1fef43。 -
由於 EC2 執行個體與其他資源相關,因此 AWS Config 會建立多個組態項目,如下列範例所示:
此通知包含 EC2 執行個體在取代安全群組時的組態項目變更。
{ "Type": "Notification", "MessageId": "faeba85e-ef46-570a-b01c-f8b0faae8d5d", "TopicArn": "arn:aws:sns:us-east-2:123456789012:config-topic-ohio", "Subject": "[AWS Config:us-east-2] AWS::EC2::Instance i-007d374c8912e3e90 Updated in Account 123456789012", "Message": { "configurationItemDiff": { "changedProperties": { "Configuration.NetworkInterfaces.0": { "previousValue": { "networkInterfaceId": "eni-fde9493f", "subnetId": "subnet-2372be7b", "vpcId": "vpc-14400670", "description": "", "ownerId": "123456789012", "status": "in-use", "macAddress": "0e:36:a2:2d:c5:e0", "privateIpAddress": "172.31.16.84", "privateDnsName": "ip-172-31-16-84.ec2.internal", "sourceDestCheck": true, "groups": [{ "groupName": "example-security-group-1", "groupId": "sg-c8b141b4" }], "attachment": { "attachmentId": "eni-attach-85bd89d9", "deviceIndex": 0, "status": "attached", "attachTime": "2017-01-09T19:36:02.000Z", "deleteOnTermination": true }, "association": { "publicIp": "54.175.43.43", "publicDnsName": "ec2-54-175-43-43.compute-1.amazonaws.com", "ipOwnerId": "amazon" }, "privateIpAddresses": [{ "privateIpAddress": "172.31.16.84", "privateDnsName": "ip-172-31-16-84.ec2.internal", "primary": true, "association": { "publicIp": "54.175.43.43", "publicDnsName": "ec2-54-175-43-43.compute-1.amazonaws.com", "ipOwnerId": "amazon" } }] }, "updatedValue": null, "changeType": "DELETE" }, "Relationships.0": { "previousValue": { "resourceId": "sg-c8b141b4", "resourceName": null, "resourceType": "AWS::EC2::SecurityGroup", "name": "Is associated with SecurityGroup" }, "updatedValue": null, "changeType": "DELETE" }, "Configuration.NetworkInterfaces.1": { "previousValue": null, "updatedValue": { "networkInterfaceId": "eni-fde9493f", "subnetId": "subnet-2372be7b", "vpcId": "vpc-14400670", "description": "", "ownerId": "123456789012", "status": "in-use", "macAddress": "0e:36:a2:2d:c5:e0", "privateIpAddress": "172.31.16.84", "privateDnsName": "ip-172-31-16-84.ec2.internal", "sourceDestCheck": true, "groups": [{ "groupName": "example-security-group-2", "groupId": "sg-3f1fef43" }], "attachment": { "attachmentId": "eni-attach-85bd89d9", "deviceIndex": 0, "status": "attached", "attachTime": "2017-01-09T19:36:02.000Z", "deleteOnTermination": true }, "association": { "publicIp": "54.175.43.43", "publicDnsName": "ec2-54-175-43-43.compute-1.amazonaws.com", "ipOwnerId": "amazon" }, "privateIpAddresses": [{ "privateIpAddress": "172.31.16.84", "privateDnsName": "ip-172-31-16-84.ec2.internal", "primary": true, "association": { "publicIp": "54.175.43.43", "publicDnsName": "ec2-54-175-43-43.compute-1.amazonaws.com", "ipOwnerId": "amazon" } }] }, "changeType": "CREATE" }, "Relationships.1": { "previousValue": null, "updatedValue": { "resourceId": "sg-3f1fef43", "resourceName": null, "resourceType": "AWS::EC2::SecurityGroup", "name": "Is associated with SecurityGroup" }, "changeType": "CREATE" }, "Configuration.SecurityGroups.1": { "previousValue": null, "updatedValue": { "groupName": "example-security-group-2", "groupId": "sg-3f1fef43" }, "changeType": "CREATE" }, "Configuration.SecurityGroups.0": { "previousValue": { "groupName": "example-security-group-1", "groupId": "sg-c8b141b4" }, "updatedValue": null, "changeType": "DELETE" } }, "changeType": "UPDATE" }, "configurationItem": { "relatedEvents": [], "relationships": [ { "resourceId": "eni-fde9493f", "resourceName": null, "resourceType": "AWS::EC2::NetworkInterface", "name": "Contains NetworkInterface" }, { "resourceId": "sg-3f1fef43", "resourceName": null, "resourceType": "AWS::EC2::SecurityGroup", "name": "Is associated with SecurityGroup" }, { "resourceId": "subnet-2372be7b", "resourceName": null, "resourceType": "AWS::EC2::Subnet", "name": "Is contained in Subnet" }, { "resourceId": "vol-0a2d63a256bce35c5", "resourceName": null, "resourceType": "AWS::EC2::Volume", "name": "Is attached to Volume" }, { "resourceId": "vpc-14400670", "resourceName": null, "resourceType": "AWS::EC2::VPC", "name": "Is contained in Vpc" } ], "configuration": { "instanceId": "i-007d374c8912e3e90", "imageId": "ami-9be6f38c", "state": { "code": 16, "name": "running" }, "privateDnsName": "ip-172-31-16-84.ec2.internal", "publicDnsName": "ec2-54-175-43-43.compute-1.amazonaws.com", "stateTransitionReason": "", "keyName": "ec2-micro", "amiLaunchIndex": 0, "productCodes": [], "instanceType": "t2.micro", "launchTime": "2017-01-09T20:13:28.000Z", "placement": { "availabilityZone": "us-east-2c", "groupName": "", "tenancy": "default", "hostId": null, "affinity": null }, "kernelId": null, "ramdiskId": null, "platform": null, "monitoring": {"state": "disabled"}, "subnetId": "subnet-2372be7b", "vpcId": "vpc-14400670", "privateIpAddress": "172.31.16.84", "publicIpAddress": "54.175.43.43", "stateReason": null, "architecture": "x86_64", "rootDeviceType": "ebs", "rootDeviceName": "/dev/xvda", "blockDeviceMappings": [{ "deviceName": "/dev/xvda", "ebs": { "volumeId": "vol-0a2d63a256bce35c5", "status": "attached", "attachTime": "2017-01-09T19:36:03.000Z", "deleteOnTermination": true } }], "virtualizationType": "hvm", "instanceLifecycle": null, "spotInstanceRequestId": null, "clientToken": "bIYqA1483990561516", "tags": [{ "key": "Name", "value": "value" }], "securityGroups": [{ "groupName": "example-security-group-2", "groupId": "sg-3f1fef43" }], "sourceDestCheck": true, "hypervisor": "xen", "networkInterfaces": [{ "networkInterfaceId": "eni-fde9493f", "subnetId": "subnet-2372be7b", "vpcId": "vpc-14400670", "description": "", "ownerId": "123456789012", "status": "in-use", "macAddress": "0e:36:a2:2d:c5:e0", "privateIpAddress": "172.31.16.84", "privateDnsName": "ip-172-31-16-84.ec2.internal", "sourceDestCheck": true, "groups": [{ "groupName": "example-security-group-2", "groupId": "sg-3f1fef43" }], "attachment": { "attachmentId": "eni-attach-85bd89d9", "deviceIndex": 0, "status": "attached", "attachTime": "2017-01-09T19:36:02.000Z", "deleteOnTermination": true }, "association": { "publicIp": "54.175.43.43", "publicDnsName": "ec2-54-175-43-43.compute-1.amazonaws.com", "ipOwnerId": "amazon" }, "privateIpAddresses": [{ "privateIpAddress": "172.31.16.84", "privateDnsName": "ip-172-31-16-84.ec2.internal", "primary": true, "association": { "publicIp": "54.175.43.43", "publicDnsName": "ec2-54-175-43-43.compute-1.amazonaws.com", "ipOwnerId": "amazon" } }] }], "iamInstanceProfile": null, "ebsOptimized": false, "sriovNetSupport": null, "enaSupport": true }, "supplementaryConfiguration": {}, "tags": {"Name": "value"}, "configurationItemVersion": "1.2", "configurationItemCaptureTime": "2017-01-09T22:50:14.328Z", "configurationStateId": 1484002214328, "awsAccountId": "123456789012", "configurationItemStatus": "OK", "resourceType": "AWS::EC2::Instance", "resourceId": "i-007d374c8912e3e90", "resourceName": null, "ARN": "arn:aws:ec2:us-east-2:123456789012:instance/i-007d374c8912e3e90", "awsRegion": "us-east-2", "availabilityZone": "us-east-2c", "configurationStateMd5Hash": "8d0f41750f5965e0071ae9be063ba306", "resourceCreationTime": "2017-01-09T20:13:28.000Z" }, "notificationCreationTime": "2017-01-09T22:50:15.928Z", "messageType": "ConfigurationItemChangeNotification", "recordVersion": "1.2" }, "Timestamp": "2017-01-09T22:50:16.358Z", "SignatureVersion": "1", "Signature": "lpJTEYOSr8fUbiaaRNw1ECawJFVoD7I67mIeEkfAWJkqvvpak1ULHLlC+I0sS/01A4P1Yci8GSK/cOEC/O2XBntlw4CAtbMUgTQvb345Z2YZwcpK0kPNi6v6N51DuZ/6DZA8EC+gVTNTO09xtNIH8aMlvqyvUSXuh278xayExC5yTRXEg+ikdZRd4QzS7obSK1kgRZWI6ipxPNL6rd56/VvPxyhcbS7Vm40/2+e0nVb3bjNHBxjQTXSs1Xhuc9eP2gEsC4Sl32bGqdeDU1Y4dFGukuzPYoHuEtDPh+GkLUq3KeiDAQshxAZLmOIRcQ7iJ/bELDJTN9AcX6lqlDZ79w==", "SigningCertURL": "https://sns.us-east-2.amazonaws.com/SimpleNotificationService-b95095beb82e8f6a046b3aafc7f4149a.pem", "UnsubscribeURL": "https://sns.us-east-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-east-2:123456789012:config-topic-ohio:956fe658-0ce3-4fb3-b409-a45f22a3c3d4" }
此通知包含與執行個體建立關聯之 EC2 安全群組 sg-3f1fef43 的組態項目變更。
{ "Type": "Notification", "MessageId": "564d873e-711e-51a3-b48c-d7d064f65bf4", "TopicArn": "arn:aws:sns:us-east-2:123456789012:config-topic-ohio", "Subject": "[AWS Config:us-east-2] AWS::EC2::SecurityGroup sg-3f1fef43 Created in Account 123456789012", "Message": { "configurationItemDiff": { "changedProperties": {}, "changeType": "CREATE" }, "configurationItem": { "relatedEvents": [], "relationships": [{ "resourceId": "vpc-14400670", "resourceName": null, "resourceType": "AWS::EC2::VPC", "name": "Is contained in Vpc" }], "configuration": { "ownerId": "123456789012", "groupName": "example-security-group-2", "groupId": "sg-3f1fef43", "description": "This is an example security group.", "ipPermissions": [], "ipPermissionsEgress": [{ "ipProtocol": "-1", "fromPort": null, "toPort": null, "userIdGroupPairs": [], "ipRanges": ["0.0.0.0/0"], "prefixListIds": [] }], "vpcId": "vpc-14400670", "tags": [] }, "supplementaryConfiguration": {}, "tags": {}, "configurationItemVersion": "1.2", "configurationItemCaptureTime": "2017-01-09T22:50:15.156Z", "configurationStateId": 1484002215156, "awsAccountId": "123456789012", "configurationItemStatus": "ResourceDiscovered", "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-3f1fef43", "resourceName": null, "ARN": "arn:aws:ec2:us-east-2:123456789012:security-group/sg-3f1fef43", "awsRegion": "us-east-2", "availabilityZone": "Not Applicable", "configurationStateMd5Hash": "7399608745296f67f7fe1c9ca56d5205", "resourceCreationTime": null }, "notificationCreationTime": "2017-01-09T22:50:16.021Z", "messageType": "ConfigurationItemChangeNotification", "recordVersion": "1.2" }, "Timestamp": "2017-01-09T22:50:16.413Z", "SignatureVersion": "1", "Signature": "GocX31Uu/zNFo85hZqzsNy30skwmLnjPjj+UjaJzkih+dCP6gXYGQ0bK7uMzaLL2C/ibYOOsT7I/XY4NW6Amc5T46ydyHDjFRtQi8UfUQTqLXYRTnpOO/hyK9lMFfhUNs4NwQpmx3n3mYEMpLuMs8DCgeBmB3AQ+hXPhNuNuR3mJVgo25S8AqphN9O0okZ2MKNUQy8iJm/CVAx70TdnYsfUMZ24n88bUzAfiHGzc8QTthMdrFVUwXxa1h/7Zl8+A7BwoGmjo7W8CfLDVwaIQv1Uplgk3qd95Z0AXOzXVxNBQEi4k8axcknwjzpyO1g3rKzByiQttLUQwkgF33op9wg==", "SigningCertURL": "https://sns.us-east-2.amazonaws.com/SimpleNotificationService-b95095beb82e8f6a046b3aafc7f4149a.pem", "UnsubscribeURL": "https://sns.us-east-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-east-2:123456789012:config-topic-ohio:956fe658-0ce3-4fb3-b409-a45f22a3c3d4" }
了解 Amazon SNS ConfigurationItemChangeNotification 通知中的 configurationItemDiff 欄位
AWS Config 每當資源的配置發生變化(創建/更新/刪除)時創建一個配置項目。如需 AWS Config 可記錄的受支援資源類型清單,請參閱支援的資源類型。 AWS Config 使用 Amazon SNS 在發生變更時傳送通知。Amazon SNS 通知承載包含欄位,可協助您追蹤指定 AWS 區域中的資源變更。
若要了解您收到 ConfigurationItemChangeNotification 通知的原因,請檢閱 configurationItemDiff 詳細資訊。這些欄位會根據變更類型而有所不同,並且可以形成不同的組合,例如「UPDATE-UPDATE」、「UPDATE-CREATE」和「DELETE-DELETE」。下列是部分常見組合的說明。
「UPDATE-CREATE」和「UPDATE-UPDATE」
下列範例包含資源直接關係與資源組態中的變更。configurationItemDiff 詳細資訊顯示了下列資訊:
已執行的動作:帳戶中存在的受管政策已附加至 AWS Identity and Access Management (IAM) 角色。
已執行的基本操作:UPDATE (更新帳號中資源類型 AWS::IAM::Policy 的關聯數量)。
變更類型組合:
資源直接關係變更「UPDATE-CREATE」。在 IAM 政策和 IAM 角色之間建立了新的連接或關聯。
資源組態變更「UPDATE-UPDATE」。當政策連接至 IAM 角色時,IAM 政策關聯的數量會從 2 增加到 3。
範例「UPDATE-CREATE」和「UPDATE-UPDATE」configurationItemDiff 通知:
{ "configurationItemDiff": { "changedProperties": { "Relationships.0": { "previousValue": null, "updatedValue": { "resourceId": "AROA6D3M4S53*********", "resourceName": "Test1", "resourceType": "AWS::IAM::Role", "name": "Is attached to Role" }, "changeType": "CREATE" >>>>>>>>>>>>>>>>>>>> 1 }, "Configuration.AttachmentCount": { "previousValue": 2, "updatedValue": 3, "changeType": "UPDATE" >>>>>>>>>>>>>>>>>>>> 2 } }, "changeType": "UPDATE" } }
UPDATE-DELETE
下列範例包含資源直接關係與資源組態中的變更。configurationItemDiff 詳細資訊顯示了下列資訊:
已執行的動作:帳戶中存在的受管政策已與 IAM 使用者分離。
已執行的基本操作:UPDATE (更新與資源類型 AWS::IAM::User 相關聯的許可政策)。
變更類型組合:資源直接關係變更「UPDATE-DELETE」。帳戶中 IAM 使用者與 IAM 政策之間的關聯已刪除。
範例「UPDATE-DELETE」configurationItemDiff 通知:
{ "configurationItemDiff": { "changedProperties": { "Configuration.UserPolicyList.0": { "previousValue": { "policyName": "Test2", "policyDocument": "{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:*:*:instance/*", "Condition": { "StringLike": { "aws:RequestTag/VPCId": "*" } } } ] }" }, "updatedValue": null, "changeType": "DELETE" >>>>>>>>>>>>>>>>>>>> 3 } }, "changeType": "UPDATE" } }
DELETE-DELETE
下列範例包含資源直接關係與資源組態中的變更。configurationItemDiff 詳細資訊顯示了下列資訊:
已執行的動作:已刪除帳戶中存在的 IAM 角色。
已執行的基本操作:DELETE (已刪除資源類型 AWS::IAM::Role 的資源)。
變更類型組合:資源直接關係變更與資源組態變更「DELETE-DELETE」。刪除 IAM 角色的同時,也會刪除 IAM 政策與 IAM 角色之間的關聯。
範例「DELETE-DELETE」configurationItemDiff 通知:
{ "configurationItemDiff": { "changedProperties": { "Relationships.0": { "previousValue": { "resourceId": "ANPAIJ5MXUKK*********", "resourceName": "AWSCloudTrailAccessPolicy", "resourceType": "AWS::IAM::Policy", "name": "Is attached to CustomerManagedPolicy" }, "updatedValue": null, "changeType": "DELETE" }, "Configuration": { "previousValue": { "path": "/", "roleName": "CloudTrailRole", "roleId": "AROAJITJ6YGM*********", "arn": "arn:aws:iam::123456789012:role/CloudTrailRole", "createDate": "2017-12-06T10:27:51.000Z", "assumeRolePolicyDocument": "{"Version":"2012-10-17","Statement":[{"Sid":"","Effect":"Allow","Principal":{"AWS":"arn:aws:iam::123456789012:root"},"Action":"sts:AssumeRole","Condition":{"StringEquals":{"sts:ExternalId":"123456"}}}]}", "instanceProfileList": [], "rolePolicyList": [], "attachedManagedPolicies": [ { "policyName": "AWSCloudTrailAccessPolicy", "policyArn": "arn:aws:iam::123456789012:policy/AWSCloudTrailAccessPolicy" } ], "permissionsBoundary": null, "tags": [], "roleLastUsed": null }, "updatedValue": null, "changeType": "DELETE" } }, "changeType": "DELETE" }
