


# Working with the Delivery Channel

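As AWS Config continually records the changes that occur to your AWS resources, it sends notifications and updated configuration states through the *delivery channel*. You can manage the delivery channel to control where AWS Config sends configuration updates.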

**Topics**
+ [Considerations](#dc-considerations)
+ [Terminology](#dc-terminology)
+ [Components of a Configuration Item](config-item-table.md)
+ [Viewing the delivery channel](dc-view.md)
+ [Updating the delivery channel](update-dc-console.md)
+ [Renaming the delivery channel](update-dc-rename.md)
+ [Delivering a configuration snapshot](deliver-snapshot-cli.md)
+ [Verifying delivery status](verify-delivery-status.md)
+ [Viewing a configuration snapshot](view-configuration-snapshot.md)
+ [Example configuration snapshot](example-s3-snapshot.md)
+ [Example notifications](notifications-for-AWS-Config.md)

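## Considerations


**One delivery channel per Region per account**

You can have only one delivery channel per AWS Region per AWS account, and the delivery channel is required to use AWS Config.

**Notifications for oversized configuration items include a brief summary**

When AWS Config detects a configuration change for a resource and the notification exceeds the maximum size allowed by Amazon SNS, the notification includes a brief summary of the configuration item. You can view the complete notification in the Amazon S3 bucket location specified in the `s3BucketLocation` field. For more information, see [Example oversized configuration item change notification](https://docs.aws.amazon.com/config/latest/developerguide/oversized-notification-example.html).

**AWS Config supports AWS KMS encryption for the Amazon S3 buckets that AWS Config uses**

You can provide an AWS Key Management Service (AWS KMS) key or alias Amazon Resource Name (ARN) to encrypt the data delivered to your Amazon Simple Storage Service (Amazon S3) bucket. By default, AWS Config delivers configuration history and snapshot files to your Amazon S3 bucket and encrypts the data at rest using S3 AES-256 server-side encryption (SSE-S3). However, if you provide AWS Config with your KMS key or alias ARN, AWS Config uses that KMS key instead of AES-256 encryption.

AWS Config does not support delivery channels to Amazon S3 buckets that have Object Lock enabled with default retention enabled. For more information, see [How S3 Object Lock works](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html).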

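## Terminology


A *configuration item* represents a point-in-time view of the various attributes of a supported AWS resource that exists in your account. The components of a configuration item include metadata, attributes, relationships, current configuration, and related events. AWS Config creates a configuration item whenever it detects a change to a resource type that it is recording. For example, if AWS Config is recording Amazon S3 buckets, AWS Config creates a configuration item whenever a bucket is created, updated, or deleted. You can also choose to have AWS Config create a configuration item at the recording frequency that you set.

A *configuration history* is a collection of the configuration items for a given resource over a time period. A configuration history contains information such as when the resource was first created, how the resource has been configured over the last month, and what configuration changes were made yesterday at 9 AM. The configuration history is available to you in multiple formats. AWS Config automatically delivers a configuration history file for each resource type that is being recorded to an Amazon S3 bucket that you specify. You can select a given resource in the AWS Config console and use the timeline to navigate to all previous configuration items for that resource. Additionally, you can access the historical configuration items for a resource from the API.

A *configuration snapshot* is a collection of the configuration items for the supported resources that exist in your account. A configuration snapshot gives a complete picture of the resources that are being recorded and their configurations. The configuration snapshot is a useful tool for validating your configuration. For example, you can examine the configuration snapshot regularly to find resources that are configured incorrectly or that potentially should not exist. The configuration snapshot is available in multiple formats. You can have the configuration snapshot delivered to an Amazon Simple Storage Service (Amazon S3) bucket that you specify. Additionally, you can select a point in time in the AWS Config console and navigate through the snapshot of configuration items using the relationships between the resources.

A *configuration stream* is an automatically updated list of all configuration items for the resources that AWS Config is recording. Every time a resource is created, modified, or deleted, AWS Config creates a configuration item and adds it to the configuration stream. The configuration stream works by using an Amazon Simple Notification Service (Amazon SNS) topic of your choice. The configuration stream is helpful for observing configuration changes as they occur, so that you can spot potential problems, generate notifications when certain resources are changed, or update external systems that need to reflect the configuration of your AWS resources.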

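# Components of a Configuration Item


A *configuration item* represents the various attributes of a supported AWS resource in your account at a specific point in time. The components of a configuration item include metadata, attributes, relationships, current configuration, and related events. AWS Config creates a configuration item whenever it detects a change to a resource type that it is recording. For example, if AWS Config is recording Amazon S3 buckets, AWS Config creates a configuration item whenever a bucket is created, updated, or deleted. You can also choose to have AWS Config create a configuration item at the recording frequency that you set.

A configuration item consists of the following components.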



| Component | Description | Contains | 
| --- | --- | --- | 
| Metadata | Information about this configuration item | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/config/latest/developerguide/config-item-table.html) | 
| Attributes | Resource attributes | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/config/latest/developerguide/config-item-table.html) | 
| Relationships | How the resource is related to other resources associated with the account | Description of the relationship, such as Amazon EBS volume vol-1234567 is attached to Amazon EC2 instance i-a1b2c3d4 | 
| Current configuration | Information returned through a call to the Describe or List API of the resource | For example, the DescribeVolumes API returns the following information about the volume: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/config/latest/developerguide/config-item-table.html) | 

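**Notes**

1. A configuration item relationship does not include network flow or data flow dependencies. Configuration items cannot be customized to represent your application architecture.

1. As of version 1.3, the relatedEvents field is empty. You can use the [LookupEvents API](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_LookupEvents.html) in the *AWS CloudTrail API Reference* to retrieve the events for the resource.

1. As of version 1.3, the configurationItemMD5Hash field is empty. You can use the configurationStateId field to ensure that you have the latest configuration item.

1. If a resource type does not support tagging, or if tag information is not included in its describe API response, AWS Config does not capture tag data in the configuration items (CIs) for that resource type. AWS Config still records these resources. However, any functionality that relies on tag data will not work. This affects tag-based filtering, grouping, and compliance evaluation that depend on tag data.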

# Viewing the delivery channel


You must use the AWS CLI to view details about the delivery channel.

The following code examples show how to use `DescribeDeliveryChannels`.

------
#### [ CLI ]

**AWS CLI**  
**To get details about the delivery channel**  
The following command returns details about the delivery channel:  

```
aws configservice describe-delivery-channels
```
Output:  

```
{
    "DeliveryChannels": [
        {
            "snsTopicARN": "arn:aws:sns:us-east-1:123456789012:config-topic",
            "name": "default",
            "s3BucketName": "config-bucket-123456789012"
        }
    ]
}
```
+  For API details, see [DescribeDeliveryChannels](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/describe-delivery-channels.html) in the *AWS CLI Command Reference*.

------
#### [ PowerShell ]

**Tools for PowerShell V4**  
**Example 1: This example retrieves the delivery channel for the Region and displays its details.**  

```
Get-CFGDeliveryChannel -Region eu-west-1 | Select-Object Name, S3BucketName, S3KeyPrefix, @{N="DeliveryFrequency";E={$_.ConfigSnapshotDeliveryProperties.DeliveryFrequency}}
```
**Output:**  

```
Name    S3BucketName               S3KeyPrefix DeliveryFrequency
----    ------------               ----------- -----------------
default config-bucket-NA my          TwentyFour_Hours
```
+  For API details, see [DescribeDeliveryChannels](https://docs.aws.amazon.com/powershell/v4/reference) in the *AWS Tools for PowerShell Cmdlet Reference (V4)*.

**Tools for PowerShell V5**  
**Example 1: This example retrieves the delivery channel for the Region and displays its details.**  

```
Get-CFGDeliveryChannel -Region eu-west-1 | Select-Object Name, S3BucketName, S3KeyPrefix, @{N="DeliveryFrequency";E={$_.ConfigSnapshotDeliveryProperties.DeliveryFrequency}}
```
**Output:**  

```
Name    S3BucketName               S3KeyPrefix DeliveryFrequency
----    ------------               ----------- -----------------
default config-bucket-NA my          TwentyFour_Hours
```
+  For API details, see [DescribeDeliveryChannels](https://docs.aws.amazon.com/powershell/v5/reference) in the *AWS Tools for PowerShell Cmdlet Reference (V5)*.

------

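# Updating the delivery channel


When you update the delivery channel, you can set the following options:
+ The Amazon S3 bucket to which AWS Config sends configuration snapshots and configuration history files.
+ How often AWS Config delivers configuration snapshots to your Amazon S3 bucket.
+ The Amazon SNS topic to which AWS Config sends notifications about configuration changes.

## Updating the delivery channel (console)


You can use the AWS Config console to set the Amazon S3 bucket and the Amazon SNS topic for your delivery channel. For steps to manage these settings, see [Setting up AWS Config with the console](gs-console.md).

The console does not provide options to rename the delivery channel, set the configuration snapshot frequency, or delete the delivery channel. To perform these tasks, you must use the AWS CLI, the AWS Config API, or one of the AWS SDKs.

## Updating the delivery channel (AWS SDKs)


The following code examples show how to use `PutDeliveryChannel`.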

------
#### [ CLI ]

**AWS CLI**  
**To create a delivery channel**  
The following command provides the settings for the delivery channel as JSON code:  

```
aws configservice put-delivery-channel --delivery-channel file://deliveryChannel.json
```
The `deliveryChannel.json` file specifies the delivery channel attributes:  

```
{
    "name": "default",
    "s3BucketName": "config-bucket-123456789012",
    "snsTopicARN": "arn:aws:sns:us-east-1:123456789012:config-topic",
    "configSnapshotDeliveryProperties": {
        "deliveryFrequency": "Twelve_Hours"
    }
}
```
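This example sets the following attributes:  
`name` - The name of the delivery channel. By default, AWS Config assigns the name `default` to a new delivery channel. You cannot update the delivery channel name with the `put-delivery-channel` command. For the steps to change the name, see Renaming the Delivery Channel.  
`s3BucketName` - The name of the Amazon S3 bucket to which AWS Config delivers configuration snapshots and configuration history files. If you specify a bucket that belongs to another AWS account, that bucket must have a policy that grants access permissions to AWS Config. For more information, see Permissions for the Amazon S3 Bucket.  
`snsTopicARN` - The Amazon Resource Name (ARN) of the Amazon SNS topic to which AWS Config sends notifications about configuration changes. If you choose a topic from another account, that topic must have a policy that grants access permissions to AWS Config. For more information, see Permissions for the Amazon SNS Topic.  
`configSnapshotDeliveryProperties` - Contains the `deliveryFrequency` attribute, which sets how often AWS Config delivers configuration snapshots and how often it invokes evaluations for periodic Config rules.  
If the command succeeds, AWS Config returns no output. To verify the settings of your delivery channel, run the describe-delivery-channels command.  
+  For API details, see [PutDeliveryChannel](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/put-delivery-channel.html) in the *AWS CLI Command Reference*.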

------
#### [ PowerShell ]

**Tools for PowerShell V4**  
**Example 1: This example changes the deliveryFrequency property of an existing delivery channel.**  

```
Write-CFGDeliveryChannel -ConfigSnapshotDeliveryProperties_DeliveryFrequency TwentyFour_Hours -DeliveryChannelName default -DeliveryChannel_S3BucketName amzn-s3-demo-bucket -DeliveryChannel_S3KeyPrefix my
```
+  For API details, see [PutDeliveryChannel](https://docs.aws.amazon.com/powershell/v4/reference) in the *AWS Tools for PowerShell Cmdlet Reference (V4)*.

**Tools for PowerShell V5**  
**Example 1: This example changes the deliveryFrequency property of an existing delivery channel.**  

```
Write-CFGDeliveryChannel -ConfigSnapshotDeliveryProperties_DeliveryFrequency TwentyFour_Hours -DeliveryChannelName default -DeliveryChannel_S3BucketName amzn-s3-demo-bucket -DeliveryChannel_S3KeyPrefix my
```
+  For API details, see [PutDeliveryChannel](https://docs.aws.amazon.com/powershell/v5/reference) in the *AWS Tools for PowerShell Cmdlet Reference (V5)*.

------

(Optional) You can use the [`describe-delivery-channels`](https://docs.aws.amazon.com/cli/latest/reference/configservice/describe-delivery-channels.html) command to verify that the delivery channel settings are updated:

```
$ aws configservice describe-delivery-channels
{
    "DeliveryChannels": [
        {
            "configSnapshotDeliveryProperties": {
                "deliveryFrequency": "Twelve_Hours"
            },
            "snsTopicARN": "arn:aws:sns:us-east-2:123456789012:config-topic",
            "name": "default",
            "s3BucketName": "config-bucket-123456789012"
        }
    ]
}
```


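# Renaming the delivery channel


To change the delivery channel name, you must delete the delivery channel and then create a new delivery channel with the desired name. Before you can delete the delivery channel, you must temporarily stop the configuration recorder. The AWS Config console does not provide the option to delete the delivery channel. You must use the AWS CLI, the AWS Config API, or one of the AWS SDKs.

**To rename the delivery channel using the AWS CLI**

1. Use the [`stop-configuration-recorder`](https://docs.aws.amazon.com/cli/latest/reference/configservice/stop-configuration-recorder.html) command to stop the configuration recorder: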

   ```
   $ aws configservice stop-configuration-recorder --configuration-recorder-name configRecorderName
   ```

1. Use the [`describe-delivery-channels`](https://docs.aws.amazon.com/cli/latest/reference/configservice/describe-delivery-channels.html) command and take note of your delivery channel's attributes:

   ```
   $ aws configservice describe-delivery-channels
   {
       "DeliveryChannels": [
           {
               "configSnapshotDeliveryProperties": {
                   "deliveryFrequency": "Twelve_Hours"
               },
               "snsTopicARN": "arn:aws:sns:us-east-2:123456789012:config-topic",
               "name": "default",
               "s3BucketName": "config-bucket-123456789012"
           }
       ]
   }
   ```

1. Use the [`delete-delivery-channel`](https://docs.aws.amazon.com/cli/latest/reference/configservice/delete-delivery-channel.html) command to delete the delivery channel:

   ```
   $ aws configservice delete-delivery-channel --delivery-channel-name default
   ```

1. Use the [`put-delivery-channel`](https://docs.aws.amazon.com/cli/latest/reference/configservice/put-delivery-channel.html) command to create a delivery channel with the desired name:

   ```
   $ aws configservice put-delivery-channel --delivery-channel file://deliveryChannel.json
   ```

   The `deliveryChannel.json` file specifies the delivery channel attributes:

   ```
   {
       "name": "myCustomDeliveryChannelName",
       "s3BucketName": "config-bucket-123456789012",
       "snsTopicARN": "arn:aws:sns:us-east-2:123456789012:config-topic",
       "configSnapshotDeliveryProperties": {
           "deliveryFrequency": "Twelve_Hours"
       }
   }
   ```

1. Use the `start-configuration-recorder` command to resume recording:

   ```
   $ aws configservice start-configuration-recorder --configuration-recorder-name configRecorderName
   ```

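# Delivering a configuration snapshot to an Amazon S3 bucket

A *configuration snapshot* is a collection of the configuration items for the supported resources that exist in your account. A configuration snapshot gives a complete picture of the resources that are being recorded and their configurations. The configuration snapshot is a useful tool for validating your configuration. For example, you can examine the configuration snapshot regularly to find resources that are configured incorrectly or that potentially should not exist. The configuration snapshot is available in multiple formats. You can have the configuration snapshot delivered to an Amazon Simple Storage Service (Amazon S3) bucket that you specify. Additionally, you can select a point in time in the AWS Config console and navigate through the snapshot of configuration items using the relationships between the resources.

## Delivering a configuration snapshot


AWS Config generates a configuration snapshot when you invoke the [DeliverConfigSnapshot](https://docs.aws.amazon.com/config/latest/APIReference/API_DeliverConfigSnapshot.html) action or run the AWS CLI `deliver-config-snapshot` command. AWS Config stores the configuration snapshot in the Amazon S3 bucket that you specified when you enabled AWS Config.

Enter the [`deliver-config-snapshot`](https://docs.aws.amazon.com/cli/latest/reference/configservice/deliver-config-snapshot.html) command, specifying the name that AWS Config assigned when you configured your delivery channel, for example: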

```
$ aws configservice deliver-config-snapshot --delivery-channel-name default
{
    "configSnapshotId": "94ccff53-83be-42d9-996f-b4624b3c1a55"
}
```

# Verifying delivery status


Enter the [`describe-delivery-channel-status`](https://docs.aws.amazon.com/cli/latest/reference/configservice/describe-delivery-channel-status.html) command to verify that AWS Config has started delivering configurations to the specified delivery channel:

```
aws configservice describe-delivery-channel-status
```

The response lists the status of all three delivery formats that AWS Config uses to deliver configurations to your bucket and topic.

```
{
    "DeliveryChannelsStatus": [
        {
            "configStreamDeliveryInfo": {
                "lastStatusChangeTime": 1415138614.125,
                "lastStatus": "SUCCESS"
            },
            "configHistoryDeliveryInfo": {
                "lastSuccessfulTime": 1415148744.267,
                "lastStatus": "SUCCESS",
                "lastAttemptTime": 1415148744.267
            },
            "configSnapshotDeliveryInfo": {
                "lastSuccessfulTime": 1415333113.4159999,
                "lastStatus": "SUCCESS",
                "lastAttemptTime": 1415333113.4159999
            },
            "name": "default"
        }
    ]
}
```

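Look at the `lastSuccessfulTime` field in `configSnapshotDeliveryInfo`. The time should match the time at which you last requested delivery of the configuration snapshot.

**Note**  
AWS Config uses the UTC format (Coordinated Universal Time) to record the time.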
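
The check described above can be automated. The following Python sketch is an added example, not part of the AWS documentation: it reads `describe-delivery-channel-status` output, flags any delivery format whose `lastStatus` is not `SUCCESS` or whose last attempt is newer than its last success, and compares `lastSuccessfulTime` in `configSnapshotDeliveryInfo` with the UTC time of your snapshot request. The function names and the altered sample values are assumptions made for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like the describe-delivery-channel-status output
# above; the snapshot entry is altered to show a failed latest attempt.
SAMPLE_STATUS = json.loads("""
{
  "DeliveryChannelsStatus": [
    {
      "configStreamDeliveryInfo": {
        "lastStatusChangeTime": 1415138614.125, "lastStatus": "SUCCESS"
      },
      "configHistoryDeliveryInfo": {
        "lastSuccessfulTime": 1415148744.267, "lastStatus": "SUCCESS",
        "lastAttemptTime": 1415148744.267
      },
      "configSnapshotDeliveryInfo": {
        "lastSuccessfulTime": 1415333113.416, "lastStatus": "FAILURE",
        "lastAttemptTime": 1415419513.0
      },
      "name": "default"
    }
  ]
}
""")

DELIVERY_KEYS = (
    "configStreamDeliveryInfo",
    "configHistoryDeliveryInfo",
    "configSnapshotDeliveryInfo",
)


def utc_iso(epoch_seconds):
    """Render an epoch timestamp from the CLI output as an ISO 8601 UTC string."""
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc).isoformat()


def check_delivery_status(status_doc, snapshot_requested_at=None):
    """Return (channel, delivery_key, problem) tuples; an empty list means healthy.

    snapshot_requested_at: timezone-aware datetime of the last
    deliver-config-snapshot call, or None to skip that comparison.
    """
    if snapshot_requested_at is not None and snapshot_requested_at.tzinfo is None:
        # AWS Config records times in UTC; a naive local time would compare wrongly.
        raise ValueError("snapshot_requested_at must be timezone-aware")

    findings = []
    for channel in status_doc.get("DeliveryChannelsStatus", []):
        name = channel.get("name", "<unnamed>")
        for key in DELIVERY_KEYS:
            info = channel.get(key)
            if info is None:
                findings.append((name, key, "no status reported"))
                continue
            status = str(info.get("lastStatus", "")).upper()
            if status != "SUCCESS":
                findings.append((name, key, f"lastStatus is {status or 'missing'}"))
            ok = info.get("lastSuccessfulTime")
            attempt = info.get("lastAttemptTime")
            if ok is not None and attempt is not None and attempt > ok:
                findings.append((name, key,
                                 f"last attempt {utc_iso(attempt)} is newer than "
                                 f"last success {utc_iso(ok)}"))

        if snapshot_requested_at is not None:
            snap = channel.get("configSnapshotDeliveryInfo") or {}
            ok = snap.get("lastSuccessfulTime")
            if ok is None or ok < snapshot_requested_at.timestamp():
                requested = snapshot_requested_at.astimezone(timezone.utc).isoformat()
                findings.append((name, "configSnapshotDeliveryInfo",
                                 f"snapshot requested at {requested} "
                                 "has no later successful delivery"))
    return findings


if __name__ == "__main__":
    for finding in check_delivery_status(SAMPLE_STATUS):
        print(finding)
```

To use it on live data, pass the parsed JSON printed by `aws configservice describe-delivery-channel-status` instead of the constructed sample.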

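# Viewing a configuration snapshot in an Amazon S3 bucket

A *configuration snapshot* is a collection of the configuration items for the supported resources that exist in your account. A configuration snapshot gives a complete picture of the resources that are being recorded and their configurations. The configuration snapshot is a useful tool for validating your configuration. For example, you can examine the configuration snapshot regularly to find resources that are configured incorrectly or that potentially should not exist. The configuration snapshot is available in multiple formats. You can have the configuration snapshot delivered to an Amazon Simple Storage Service (Amazon S3) bucket that you specify. Additionally, you can select a point in time in the AWS Config console and navigate through the snapshot of configuration items using the relationships between the resources.

## Viewing a configuration snapshot


1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the **All Buckets** list of the Amazon S3 console, choose the name of your Amazon S3 bucket.

1. Click through the nested folders in your bucket until you find the `ConfigSnapshot` object whose snapshot ID matches the ID returned by the command. Download and open the object to view the configuration snapshot. The S3 bucket also contains an empty file named `ConfigWritabilityCheckFile`. AWS Config creates this file to verify that the service can successfully write to the S3 bucket.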

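# Example configuration snapshot from AWS Config

The following is an example of the information that AWS Config includes in a configuration snapshot. The snapshot describes the configuration of the resources that AWS Config is recording in the current Region for your AWS account, and it describes the relationships between these resources.

**Note**  
Configuration snapshots can include references to resource types and resource IDs that are not supported.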

```
{
    "fileVersion": "1.0",
    "requestId": "asudf8ow-4e34-4f32-afeb-0ace5bf3trye",
    "configurationItems": [
        {
            "configurationItemVersion": "1.0",
            "resourceId": "vol-ce676ccc",
            "arn": "arn:aws:us-west-2b:123456789012:volume/vol-ce676ccc",
            "accountId": "12345678910",
            "configurationItemCaptureTime": "2014-03-07T23:47:08.918Z",
            "configurationStateID": "3e660fdf-4e34-4f32-afeb-0ace5bf3d63a",
            "configurationItemStatus": "OK",
            "relatedEvents": [
                "06c12a39-eb35-11de-ae07-adb69edbb1e4",
                "c376e30d-71a2-4694-89b7-a5a04ad92281"
            ],
            "availibilityZone": "us-west-2b",
            "resourceType": "AWS::EC2::Volume",
            "resourceCreationTime": "2014-02-27T21:43:53.885Z",
            "tags": {},
            "relationships": [
                {
                    "resourceId": "i-344c463d",
                    "resourceType": "AWS::EC2::Instance",
                    "name": "Attached to Instance"
                }
            ],
            "configuration": {
                "volumeId": "vol-ce676ccc",
                "size": 1,
                "snapshotId": "",
                "availabilityZone": "us-west-2b",
                "state": "in-use",
                "createTime": "2014-02-27T21:43:53.0885+0000",
                "attachments": [
                    {
                        "volumeId": "vol-ce676ccc",
                        "instanceId": "i-344c463d",
                        "device": "/dev/sdf",
                        "state": "attached",
                        "attachTime": "2014-03-07T23:46:28.0000+0000",
                        "deleteOnTermination": false
                    }
                ],
                "tags": [
                    {
                        "tagName": "environment",
                        "tagValue": "PROD"
                    },
                    {
                        "tagName": "name",
                        "tagValue": "DataVolume1"
                    }
                ],
                "volumeType": "standard"
            }
        },
        {
            "configurationItemVersion": "1.0",
            "resourceId": "i-344c463d",
            "accountId": "12345678910",
            "arn": "arn:aws:ec2:us-west-2b:123456789012:instance/i-344c463d",
            "configurationItemCaptureTime": "2014-03-07T23:47:09.523Z",
            "configurationStateID": "cdb571fa-ce7a-4ec5-8914-0320466a355e",
            "configurationItemStatus": "OK",
            "relatedEvents": [
                "06c12a39-eb35-11de-ae07-adb69edbb1e4",
                "c376e30d-71a2-4694-89b7-a5a04ad92281"
            ],
            "availibilityZone": "us-west-2b",
            "resourceType": "AWS::EC2::Instance",
            "resourceCreationTime": "2014-02-26T22:56:35.000Z",
            "tags": {
                "Name": "integ-test-1",
                "examplename": "examplevalue"
            },
            "relationships": [
                {
                    "resourceId": "vol-ce676ccc",
                    "resourceType": "AWS::EC2::Volume",
                    "name": "Attached Volume"
                },
                {
                    "resourceId": "vol-ef0e06ed",
                    "resourceType": "AWS::EC2::Volume",
                    "name": "Attached Volume",
                    "direction": "OUT"
                },
                {
                    "resourceId": "subnet-47b4cf2c",
                    "resourceType": "AWS::EC2::SUBNET",
                    "name": "Is contained in Subnet",
                    "direction": "IN"
                }
            ],
            "configuration": {
                "instanceId": "i-344c463d",
                "imageId": "ami-ccf297fc",
                "state": {
                    "code": 16,
                    "name": "running"
                },
                "privateDnsName": "ip-172-31-21-63.us-west-2.compute.internal",
                "publicDnsName": "ec2-54-218-4-189.us-west-2.compute.amazonaws.com",
                "stateTransitionReason": "",
                "keyName": "configDemo",
                "amiLaunchIndex": 0,
                "productCodes": [],
                "instanceType": "t1.micro",
                "launchTime": "2014-02-26T22:56:35.0000+0000",
                "placement": {
                    "availabilityZone": "us-west-2b",
                    "groupName": "",
                    "tenancy": "default"
                },
                "kernelId": "aki-fc8f11cc",
                "monitoring": {
                    "state": "disabled"
                },
                "subnetId": "subnet-47b4cf2c",
                "vpcId": "vpc-41b4cf2a",
                "privateIpAddress": "172.31.21.63",
                "publicIpAddress": "54.218.4.189",
                "architecture": "x86_64",
                "rootDeviceType": "ebs",
                "rootDeviceName": "/dev/sda1",
                "blockDeviceMappings": [
                    {
                        "deviceName": "/dev/sda1",
                        "ebs": {
                            "volumeId": "vol-ef0e06ed",
                            "status": "attached",
                            "attachTime": "2014-02-26T22:56:38.0000+0000",
                            "deleteOnTermination": true
                        }
                    },
                    {
                        "deviceName": "/dev/sdf",
                        "ebs": {
                            "volumeId": "vol-ce676ccc",
                            "status": "attached",
                            "attachTime": "2014-03-07T23:46:28.0000+0000",
                            "deleteOnTermination": false
                        }
                    }
                ],
                "virtualizationType": "paravirtual",
                "clientToken": "aBCDe123456",
                "tags": [
                    {
                        "key": "Name",
                        "value": "integ-test-1"
                    },
                    {
                        "key": "examplekey",
                        "value": "examplevalue"
                    }
                ],
                "securityGroups": [
                    {
                        "groupName": "launch-wizard-2",
                        "groupId": "sg-892adfec"
                    }
                ],
                "sourceDestCheck": true,
                "hypervisor": "xen",
                "networkInterfaces": [
                    {
                        "networkInterfaceId": "eni-55c03d22",
                        "subnetId": "subnet-47b4cf2c",
                        "vpcId": "vpc-41b4cf2a",
                        "description": "",
                        "ownerId": "12345678910",
                        "status": "in-use",
                        "privateIpAddress": "172.31.21.63",
                        "privateDnsName": "ip-172-31-21-63.us-west-2.compute.internal",
                        "sourceDestCheck": true,
                        "groups": [
                            {
                                "groupName": "launch-wizard-2",
                                "groupId": "sg-892adfec"
                            }
                        ],
                        "attachment": {
                            "attachmentId": "eni-attach-bf90c489",
                            "deviceIndex": 0,
                            "status": "attached",
                            "attachTime": "2014-02-26T22:56:35.0000+0000",
                            "deleteOnTermination": true
                        },
                        "association": {
                            "publicIp": "54.218.4.189",
                            "publicDnsName": "ec2-54-218-4-189.us-west-2.compute.amazonaws.com",
                            "ipOwnerId": "amazon"
                        },
                        "privateIpAddresses": [
                            {
                                "privateIpAddress": "172.31.21.63",
                                "privateDnsName": "ip-172-31-21-63.us-west-2.compute.internal",
                                "primary": true,
                                "association": {
                                    "publicIp": "54.218.4.189",
                                    "publicDnsName": "ec2-54-218-4-189.us-west-2.compute.amazonaws.com",
                                    "ipOwnerId": "amazon"
                                }
                            }
                        ]
                    }
                ],
                "ebsOptimized": false
            }
        }
    ]
}
```
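
The following Python sketch is an added example, not part of the AWS documentation, showing one way to review a snapshot like the one above: it counts the recorded items per resource type, lists relationships that point at resources with no configuration item in the snapshot (the case the note above describes), and reports recorded resources missing from an approved baseline. The function names and the approved-ID baseline are assumptions made for illustration.

```python
import json

# Constructed sample: the two configuration items from the snapshot above,
# trimmed to the fields this check reads.
SAMPLE_SNAPSHOT = json.loads("""
{
  "fileVersion": "1.0",
  "configurationItems": [
    {
      "resourceId": "vol-ce676ccc",
      "resourceType": "AWS::EC2::Volume",
      "relationships": [
        {"resourceId": "i-344c463d", "resourceType": "AWS::EC2::Instance",
         "name": "Attached to Instance"}
      ]
    },
    {
      "resourceId": "i-344c463d",
      "resourceType": "AWS::EC2::Instance",
      "relationships": [
        {"resourceId": "vol-ce676ccc", "resourceType": "AWS::EC2::Volume",
         "name": "Attached Volume"},
        {"resourceId": "vol-ef0e06ed", "resourceType": "AWS::EC2::Volume",
         "name": "Attached Volume", "direction": "OUT"},
        {"resourceId": "subnet-47b4cf2c", "resourceType": "AWS::EC2::SUBNET",
         "name": "Is contained in Subnet", "direction": "IN"}
      ]
    }
  ]
}
""")


def resource_key(resource_type, resource_id):
    """Normalise case: the page shows both AWS::EC2::Volume and AWS::EC2::SUBNET."""
    return (str(resource_type).lower(), str(resource_id))


def inventory(snapshot):
    """Count recorded configuration items per (lower-cased) resource type."""
    counts = {}
    for item in snapshot.get("configurationItems", []):
        rtype = resource_key(item.get("resourceType"), item.get("resourceId"))[0]
        counts[rtype] = counts.get(rtype, 0) + 1
    return counts


def unresolved_relationships(snapshot):
    """List relationships whose target has no configuration item in the snapshot.

    Returns (source_id, relationship_name, target_type, target_id) tuples.
    """
    items = snapshot.get("configurationItems", [])
    recorded = {resource_key(i.get("resourceType"), i.get("resourceId")) for i in items}
    missing = []
    for item in items:
        for rel in item.get("relationships") or []:
            target = resource_key(rel.get("resourceType"), rel.get("resourceId"))
            if target not in recorded:
                missing.append((item.get("resourceId"), rel.get("name"),
                                rel.get("resourceType"), rel.get("resourceId")))
    return missing


def unapproved_resources(snapshot, approved_ids):
    """Return recorded resource IDs absent from an approved baseline (hypothetical input)."""
    approved = set(approved_ids)
    return sorted(
        str(item.get("resourceId"))
        for item in snapshot.get("configurationItems", [])
        if item.get("resourceId") not in approved
    )


if __name__ == "__main__":
    print(inventory(SAMPLE_SNAPSHOT))
    for row in unresolved_relationships(SAMPLE_SNAPSHOT):
        print("unresolved:", row)
    print("unapproved:", unapproved_resources(SAMPLE_SNAPSHOT, ["i-344c463d"]))
```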

The next step is to verify that the configuration snapshot was delivered successfully to the delivery channel.

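# Notifications that AWS Config sends to an Amazon SNS topic

**Note**  
You must set up a configuration recorder and a delivery channel before AWS Config can send notifications to an Amazon SNS topic. For more information, see [Managing the Configuration Recorder](https://docs.aws.amazon.com/config/latest/developerguide/stop-start-recorder.html) and [Managing the Delivery Channel](https://docs.aws.amazon.com/config/latest/developerguide/manage-delivery-channel.html).

You can configure AWS Config to stream configuration changes and notifications to an Amazon SNS topic. For example, when a resource is updated, you can receive a notification by email so that you can review the change. You can also be notified when AWS Config evaluates your custom or managed rules against your resources. For more information, see [Logging and Monitoring in AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/security-logging-and-monitoring.html).

AWS Config sends notifications for the following events:
+ The configuration item for a resource changed.
+ The configuration history for a resource was delivered for your account.
+ A configuration snapshot of the recorded resources was started and delivered for your account.
+ The compliance state of your resources and whether they are compliant with your rules.
+ Evaluation of a rule started against your resources.
+ AWS Config failed to deliver the notification to your account.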

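**Topics**
+ [Example configuration item change notification](example-sns-notification.md)
+ [Example configuration history delivery notification](example-configuration-history-notification.md)
+ [Example configuration snapshot delivery started notification](example-configuration-snapshot-notification-started.md)
+ [Example configuration snapshot delivery notification](example-configuration-snapshot-notification.md)
+ [Example compliance change notification](example-config-rule-compliance-notification.md)
+ [Example rule evaluation started notification](config-rules-evaluation-started.md)
+ [Example oversized configuration item change notification](oversized-notification-example.md)
+ [Example delivery failed notification](notification-delivery-failed.md)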

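# Example configuration item change notification

AWS Config uses Amazon SNS to deliver notifications to subscription endpoints. These notifications provide the delivery status of configuration snapshots and configuration histories, and they provide each configuration item that AWS Config creates when the configuration of a recorded AWS resource changes. AWS Config also sends notifications that show whether your resources are compliant with your rules. If you choose to have notifications sent by email, you can use filters in your email client application based on the subject line and message body of the email.

The following is an example payload of an Amazon SNS notification that is generated when AWS Config detects that the Amazon Elastic Block Store volume `vol-ce676ccc` is attached to the instance with an ID of `i-344c463d`. The notification contains the configuration item change for the resource.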

```
{
    "Type": "Notification",
    "MessageId": "8b945cb0-db34-5b72-b032-1724878af488",
    "TopicArn": "arn:aws:sns:us-west-2:123456789012:example",
    "Message": {
        "MessageVersion": "1.0",
        "NotificationCreateTime": "2014-03-18T10:11:00Z",
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": [
            {
                "configurationItemVersion": "1.0",
                "configurationItemCaptureTime": "2014-03-07T23:47:08.918Z",
                "arn": "arn:aws:us-west-2b:123456789012:volume/vol-ce676ccc",
                "resourceId": "vol-ce676ccc",
                "awsAccountId": "123456789012",
                "configurationStateID": "3e660fdf-4e34-4f32-afeb-0ace5bf3d63a",
                "configurationItemStatus": "OK",
                "relatedEvents": [],
                "availabilityZone": "us-west-2b",
                "resourceType": "AWS::EC2::VOLUME",
                "resourceCreationTime": "2014-02-27T21:43:53.885Z",
                "tags": {},
                "relationships": [
                    {
                        "resourceId": "i-344c463d",
                        "resourceType": "AWS::EC2::INSTANCE",
                        "name": "Attached to Instance"
                    }
                ],
                "configuration": {
                    "volumeId": "vol-ce676ccc",
                    "size": 1,
                    "snapshotId": "",
                    "availabilityZone": "us-west-2b",
                    "state": "in-use",
                    "createTime": "2014-02-27T21:43:53.0885+0000",
                    "attachments": [
                        {
                            "volumeId": "vol-ce676ccc",
                            "instanceId": "i-344c463d",
                            "device": "/dev/sdf",
                            "state": "attached",
                            "attachTime": "2014-03-07T23:46:28.0000+0000",
                            "deleteOnTermination": false
                        }
                    ],
                    "tags": [],
                    "volumeType": "standard"
                }
            }
        ],
        "configurationItemDiff": {
            "changeType": "UPDATE",
            "changedProperties": {
                "Configuration.State": {
                    "previousValue": "available",
                    "updatedValue": "in-use",
                    "changeType": "UPDATE"
                },
                "Configuration.Attachments.0": {
                    "updatedValue": {
                        "VolumeId": "vol-ce676ccc",
                        "InstanceId": "i-344c463d",
                        "Device": "/dev/sdf",
                        "State": "attached",
                        "AttachTime": "FriMar0723: 46: 28UTC2014",
                        "DeleteOnTermination": "false"
                    },
                    "changeType": "CREATE"
                }
            }
        }
    },
    "Timestamp": "2014-03-07T23:47:10.001Z",
    "SignatureVersion": "1",
    "Signature": "LgfJNB5aOk/w3omqsYrv5cUFY8yvIJvO5ZZh46/KGPApk6HXRTBRlkhjacnxIXJEWsGI9mxvMmoWPLJGYEAR5FF/+/Ro9QTmiTNcEjQ5kB8wGsRWVrk/whAzT2lVtofc365En2T1Ncd9iSFFXfJchgBmI7EACZ28t+n2mWFgo57n6eGDvHTedslzC6KxkfWTfXsR6zHXzkB3XuZImktflg3iPKtvBb3Zc9iVbNsBEI4FITFWktSqqomYDjc5h0kgapIo4CtCHGKpALW9JDmP+qZhMzEbHWpzFlEzvFl55KaZXxDbznBD1ZkqPgno/WufuxszCiMrsmV8pUNUnkU1TA==",
    "SigningCertURL": "https://sns.us-west-2.amazonaws.com/SimpleNotificationService-e372f8ca30337fdb084e8ac449342c77.pem",
    "UnsubscribeURL": "https://sns.us-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-west-2:123456789012:example:a6859fee-3638-407c-907e-879651c9d143"
}
```
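
The following Python sketch is an added example, not part of the AWS documentation, of a subscriber that consumes notifications like the one above. SNS carries `Message` as a string, so the handler decodes it when needed, flattens `configurationItemDiff.changedProperties` into one row per changed path, and picks out security groups added to or removed from a resource's relationships. The function names are assumptions, and the sample envelope is constructed from the instance and security group IDs used on this page.

```python
import json

# Constructed sample: an SNS envelope whose Message is a JSON string, reusing
# the instance and security group IDs from this page. The "Relationships.1"
# and "Configuration.Monitoring.State" entries are constructed for illustration.
SG = "AWS::EC2::SecurityGroup"
REL = "Is associated with SecurityGroup"
MESSAGE = {
    "messageType": "ConfigurationItemChangeNotification",
    "configurationItem": {"resourceType": "AWS::EC2::Instance",
                          "resourceId": "i-007d374c8912e3e90"},
    "configurationItemDiff": {"changeType": "UPDATE", "changedProperties": {
        "Relationships.0": {
            "previousValue": {"resourceId": "sg-c8b141b4", "resourceType": SG, "name": REL},
            "updatedValue": None, "changeType": "DELETE"},
        "Relationships.1": {
            "previousValue": None,
            "updatedValue": {"resourceId": "sg-3f1fef43", "resourceType": SG, "name": REL},
            "changeType": "CREATE"},
        "Configuration.Monitoring.State": {
            "previousValue": "disabled", "updatedValue": "enabled", "changeType": "UPDATE"},
    }},
}
SAMPLE_ENVELOPE = {
    "Type": "Notification",
    "TopicArn": "arn:aws:sns:us-east-2:123456789012:config-topic-ohio",
    "Message": json.dumps(MESSAGE),
}


def parse_config_message(envelope, expected_topic_arn=None):
    """Return the AWS Config message carried in an SNS envelope as a dict.

    Verifying the envelope's Signature is not covered by this example.
    """
    if envelope.get("Type") != "Notification":
        raise ValueError("not an SNS notification")
    if expected_topic_arn and envelope.get("TopicArn") != expected_topic_arn:
        raise ValueError("notification came from an unexpected topic")
    message = envelope.get("Message")
    if isinstance(message, str):  # string-encoded as delivered by SNS
        message = json.loads(message)
    if not isinstance(message, dict):
        raise ValueError("Message is not a JSON object")
    return message


def list_changes(message):
    """Flatten configurationItemDiff.changedProperties into one row per path."""
    if message.get("messageType") != "ConfigurationItemChangeNotification":
        return []
    item = message.get("configurationItem") or {}
    if isinstance(item, list):  # the example above shows a one-element list
        item = item[0] if item else {}
    diff = message.get("configurationItemDiff") or {}
    changed = diff.get("changedProperties") or {}
    return [
        {
            "resourceType": item.get("resourceType"),
            "resourceId": item.get("resourceId"),
            "path": path,
            "changeType": change.get("changeType"),
            "previous": change.get("previousValue"),
            "updated": change.get("updatedValue"),
        }
        for path, change in sorted(changed.items())
    ]


def security_group_changes(changes):
    """Collect security groups removed from or added to a resource's relationships."""
    result = {"removed": [], "added": []}
    for change in changes:
        if not change["path"].startswith("Relationships."):
            continue
        for side, bucket in (("previous", "removed"), ("updated", "added")):
            value = change[side]
            if (isinstance(value, dict)
                    and str(value.get("resourceType", "")).lower() == SG.lower()):
                result[bucket].append(value.get("resourceId"))
    return result


if __name__ == "__main__":
    rows = list_changes(parse_config_message(SAMPLE_ENVELOPE))
    for row in rows:
        print(row["resourceId"], row["path"], row["changeType"])
    print(security_group_changes(rows))
```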

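## Configuration items for resources with relationships


If a resource is related to other resources, a change to that resource can result in multiple configuration items. The following example shows how AWS Config creates configuration items for resources with relationships.

1. You have an Amazon EC2 instance with an ID of `i-007d374c8912e3e90`, and the instance is associated with the Amazon EC2 security group `sg-c8b141b4`.

1. You update your EC2 instance to change the security group to another security group, `sg-3f1fef43`.

1. Because the EC2 instance is related to another resource, AWS Config creates multiple configuration items, as in the following examples:

This notification contains the configuration item change for the EC2 instance when the security group is replaced.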

```
{
    "Type": "Notification",
    "MessageId": "faeba85e-ef46-570a-b01c-f8b0faae8d5d",
    "TopicArn": "arn:aws:sns:us-east-2:123456789012:config-topic-ohio",
    "Subject": "[AWS Config:us-east-2] AWS::EC2::Instance i-007d374c8912e3e90 Updated in Account 123456789012",
    "Message": {
        "configurationItemDiff": {
            "changedProperties": {
                "Configuration.NetworkInterfaces.0": {
                    "previousValue": {
                        "networkInterfaceId": "eni-fde9493f",
                        "subnetId": "subnet-2372be7b",
                        "vpcId": "vpc-14400670",
                        "description": "",
                        "ownerId": "123456789012",
                        "status": "in-use",
                        "macAddress": "0e:36:a2:2d:c5:e0",
                        "privateIpAddress": "172.31.16.84",
                        "privateDnsName": "ip-172-31-16-84.ec2.internal",
                        "sourceDestCheck": true,
                        "groups": [{
                            "groupName": "example-security-group-1",
                            "groupId": "sg-c8b141b4"
                        }],
                        "attachment": {
                            "attachmentId": "eni-attach-85bd89d9",
                            "deviceIndex": 0,
                            "status": "attached",
                            "attachTime": "2017-01-09T19:36:02.000Z",
                            "deleteOnTermination": true
                        },
                        "association": {
                            "publicIp": "54.175.43.43",
                            "publicDnsName": "ec2-54-175-43-43.compute-1.amazonaws.com",
                            "ipOwnerId": "amazon"
                        },
                        "privateIpAddresses": [{
                            "privateIpAddress": "172.31.16.84",
                            "privateDnsName": "ip-172-31-16-84.ec2.internal",
                            "primary": true,
                            "association": {
                                "publicIp": "54.175.43.43",
                                "publicDnsName": "ec2-54-175-43-43.compute-1.amazonaws.com",
                                "ipOwnerId": "amazon"
                            }
                        }]
                    },
                    "updatedValue": null,
                    "changeType": "DELETE"
                },
                "Relationships.0": {
                    "previousValue": {
                        "resourceId": "sg-c8b141b4",
                        "resourceName": null,
                        "resourceType": "AWS::EC2::SecurityGroup",
                        "name": "Is associated with SecurityGroup"
                    },
                    "updatedValue": null,
                    "changeType": "DELETE"
                },
                "Configuration.NetworkInterfaces.1": {
                    "previousValue": null,
                    "updatedValue": {
                        "networkInterfaceId": "eni-fde9493f",
                        "subnetId": "subnet-2372be7b",
                        "vpcId": "vpc-14400670",
                        "description": "",
                        "ownerId": "123456789012",
                        "status": "in-use",
                        "macAddress": "0e:36:a2:2d:c5:e0",
                        "privateIpAddress": "172.31.16.84",
                        "privateDnsName": "ip-172-31-16-84.ec2.internal",
                        "sourceDestCheck": true,
                        "groups": [{
                            "groupName": "example-security-group-2",
                            "groupId": "sg-3f1fef43"
                        }],
                        "attachment": {
                            "attachmentId": "eni-attach-85bd89d9",
                            "deviceIndex": 0,
                            "status": "attached",
                            "attachTime": "2017-01-09T19:36:02.000Z",
                            "deleteOnTermination": true
                        },
                        "association": {
                            "publicIp": "54.175.43.43",
                            "publicDnsName": "ec2-54-175-43-43.compute-1.amazonaws.com",
                            "ipOwnerId": "amazon"
                        },
                        "privateIpAddresses": [{
                            "privateIpAddress": "172.31.16.84",
                            "privateDnsName": "ip-172-31-16-84.ec2.internal",
                            "primary": true,
                            "association": {
                                "publicIp": "54.175.43.43",
                                "publicDnsName": "ec2-54-175-43-43.compute-1.amazonaws.com",
                                "ipOwnerId": "amazon"
                            }
                        }]
                    },
                    "changeType": "CREATE"
                },
                "Relationships.1": {
                    "previousValue": null,
                    "updatedValue": {
                        "resourceId": "sg-3f1fef43",
                        "resourceName": null,
                        "resourceType": "AWS::EC2::SecurityGroup",
                        "name": "Is associated with SecurityGroup"
                    },
                    "changeType": "CREATE"
                },
                "Configuration.SecurityGroups.1": {
                    "previousValue": null,
                    "updatedValue": {
                        "groupName": "example-security-group-2",
                        "groupId": "sg-3f1fef43"
                    },
                    "changeType": "CREATE"
                },
                "Configuration.SecurityGroups.0": {
                    "previousValue": {
                        "groupName": "example-security-group-1",
                        "groupId": "sg-c8b141b4"
                    },
                    "updatedValue": null,
                    "changeType": "DELETE"
                }
            },
            "changeType": "UPDATE"
        },
        "configurationItem": {
            "relatedEvents": [],
            "relationships": [
                {
                    "resourceId": "eni-fde9493f",
                    "resourceName": null,
                    "resourceType": "AWS::EC2::NetworkInterface",
                    "name": "Contains NetworkInterface"
                },
                {
                    "resourceId": "sg-3f1fef43",
                    "resourceName": null,
                    "resourceType": "AWS::EC2::SecurityGroup",
                    "name": "Is associated with SecurityGroup"
                },
                {
                    "resourceId": "subnet-2372be7b",
                    "resourceName": null,
                    "resourceType": "AWS::EC2::Subnet",
                    "name": "Is contained in Subnet"
                },
                {
                    "resourceId": "vol-0a2d63a256bce35c5",
                    "resourceName": null,
                    "resourceType": "AWS::EC2::Volume",
                    "name": "Is attached to Volume"
                },
                {
                    "resourceId": "vpc-14400670",
                    "resourceName": null,
                    "resourceType": "AWS::EC2::VPC",
                    "name": "Is contained in Vpc"
                }
            ],
            "configuration": {
                "instanceId": "i-007d374c8912e3e90",
                "imageId": "ami-9be6f38c",
                "state": {
                    "code": 16,
                    "name": "running"
                },
                "privateDnsName": "ip-172-31-16-84.ec2.internal",
                "publicDnsName": "ec2-54-175-43-43.compute-1.amazonaws.com",
                "stateTransitionReason": "",
                "keyName": "ec2-micro",
                "amiLaunchIndex": 0,
                "productCodes": [],
                "instanceType": "t2.micro",
                "launchTime": "2017-01-09T20:13:28.000Z",
                "placement": {
                    "availabilityZone": "us-east-2c",
                    "groupName": "",
                    "tenancy": "default",
                    "hostId": null,
                    "affinity": null
                },
                "kernelId": null,
                "ramdiskId": null,
                "platform": null,
                "monitoring": {"state": "disabled"},
                "subnetId": "subnet-2372be7b",
                "vpcId": "vpc-14400670",
                "privateIpAddress": "172.31.16.84",
                "publicIpAddress": "54.175.43.43",
                "stateReason": null,
                "architecture": "x86_64",
                "rootDeviceType": "ebs",
                "rootDeviceName": "/dev/xvda",
                "blockDeviceMappings": [{
                    "deviceName": "/dev/xvda",
                    "ebs": {
                        "volumeId": "vol-0a2d63a256bce35c5",
                        "status": "attached",
                        "attachTime": "2017-01-09T19:36:03.000Z",
                        "deleteOnTermination": true
                    }
                }],
                "virtualizationType": "hvm",
                "instanceLifecycle": null,
                "spotInstanceRequestId": null,
                "clientToken": "bIYqA1483990561516",
                "tags": [{
                    "key": "Name",
                    "value": "value"
                }],
                "securityGroups": [{
                    "groupName": "example-security-group-2",
                    "groupId": "sg-3f1fef43"
                }],
                "sourceDestCheck": true,
                "hypervisor": "xen",
                "networkInterfaces": [{
                    "networkInterfaceId": "eni-fde9493f",
                    "subnetId": "subnet-2372be7b",
                    "vpcId": "vpc-14400670",
                    "description": "",
                    "ownerId": "123456789012",
                    "status": "in-use",
                    "macAddress": "0e:36:a2:2d:c5:e0",
                    "privateIpAddress": "172.31.16.84",
                    "privateDnsName": "ip-172-31-16-84.ec2.internal",
                    "sourceDestCheck": true,
                    "groups": [{
                        "groupName": "example-security-group-2",
                        "groupId": "sg-3f1fef43"
                    }],
                    "attachment": {
                        "attachmentId": "eni-attach-85bd89d9",
                        "deviceIndex": 0,
                        "status": "attached",
                        "attachTime": "2017-01-09T19:36:02.000Z",
                        "deleteOnTermination": true
                    },
                    "association": {
                        "publicIp": "54.175.43.43",
                        "publicDnsName": "ec2-54-175-43-43.compute-1.amazonaws.com",
                        "ipOwnerId": "amazon"
                    },
                    "privateIpAddresses": [{
                        "privateIpAddress": "172.31.16.84",
                        "privateDnsName": "ip-172-31-16-84.ec2.internal",
                        "primary": true,
                        "association": {
                            "publicIp": "54.175.43.43",
                            "publicDnsName": "ec2-54-175-43-43.compute-1.amazonaws.com",
                            "ipOwnerId": "amazon"
                        }
                    }]
                }],
                "iamInstanceProfile": null,
                "ebsOptimized": false,
                "sriovNetSupport": null,
                "enaSupport": true
            },
            "supplementaryConfiguration": {},
            "tags": {"Name": "value"},
            "configurationItemVersion": "1.2",
            "configurationItemCaptureTime": "2017-01-09T22:50:14.328Z",
            "configurationStateId": 1484002214328,
            "awsAccountId": "123456789012",
            "configurationItemStatus": "OK",
            "resourceType": "AWS::EC2::Instance",
            "resourceId": "i-007d374c8912e3e90",
            "resourceName": null,
            "ARN": "arn:aws:ec2:us-east-2:123456789012:instance/i-007d374c8912e3e90",
            "awsRegion": "us-east-2",
            "availabilityZone": "us-east-2c",
            "configurationStateMd5Hash": "8d0f41750f5965e0071ae9be063ba306",
            "resourceCreationTime": "2017-01-09T20:13:28.000Z"
        },
        "notificationCreationTime": "2017-01-09T22:50:15.928Z",
        "messageType": "ConfigurationItemChangeNotification",
        "recordVersion": "1.2"
    },
    "Timestamp": "2017-01-09T22:50:16.358Z",
    "SignatureVersion": "1",
    "Signature": "lpJTEYOSr8fUbiaaRNw1ECawJFVoD7I67mIeEkfAWJkqvvpak1ULHLlC+I0sS/01A4P1Yci8GSK/cOEC/O2XBntlw4CAtbMUgTQvb345Z2YZwcpK0kPNi6v6N51DuZ/6DZA8EC+gVTNTO09xtNIH8aMlvqyvUSXuh278xayExC5yTRXEg+ikdZRd4QzS7obSK1kgRZWI6ipxPNL6rd56/VvPxyhcbS7Vm40/2+e0nVb3bjNHBxjQTXSs1Xhuc9eP2gEsC4Sl32bGqdeDU1Y4dFGukuzPYoHuEtDPh+GkLUq3KeiDAQshxAZLmOIRcQ7iJ/bELDJTN9AcX6lqlDZ79w==",
    "SigningCertURL": "https://sns.us-east-2.amazonaws.com/SimpleNotificationService-b95095beb82e8f6a046b3aafc7f4149a.pem",
    "UnsubscribeURL": "https://sns.us-east-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-east-2:123456789012:config-topic-ohio:956fe658-0ce3-4fb3-b409-a45f22a3c3d4"
}
```

This notification contains the configuration item change for the EC2 security group `sg-3f1fef43` that is associated with the instance.

```
{
    "Type": "Notification",
    "MessageId": "564d873e-711e-51a3-b48c-d7d064f65bf4",
    "TopicArn": "arn:aws:sns:us-east-2:123456789012:config-topic-ohio",
    "Subject": "[AWS Config:us-east-2] AWS::EC2::SecurityGroup sg-3f1fef43 Created in Account 123456789012",
    "Message": {
        "configurationItemDiff": {
            "changedProperties": {},
            "changeType": "CREATE"
        },
        "configurationItem": {
            "relatedEvents": [],
            "relationships": [{
                "resourceId": "vpc-14400670",
                "resourceName": null,
                "resourceType": "AWS::EC2::VPC",
                "name": "Is contained in Vpc"
            }],
            "configuration": {
                "ownerId": "123456789012",
                "groupName": "example-security-group-2",
                "groupId": "sg-3f1fef43",
                "description": "This is an example security group.",
                "ipPermissions": [],
                "ipPermissionsEgress": [{
                    "ipProtocol": "-1",
                    "fromPort": null,
                    "toPort": null,
                    "userIdGroupPairs": [],
                    "ipRanges": ["0.0.0.0/0"],
                    "prefixListIds": []
                }],
                "vpcId": "vpc-14400670",
                "tags": []
            },
            "supplementaryConfiguration": {},
            "tags": {},
            "configurationItemVersion": "1.2",
            "configurationItemCaptureTime": "2017-01-09T22:50:15.156Z",
            "configurationStateId": 1484002215156,
            "awsAccountId": "123456789012",
            "configurationItemStatus": "ResourceDiscovered",
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-3f1fef43",
            "resourceName": null,
            "ARN": "arn:aws:ec2:us-east-2:123456789012:security-group/sg-3f1fef43",
            "awsRegion": "us-east-2",
            "availabilityZone": "Not Applicable",
            "configurationStateMd5Hash": "7399608745296f67f7fe1c9ca56d5205",
            "resourceCreationTime": null
        },
        "notificationCreationTime": "2017-01-09T22:50:16.021Z",
        "messageType": "ConfigurationItemChangeNotification",
        "recordVersion": "1.2"
    },
    "Timestamp": "2017-01-09T22:50:16.413Z",
    "SignatureVersion": "1",
    "Signature": "GocX31Uu/zNFo85hZqzsNy30skwmLnjPjj+UjaJzkih+dCP6gXYGQ0bK7uMzaLL2C/ibYOOsT7I/XY4NW6Amc5T46ydyHDjFRtQi8UfUQTqLXYRTnpOO/hyK9lMFfhUNs4NwQpmx3n3mYEMpLuMs8DCgeBmB3AQ+hXPhNuNuR3mJVgo25S8AqphN9O0okZ2MKNUQy8iJm/CVAx70TdnYsfUMZ24n88bUzAfiHGzc8QTthMdrFVUwXxa1h/7Zl8+A7BwoGmjo7W8CfLDVwaIQv1Uplgk3qd95Z0AXOzXVxNBQEi4k8axcknwjzpyO1g3rKzByiQttLUQwkgF33op9wg==",
    "SigningCertURL": "https://sns.us-east-2.amazonaws.com/SimpleNotificationService-b95095beb82e8f6a046b3aafc7f4149a.pem",
    "UnsubscribeURL": "https://sns.us-east-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-east-2:123456789012:config-topic-ohio:956fe658-0ce3-4fb3-b409-a45f22a3c3d4"
}
```

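## Understanding the `configurationItemDiff` field in Amazon SNS `ConfigurationItemChangeNotification` notifications

AWS Config creates a configuration item each time the configuration of a resource changes (create/update/delete). For a list of the supported resource types that AWS Config can record, see [Supported resource types for AWS Config](resource-config-reference.md). AWS Config uses Amazon SNS to deliver a notification when the change occurs. The Amazon SNS notification payload includes fields that help you track resource changes in a given AWS Region.

To understand why you received a `ConfigurationItemChangeNotification` notification, review the `configurationItemDiff` details. The fields vary by the type of change and can form different combinations, such as UPDATE-UPDATE, UPDATE-CREATE, and DELETE-DELETE. The following explains some common combinations.

### UPDATE-CREATE and UPDATE-UPDATE


The following example includes changes to a resource's direct relationships and to its configuration. The `configurationItemDiff` details show the following information:

**Action performed**: A managed policy that exists in the account was attached to an AWS Identity and Access Management (IAM) role.

**Basic operation performed**: UPDATE (the number of associations of the resource type `AWS::IAM::Policy` in the account was updated).

**Change type combinations**:

1. Resource direct relationship change, UPDATE-CREATE. A new attachment or association was created between the IAM policy and the IAM role.

1. Resource configuration change, UPDATE-UPDATE. The number of IAM policy associations increased from 2 to 3 when the policy was attached to the IAM role.

Example UPDATE-CREATE and UPDATE-UPDATE `configurationItemDiff` notification: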

```
{
    "configurationItemDiff": {
        "changedProperties": {
            "Relationships.0": {
                "previousValue": null,
                "updatedValue": {
                    "resourceId": "AROA6D3M4S53*********",
                    "resourceName": "Test1",
                    "resourceType": "AWS::IAM::Role",
                    "name": "Is attached to Role"
                },
                "changeType": "CREATE"                 >>>>>>>>>>>>>>>>>>>> 1
            },
            "Configuration.AttachmentCount": {
                "previousValue": 2,
                "updatedValue": 3,
                "changeType": "UPDATE"                 >>>>>>>>>>>>>>>>>>>> 2
            }
        },
        "changeType": "UPDATE"
    }
}
```

### UPDATE-DELETE


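The following example includes changes to a resource's direct relationships and to its configuration. The `configurationItemDiff` details show the following information:

**Action performed**: A managed policy that exists in the account was detached from an IAM user.

**Basic operation performed**: UPDATE (the permissions policy associated with the resource type `AWS::IAM::User` was updated).

**Change type combination**: Resource direct relationship change, UPDATE-DELETE. The association between the IAM user and the IAM policy in the account was deleted.

### DELETE-DELETE


The following example includes changes to a resource's direct relationships and to its configuration. The `configurationItemDiff` details show the following information:

**Action performed**: An IAM role that exists in the account was deleted.

**Basic operation performed**: DELETE (a resource of the resource type `AWS::IAM::Role` was deleted).

**Change type combination**: Resource direct relationship change and resource configuration change, DELETE-DELETE. Deleting the IAM role also deletes the association between the IAM policy and the IAM role.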
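The combinations described in this section can be read mechanically from a notification. The following Python code is an added example, not AWS code: it pairs the item-level `changeType` with each property-level `changeType` and pulls out relationship and security group changes. The function names are hypothetical and both sample messages are constructed from the examples on this page.

```python
import json
import re

# Constructed sample 1: the IAM policy diff from this section, without the ">>>" callouts.
IAM_ATTACH = {
    "configurationItemDiff": {
        "changedProperties": {
            "Relationships.0": {
                "previousValue": None,
                "updatedValue": {"resourceId": "AROA6D3M4S53*********", "resourceName": "Test1",
                                 "resourceType": "AWS::IAM::Role", "name": "Is attached to Role"},
                "changeType": "CREATE",
            },
            "Configuration.AttachmentCount": {
                "previousValue": 2, "updatedValue": 3, "changeType": "UPDATE"},
        },
        "changeType": "UPDATE",
    }
}


def sg_relationship(group_id):
    """Build a security group relationship entry for the constructed sample below."""
    return {"resourceId": group_id, "resourceName": None,
            "resourceType": "AWS::EC2::SecurityGroup", "name": "Is associated with SecurityGroup"}


# Constructed sample 2: SNS envelope trimmed from the EC2 instance notification earlier on
# this page. "Message" is a JSON string here, which is how SNS delivers it to subscribers.
SG_SWAP = {
    "Type": "Notification",
    "Message": json.dumps({
        "configurationItemDiff": {
            "changedProperties": {
                "Relationships.0": {"previousValue": sg_relationship("sg-c8b141b4"),
                                    "updatedValue": None, "changeType": "DELETE"},
                "Relationships.1": {"previousValue": None,
                                    "updatedValue": sg_relationship("sg-3f1fef43"),
                                    "changeType": "CREATE"},
                "Configuration.SecurityGroups.0": {
                    "previousValue": {"groupName": "example-security-group-1",
                                      "groupId": "sg-c8b141b4"},
                    "updatedValue": None, "changeType": "DELETE"},
                "Configuration.SecurityGroups.1": {
                    "previousValue": None,
                    "updatedValue": {"groupName": "example-security-group-2",
                                     "groupId": "sg-3f1fef43"},
                    "changeType": "CREATE"},
            },
            "changeType": "UPDATE",
        },
        "messageType": "ConfigurationItemChangeNotification",
    }),
}

SG_PATH = re.compile(r"^Configuration\.SecurityGroups\.\d+$")


def load_message(notification):
    """Return the Config message from an SNS envelope, an EventBridge event, or a bare message."""
    if "detail" in notification:                 # EventBridge puts the payload under "detail"
        return notification["detail"]
    body = notification.get("Message", notification)
    return json.loads(body) if isinstance(body, str) else body


def classify(notification):
    """One row per changed property, labelled <item changeType>-<property changeType>."""
    diff = load_message(notification).get("configurationItemDiff") or {}
    item_change = diff.get("changeType")
    rows = []
    for path, change in sorted((diff.get("changedProperties") or {}).items()):
        rows.append({
            "path": path,
            "combination": f"{item_change}-{change.get('changeType')}",
            "previous": change.get("previousValue"),   # key may be absent on CREATE
            "updated": change.get("updatedValue"),     # key may be absent on DELETE
        })
    return rows


def relationship_changes(notification):
    """(combination, resourceType, resourceId) for every Relationships.N entry."""
    out = []
    for row in classify(notification):
        if row["path"].startswith("Relationships."):
            target = row["updated"] or row["previous"] or {}
            out.append((row["combination"], target.get("resourceType"), target.get("resourceId")))
    return out


def security_group_delta(notification):
    """Security group IDs detached from and attached to the resource."""
    before, after = set(), set()
    for row in classify(notification):
        if SG_PATH.match(row["path"]):
            if row["previous"]:
                before.add(row["previous"]["groupId"])
            if row["updated"]:
                after.add(row["updated"]["groupId"])
    return {"removed": sorted(before - after), "added": sorted(after - before)}


if __name__ == "__main__":
    for sample in (IAM_ATTACH, SG_SWAP):
        print(relationship_changes(sample), security_group_delta(sample))
```
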

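# Example configuration history delivery notification


A configuration history is a collection of the configuration items for a resource type over a period of time. The following is an example notification that AWS Config sends when the configuration history for CloudTrail trail resources is delivered for your account.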

```
{
    "Type": "Notification",
    "MessageId": "ce49bf2c-d03a-51b0-8b6a-ef480a8b39fe",
    "TopicArn": "arn:aws:sns:us-east-2:123456789012:config-topic-ohio",
    "Subject": "[AWS Config:us-east-2] Configuration History Delivery Completed for Account 123456789012",
    "Message": {
        "s3ObjectKey": "AWSLogs/123456789012/Config/us-east-2/2016/9/27/ConfigHistory/123456789012_Config_us-east-2_ConfigHistory_AWS::CloudTrail::Trail_20160927T195818Z_20160927T195818Z_1.json.gz",
        "s3Bucket": "config-bucket-123456789012-ohio",
        "notificationCreationTime": "2016-09-27T20:37:05.217Z",
        "messageType": "ConfigurationHistoryDeliveryCompleted",
        "recordVersion": "1.1"
    },
    "Timestamp": "2016-09-27T20:37:05.315Z",
    "SignatureVersion": "1",
    "Signature": "OuIcS5RAKXTR6chQEJp3if4KJQVlBz2kmXh7QE1/RJQiCPsCNfG0J0rUZ1rqfKMqpps/Ka+zF0kg4dUCWV9PF0dliuwnjfbtYmDZpP4EBOoGmxcTliUn1AIe/yeGFDuc6P3EotP3zt02rhmxjezjf3c11urstFZ8rTLVXp0z0xeyk4da0UetLsWZxUFEG0Z5uhk09mBo5dg/4mryIOovidhrbCBgX5marot8TjzNPS9UrKhi2YGUoSQGr4E85EzWqqXdn33GO8dy0DqDfdWBaEr3IWVGtHy3w7oJDMIqW7ENkfML0bJMQjin4P5tYeilNF5XQzhtCkFvFx7JHR97vw==",
    "SigningCertURL": "https://sns.us-east-2.amazonaws.com/SimpleNotificationService-b95095beb82e8f6a046b3aafc7f4149a.pem",
    "UnsubscribeURL": "https://sns.us-east-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-east-2:123456789012:config-topic-ohio:956fe658-0ce3-4fb3-b409-a45f22a3c3d4"
}
```

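# Example configuration snapshot delivery started notification


The following is an example notification that AWS Config sends when it starts delivering the configuration snapshot for your account.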

```
{
    "Type": "Notification",
    "MessageId": "a32d0487-94b1-53f6-b4e6-5407c9c00be6",
    "TopicArn": "arn:aws:sns:us-east-2:123456789012:config-topic-ohio",
    "Subject": "[AWS Config:us-east-2] Configuration Snapshot Delivery Started for Account 123456789012",
    "Message": {
        "configSnapshotId": "108e0794-84a7-4cca-a179-76a199ddd11a",
        "notificationCreationTime": "2016-10-18T17:26:09.572Z",
        "messageType": "ConfigurationSnapshotDeliveryStarted",
        "recordVersion": "1.1"
    },
    "Timestamp": "2016-10-18T17:26:09.840Z",
    "SignatureVersion": "1",
    "Signature": "BBA0DeKsfteTpYyZH5HPANpOLmW/jumOMBsghRq/kimY9tjNlkF/V3BpLG1HVmDQdQzBh6oKE0h0rxcazbyGf5KF5W5r1zKKlEnS9xugFzALPUx//olSJ4neWalLBKNIq1xvAQgu9qHfDR7dS2aCwe4scQfqOjn1Ev7PlZqxmT+ux3SR/C54cbfcduDpDsPwdo868+TpZvMtaU30ySnX04fmOgxoiA8AJO/EnjduQ08/zd4SYXhm+H9wavcwXB9XECelHhRW70Y+wHQixfx40S1SaSRzvnJE+m9mHphFQs64YraRDRv6tMaenTk6CVPO+81ceAXIg2E1m7hZ7lz4PA==",
    "SigningCertURL": "https://sns.us-east-2.amazonaws.com/SimpleNotificationService-b95095beb82e8f6a046b3aafc7f4149a.pem",
    "UnsubscribeURL": "https://sns.us-east-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-east-2:123456789012:config-topic-ohio:956fe658-0ce3-4fb3-b409-a45f22a3c3d4"
}
```

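# Example configuration snapshot delivery notification


A configuration snapshot is a collection of the configuration items for all recorded resources and their configurations in your account. The following is an example notification that AWS Config sends when the configuration snapshot is delivered for your account.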

```
{
    "Type": "Notification",
    "MessageId": "9fc82f4b-397e-5b69-8f55-7f2f86527100",
    "TopicArn": "arn:aws:sns:us-east-2:123456789012:config-topic-ohio",
    "Subject": "[AWS Config:us-east-2] Configuration Snapshot Delivery Completed for Account 123456789012",
    "Message": {
        "configSnapshotId": "16da64e4-cb65-4846-b061-e6c3ba43cb96",
        "s3ObjectKey": "AWSLogs/123456789012/Config/us-east-2/2016/9/27/ConfigSnapshot/123456789012_Config_us-east-2_ConfigSnapshot_20160927T183939Z_16da64e4-cb65-4846-b061-e6c3ba43cb96.json.gz",
        "s3Bucket": "config-bucket-123456789012-ohio",
        "notificationCreationTime": "2016-09-27T18:39:39.853Z",
        "messageType": "ConfigurationSnapshotDeliveryCompleted",
        "recordVersion": "1.1"
    },
    "Timestamp": "2016-09-27T18:39:40.062Z",
    "SignatureVersion": "1",
    "Signature": "PMkWfUuj/fKIEXA7s2wTDLbZoF/MDsUkPspYghOpwu9n6m+C+zrm0cEZXPxxJPvhnWozG7SVqkHYf9QgI/diW2twP/HPDn5GQs2rNDc+YlaByEXnKVtHV1Gd4r1kN57E/oOW5NVLNczk5ymxAW+WGdptZJkCgyVuhJ28s08m3Z3Kqz96PPSnXzYZoCfCn/yP6CqXoN7olr4YCbYxYwn8zOUYcPmc45yYNSUTKZi+RJQRnDJkL2qb+s4h9w2fjbBBj8xe830VbFJqbHp7UkSfpc64Y+tRvmMLY5CI1cYrnuPRhTLdUk+R0sshg5G+JMtSLVG/TvWbjz44CKXJprjIQg==",
    "SigningCertURL": "https://sns.us-east-2.amazonaws.com/SimpleNotificationService-b95095beb82e8f6a046b3aafc7f4149a.pem",
    "UnsubscribeURL": "https://sns.us-east-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-east-2:123456789012:config-topic-ohio:956fe658-0ce3-4fb3-b409-a45f22a3c3d4"
}
```

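# Example compliance change notification


When AWS Config evaluates your resources against a custom or managed rule, AWS Config sends a notification that shows whether the resources are compliant with the rule.

The following is an example notification where the CloudTrail trail resource is compliant with the `cloudtrail-enabled` managed rule.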

```
{
    "Type": "Notification",
    "MessageId": "11fd05dd-47e1-5523-bc01-55b988bb9478",
    "TopicArn": "arn:aws:sns:us-east-2:123456789012:config-topic-ohio",
    "Subject": "[AWS Config:us-east-2] AWS::::Account 123456789012 is COMPLIANT with cloudtrail-enabled in Accoun...",
    "Message": {
        "awsAccountId": "123456789012",
        "configRuleName": "cloudtrail-enabled",
        "configRuleARN": "arn:aws:config:us-east-2:123456789012:config-rule/config-rule-9rpvxc",
        "resourceType": "AWS::::Account",
        "resourceId": "123456789012",
        "awsRegion": "us-east-2",
        "newEvaluationResult": {
            "evaluationResultIdentifier": {
                "evaluationResultQualifier": {
                    "configRuleName": "cloudtrail-enabled",
                    "resourceType": "AWS::::Account",
                    "resourceId": "123456789012"
                },
                "orderingTimestamp": "2016-09-27T19:48:40.619Z"
            },
            "complianceType": "COMPLIANT",
            "resultRecordedTime": "2016-09-27T19:48:41.405Z",
            "configRuleInvokedTime": "2016-09-27T19:48:40.914Z",
            "annotation": null,
            "resultToken": null
        },
        "oldEvaluationResult": {
            "evaluationResultIdentifier": {
                "evaluationResultQualifier": {
                    "configRuleName": "cloudtrail-enabled",
                    "resourceType": "AWS::::Account",
                    "resourceId": "123456789012"
                },
                "orderingTimestamp": "2016-09-27T16:30:49.531Z"
            },
            "complianceType": "NON_COMPLIANT",
            "resultRecordedTime": "2016-09-27T16:30:50.717Z",
            "configRuleInvokedTime": "2016-09-27T16:30:50.105Z",
            "annotation": null,
            "resultToken": null
        },
        "notificationCreationTime": "2016-09-27T19:48:42.620Z",
        "messageType": "ComplianceChangeNotification",
        "recordVersion": "1.0"
    },
    "Timestamp": "2016-09-27T19:48:42.749Z",
    "SignatureVersion": "1",
    "Signature": "XZ9FfLb2ywkW9yj0yBkNtIP5q7Cry6JtCEyUiHmG9gpOZi3seQ41udhtAqCZoiNiizAEi+6gcttHCRV1hNemzp/YmBmTfO6azYXt0FJDaEvd86k68VCS9aqRlBBjYlNo7ILi4Pqd5rE4BX2YBQSzcQyERGkUfTZ2BIFyAmb1Q/y4/6ez8rDyi545FDSlgcGEb4LKLNR6eDi4FbKtMGZHA7Nz8obqs1dHbgWYnp3c80mVLl7ohP4hilcxdywAgXrbsN32ekYr15gdHozx8YzyjfRSo3SjH0c5PGSXEAGNuC3mZrKJip+BIZ21ZtkcUtY5B3ImgRlUO7Yhn3L3c6rZxQ==",
    "SigningCertURL": "https://sns.us-east-2.amazonaws.com/SimpleNotificationService-b95095beb82e8f6a046b3aafc7f4149a.pem",
    "UnsubscribeURL": "https://sns.us-east-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-east-2:123456789012:config-topic-ohio:956fe658-0ce3-4fb3-b409-a45f22a3c3d4"
}
```

**Example: Config Configuration Item Change | Amazon EventBridge**

```
{
  "version": "0",
  "id": "00bdf13e-1111-b2f5-cef0-e9cbbe7cd533",
  "detail-type": "Config Configuration Item Change",
  "source": "aws.config",
  "account": "123456789012",
  "time": "2022-03-16T01:10:51Z",
  "region": "us-east-1",
  "resources": ["arn:aws:elasticfilesystem:us-east-1:123456789012:file-system/fs-01f0d526165b57f95"],
  "detail": {
    "recordVersion": "1.3",
    "messageType": "ConfigurationItemChangeNotification",
    "configurationItemDiff": {
      "changedProperties": {
        "Configuration.FileSystemTags.0": {
          "updatedValue": {
            "Key": "test",
            "Value": "me"
          },
          "changeType": "CREATE"
        },
        "Tags.2": {
          "updatedValue": "me",
          "changeType": "CREATE"
        }
      },
      "changeType": "UPDATE"
    },
    "notificationCreationTime": "2022-03-16T01:10:51.976Z",
    "configurationItem": {
      "relatedEvents": [],
      "relationships": [],
      "configuration": {
        "FileSystemId": "fs-01f0d526165b57f95",
        "Arn": "arn:aws:elasticfilesystem:us-east-1:123456789012:file-system/fs-01f0d526165b57f95",
        "Encrypted": true,
        "FileSystemTags": [{
          "Key": "Name",
          "Value": "myname"
        }, {
          "Key": "test",
          "Value": "me"
        }],
        "PerformanceMode": "generalPurpose",
        "ThroughputMode": "bursting",
        "LifecyclePolicies": [{
          "TransitionToIA": "AFTER_30_DAYS"
        }, {
          "TransitionToPrimaryStorageClass": "AFTER_1_ACCESS"
        }],
        "BackupPolicy": {
          "Status": "ENABLED"
        },
        "FileSystemPolicy": {},
        "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/0e6c91d5-e23b-4ed3-bd36-1561fbbc0a2d"
      },
      "supplementaryConfiguration": {},
      "tags": {
        "aws:elasticfilesystem:default-backup": "enabled",
        "test": "me",
        "Name": "cloudcontroltest1"
      },
      "configurationItemVersion": "1.3",
      "configurationItemCaptureTime": "2022-03-16T01:10:50.837Z",
      "configurationStateId": 1647393050837,
      "awsAccountId": "123456789012",
      "configurationItemStatus": "OK",
      "resourceType": "AWS::EFS::FileSystem",
      "resourceId": "fs-01f0d526165b57f95",
      "resourceName": "fs-01f0d526165b57f95",
      "ARN": "arn:aws:elasticfilesystem:us-east-1:123456789012:file-system/fs-01f0d526165b57f95",
      "awsRegion": "us-east-1",
      "availabilityZone": "Regional",
      "configurationStateMd5Hash": ""
    }
  }
}
```

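# Example rule evaluation started notification


AWS Config sends a notification when it starts to evaluate your custom or managed rule against your resources. The following is an example notification for when AWS Config starts to evaluate the `iam-password-policy` managed rule.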

```
{
    "Type": "Notification",
    "MessageId": "358c8e65-e27a-594e-82d0-de1fe77393d7",
    "TopicArn": "arn:aws:sns:us-east-2:123456789012:config-topic-ohio",
    "Subject": "[AWS Config:us-east-2] Config Rules Evaluation Started for Account 123456789012",
    "Message": {
        "awsAccountId": "123456789012",
        "awsRegion": "us-east-2",
        "configRuleNames": ["iam-password-policy"],
        "notificationCreationTime": "2016-10-13T21:55:21.339Z",
        "messageType": "ConfigRulesEvaluationStarted",
        "recordVersion": "1.0"
    },
    "Timestamp": "2016-10-13T21:55:21.575Z",
    "SignatureVersion": "1",
    "Signature": "DE431D+24zzFRboyPY2bPTsznJWe8L6TjDC+ItYlLFkE9jACSBl3sQ1uSjYzEhEbN7Cs+wBoHnJ/DxOSpyCxt4giqgKd+H2I636BvrQwHDhJwJm7qI6P8IozEliRvRWbM38zDTvHqkmmXQbdDHRsK/MssMeVTBKuW0x8ivMrj+KpwuF57tE62eXeFhjBeJ0DKQV+aC+i3onsuT7HQvXQDBPdOM+cSuLrJaMQJ6TcMU5G76qg/gl494ilb4Vj4udboGWpHSgUvI3guFsc1SsTrlWXQKXabWtsCQPfdOhkKgmViCfMZrLRp8Pjnu+uspYQELkEfwBchDVVzd15iMrAzQ==",
    "SigningCertURL": "https://sns.us-east-2.amazonaws.com/SimpleNotificationService-b95095beb82e8f6a046b3aafc7f4149a.pem",
    "UnsubscribeURL": "https://sns.us-east-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-east-2:123456789012:config-topic-ohio:956fe658-0ce3-4fb3-b409-a45f22a3c3d4"
}
```

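# Example oversized configuration item change notification


When AWS Config detects a configuration change for a resource, it sends a configuration item (CI) notification. If the notification exceeds the maximum size allowed by Amazon Simple Notification Service (Amazon SNS), the notification includes a brief summary of the configuration item.

You can view the complete notification in the Amazon S3 bucket location specified in the `s3BucketLocation` field.

The following example notification shows a configuration item for an Amazon EC2 instance. The notification includes a summary of the changes and the location of the notification in the Amazon S3 bucket.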

```
View the Timeline for this Resource in the Console:
    https://console.aws.amazon.com/config/home?region=us-west-2#/timeline/AWS::EC2::Instance/resourceId_14b76876-7969-4097-ab8e-a31942b02e80?time=2016-10-06T16:46:16.261Z
    
    The full configuration item change notification for this resource exceeded the maximum size allowed by Amazon Simple Notification Service (SNS). A summary of the configuration item is provided here. You can view the complete notification in the specified Amazon S3 bucket location.
    
    New State Record Summary:
    ----------------------------
    {
      "configurationItemSummary": {
        "changeType": "UPDATE",
        "configurationItemVersion": "1.2",
        "configurationItemCaptureTime": "2016-10-06T16:46:16.261Z",
        "configurationStateId": 0,
        "awsAccountId": "123456789012",
        "configurationItemStatus": "OK",
        "resourceType": "AWS::EC2::Instance",
        "resourceId": "resourceId_14b76876-7969-4097-ab8e-a31942b02e80",
        "resourceName": null,
        "ARN": "arn:aws:ec2:us-west-2:123456789012:instance/resourceId_14b76876-7969-4097-ab8e-a31942b02e80",
        "awsRegion": "us-west-2",
        "availabilityZone": null,
        "configurationStateMd5Hash": "8f1ee69b287895a0f8bc5753eca68e96",
        "resourceCreationTime": "2016-10-06T16:46:10.489Z"
      },
      "s3DeliverySummary": {
        "s3BucketLocation": "amzn-s3-demo-bucket/AWSLogs/123456789012/Config/us-west-2/2016/10/6/OversizedChangeNotification/AWS::EC2::Instance/resourceId_14b76876-7969-4097-ab8e-a31942b02e80/123456789012_Config_us-west-2_ChangeNotification_AWS::EC2::Instance_resourceId_14b76876-7969-4097-ab8e-a31942b02e80_20161006T164616Z_0.json.gz",
        "errorCode": null,
        "errorMessage": null
      },
      "notificationCreationTime": "2016-10-06T16:46:16.261Z",
      "messageType": "OversizedConfigurationItemChangeNotification",
      "recordVersion": "1.0"
    }
```

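## How to access an oversized configuration item


When a configuration item is oversized, only a summary is sent to Amazon SNS. The complete configuration item (CI) is stored in Amazon S3.

The following code example shows how to access your complete CI.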

```
import boto3
import json

def handle_oversized_configuration_item(event):
    """
    Example of handling an oversized configuration item notification
    
    When a configuration item is oversized:
    1. AWS Config sends a summary notification through SNS
    2. The complete configuration item is stored in S3
    3. Use get_resource_config_history API to retrieve the complete configuration
    """
    
    # Extract information from the summary notification
    if event['messageType'] == 'OversizedConfigurationItemChangeNotification':
        summary = event['configurationItemSummary']
        resource_type = summary['resourceType']
        resource_id = summary['resourceId']
        
        # Initialize AWS Config client
        config_client = boto3.client('config')
        
        # Retrieve the complete configuration item
        response = config_client.get_resource_config_history(
            resourceType=resource_type,
            resourceId=resource_id
        )
        
        if response['configurationItems']:
            config_item = response['configurationItems'][0]
            
            # For EC2 instances, the configuration contains instance details
            configuration = json.loads(config_item['configuration'])
            print(f"Instance Configuration: {configuration}")
            
            # Handle supplementary configuration if present
            if 'supplementaryConfiguration' in config_item:
                for key, value in config_item['supplementaryConfiguration'].items():
                    if isinstance(value, str):
                        config_item['supplementaryConfiguration'][key] = json.loads(value)
                print(f"Supplementary Configuration: {config_item['supplementaryConfiguration']}")
            
            return config_item
            
        # If needed, you can also access the complete notification from S3
        s3_location = event['s3DeliverySummary']['s3BucketLocation']
        print(f"Complete notification available in S3: {s3_location}")
    
    return None
```

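## How it works


1. The function accepts an event parameter that contains the AWS Config notification.

1. It checks whether the message type is an oversized configuration item notification.

1. The function extracts the resource type and ID from the summary.

1. It uses the AWS Config client to retrieve the complete configuration history.

1. The function processes both the main configuration and the supplementary configuration.

1. If needed, you can access the complete notification from the provided S3 location.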

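# Example delivery failed notification


AWS Config sends a delivery failed notification if it can't deliver the configuration snapshot or an oversized configuration item change notification to your Amazon S3 bucket. Verify that you specified a valid Amazon S3 bucket.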

```
View the Timeline for this Resource in the Console:
    https://console.aws.amazon.com/config/home?region=us-west-2#/timeline/AWS::EC2::Instance/test_resourceId_014b953d-75e3-40ce-96b9-c7240b975457?time=2016-10-06T16:46:13.749Z
    
     The full configuration item change notification for this resource exceeded the maximum size allowed by Amazon Simple Notification Service (SNS). A summary of the configuration item is provided here. You can view the complete notification in the specified Amazon S3 bucket location.
    
    New State Record Summary:
    ----------------------------
    {
      "configurationItemSummary": {
        "changeType": "UPDATE",
        "configurationItemVersion": "1.2",
        "configurationItemCaptureTime": "2016-10-06T16:46:13.749Z",
        "configurationStateId": 0,
        "awsAccountId": "123456789012",
        "configurationItemStatus": "OK",
        "resourceType": "AWS::EC2::Instance",
        "resourceId": "test_resourceId_014b953d-75e3-40ce-96b9-c7240b975457",
        "resourceName": null,
        "ARN": "arn:aws:ec2:us-west-2:123456789012:instance/test_resourceId_014b953d-75e3-40ce-96b9-c7240b975457",
        "awsRegion": "us-west-2",
        "availabilityZone": null,
        "configurationStateMd5Hash": "6de64b95eacd30e7b63d4bba7cd80814",
        "resourceCreationTime": "2016-10-06T16:46:10.489Z"
      },
      "s3DeliverySummary": {
        "s3BucketLocation": null,
        "errorCode": "NoSuchBucket",
        "errorMessage": "Failed to deliver notification to bucket: bucket-example for account 123456789012 in region us-west-2."
      },
      "notificationCreationTime": "2016-10-06T16:46:13.749Z",
      "messageType": "OversizedConfigurationItemChangeDeliveryFailed",
      "recordVersion": "1.0"
    }
```
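
The two summary notifications above differ only in `messageType` and `s3DeliverySummary`, so a consumer can triage them in one place before reading anything from S3. The following is an added example, not part of the AWS documentation: the function names `triage` and `sample`, the `expected_bucket` and `key_prefix` parameters, and the rule that the object must sit under `AWSLogs/<account>/Config/<region>/` in the delivery channel's own bucket are assumptions of this sketch, and the input is the SNS message body as a JSON string.

```python
import json

OVERSIZED = "OversizedConfigurationItemChangeNotification"
DELIVERY_FAILED = "OversizedConfigurationItemChangeDeliveryFailed"

def triage(message, expected_bucket, key_prefix=""):
    """Classify a summary notification; return where the full copy may be read."""
    body = json.loads(message)
    msg_type = body.get("messageType")
    if msg_type not in (OVERSIZED, DELIVERY_FAILED):
        return {"status": "ignored"}
    summary, delivery = body["configurationItemSummary"], body["s3DeliverySummary"]
    resource = f"{summary['resourceType']}/{summary['resourceId']}"
    # Delivery failure: s3BucketLocation is null and errorCode says why.
    if msg_type == DELIVERY_FAILED or delivery.get("errorCode"):
        return {"status": "delivery_failed", "resource": resource,
                "error_code": delivery.get("errorCode")}
    bucket, _, key = (delivery.get("s3BucketLocation") or "").partition("/")
    # Assumption: only accept objects in the delivery channel's bucket, under the
    # Config prefix for the account and region named in the summary itself.
    prefix = f"{key_prefix}AWSLogs/{summary['awsAccountId']}/Config/{summary['awsRegion']}/"
    if bucket != expected_bucket or not key.startswith(prefix):
        return {"status": "rejected", "resource": resource}
    return {"status": "fetch", "resource": resource, "bucket": bucket, "key": key}

def sample(msg_type, location=None, error_code=None):
    """Constructed sample message, shaped like the notifications on this page."""
    return json.dumps({
        "configurationItemSummary": {
            "awsAccountId": "123456789012", "awsRegion": "us-west-2",
            "resourceType": "AWS::EC2::Instance", "resourceId": "resourceId_example"},
        "s3DeliverySummary": {"s3BucketLocation": location, "errorCode": error_code},
        "messageType": msg_type})

if __name__ == "__main__":
    good = ("amzn-s3-demo-bucket/AWSLogs/123456789012/Config/us-west-2/"
            "2016/10/6/OversizedChangeNotification/example.json.gz")
    print(triage(sample(OVERSIZED, good), "amzn-s3-demo-bucket"))
    print(triage(sample(DELIVERY_FAILED, None, "NoSuchBucket"), "amzn-s3-demo-bucket"))
    print(triage(sample(OVERSIZED, "other-bucket/AWSLogs/1/x"), "amzn-s3-demo-bucket"))
```

A `fetch` result carries the bucket and key to pass to an S3 `GetObject` call; `delivery_failed` and `rejected` results are the ones worth alerting on.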