示例过大配置项变更通知
当 AWS Config 检测到资源的配置变更时,会发送配置项(CI)通知。如果通知超过了 Amazon Simple Notification Service(Amazon SNS)允许的最大大小,则通知会包含配置项的简短摘要。
您可以在 s3BucketLocation 字段中指定的 Amazon S3 存储桶位置查看完整通知。
下面的示例通知显示了 Amazon EC2 实例的一个配置项。通知中包含变更摘要以及通知在 Amazon S3 存储桶中的位置。
View the Timeline for this Resource in the Console: https://console.aws.amazon.com/config/home?region=us-west-2#/timeline/AWS::EC2::Instance/resourceId_14b76876-7969-4097-ab8e-a31942b02e80?time=2016-10-06T16:46:16.261Z The full configuration item change notification for this resource exceeded the maximum size allowed by Amazon Simple Notification Service (SNS). A summary of the configuration item is provided here. You can view the complete notification in the specified Amazon S3 bucket location. New State Record Summary: ---------------------------- { "configurationItemSummary": { "changeType": "UPDATE", "configurationItemVersion": "1.2", "configurationItemCaptureTime": "2016-10-06T16:46:16.261Z", "configurationStateId": 0, "awsAccountId": "123456789012", "configurationItemStatus": "OK", "resourceType": "AWS::EC2::Instance", "resourceId": "resourceId_14b76876-7969-4097-ab8e-a31942b02e80", "resourceName": null, "ARN": "arn:aws:ec2:us-west-2:123456789012:instance/resourceId_14b76876-7969-4097-ab8e-a31942b02e80", "awsRegion": "us-west-2", "availabilityZone": null, "configurationStateMd5Hash": "8f1ee69b287895a0f8bc5753eca68e96", "resourceCreationTime": "2016-10-06T16:46:10.489Z" }, "s3DeliverySummary": { "s3BucketLocation": "amzn-s3-demo-bucket/AWSLogs/123456789012/Config/us-west-2/2016/10/6/OversizedChangeNotification/AWS::EC2::Instance/resourceId_14b76876-7969-4097-ab8e-a31942b02e80/123456789012_Config_us-west-2_ChangeNotification_AWS::EC2::Instance_resourceId_14b76876-7969-4097-ab8e-a31942b02e80_20161006T164616Z_0.json.gz", "errorCode": null, "errorMessage": null }, "notificationCreationTime": "2016-10-06T16:46:16.261Z", "messageType": "OversizedConfigurationItemChangeNotification", "recordVersion": "1.0" }
如何访问超大配置项
当配置项过大时,只会向 Amazon SNS 发送摘要。完整的配置项(CI)存储在 Amazon S3 中
以下代码示例显示如何访问您的完整 CI。
import boto3 import json def handle_oversized_configuration_item(event): """ Example of handling an oversized configuration item notification When a configuration item is oversized: 1. AWS Config sends a summary notification through SNS 2. The complete configuration item is stored in S3 3. Use get_resource_config_history API to retrieve the complete configuration """ # Extract information from the summary notification if event['messageType'] == 'OversizedConfigurationItemChangeNotification': summary = event['configurationItemSummary'] resource_type = summary['resourceType'] resource_id = summary['resourceId'] # Initialize AWS Config client config_client = boto3.client('config') # Retrieve the complete configuration item response = config_client.get_resource_config_history( resourceType=resource_type, resourceId=resource_id ) if response['configurationItems']: config_item = response['configurationItems'][0] # For EC2 instances, the configuration contains instance details configuration = json.loads(config_item['configuration']) print(f"Instance Configuration: {configuration}") # Handle supplementary configuration if present if 'supplementaryConfiguration' in config_item: for key, value in config_item['supplementaryConfiguration'].items(): if isinstance(value, str): config_item['supplementaryConfiguration'][key] = json.loads(value) print(f"Supplementary Configuration: {config_item['supplementaryConfiguration']}") return config_item # If needed, you can also access the complete notification from S3 s3_location = event['s3DeliverySummary']['s3BucketLocation'] print(f"Complete notification available in S3: {s3_location}") return None
工作方式
-
该函数接受包含 AWS Config 通知的事件参数。
-
它会检查消息类型是否为超大配置通知。
-
该函数从摘要中提取资源类型和 ID。
-
它使用 AWS Config 客户端,检索完整的配置历史记录。
-
该函数同时处理主配置和补充配置。
-
如果需要,您可以从提供的 S3 位置访问完整通知。
