本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# 使用交付管道
當 AWS Config 持續記錄 AWS 資源發生的變更時,它會透過*交付管道*傳送通知和更新的組態狀態。您可以管理交付管道,以控制 AWS Config 傳送組態更新的位置。
**Topics**
+ [考量事項](#dc-considerations)
+ [術語](#dc-terminology)
+ [Components of a Configuration Item](config-item-table.md)
+ [檢視交付管道](dc-view.md)
+ [更新交付管道](update-dc-console.md)
+ [重新為交付管道命名](update-dc-rename.md)
+ [交付組態快照](deliver-snapshot-cli.md)
+ [驗證交付狀態](verify-delivery-status.md)
+ [檢視組態快照](view-configuration-snapshot.md)
+ [範例組態快照](example-s3-snapshot.md)
+ [範例通知](notifications-for-AWS-Config.md)
## 考量事項
**每個帳戶每個區域一個交付管道**
每個 AWS 區域每個區域只能有一個交付管道 AWS 帳戶,而且需要使用交付管道 AWS Config。
**過大的組態項目通知包含簡短摘要**
當 AWS Config 偵測到資源的組態變更,且通知超過 Amazon SNS 允許的大小上限時,通知會包含組態項目的簡短摘要。您可以在 `s3BucketLocation` 欄位所指定的 Amazon S3 儲存貯體位置檢視完整通知。如需詳細資訊,請參閱《[範例大型組態項目變更通知](https://docs.aws.amazon.com/config/latest/developerguide/oversized-notification-example.html)》。
**AWS Config 支援 使用的 Amazon S3 儲存貯體 AWS KMS 加密 AWS Config**
您可以提供 AWS Key Management Service (AWS KMS) 金鑰或別名 Amazon Resource Name (ARN),以加密交付至 Amazon Simple Storage Service (Amazon S3) 儲存貯體的資料。根據預設, 會將組態歷史記錄和快照檔案 AWS Config 交付至 Amazon S3 儲存貯體,並使用 S3 AES-256 伺服器端加密 SSE-S3 加密靜態資料。不過,如果您 AWS Config 提供 KMS 金鑰或別名 ARN, AWS Config 會使用該 KMS 金鑰而非 AES-256 加密。
AWS Config 不支援交付通道到啟用物件鎖定並啟用預設保留的 Amazon S3 儲存貯體。如需詳細資訊,請參閱 [S3 物件鎖定的運作方式](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html)。
## 術語
*組態項目*代表帳戶中存在之支援 AWS 資源的各種屬性point-in-time檢視。組態項目的元件包括中繼資料、屬性、關係、目前組態和相關事件。 會在偵測到正在記錄的資源類型變更時 AWS Config 建立組態項目。例如,如果 AWS Config 正在記錄 Amazon S3 儲存貯體,則 AWS Config 會在建立、更新或刪除儲存貯體時建立組態項目。您也可以選取 AWS Config ,以您設定的錄製頻率建立組態項目。
*組態歷史記錄*是指定資源在任何時間期間的組態項目集合。組態歷史記錄可協助您回答下列這類問題,例如,第一次建立資源時、上個月如何設定資源,以及昨天 9 AM 進行何種組態變更。您可以使用多種格式的組態歷史記錄。 AWS Config 會自動將每個資源類型的組態歷史記錄檔案,記錄到您指定的 Amazon S3 儲存貯體。您可以在 AWS Config 主控台中選取指定的資源,並使用時間軸導覽至該資源的所有先前組態項目。此外,您也可以從 API 存取資源的歷史組態項目。
*組態快照*是帳戶中現有所支援資源的組態項目集合。此組態快照是所記錄資源和其組態的完整全貌。組態快照可以是驗證組態的實用工具。例如,建議您定期檢查未正確設定或可能不存在之資源的組態快照。組態快照具有多種格式。您可以將組態快照交付至您指定的 Amazon Simple Storage Service (Amazon S3) 儲存貯體。此外,您可以在 AWS Config 主控台中選取時間點,並使用資源之間的關係瀏覽組態項目的快照。
*組態串流*是 AWS Config 正在記錄之資源的所有組態項目的自動更新清單。每次建立、修改或刪除資源時, AWS Config 都會建立組態項目,並新增至組態串流。使用您選擇的 Amazon Simple Notification Service (Amazon SNS) 主題後,組態串流即可運作。組態串流有助於觀察組態變更,以便您可以發現潛在問題、在特定資源變更時產生通知,或更新需要反映 AWS 資源組態的外部系統。
# 組態項目的元件
*組態項目*代表帳戶中存在之支援 AWS 資源的各種屬性point-in-time檢視。組態項目的元件包括中繼資料、屬性、關係、目前組態和相關事件。 會在偵測到正在記錄的資源類型變更時 AWS Config 建立組態項目。例如,如果 AWS Config 正在記錄 Amazon S3 儲存貯體,則 會在建立、更新或刪除儲存貯體時 AWS Config 建立組態項目。您也可以為 選取 AWS Config ,以您設定的錄製頻率建立組態項目。
組態項目由下列元件組成。
****
| 元件 | 描述 | 包含 |
| --- | --- | --- |
| 中繼資料 | 此組態項目的相關資訊 | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/config/latest/developerguide/config-item-table.html) |
| Attributes | 資源屬性 | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/config/latest/developerguide/config-item-table.html) |
| 關係 | 資源與其他和帳戶建立關聯之資源的相關方式 | 關係的描述,例如 Amazon EBS 磁碟區 vol-1234567 連接到 Amazon EC2 執行個體 i-a1b2c3d4 |
| 目前的組態 | 透過呼叫資源的 Describe 或 List API 傳回的資訊 | 例如,DescribeVolumes API 會傳回下列磁碟區的相關資訊:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/config/latest/developerguide/config-item-table.html) |
**備註**
1. 組態項目關聯不包含網路流程或資料流程依存。組態項目無法經由自訂以代表您的應用程式架構。
1. 從版本 1.3 開始,relatedEvents 欄位為空白。您可以存取《*AWS CloudTrail API 參考*》中的 [LookupEvents API](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_LookupEvents.html),以擷取資源的事件。
1. 從版本 1.3 開始,configurationItemMD5Hash 欄位為空白。您可以使用 configurationStateId 欄位確認您擁有最新的組態項目。
1. 如果資源類型不支援標記,或在其描述 API 回應中不包含標籤資訊, AWS Config 則 不會在該資源類型的組態項目 (CIs) 中擷取標籤資料。 AWS Config 仍會記錄這些資源。不過,依賴標籤資料的任何功能都無法運作。這會影響依賴標籤資料的標籤型篩選、分組或合規評估。
# 檢視交付管道
您必須使用AWS CLI來檢視交付管道的詳細資訊。
下列程式碼範例示範如何使用 `DescribeDeliveryChannels`。
------
#### [ CLI ]
**AWS CLI**
**取得交付管道的詳細資訊**
下列命令會傳回有關交付管道的詳細資訊:
```
aws configservice describe-delivery-channels
```
輸出:
```
{
"DeliveryChannels": [
{
"snsTopicARN": "arn:aws:sns:us-east-1:123456789012:config-topic",
"name": "default",
"s3BucketName": "config-bucket-123456789012"
}
]
}
```
+ 如需 API 詳細資訊,請參閱《AWS CLI命令參考》**中的 [DescribeDeliveryChannels](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/describe-delivery-channels.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會擷取區域的交付管道,並顯示詳細資訊。**
```
Get-CFGDeliveryChannel -Region eu-west-1 | Select-Object Name, S3BucketName, S3KeyPrefix, @{N="DeliveryFrequency";E={$_.ConfigSnapshotDeliveryProperties.DeliveryFrequency}}
```
**輸出:**
```
Name S3BucketName S3KeyPrefix DeliveryFrequency
---- ------------ ----------- -----------------
default config-bucket-NA my TwentyFour_Hours
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [DescribeDeliveryChannels](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會擷取區域的交付管道,並顯示詳細資訊。**
```
Get-CFGDeliveryChannel -Region eu-west-1 | Select-Object Name, S3BucketName, S3KeyPrefix, @{N="DeliveryFrequency";E={$_.ConfigSnapshotDeliveryProperties.DeliveryFrequency}}
```
**輸出:**
```
Name S3BucketName S3KeyPrefix DeliveryFrequency
---- ------------ ----------- -----------------
default config-bucket-NA my TwentyFour_Hours
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [DescribeDeliveryChannels](https://docs.aws.amazon.com/powershell/v5/reference)。
------
# 更新交付管道
在您更新交付管道時,您可以設定下列選項:
+ AWS Config 傳送組態快照和組態歷史記錄檔案的 Amazon S3 儲存貯體。
+ 將組態快照 AWS Config 交付至 Amazon S3 儲存貯體的頻率。
+ AWS Config 傳送組態變更通知的 Amazon SNS 主題。
## 更新交付管道 (主控台)
您可以使用 AWS Config 主控台來設定交付管道的 Amazon S3 儲存貯體和 Amazon SNS 主題。如需管理這些設定的步驟,請參閱[AWS Config 使用主控台設定](gs-console.md)。
主控台不會提供重新命名交付管道、設定組態快照頻率,或是刪除交付管道的選項。若要執行這些任務,您必須使用 AWS CLI、 AWS Config API 或其中一個 AWS SDKs。
## 更新交付管道 (AWS SDKs)
下列程式碼範例示範如何使用 `PutDeliveryChannel`。
------
#### [ CLI ]
**AWS CLI**
**建立交付管道**
下列命令會以 JSON 程式碼的形式提供交付管道的設定:
```
aws configservice put-delivery-channel --delivery-channel file://deliveryChannel.json
```
`deliveryChannel.json` 檔案指定交付管道屬性:
```
{
"name": "default",
"s3BucketName": "config-bucket-123456789012",
"snsTopicARN": "arn:aws:sns:us-east-1:123456789012:config-topic",
"configSnapshotDeliveryProperties": {
"deliveryFrequency": "Twelve_Hours"
}
}
```
此範例會設定下列屬性:
`name` – 交付管道的名稱。根據預設, AWS Config 會將名稱指派給`default`新的交付管道。您無法使用 `put-delivery-channel`命令更新交付管道名稱。如需變更名稱的步驟,請參閱重新命名交付管道。`s3BucketName`- Config AWS 交付組態快照和組態歷史記錄檔案的 Amazon S3 儲存貯體名稱。如果您指定屬於另一個 AWS 帳戶的儲存貯體,該儲存貯體必須具有將存取許可授予 AWS Config 的政策。如需詳細資訊,請參閱《Amazon S3 儲存貯體許可》。
`snsTopicARN` - 組態傳送組態變更通知的 Amazon SNS 主題的 Amazon Resource Name (ARN)。如果您從另一個帳戶選擇主題,該主題必須具有授予 Config AWS 存取許可的政策。 AWS 如需詳細資訊,請參閱 Amazon SNS 主題的許可。
`configSnapshotDeliveryProperties` - 包含 `deliveryFrequency` 屬性,這會設定 Config AWS 交付組態快照的頻率,以及叫用定期 Config 規則評估的頻率。
如果命令成功, AWS Config 不會傳回任何輸出。若要驗證交付管道的設定,請執行 describe-delivery-channels 命令。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [PutDeliveryChannel](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/put-delivery-channel.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會變更現有交付管道的 deliveryFrequency 屬性。**
```
Write-CFGDeliveryChannel -ConfigSnapshotDeliveryProperties_DeliveryFrequency TwentyFour_Hours -DeliveryChannelName default -DeliveryChannel_S3BucketName amzn-s3-demo-bucket -DeliveryChannel_S3KeyPrefix my
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [PutDeliveryChannel](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會變更現有交付管道的 deliveryFrequency 屬性。**
```
Write-CFGDeliveryChannel -ConfigSnapshotDeliveryProperties_DeliveryFrequency TwentyFour_Hours -DeliveryChannelName default -DeliveryChannel_S3BucketName amzn-s3-demo-bucket -DeliveryChannel_S3KeyPrefix my
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [PutDeliveryChannel](https://docs.aws.amazon.com/powershell/v5/reference)。
------
(選擇性) 您可以使用 [https://docs.aws.amazon.com/cli/latest/reference/configservice/describe-delivery-channels.html](https://docs.aws.amazon.com/cli/latest/reference/configservice/describe-delivery-channels.html) 命令確認交付管道設定已更新:
```
$ aws configservice describe-delivery-channels
{
"DeliveryChannels": [
{
"configSnapshotDeliveryProperties": {
"deliveryFrequency": "Twelve_Hours"
},
"snsTopicARN": "arn:aws:sns:us-east-2:123456789012:config-topic",
"name": "default",
"s3BucketName": "config-bucket-123456789012"
}
]
}
```
下列程式碼範例示範如何使用 `DescribeDeliveryChannels`。
------
#### [ CLI ]
**AWS CLI**
**取得交付管道的詳細資訊**
下列命令會傳回有關交付管道的詳細資訊:
```
aws configservice describe-delivery-channels
```
輸出:
```
{
"DeliveryChannels": [
{
"snsTopicARN": "arn:aws:sns:us-east-1:123456789012:config-topic",
"name": "default",
"s3BucketName": "config-bucket-123456789012"
}
]
}
```
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [DescribeDeliveryChannels](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/describe-delivery-channels.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會擷取區域的交付管道,並顯示詳細資訊。**
```
Get-CFGDeliveryChannel -Region eu-west-1 | Select-Object Name, S3BucketName, S3KeyPrefix, @{N="DeliveryFrequency";E={$_.ConfigSnapshotDeliveryProperties.DeliveryFrequency}}
```
**輸出:**
```
Name S3BucketName S3KeyPrefix DeliveryFrequency
---- ------------ ----------- -----------------
default config-bucket-NA my TwentyFour_Hours
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [DescribeDeliveryChannels](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會擷取區域的交付管道,並顯示詳細資訊。**
```
Get-CFGDeliveryChannel -Region eu-west-1 | Select-Object Name, S3BucketName, S3KeyPrefix, @{N="DeliveryFrequency";E={$_.ConfigSnapshotDeliveryProperties.DeliveryFrequency}}
```
**輸出:**
```
Name S3BucketName S3KeyPrefix DeliveryFrequency
---- ------------ ----------- -----------------
default config-bucket-NA my TwentyFour_Hours
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [DescribeDeliveryChannels](https://docs.aws.amazon.com/powershell/v5/reference)。
------
# 重新為交付管道命名
若要變更交付管道名稱,您必須將其刪除,並使用您指定的名稱建立新的交付管道。您必須暫時停止組態記錄器,才能刪除交付管道。 AWS Config 主控台不提供刪除交付管道的選項。您必須使用 AWS CLI、 AWS Config API 或其中一個 AWS SDKs。
**使用 重新命名交付管道 AWS CLI**
1. 使用 [https://docs.aws.amazon.com/cli/latest/reference/configservice/stop-configuration-recorder.html](https://docs.aws.amazon.com/cli/latest/reference/configservice/stop-configuration-recorder.html) 命令停止組態記錄器:
```
$ aws configservice stop-configuration-recorder --configuration-recorder-name configRecorderName
```
1. 使用 [https://docs.aws.amazon.com/cli/latest/reference/configservice/describe-delivery-channels.html](https://docs.aws.amazon.com/cli/latest/reference/configservice/describe-delivery-channels.html) 命令並記下您交付管道的屬性:
```
$ aws configservice describe-delivery-channels
{
"DeliveryChannels": [
{
"configSnapshotDeliveryProperties": {
"deliveryFrequency": "Twelve_Hours"
},
"snsTopicARN": "arn:aws:sns:us-east-2:123456789012:config-topic",
"name": "default",
"s3BucketName": "config-bucket-123456789012"
}
]
}
```
1. 使用 [https://docs.aws.amazon.com/cli/latest/reference/configservice/delete-delivery-channel.html](https://docs.aws.amazon.com/cli/latest/reference/configservice/delete-delivery-channel.html) 命令刪除交付管道:
```
$ aws configservice delete-delivery-channel --delivery-channel-name default
```
1. 使用 [https://docs.aws.amazon.com/cli/latest/reference/configservice/put-delivery-channel.html](https://docs.aws.amazon.com/cli/latest/reference/configservice/put-delivery-channel.html) 命令,使用需要的名稱建立交付管道:
```
$ aws configservice put-delivery-channel --delivery-channel file://deliveryChannel.json
```
deliveryChannel.json 檔案指定了交付管道屬性:
```
{
"name": "myCustomDeliveryChannelName",
"s3BucketName": "config-bucket-123456789012",
"snsTopicARN": "arn:aws:sns:us-east-2:123456789012:config-topic",
"configSnapshotDeliveryProperties": {
"deliveryFrequency": "Twelve_Hours"
}
}
```
1. 使用 `start-configuration-recorder` 命令繼續記錄:
```
$ aws configservice start-configuration-recorder --configuration-recorder-name configRecorderName
```
# 將組態快照交付至 Amazon S3 儲存貯體
*組態快照*是帳戶中現有所支援資源的組態項目集合。此組態快照是所記錄資源和其組態的完整全貌。組態快照可以是驗證組態的實用工具。例如,建議您定期檢查未正確設定或可能不存在之資源的組態快照。組態快照具有多種格式。您可以將組態快照交付至您指定的 Amazon Simple Storage Service (Amazon S3) 儲存貯體。此外,您可以在 AWS Config 主控台中選取時間點,並使用資源之間的關係瀏覽組態項目的快照。
## 交付組態快照
AWS Config 當您叫用 [DeliverConfigSnapshot](https://docs.aws.amazon.com/config/latest/APIReference/API_DeliverConfigSnapshot.html) 動作或執行 命令時, AWS CLI `deliver-config-snapshot` 會產生組態快照。 會將組態快照 AWS Config 存放在您在啟用時指定的 Amazon S3 儲存貯體中 AWS Config。
輸入 [https://docs.aws.amazon.com/cli/latest/reference/configservice/deliver-config-snapshot.html](https://docs.aws.amazon.com/cli/latest/reference/configservice/deliver-config-snapshot.html)命令,方法是在設定交付管道 AWS Config 時指定 指派的名稱,例如:
```
$ aws configservice deliver-config-snapshot --delivery-channel-name default
{
"configSnapshotId": "94ccff53-83be-42d9-996f-b4624b3c1a55"
}
```
# 驗證交付狀態
輸入 [https://docs.aws.amazon.com/cli/latest/reference/configservice/describe-delivery-channel-status.html](https://docs.aws.amazon.com/cli/latest/reference/configservice/describe-delivery-channel-status.html)命令以確認 AWS Config 已開始將組態交付至指定的交付管道:
```
aws configservice describe-delivery-channel-status
```
回應會列出 AWS Config 用來將組態交付至儲存貯體和主題的所有三種交付格式的狀態。
```
{
"DeliveryChannelsStatus": [
{
"configStreamDeliveryInfo": {
"lastStatusChangeTime": 1415138614.125,
"lastStatus": "SUCCESS"
},
"configHistoryDeliveryInfo": {
"lastSuccessfulTime": 1415148744.267,
"lastStatus": "SUCCESS",
"lastAttemptTime": 1415148744.267
},
"configSnapshotDeliveryInfo": {
"lastSuccessfulTime": 1415333113.4159999,
"lastStatus": "SUCCESS",
"lastAttemptTime": 1415333113.4159999
},
"name": "default"
}
]
}
```
檢視 中的 `lastSuccessfulTime` 欄位`configSnapshotDeliveryInfo`。時間應該符合您上次請求交付組態快照的時間。
**注意**
AWS Config 使用 UTC 格式 (國際標準時間) 來記錄時間。
# 檢視 Amazon S3 儲存貯體中的組態快照
*組態快照*是帳戶中現有所支援資源的組態項目集合。此組態快照是所記錄資源和其組態的完整全貌。組態快照可以是驗證組態的實用工具。例如,建議您定期檢查未正確設定或可能不存在之資源的組態快照。組態快照具有多種格式。您可以將組態快照交付至您指定的 Amazon Simple Storage Service (Amazon S3) 儲存貯體。此外,您可以在 AWS Config 主控台中選取時間點,並使用資源之間的關係瀏覽組態項目的快照。
## 檢視組態快照
1. 登入 AWS 管理主控台 並開啟位於 https://[https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/) 的 Amazon S3 主控台。
1. 在 Amazon S3 主控台**所有儲存貯體**清單中,選擇 Amazon S3 儲存貯體的名稱。
1. 逐一查看儲存貯體中的巢狀資料夾,直到您看到`ConfigSnapshot`物件的快照 ID 與 命令傳回的 ID 相符。下載並開啟 物件以檢視組態快照。S3 儲存貯體也包含名為 的空白檔案`ConfigWritabilityCheckFile`。 會 AWS Config 建立此檔案,以驗證服務是否可以成功寫入 S3 儲存貯體。
# 來自 的範例組態快照 AWS Config
以下是組態快照中 AWS Config 包含 的資訊範例。快照說明 AWS Config 目前區域中記錄的資源組態 AWS 帳戶,並說明這些資源之間的關係。
**注意**
組態快照可以包含不受支援資源類型和資源 ID 的參考。
```
{
"fileVersion": "1.0",
"requestId": "asudf8ow-4e34-4f32-afeb-0ace5bf3trye",
"configurationItems": [
{
"configurationItemVersion": "1.0",
"resourceId": "vol-ce676ccc",
"arn": "arn:aws:us-west-2b:123456789012:volume/vol-ce676ccc",
"accountId": "12345678910",
"configurationItemCaptureTime": "2014-03-07T23:47:08.918Z",
"configurationStateID": "3e660fdf-4e34-4f32-afeb-0ace5bf3d63a",
"configurationItemStatus": "OK",
"relatedEvents": [
"06c12a39-eb35-11de-ae07-adb69edbb1e4",
"c376e30d-71a2-4694-89b7-a5a04ad92281"
],
"availibilityZone": "us-west-2b",
"resourceType": "AWS::EC2::Volume",
"resourceCreationTime": "2014-02-27T21:43:53.885Z",
"tags": {},
"relationships": [
{
"resourceId": "i-344c463d",
"resourceType": "AWS::EC2::Instance",
"name": "Attached to Instance"
}
],
"configuration": {
"volumeId": "vol-ce676ccc",
"size": 1,
"snapshotId": "",
"availabilityZone": "us-west-2b",
"state": "in-use",
"createTime": "2014-02-27T21:43:53.0885+0000",
"attachments": [
{
"volumeId": "vol-ce676ccc",
"instanceId": "i-344c463d",
"device": "/dev/sdf",
"state": "attached",
"attachTime": "2014-03-07T23:46:28.0000+0000",
"deleteOnTermination": false
}
],
"tags": [
{
"tagName": "environment",
"tagValue": "PROD"
},
{
"tagName": "name",
"tagValue": "DataVolume1"
}
],
"volumeType": "standard"
}
},
{
"configurationItemVersion": "1.0",
"resourceId": "i-344c463d",
"accountId": "12345678910",
"arn": "arn:aws:ec2:us-west-2b:123456789012:instance/i-344c463d",
"configurationItemCaptureTime": "2014-03-07T23:47:09.523Z",
"configurationStateID": "cdb571fa-ce7a-4ec5-8914-0320466a355e",
"configurationItemStatus": "OK",
"relatedEvents": [
"06c12a39-eb35-11de-ae07-adb69edbb1e4",
"c376e30d-71a2-4694-89b7-a5a04ad92281"
],
"availibilityZone": "us-west-2b",
"resourceType": "AWS::EC2::Instance",
"resourceCreationTime": "2014-02-26T22:56:35.000Z",
"tags": {
"Name": "integ-test-1",
"examplename": "examplevalue"
},
"relationships": [
{
"resourceId": "vol-ce676ccc",
"resourceType": "AWS::EC2::Volume",
"name": "Attached Volume"
},
{
"resourceId": "vol-ef0e06ed",
"resourceType": "AWS::EC2::Volume",
"name": "Attached Volume",
"direction": "OUT"
},
{
"resourceId": "subnet-47b4cf2c",
"resourceType": "AWS::EC2::SUBNET",
"name": "Is contained in Subnet",
"direction": "IN"
}
],
"configuration": {
"instanceId": "i-344c463d",
"imageId": "ami-ccf297fc",
"state": {
"code": 16,
"name": "running"
},
"privateDnsName": "ip-172-31-21-63.us-west-2.compute.internal",
"publicDnsName": "ec2-54-218-4-189.us-west-2.compute.amazonaws.com",
"stateTransitionReason": "",
"keyName": "configDemo",
"amiLaunchIndex": 0,
"productCodes": [],
"instanceType": "t1.micro",
"launchTime": "2014-02-26T22:56:35.0000+0000",
"placement": {
"availabilityZone": "us-west-2b",
"groupName": "",
"tenancy": "default"
},
"kernelId": "aki-fc8f11cc",
"monitoring": {
"state": "disabled"
},
"subnetId": "subnet-47b4cf2c",
"vpcId": "vpc-41b4cf2a",
"privateIpAddress": "172.31.21.63",
"publicIpAddress": "54.218.4.189",
"architecture": "x86_64",
"rootDeviceType": "ebs",
"rootDeviceName": "/dev/sda1",
"blockDeviceMappings": [
{
"deviceName": "/dev/sda1",
"ebs": {
"volumeId": "vol-ef0e06ed",
"status": "attached",
"attachTime": "2014-02-26T22:56:38.0000+0000",
"deleteOnTermination": true
}
},
{
"deviceName": "/dev/sdf",
"ebs": {
"volumeId": "vol-ce676ccc",
"status": "attached",
"attachTime": "2014-03-07T23:46:28.0000+0000",
"deleteOnTermination": false
}
}
],
"virtualizationType": "paravirtual",
"clientToken": "aBCDe123456",
"tags": [
{
"key": "Name",
"value": "integ-test-1"
},
{
"key": "examplekey",
"value": "examplevalue"
}
],
"securityGroups": [
{
"groupName": "launch-wizard-2",
"groupId": "sg-892adfec"
}
],
"sourceDestCheck": true,
"hypervisor": "xen",
"networkInterfaces": [
{
"networkInterfaceId": "eni-55c03d22",
"subnetId": "subnet-47b4cf2c",
"vpcId": "vpc-41b4cf2a",
"description": "",
"ownerId": "12345678910",
"status": "in-use",
"privateIpAddress": "172.31.21.63",
"privateDnsName": "ip-172-31-21-63.us-west-2.compute.internal",
"sourceDestCheck": true,
"groups": [
{
"groupName": "launch-wizard-2",
"groupId": "sg-892adfec"
}
],
"attachment": {
"attachmentId": "eni-attach-bf90c489",
"deviceIndex": 0,
"status": "attached",
"attachTime": "2014-02-26T22:56:35.0000+0000",
"deleteOnTermination": true
},
"association": {
"publicIp": "54.218.4.189",
"publicDnsName": "ec2-54-218-4-189.us-west-2.compute.amazonaws.com",
"ipOwnerId": "amazon"
},
"privateIpAddresses": [
{
"privateIpAddress": "172.31.21.63",
"privateDnsName": "ip-172-31-21-63.us-west-2.compute.internal",
"primary": true,
"association": {
"publicIp": "54.218.4.189",
"publicDnsName": "ec2-54-218-4-189.us-west-2.compute.amazonaws.com",
"ipOwnerId": "amazon"
}
}
]
}
],
"ebsOptimized": false
}
}
]
}
```
下一步是驗證已將組態快照成功交付至交付管道。
# AWS Config 傳送至 Amazon SNS 主題的通知
**注意**
在 AWS Config 可以傳送通知到 Amazon SNS 主題之前,您必須先設定組態記錄器和交付管道。如需詳細資訊,請參閱《[管理組態記錄器](https://docs.aws.amazon.com/config/latest/developerguide/stop-start-recorder.html)》和《[管理交付管道](https://docs.aws.amazon.com/config/latest/developerguide/manage-delivery-channel.html)》。
您可以設定 AWS Config 將組態變更和通知串流至 Amazon SNS 主題。例如,更新資源時,您可以收到傳送至您電子郵件的通知,因此您可以檢視變更。當 根據您的 資源 AWS Config 評估您的自訂或受管規則時,您也會收到通知。如需詳細資訊,請參閱在 [中記錄和監控 AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/security-logging-and-monitoring.html)。
AWS Config 會傳送下列事件的通知:
+ 資源的組態項目變更。
+ 已交付您帳戶的資源組態歷史記錄。
+ 已針對您的帳戶啟動和交付所記錄資源的組態快照。
+ 資源的合規性狀態,以及它們是否符合您的規則。
+ 已針對您的資源開始規則的評估。
+ AWS Config 無法將通知傳送到您的帳戶。
**Topics**
+ [範例組態項目變更通知](example-sns-notification.md)
+ [範例組態歷史記錄交付通知](example-configuration-history-notification.md)
+ [範例組態快照交付已啟動通知](example-configuration-snapshot-notification-started.md)
+ [範例組態快照交付通知](example-configuration-snapshot-notification.md)
+ [範例合規性變更通知](example-config-rule-compliance-notification.md)
+ [範例規則評估已啟動通知](config-rules-evaluation-started.md)
+ [範例大型組態項目變更通知](oversized-notification-example.md)
+ [範例交付失敗通知](notification-delivery-failed.md)
# 範例組態項目變更通知
AWS Config 使用 Amazon SNS 將通知傳遞至訂閱端點。這些通知提供組態快照和組態歷史記錄的交付狀態,並提供當記錄 AWS 資源的組態變更時所 AWS Config 建立的每個組態項目。 AWS Config 也會傳送通知,顯示您的資源是否符合您的規則。如果您選擇透過電子郵件傳送通知,則可以根據電子郵件的主旨行和訊息本文以在電子郵件用戶端應用程式中使用篩選條件。
下列 Amazon SNS 通知承載範例是在 AWS Config 偵測到 Amazon Elastic Block Store 磁碟區 `vol-ce676ccc` 連接至 ID 為 `i-344c463d` 的執行個體時所產生。通知包含資源的組態項目變更。
```
{
"Type": "Notification",
"MessageId": "8b945cb0-db34-5b72-b032-1724878af488",
"TopicArn": "arn:aws:sns:us-west-2:123456789012:example",
"Message": {
"MessageVersion": "1.0",
"NotificationCreateTime": "2014-03-18T10:11:00Z",
"messageType": "ConfigurationItemChangeNotification",
"configurationItem": [
{
"configurationItemVersion": "1.0",
"configurationItemCaptureTime": "2014-03-07T23:47:08.918Z",
"arn": "arn:aws:us-west-2b:123456789012:volume/vol-ce676ccc",
"resourceId": "vol-ce676ccc",
"awsAccountId": "123456789012",
"configurationStateID": "3e660fdf-4e34-4f32-afeb-0ace5bf3d63a",
"configurationItemStatus": "OK",
"relatedEvents": [],
"availabilityZone": "us-west-2b",
"resourceType": "AWS::EC2::VOLUME",
"resourceCreationTime": "2014-02-27T21:43:53.885Z",
"tags": {},
"relationships": [
{
"resourceId": "i-344c463d",
"resourceType": "AWS::EC2::INSTANCE",
"name": "Attached to Instance"
}
],
"configuration": {
"volumeId": "vol-ce676ccc",
"size": 1,
"snapshotId": "",
"availabilityZone": "us-west-2b",
"state": "in-use",
"createTime": "2014-02-27T21:43:53.0885+0000",
"attachments": [
{
"volumeId": "vol-ce676ccc",
"instanceId": "i-344c463d",
"device": "/dev/sdf",
"state": "attached",
"attachTime": "2014-03-07T23:46:28.0000+0000",
"deleteOnTermination": false
}
],
"tags": [],
"volumeType": "standard"
}
}
],
"configurationItemDiff": {
"changeType": "UPDATE",
"changedProperties": {
"Configuration.State": {
"previousValue": "available",
"updatedValue": "in-use",
"changeType": "UPDATE"
},
"Configuration.Attachments.0": {
"updatedValue": {
"VolumeId": "vol-ce676ccc",
"InstanceId": "i-344c463d",
"Device": "/dev/sdf",
"State": "attached",
"AttachTime": "FriMar0723: 46: 28UTC2014",
"DeleteOnTermination": "false"
},
"changeType": "CREATE"
}
}
}
},
"Timestamp": "2014-03-07T23:47:10.001Z",
"SignatureVersion": "1",
"Signature": "LgfJNB5aOk/w3omqsYrv5cUFY8yvIJvO5ZZh46/KGPApk6HXRTBRlkhjacnxIXJEWsGI9mxvMmoWPLJGYEAR5FF/+/Ro9QTmiTNcEjQ5kB8wGsRWVrk/whAzT2lVtofc365En2T1Ncd9iSFFXfJchgBmI7EACZ28t+n2mWFgo57n6eGDvHTedslzC6KxkfWTfXsR6zHXzkB3XuZImktflg3iPKtvBb3Zc9iVbNsBEI4FITFWktSqqomYDjc5h0kgapIo4CtCHGKpALW9JDmP+qZhMzEbHWpzFlEzvFl55KaZXxDbznBD1ZkqPgno/WufuxszCiMrsmV8pUNUnkU1TA==",
"SigningCertURL": "https://sns.us-west-2.amazonaws.com/SimpleNotificationService-e372f8ca30337fdb084e8ac449342c77.pem",
"UnsubscribeURL": "https://sns.us-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-west-2:123456789012:example:a6859fee-3638-407c-907e-879651c9d143"
}
```
## 含關係的資源組態項目
如果資源與其他資源相關,則變更該資源可能會產生多個組態項目。下列範例顯示 如何為具有關係的資源 AWS Config 建立組態項目。
1. 您有 ID 為 `i-007d374c8912e3e90` 的 Amazon EC2 執行個體,而且執行個體與 Amazon EC2 安全群組 `sg-c8b141b4` 建立關聯。
1. 您更新 EC2 執行個體,以將安全群組變更為另一個安全群組 `sg-3f1fef43`。
1. 由於 EC2 執行個體與另一個資源相關,因此 會 AWS Config 建立多個組態項目,如下列範例所示:
此通知包含 EC2 執行個體在取代安全群組時的組態項目變更。
```
{
"Type": "Notification",
"MessageId": "faeba85e-ef46-570a-b01c-f8b0faae8d5d",
"TopicArn": "arn:aws:sns:us-east-2:123456789012:config-topic-ohio",
"Subject": "[AWS Config:us-east-2] AWS::EC2::Instance i-007d374c8912e3e90 Updated in Account 123456789012",
"Message": {
"configurationItemDiff": {
"changedProperties": {
"Configuration.NetworkInterfaces.0": {
"previousValue": {
"networkInterfaceId": "eni-fde9493f",
"subnetId": "subnet-2372be7b",
"vpcId": "vpc-14400670",
"description": "",
"ownerId": "123456789012",
"status": "in-use",
"macAddress": "0e:36:a2:2d:c5:e0",
"privateIpAddress": "172.31.16.84",
"privateDnsName": "ip-172-31-16-84.ec2.internal",
"sourceDestCheck": true,
"groups": [{
"groupName": "example-security-group-1",
"groupId": "sg-c8b141b4"
}],
"attachment": {
"attachmentId": "eni-attach-85bd89d9",
"deviceIndex": 0,
"status": "attached",
"attachTime": "2017-01-09T19:36:02.000Z",
"deleteOnTermination": true
},
"association": {
"publicIp": "54.175.43.43",
"publicDnsName": "ec2-54-175-43-43.compute-1.amazonaws.com",
"ipOwnerId": "amazon"
},
"privateIpAddresses": [{
"privateIpAddress": "172.31.16.84",
"privateDnsName": "ip-172-31-16-84.ec2.internal",
"primary": true,
"association": {
"publicIp": "54.175.43.43",
"publicDnsName": "ec2-54-175-43-43.compute-1.amazonaws.com",
"ipOwnerId": "amazon"
}
}]
},
"updatedValue": null,
"changeType": "DELETE"
},
"Relationships.0": {
"previousValue": {
"resourceId": "sg-c8b141b4",
"resourceName": null,
"resourceType": "AWS::EC2::SecurityGroup",
"name": "Is associated with SecurityGroup"
},
"updatedValue": null,
"changeType": "DELETE"
},
"Configuration.NetworkInterfaces.1": {
"previousValue": null,
"updatedValue": {
"networkInterfaceId": "eni-fde9493f",
"subnetId": "subnet-2372be7b",
"vpcId": "vpc-14400670",
"description": "",
"ownerId": "123456789012",
"status": "in-use",
"macAddress": "0e:36:a2:2d:c5:e0",
"privateIpAddress": "172.31.16.84",
"privateDnsName": "ip-172-31-16-84.ec2.internal",
"sourceDestCheck": true,
"groups": [{
"groupName": "example-security-group-2",
"groupId": "sg-3f1fef43"
}],
"attachment": {
"attachmentId": "eni-attach-85bd89d9",
"deviceIndex": 0,
"status": "attached",
"attachTime": "2017-01-09T19:36:02.000Z",
"deleteOnTermination": true
},
"association": {
"publicIp": "54.175.43.43",
"publicDnsName": "ec2-54-175-43-43.compute-1.amazonaws.com",
"ipOwnerId": "amazon"
},
"privateIpAddresses": [{
"privateIpAddress": "172.31.16.84",
"privateDnsName": "ip-172-31-16-84.ec2.internal",
"primary": true,
"association": {
"publicIp": "54.175.43.43",
"publicDnsName": "ec2-54-175-43-43.compute-1.amazonaws.com",
"ipOwnerId": "amazon"
}
}]
},
"changeType": "CREATE"
},
"Relationships.1": {
"previousValue": null,
"updatedValue": {
"resourceId": "sg-3f1fef43",
"resourceName": null,
"resourceType": "AWS::EC2::SecurityGroup",
"name": "Is associated with SecurityGroup"
},
"changeType": "CREATE"
},
"Configuration.SecurityGroups.1": {
"previousValue": null,
"updatedValue": {
"groupName": "example-security-group-2",
"groupId": "sg-3f1fef43"
},
"changeType": "CREATE"
},
"Configuration.SecurityGroups.0": {
"previousValue": {
"groupName": "example-security-group-1",
"groupId": "sg-c8b141b4"
},
"updatedValue": null,
"changeType": "DELETE"
}
},
"changeType": "UPDATE"
},
"configurationItem": {
"relatedEvents": [],
"relationships": [
{
"resourceId": "eni-fde9493f",
"resourceName": null,
"resourceType": "AWS::EC2::NetworkInterface",
"name": "Contains NetworkInterface"
},
{
"resourceId": "sg-3f1fef43",
"resourceName": null,
"resourceType": "AWS::EC2::SecurityGroup",
"name": "Is associated with SecurityGroup"
},
{
"resourceId": "subnet-2372be7b",
"resourceName": null,
"resourceType": "AWS::EC2::Subnet",
"name": "Is contained in Subnet"
},
{
"resourceId": "vol-0a2d63a256bce35c5",
"resourceName": null,
"resourceType": "AWS::EC2::Volume",
"name": "Is attached to Volume"
},
{
"resourceId": "vpc-14400670",
"resourceName": null,
"resourceType": "AWS::EC2::VPC",
"name": "Is contained in Vpc"
}
],
"configuration": {
"instanceId": "i-007d374c8912e3e90",
"imageId": "ami-9be6f38c",
"state": {
"code": 16,
"name": "running"
},
"privateDnsName": "ip-172-31-16-84.ec2.internal",
"publicDnsName": "ec2-54-175-43-43.compute-1.amazonaws.com",
"stateTransitionReason": "",
"keyName": "ec2-micro",
"amiLaunchIndex": 0,
"productCodes": [],
"instanceType": "t2.micro",
"launchTime": "2017-01-09T20:13:28.000Z",
"placement": {
"availabilityZone": "us-east-2c",
"groupName": "",
"tenancy": "default",
"hostId": null,
"affinity": null
},
"kernelId": null,
"ramdiskId": null,
"platform": null,
"monitoring": {"state": "disabled"},
"subnetId": "subnet-2372be7b",
"vpcId": "vpc-14400670",
"privateIpAddress": "172.31.16.84",
"publicIpAddress": "54.175.43.43",
"stateReason": null,
"architecture": "x86_64",
"rootDeviceType": "ebs",
"rootDeviceName": "/dev/xvda",
"blockDeviceMappings": [{
"deviceName": "/dev/xvda",
"ebs": {
"volumeId": "vol-0a2d63a256bce35c5",
"status": "attached",
"attachTime": "2017-01-09T19:36:03.000Z",
"deleteOnTermination": true
}
}],
"virtualizationType": "hvm",
"instanceLifecycle": null,
"spotInstanceRequestId": null,
"clientToken": "bIYqA1483990561516",
"tags": [{
"key": "Name",
"value": "value"
}],
"securityGroups": [{
"groupName": "example-security-group-2",
"groupId": "sg-3f1fef43"
}],
"sourceDestCheck": true,
"hypervisor": "xen",
"networkInterfaces": [{
"networkInterfaceId": "eni-fde9493f",
"subnetId": "subnet-2372be7b",
"vpcId": "vpc-14400670",
"description": "",
"ownerId": "123456789012",
"status": "in-use",
"macAddress": "0e:36:a2:2d:c5:e0",
"privateIpAddress": "172.31.16.84",
"privateDnsName": "ip-172-31-16-84.ec2.internal",
"sourceDestCheck": true,
"groups": [{
"groupName": "example-security-group-2",
"groupId": "sg-3f1fef43"
}],
"attachment": {
"attachmentId": "eni-attach-85bd89d9",
"deviceIndex": 0,
"status": "attached",
"attachTime": "2017-01-09T19:36:02.000Z",
"deleteOnTermination": true
},
"association": {
"publicIp": "54.175.43.43",
"publicDnsName": "ec2-54-175-43-43.compute-1.amazonaws.com",
"ipOwnerId": "amazon"
},
"privateIpAddresses": [{
"privateIpAddress": "172.31.16.84",
"privateDnsName": "ip-172-31-16-84.ec2.internal",
"primary": true,
"association": {
"publicIp": "54.175.43.43",
"publicDnsName": "ec2-54-175-43-43.compute-1.amazonaws.com",
"ipOwnerId": "amazon"
}
}]
}],
"iamInstanceProfile": null,
"ebsOptimized": false,
"sriovNetSupport": null,
"enaSupport": true
},
"supplementaryConfiguration": {},
"tags": {"Name": "value"},
"configurationItemVersion": "1.2",
"configurationItemCaptureTime": "2017-01-09T22:50:14.328Z",
"configurationStateId": 1484002214328,
"awsAccountId": "123456789012",
"configurationItemStatus": "OK",
"resourceType": "AWS::EC2::Instance",
"resourceId": "i-007d374c8912e3e90",
"resourceName": null,
"ARN": "arn:aws:ec2:us-east-2:123456789012:instance/i-007d374c8912e3e90",
"awsRegion": "us-east-2",
"availabilityZone": "us-east-2c",
"configurationStateMd5Hash": "8d0f41750f5965e0071ae9be063ba306",
"resourceCreationTime": "2017-01-09T20:13:28.000Z"
},
"notificationCreationTime": "2017-01-09T22:50:15.928Z",
"messageType": "ConfigurationItemChangeNotification",
"recordVersion": "1.2"
},
"Timestamp": "2017-01-09T22:50:16.358Z",
"SignatureVersion": "1",
"Signature": "lpJTEYOSr8fUbiaaRNw1ECawJFVoD7I67mIeEkfAWJkqvvpak1ULHLlC+I0sS/01A4P1Yci8GSK/cOEC/O2XBntlw4CAtbMUgTQvb345Z2YZwcpK0kPNi6v6N51DuZ/6DZA8EC+gVTNTO09xtNIH8aMlvqyvUSXuh278xayExC5yTRXEg+ikdZRd4QzS7obSK1kgRZWI6ipxPNL6rd56/VvPxyhcbS7Vm40/2+e0nVb3bjNHBxjQTXSs1Xhuc9eP2gEsC4Sl32bGqdeDU1Y4dFGukuzPYoHuEtDPh+GkLUq3KeiDAQshxAZLmOIRcQ7iJ/bELDJTN9AcX6lqlDZ79w==",
"SigningCertURL": "https://sns.us-east-2.amazonaws.com/SimpleNotificationService-b95095beb82e8f6a046b3aafc7f4149a.pem",
"UnsubscribeURL": "https://sns.us-east-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-east-2:123456789012:config-topic-ohio:956fe658-0ce3-4fb3-b409-a45f22a3c3d4"
}
```
此通知包含與執行個體建立關聯之 EC2 安全群組 `sg-3f1fef43` 的組態項目變更。
```
{
"Type": "Notification",
"MessageId": "564d873e-711e-51a3-b48c-d7d064f65bf4",
"TopicArn": "arn:aws:sns:us-east-2:123456789012:config-topic-ohio",
"Subject": "[AWS Config:us-east-2] AWS::EC2::SecurityGroup sg-3f1fef43 Created in Account 123456789012",
"Message": {
"configurationItemDiff": {
"changedProperties": {},
"changeType": "CREATE"
},
"configurationItem": {
"relatedEvents": [],
"relationships": [{
"resourceId": "vpc-14400670",
"resourceName": null,
"resourceType": "AWS::EC2::VPC",
"name": "Is contained in Vpc"
}],
"configuration": {
"ownerId": "123456789012",
"groupName": "example-security-group-2",
"groupId": "sg-3f1fef43",
"description": "This is an example security group.",
"ipPermissions": [],
"ipPermissionsEgress": [{
"ipProtocol": "-1",
"fromPort": null,
"toPort": null,
"userIdGroupPairs": [],
"ipRanges": ["0.0.0.0/0"],
"prefixListIds": []
}],
"vpcId": "vpc-14400670",
"tags": []
},
"supplementaryConfiguration": {},
"tags": {},
"configurationItemVersion": "1.2",
"configurationItemCaptureTime": "2017-01-09T22:50:15.156Z",
"configurationStateId": 1484002215156,
"awsAccountId": "123456789012",
"configurationItemStatus": "ResourceDiscovered",
"resourceType": "AWS::EC2::SecurityGroup",
"resourceId": "sg-3f1fef43",
"resourceName": null,
"ARN": "arn:aws:ec2:us-east-2:123456789012:security-group/sg-3f1fef43",
"awsRegion": "us-east-2",
"availabilityZone": "Not Applicable",
"configurationStateMd5Hash": "7399608745296f67f7fe1c9ca56d5205",
"resourceCreationTime": null
},
"notificationCreationTime": "2017-01-09T22:50:16.021Z",
"messageType": "ConfigurationItemChangeNotification",
"recordVersion": "1.2"
},
"Timestamp": "2017-01-09T22:50:16.413Z",
"SignatureVersion": "1",
"Signature": "GocX31Uu/zNFo85hZqzsNy30skwmLnjPjj+UjaJzkih+dCP6gXYGQ0bK7uMzaLL2C/ibYOOsT7I/XY4NW6Amc5T46ydyHDjFRtQi8UfUQTqLXYRTnpOO/hyK9lMFfhUNs4NwQpmx3n3mYEMpLuMs8DCgeBmB3AQ+hXPhNuNuR3mJVgo25S8AqphN9O0okZ2MKNUQy8iJm/CVAx70TdnYsfUMZ24n88bUzAfiHGzc8QTthMdrFVUwXxa1h/7Zl8+A7BwoGmjo7W8CfLDVwaIQv1Uplgk3qd95Z0AXOzXVxNBQEi4k8axcknwjzpyO1g3rKzByiQttLUQwkgF33op9wg==",
"SigningCertURL": "https://sns.us-east-2.amazonaws.com/SimpleNotificationService-b95095beb82e8f6a046b3aafc7f4149a.pem",
"UnsubscribeURL": "https://sns.us-east-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-east-2:123456789012:config-topic-ohio:956fe658-0ce3-4fb3-b409-a45f22a3c3d4"
}
```
## 了解 Amazon SNS `ConfigurationItemChangeNotification` 通知中的 `configurationItemDiff` 欄位
AWS Config 會在資源組態變更時 (create/update/delete建立組態項目。如需 AWS Config 可記錄的支援資源類型清單,請參閱 [支援的資源類型 AWS Config](resource-config-reference.md). AWS Config uses Amazon SNS 在變更發生時傳送通知。Amazon SNS 通知承載包含欄位,可協助您追蹤指定 AWS 區域中的資源變更。
若要了解您收到 `ConfigurationItemChangeNotification` 通知的原因,請檢閱 `configurationItemDiff` 詳細資訊。這些欄位會根據變更類型而有所不同,並且可以形成不同的組合,例如「UPDATE-UPDATE」、「UPDATE-CREATE」和「DELETE-DELETE」。下列是部分常見組合的說明。
### 「UPDATE-CREATE」和「UPDATE-UPDATE」
下列範例包含資源直接關係與資源組態中的變更。`configurationItemDiff` 詳細資訊顯示了下列資訊:
**執行的動作**:帳戶中存在的受管政策已連接至 AWS Identity and Access Management (IAM) 角色。
**已執行的基本操作**:UPDATE (更新帳號中資源類型 `AWS::IAM::Policy` 的關聯數量)。
**變更類型組合**:
1. 資源直接關係變更「UPDATE-CREATE」。在 IAM 政策和 IAM 角色之間建立了新的連接或關聯。
1. 資源組態變更「UPDATE-UPDATE」。當政策連接至 IAM 角色時,IAM 政策關聯的數量會從 2 增加到 3。
範例「UPDATE-CREATE」和「UPDATE-UPDATE」`configurationItemDiff` 通知:
```
{
"configurationItemDiff": {
"changedProperties": {
"Relationships.0": {
"previousValue": null,
"updatedValue": {
"resourceId": "AROA6D3M4S53*********",
"resourceName": "Test1",
"resourceType": "AWS::IAM::Role",
"name": "Is attached to Role"
},
"changeType": "CREATE" >>>>>>>>>>>>>>>>>>>> 1
},
"Configuration.AttachmentCount": {
"previousValue": 2,
"updatedValue": 3,
"changeType": "UPDATE" >>>>>>>>>>>>>>>>>>>> 2
}
},
"changeType": "UPDATE"
}
}
```
### UPDATE-DELETE
下列範例包含資源直接關係與資源組態中的變更。`configurationItemDiff` 詳細資訊顯示了下列資訊:
**已執行的動作**:帳戶中存在的受管政策已與 IAM 使用者分離。
**已執行的基本操作**:UPDATE (更新與資源類型 `AWS::IAM::User` 相關聯的許可政策)。
**變更類型組合**:資源直接關係變更「UPDATE-DELETE」。帳戶中 IAM 使用者與 IAM 政策之間的關聯已刪除。
### DELETE-DELETE
下列範例包含資源直接關係與資源組態中的變更。`configurationItemDiff` 詳細資訊顯示了下列資訊:
**已執行的動作**:已刪除帳戶中存在的 IAM 角色。
**已執行的基本操作**:DELETE (已刪除資源類型 `AWS::IAM::Role` 的資源)。
**變更類型組合**:資源直接關係變更與資源組態變更「DELETE-DELETE」。刪除 IAM 角色的同時,也會刪除 IAM 政策與 IAM 角色之間的關聯。
# 範例組態歷史記錄交付通知
組態歷史記錄是資源類型在一般時間期間的組態項目集合。以下是當為您的帳戶交付 CloudTrail 追蹤資源的組態歷史記錄時 AWS Config 傳送的範例通知。
```
{
"Type": "Notification",
"MessageId": "ce49bf2c-d03a-51b0-8b6a-ef480a8b39fe",
"TopicArn": "arn:aws:sns:us-east-2:123456789012:config-topic-ohio",
"Subject": "[AWS Config:us-east-2] Configuration History Delivery Completed for Account 123456789012",
"Message": {
"s3ObjectKey": "AWSLogs/123456789012/Config/us-east-2/2016/9/27/ConfigHistory/123456789012_Config_us-east-2_ConfigHistory_AWS::CloudTrail::Trail_20160927T195818Z_20160927T195818Z_1.json.gz",
"s3Bucket": "config-bucket-123456789012-ohio",
"notificationCreationTime": "2016-09-27T20:37:05.217Z",
"messageType": "ConfigurationHistoryDeliveryCompleted",
"recordVersion": "1.1"
},
"Timestamp": "2016-09-27T20:37:05.315Z",
"SignatureVersion": "1",
"Signature": "OuIcS5RAKXTR6chQEJp3if4KJQVlBz2kmXh7QE1/RJQiCPsCNfG0J0rUZ1rqfKMqpps/Ka+zF0kg4dUCWV9PF0dliuwnjfbtYmDZpP4EBOoGmxcTliUn1AIe/yeGFDuc6P3EotP3zt02rhmxjezjf3c11urstFZ8rTLVXp0z0xeyk4da0UetLsWZxUFEG0Z5uhk09mBo5dg/4mryIOovidhrbCBgX5marot8TjzNPS9UrKhi2YGUoSQGr4E85EzWqqXdn33GO8dy0DqDfdWBaEr3IWVGtHy3w7oJDMIqW7ENkfML0bJMQjin4P5tYeilNF5XQzhtCkFvFx7JHR97vw==",
"SigningCertURL": "https://sns.us-east-2.amazonaws.com/SimpleNotificationService-b95095beb82e8f6a046b3aafc7f4149a.pem",
"UnsubscribeURL": "https://sns.us-east-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-east-2:123456789012:config-topic-ohio:956fe658-0ce3-4fb3-b409-a45f22a3c3d4"
}
```
# 範例組態快照交付已啟動通知
以下是當 AWS Config 開始交付您帳戶的組態快照時 AWS Config 傳送的範例通知。
```
{
"Type": "Notification",
"MessageId": "a32d0487-94b1-53f6-b4e6-5407c9c00be6",
"TopicArn": "arn:aws:sns:us-east-2:123456789012:config-topic-ohio",
"Subject": "[AWS Config:us-east-2] Configuration Snapshot Delivery Started for Account 123456789012",
"Message": {
"configSnapshotId": "108e0794-84a7-4cca-a179-76a199ddd11a",
"notificationCreationTime": "2016-10-18T17:26:09.572Z",
"messageType": "ConfigurationSnapshotDeliveryStarted",
"recordVersion": "1.1"
},
"Timestamp": "2016-10-18T17:26:09.840Z",
"SignatureVersion": "1",
"Signature": "BBA0DeKsfteTpYyZH5HPANpOLmW/jumOMBsghRq/kimY9tjNlkF/V3BpLG1HVmDQdQzBh6oKE0h0rxcazbyGf5KF5W5r1zKKlEnS9xugFzALPUx//olSJ4neWalLBKNIq1xvAQgu9qHfDR7dS2aCwe4scQfqOjn1Ev7PlZqxmT+ux3SR/C54cbfcduDpDsPwdo868+TpZvMtaU30ySnX04fmOgxoiA8AJO/EnjduQ08/zd4SYXhm+H9wavcwXB9XECelHhRW70Y+wHQixfx40S1SaSRzvnJE+m9mHphFQs64YraRDRv6tMaenTk6CVPO+81ceAXIg2E1m7hZ7lz4PA==",
"SigningCertURL": "https://sns.us-east-2.amazonaws.com/SimpleNotificationService-b95095beb82e8f6a046b3aafc7f4149a.pem",
"UnsubscribeURL": "https://sns.us-east-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-east-2:123456789012:config-topic-ohio:956fe658-0ce3-4fb3-b409-a45f22a3c3d4"
}
```
# 範例組態快照交付通知
組態快照是您帳戶中所有已記錄資源和其組態的組態項目集合。以下是在為您的帳戶交付組態快照時 AWS Config 傳送的範例通知。
```
{
"Type": "Notification",
"MessageId": "9fc82f4b-397e-5b69-8f55-7f2f86527100",
"TopicArn": "arn:aws:sns:us-east-2:123456789012:config-topic-ohio",
"Subject": "[AWS Config:us-east-2] Configuration Snapshot Delivery Completed for Account 123456789012",
"Message": {
"configSnapshotId": "16da64e4-cb65-4846-b061-e6c3ba43cb96",
"s3ObjectKey": "AWSLogs/123456789012/Config/us-east-2/2016/9/27/ConfigSnapshot/123456789012_Config_us-east-2_ConfigSnapshot_20160927T183939Z_16da64e4-cb65-4846-b061-e6c3ba43cb96.json.gz",
"s3Bucket": "config-bucket-123456789012-ohio",
"notificationCreationTime": "2016-09-27T18:39:39.853Z",
"messageType": "ConfigurationSnapshotDeliveryCompleted",
"recordVersion": "1.1"
},
"Timestamp": "2016-09-27T18:39:40.062Z",
"SignatureVersion": "1",
"Signature": "PMkWfUuj/fKIEXA7s2wTDLbZoF/MDsUkPspYghOpwu9n6m+C+zrm0cEZXPxxJPvhnWozG7SVqkHYf9QgI/diW2twP/HPDn5GQs2rNDc+YlaByEXnKVtHV1Gd4r1kN57E/oOW5NVLNczk5ymxAW+WGdptZJkCgyVuhJ28s08m3Z3Kqz96PPSnXzYZoCfCn/yP6CqXoN7olr4YCbYxYwn8zOUYcPmc45yYNSUTKZi+RJQRnDJkL2qb+s4h9w2fjbBBj8xe830VbFJqbHp7UkSfpc64Y+tRvmMLY5CI1cYrnuPRhTLdUk+R0sshg5G+JMtSLVG/TvWbjz44CKXJprjIQg==",
"SigningCertURL": "https://sns.us-east-2.amazonaws.com/SimpleNotificationService-b95095beb82e8f6a046b3aafc7f4149a.pem",
"UnsubscribeURL": "https://sns.us-east-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-east-2:123456789012:config-topic-ohio:956fe658-0ce3-4fb3-b409-a45f22a3c3d4"
}
```
# 範例合規性變更通知
當 根據自訂或受管規則 AWS Config 評估您的資源時, AWS Config 會傳送通知,顯示資源是否符合規則。
下列範例通知顯示 CloudTrail 追蹤資源符合 `cloudtrail-enabled ` 受管規則。
```
{
"Type": "Notification",
"MessageId": "11fd05dd-47e1-5523-bc01-55b988bb9478",
"TopicArn": "arn:aws:sns:us-east-2:123456789012:config-topic-ohio",
"Subject": "[AWS Config:us-east-2] AWS::::Account 123456789012 is COMPLIANT with cloudtrail-enabled in Accoun...",
"Message": {
"awsAccountId": "123456789012",
"configRuleName": "cloudtrail-enabled",
"configRuleARN": "arn:aws:config:us-east-2:123456789012:config-rule/config-rule-9rpvxc",
"resourceType": "AWS::::Account",
"resourceId": "123456789012",
"awsRegion": "us-east-2",
"newEvaluationResult": {
"evaluationResultIdentifier": {
"evaluationResultQualifier": {
"configRuleName": "cloudtrail-enabled",
"resourceType": "AWS::::Account",
"resourceId": "123456789012"
},
"orderingTimestamp": "2016-09-27T19:48:40.619Z"
},
"complianceType": "COMPLIANT",
"resultRecordedTime": "2016-09-27T19:48:41.405Z",
"configRuleInvokedTime": "2016-09-27T19:48:40.914Z",
"annotation": null,
"resultToken": null
},
"oldEvaluationResult": {
"evaluationResultIdentifier": {
"evaluationResultQualifier": {
"configRuleName": "cloudtrail-enabled",
"resourceType": "AWS::::Account",
"resourceId": "123456789012"
},
"orderingTimestamp": "2016-09-27T16:30:49.531Z"
},
"complianceType": "NON_COMPLIANT",
"resultRecordedTime": "2016-09-27T16:30:50.717Z",
"configRuleInvokedTime": "2016-09-27T16:30:50.105Z",
"annotation": null,
"resultToken": null
},
"notificationCreationTime": "2016-09-27T19:48:42.620Z",
"messageType": "ComplianceChangeNotification",
"recordVersion": "1.0"
},
"Timestamp": "2016-09-27T19:48:42.749Z",
"SignatureVersion": "1",
"Signature": "XZ9FfLb2ywkW9yj0yBkNtIP5q7Cry6JtCEyUiHmG9gpOZi3seQ41udhtAqCZoiNiizAEi+6gcttHCRV1hNemzp/YmBmTfO6azYXt0FJDaEvd86k68VCS9aqRlBBjYlNo7ILi4Pqd5rE4BX2YBQSzcQyERGkUfTZ2BIFyAmb1Q/y4/6ez8rDyi545FDSlgcGEb4LKLNR6eDi4FbKtMGZHA7Nz8obqs1dHbgWYnp3c80mVLl7ohP4hilcxdywAgXrbsN32ekYr15gdHozx8YzyjfRSo3SjH0c5PGSXEAGNuC3mZrKJip+BIZ21ZtkcUtY5B3ImgRlUO7Yhn3L3c6rZxQ==",
"SigningCertURL": "https://sns.us-east-2.amazonaws.com/SimpleNotificationService-b95095beb82e8f6a046b3aafc7f4149a.pem",
"UnsubscribeURL": "https://sns.us-east-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-east-2:123456789012:config-topic-ohio:956fe658-0ce3-4fb3-b409-a45f22a3c3d4"
}
```
**範例:Config 組態項目變更 \$1 Amazon EventBridge**
```
{
"version": "0",
"id": "00bdf13e-1111-b2f5-cef0-e9cbbe7cd533",
"detail-type": "Config Configuration Item Change",
"source": "aws.config",
"account": "123456789012",
"time": "2022-03-16T01:10:51Z",
"region": "us-east-1",
"resources": ["arn:aws:elasticfilesystem:us-east-1:123456789012:file-system/fs-01f0d526165b57f95"],
"detail": {
"recordVersion": "1.3",
"messageType": "ConfigurationItemChangeNotification",
"configurationItemDiff": {
"changedProperties": {
"Configuration.FileSystemTags.0": {
"updatedValue": {
"Key": "test",
"Value": "me"
},
"changeType": "CREATE"
},
"Tags.2": {
"updatedValue": "me",
"changeType": "CREATE"
}
},
"changeType": "UPDATE"
},
"notificationCreationTime": "2022-03-16T01:10:51.976Z",
"configurationItem": {
"relatedEvents": [],
"relationships": [],
"configuration": {
"FileSystemId": "fs-01f0d526165b57f95",
"Arn": "arn:aws:elasticfilesystem:us-east-1:123456789012:file-system/fs-01f0d526165b57f95",
"Encrypted": true,
"FileSystemTags": [{
"Key": "Name",
"Value": "myname"
}, {
"Key": "test",
"Value": "me"
}],
"PerformanceMode": "generalPurpose",
"ThroughputMode": "bursting",
"LifecyclePolicies": [{
"TransitionToIA": "AFTER_30_DAYS"
}, {
"TransitionToPrimaryStorageClass": "AFTER_1_ACCESS"
}],
"BackupPolicy": {
"Status": "ENABLED"
},
"FileSystemPolicy": {},
"KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/0e6c91d5-e23b-4ed3-bd36-1561fbbc0a2d"
},
"supplementaryConfiguration": {},
"tags": {
"aws:elasticfilesystem:default-backup": "enabled",
"test": "me",
"Name": "cloudcontroltest1"
},
"configurationItemVersion": "1.3",
"configurationItemCaptureTime": "2022-03-16T01:10:50.837Z",
"configurationStateId": 1647393050837,
"awsAccountId": "123456789012",
"configurationItemStatus": "OK",
"resourceType": "AWS::EFS::FileSystem",
"resourceId": "fs-01f0d526165b57f95",
"resourceName": "fs-01f0d526165b57f95",
"ARN": "arn:aws:elasticfilesystem:us-east-1:123456789012:file-system/fs-01f0d526165b57f95",
"awsRegion": "us-east-1",
"availabilityZone": "Regional",
"configurationStateMd5Hash": ""
}
}
}
```
# 範例規則評估已啟動通知
AWS Config 當 開始針對您的 資源評估您的自訂或受管規則時, 會傳送通知。以下是 AWS Config 開始評估`iam-password-policy`受管規則時的範例通知。
```
{
"Type": "Notification",
"MessageId": "358c8e65-e27a-594e-82d0-de1fe77393d7",
"TopicArn": "arn:aws:sns:us-east-2:123456789012:config-topic-ohio",
"Subject": "[AWS Config:us-east-2] Config Rules Evaluation Started for Account 123456789012",
"Message": {
"awsAccountId": "123456789012",
"awsRegion": "us-east-2",
"configRuleNames": ["iam-password-policy"],
"notificationCreationTime": "2016-10-13T21:55:21.339Z",
"messageType": "ConfigRulesEvaluationStarted",
"recordVersion": "1.0"
},
"Timestamp": "2016-10-13T21:55:21.575Z",
"SignatureVersion": "1",
"Signature": "DE431D+24zzFRboyPY2bPTsznJWe8L6TjDC+ItYlLFkE9jACSBl3sQ1uSjYzEhEbN7Cs+wBoHnJ/DxOSpyCxt4giqgKd+H2I636BvrQwHDhJwJm7qI6P8IozEliRvRWbM38zDTvHqkmmXQbdDHRsK/MssMeVTBKuW0x8ivMrj+KpwuF57tE62eXeFhjBeJ0DKQV+aC+i3onsuT7HQvXQDBPdOM+cSuLrJaMQJ6TcMU5G76qg/gl494ilb4Vj4udboGWpHSgUvI3guFsc1SsTrlWXQKXabWtsCQPfdOhkKgmViCfMZrLRp8Pjnu+uspYQELkEfwBchDVVzd15iMrAzQ==",
"SigningCertURL": "https://sns.us-east-2.amazonaws.com/SimpleNotificationService-b95095beb82e8f6a046b3aafc7f4149a.pem",
"UnsubscribeURL": "https://sns.us-east-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-east-2:123456789012:config-topic-ohio:956fe658-0ce3-4fb3-b409-a45f22a3c3d4"
}
```
# 範例大型組態項目變更通知
當 AWS Config 偵測到資源的組態變更時,它會傳送組態項目 (CI) 通知。如果通知超過 Amazon Simple Notification Service (Amazon SNS) 允許的大小上限,則通知會包含組態項目的簡短摘要。
您可以在 `s3BucketLocation` 欄位所指定的 Amazon S3 儲存貯體位置檢視完整通知。
下列通知範例顯示 Amazon EC2 執行個體的 CI。通知包含變更摘要以及 Amazon S3 儲存貯體中的通知位置。
```
View the Timeline for this Resource in the Console:
https://console.aws.amazon.com/config/home?region=us-west-2#/timeline/AWS::EC2::Instance/resourceId_14b76876-7969-4097-ab8e-a31942b02e80?time=2016-10-06T16:46:16.261Z
The full configuration item change notification for this resource exceeded the maximum size allowed by Amazon Simple Notification Service (SNS). A summary of the configuration item is provided here. You can view the complete notification in the specified Amazon S3 bucket location.
New State Record Summary:
----------------------------
{
"configurationItemSummary": {
"changeType": "UPDATE",
"configurationItemVersion": "1.2",
"configurationItemCaptureTime": "2016-10-06T16:46:16.261Z",
"configurationStateId": 0,
"awsAccountId": "123456789012",
"configurationItemStatus": "OK",
"resourceType": "AWS::EC2::Instance",
"resourceId": "resourceId_14b76876-7969-4097-ab8e-a31942b02e80",
"resourceName": null,
"ARN": "arn:aws:ec2:us-west-2:123456789012:instance/resourceId_14b76876-7969-4097-ab8e-a31942b02e80",
"awsRegion": "us-west-2",
"availabilityZone": null,
"configurationStateMd5Hash": "8f1ee69b287895a0f8bc5753eca68e96",
"resourceCreationTime": "2016-10-06T16:46:10.489Z"
},
"s3DeliverySummary": {
"s3BucketLocation": "amzn-s3-demo-bucket/AWSLogs/123456789012/Config/us-west-2/2016/10/6/OversizedChangeNotification/AWS::EC2::Instance/resourceId_14b76876-7969-4097-ab8e-a31942b02e80/123456789012_Config_us-west-2_ChangeNotification_AWS::EC2::Instance_resourceId_14b76876-7969-4097-ab8e-a31942b02e80_20161006T164616Z_0.json.gz",
"errorCode": null,
"errorMessage": null
},
"notificationCreationTime": "2016-10-06T16:46:16.261Z",
"messageType": "OversizedConfigurationItemChangeNotification",
"recordVersion": "1.0"
}
```
## 如何存取過大的組態項目
當組態項目過大時,只會將摘要傳送至 Amazon SNS。完整的組態項目 (CI) 存放在 Amazon S3 中
下列程式碼範例示範如何存取完整的 CI。
```
import boto3
import json
def handle_oversized_configuration_item(event):
"""
Example of handling an oversized configuration item notification
When a configuration item is oversized:
1. AWS Config sends a summary notification through SNS
2. The complete configuration item is stored in S3
3. Use get_resource_config_history API to retrieve the complete configuration
"""
# Extract information from the summary notification
if event['messageType'] == 'OversizedConfigurationItemChangeNotification':
summary = event['configurationItemSummary']
resource_type = summary['resourceType']
resource_id = summary['resourceId']
# Initialize AWS Config client
config_client = boto3.client('config')
# Retrieve the complete configuration item
response = config_client.get_resource_config_history(
resourceType=resource_type,
resourceId=resource_id
)
if response['configurationItems']:
config_item = response['configurationItems'][0]
# For EC2 instances, the configuration contains instance details
configuration = json.loads(config_item['configuration'])
print(f"Instance Configuration: {configuration}")
# Handle supplementary configuration if present
if 'supplementaryConfiguration' in config_item:
for key, value in config_item['supplementaryConfiguration'].items():
if isinstance(value, str):
config_item['supplementaryConfiguration'][key] = json.loads(value)
print(f"Supplementary Configuration: {config_item['supplementaryConfiguration']}")
return config_item
# If needed, you can also access the complete notification from S3
s3_location = event['s3DeliverySummary']['s3BucketLocation']
print(f"Complete notification available in S3: {s3_location}")
return None
```
## 運作方式
1. 函數接受包含 AWS Config 通知的事件參數。
1. 它會檢查訊息類型是否為過大的組態通知。
1. 函數會從摘要中擷取資源類型和 ID。
1. 使用 AWS Config 用戶端,它會擷取完整的組態歷史記錄。
1. 函數會同時處理主要和補充組態。
1. 如有需要,您可以從提供的 S3 位置存取完整的通知。
# 範例交付失敗通知
AWS Config 如果 AWS Config 無法將組態快照或過大的組態項目變更通知傳送到 Amazon S3 儲存貯體, 會傳送傳送失敗通知。驗證您已指定有效的 Amazon S3 儲存貯體。
```
View the Timeline for this Resource in the Console:
https://console.aws.amazon.com/config/home?region=us-west-2#/timeline/AWS::EC2::Instance/test_resourceId_014b953d-75e3-40ce-96b9-c7240b975457?time=2016-10-06T16:46:13.749Z
The full configuration item change notification for this resource exceeded the maximum size allowed by Amazon Simple Notification Service (SNS). A summary of the configuration item is provided here. You can view the complete notification in the specified Amazon S3 bucket location.
New State Record Summary:
----------------------------
{
"configurationItemSummary": {
"changeType": "UPDATE",
"configurationItemVersion": "1.2",
"configurationItemCaptureTime": "2016-10-06T16:46:13.749Z",
"configurationStateId": 0,
"awsAccountId": "123456789012",
"configurationItemStatus": "OK",
"resourceType": "AWS::EC2::Instance",
"resourceId": "test_resourceId_014b953d-75e3-40ce-96b9-c7240b975457",
"resourceName": null,
"ARN": "arn:aws:ec2:us-west-2:123456789012:instance/test_resourceId_014b953d-75e3-40ce-96b9-c7240b975457",
"awsRegion": "us-west-2",
"availabilityZone": null,
"configurationStateMd5Hash": "6de64b95eacd30e7b63d4bba7cd80814",
"resourceCreationTime": "2016-10-06T16:46:10.489Z"
},
"s3DeliverySummary": {
"s3BucketLocation": null,
"errorCode": "NoSuchBucket",
"errorMessage": "Failed to deliver notification to bucket: bucket-example for account 123456789012 in region us-west-2."
},
"notificationCreationTime": "2016-10-06T16:46:13.749Z",
"messageType": "OversizedConfigurationItemChangeDeliveryFailed",
"recordVersion": "1.0"
}
```