Example Oversized Configuration Item Change Notification - AWS Config

This page is a machine translation of the English version; where the content is ambiguous or inconsistent, the English version prevails.

Example oversized configuration item change notification

When AWS Config detects a configuration change to a resource, it sends a configuration item (CI) notification. If the notification exceeds the maximum size allowed by Amazon Simple Notification Service (Amazon SNS), the notification contains only a brief summary of the configuration item.

You can view the complete notification at the Amazon S3 bucket location specified in the s3BucketLocation field.

The following example notification shows the CI for an Amazon EC2 instance. The notification includes a summary of the change and the location of the full notification in the Amazon S3 bucket.

View the Timeline for this Resource in the Console: https://console.aws.amazon.com/config/home?region=us-west-2#/timeline/AWS::EC2::Instance/resourceId_14b76876-7969-4097-ab8e-a31942b02e80?time=2016-10-06T16:46:16.261Z

The full configuration item change notification for this resource exceeded the maximum size allowed by Amazon Simple Notification Service (SNS). A summary of the configuration item is provided here. You can view the complete notification in the specified Amazon S3 bucket location.

New State Record Summary:
----------------------------
{
    "configurationItemSummary": {
        "changeType": "UPDATE",
        "configurationItemVersion": "1.2",
        "configurationItemCaptureTime": "2016-10-06T16:46:16.261Z",
        "configurationStateId": 0,
        "awsAccountId": "123456789012",
        "configurationItemStatus": "OK",
        "resourceType": "AWS::EC2::Instance",
        "resourceId": "resourceId_14b76876-7969-4097-ab8e-a31942b02e80",
        "resourceName": null,
        "ARN": "arn:aws:ec2:us-west-2:123456789012:instance/resourceId_14b76876-7969-4097-ab8e-a31942b02e80",
        "awsRegion": "us-west-2",
        "availabilityZone": null,
        "configurationStateMd5Hash": "8f1ee69b287895a0f8bc5753eca68e96",
        "resourceCreationTime": "2016-10-06T16:46:10.489Z"
    },
    "s3DeliverySummary": {
        "s3BucketLocation": "amzn-s3-demo-bucket/AWSLogs/123456789012/Config/us-west-2/2016/10/6/OversizedChangeNotification/AWS::EC2::Instance/resourceId_14b76876-7969-4097-ab8e-a31942b02e80/123456789012_Config_us-west-2_ChangeNotification_AWS::EC2::Instance_resourceId_14b76876-7969-4097-ab8e-a31942b02e80_20161006T164616Z_0.json.gz",
        "errorCode": null,
        "errorMessage": null
    },
    "notificationCreationTime": "2016-10-06T16:46:16.261Z",
    "messageType": "OversizedConfigurationItemChangeNotification",
    "recordVersion": "1.0"
}

How to access an oversized configuration item

When a configuration item is oversized, only a summary is sent to Amazon SNS. The complete configuration item (CI) is stored in Amazon S3.

The following code example shows how to access the complete CI.

import boto3
import json


def handle_oversized_configuration_item(event):
    """
    Example of handling an oversized configuration item notification

    When a configuration item is oversized:
    1. AWS Config sends a summary notification through SNS
    2. The complete configuration item is stored in S3
    3. Use get_resource_config_history API to retrieve the complete configuration
    """
    # Extract information from the summary notification
    if event['messageType'] == 'OversizedConfigurationItemChangeNotification':
        summary = event['configurationItemSummary']
        resource_type = summary['resourceType']
        resource_id = summary['resourceId']

        # Initialize AWS Config client
        config_client = boto3.client('config')

        # Retrieve the complete configuration item (most recent entry first)
        response = config_client.get_resource_config_history(
            resourceType=resource_type,
            resourceId=resource_id
        )

        if response['configurationItems']:
            config_item = response['configurationItems'][0]

            # For EC2 instances, the configuration contains instance details
            configuration = json.loads(config_item['configuration'])
            print(f"Instance Configuration: {configuration}")

            # Handle supplementary configuration if present
            # (each value arrives as a JSON-encoded string)
            if 'supplementaryConfiguration' in config_item:
                for key, value in config_item['supplementaryConfiguration'].items():
                    if isinstance(value, str):
                        config_item['supplementaryConfiguration'][key] = json.loads(value)
                print(f"Supplementary Configuration: {config_item['supplementaryConfiguration']}")

            return config_item

        # If needed, you can also access the complete notification from S3
        s3_location = event['s3DeliverySummary']['s3BucketLocation']
        print(f"Complete notification available in S3: {s3_location}")

    return None

How it works

  1. The function accepts an event parameter containing the AWS Config notification.

  2. It checks whether the message type is an oversized configuration notification.

  3. The function extracts the resource type and ID from the summary.

  4. Using the AWS Config client, it retrieves the complete configuration history.

  5. The function processes both the primary and the supplementary configuration.

  6. If needed, you can access the complete notification from the S3 location provided.
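The page's example retrieves the CI through get_resource_config_history; the other route it mentions, reading the complete notification from the s3BucketLocation in the summary, is shown below. This is an added example, not AWS's own code. It unwraps the SNS envelope that Lambda actually receives (Records[].Sns.Message is a JSON string, not the parsed notification the page's handler takes), splits s3BucketLocation into bucket and key at the first slash, refuses any bucket other than the one the delivery channel is known to write to, surfaces a non-null errorCode instead of fetching, and checks that the fetched CI names the same resource as the summary. ALLOWED_DELIVERY_BUCKETS, FakeS3Client, the trimmed SAMPLE_SUMMARY and the shape of the constructed full notification are assumptions made so the code runs offline; in production the S3 client is boto3.client("s3") and the caller needs s3:GetObject on the Config delivery bucket's OversizedChangeNotification prefix.

```python
import gzip
import io
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the page's summary notification, trimmed to the fields used here.
SAMPLE_SUMMARY: Dict = {
    "configurationItemSummary": {
        "changeType": "UPDATE",
        "resourceType": "AWS::EC2::Instance",
        "resourceId": "resourceId_14b76876-7969-4097-ab8e-a31942b02e80",
    },
    "s3DeliverySummary": {
        "s3BucketLocation": (
            "amzn-s3-demo-bucket/AWSLogs/123456789012/Config/us-west-2/2016/10/6/"
            "OversizedChangeNotification/AWS::EC2::Instance/"
            "resourceId_14b76876-7969-4097-ab8e-a31942b02e80/"
            "123456789012_Config_us-west-2_ChangeNotification_AWS::EC2::Instance_"
            "resourceId_14b76876-7969-4097-ab8e-a31942b02e80_20161006T164616Z_0.json.gz"
        ),
        "errorCode": None,
        "errorMessage": None,
    },
    "messageType": "OversizedConfigurationItemChangeNotification",
    "recordVersion": "1.0",
}
# SNS hands Lambda the notification as a JSON *string* inside Records[].Sns.Message.
SAMPLE_LAMBDA_EVENT: Dict = {"Records": [{"Sns": {"Message": json.dumps(SAMPLE_SUMMARY)}}]}

# Assumption: the delivery channel writes to exactly this bucket. Refusing anything
# else keeps a malformed or spoofed message from steering the handler to a location
# the operator never configured.
ALLOWED_DELIVERY_BUCKETS = {"amzn-s3-demo-bucket"}


@dataclass(frozen=True)
class OversizedPointer:
    resource_type: str
    resource_id: str
    bucket: str
    key: str


def parse_oversized_notification(message: Dict) -> Optional[OversizedPointer]:
    """Return where the full CI lives, or None if this is not an oversized summary."""
    if message.get("messageType") != "OversizedConfigurationItemChangeNotification":
        return None
    delivery = message["s3DeliverySummary"]
    if delivery.get("errorCode") is not None:
        # Config could not write the full CI, so there is nothing to fetch.
        raise RuntimeError(f"full CI not delivered: {delivery['errorCode']}: {delivery.get('errorMessage')}")
    # s3BucketLocation is "<bucket>/<key>"; only the first '/' separates the two.
    bucket, _, key = delivery["s3BucketLocation"].partition("/")
    if bucket not in ALLOWED_DELIVERY_BUCKETS or not key:
        raise ValueError(f"unexpected delivery location {delivery['s3BucketLocation']!r}")
    summary = message["configurationItemSummary"]
    return OversizedPointer(summary["resourceType"], summary["resourceId"], bucket, key)


def load_full_notification(s3_client, ptr: OversizedPointer) -> Dict:
    """Fetch the gzipped JSON at the pointer and check it describes the summarized resource."""
    body = s3_client.get_object(Bucket=ptr.bucket, Key=ptr.key)["Body"].read()
    full = json.loads(gzip.decompress(body))
    ci = full["configurationItem"]
    if (ci["resourceType"], ci["resourceId"]) != (ptr.resource_type, ptr.resource_id):
        raise ValueError("S3 object does not describe the resource named in the summary")
    return full


def resolve_oversized_notifications(event: Dict, s3_client) -> List[Dict]:
    """Lambda-style entry point: unwrap each SNS record and follow any oversized pointer."""
    results = []
    for record in event.get("Records", []):
        ptr = parse_oversized_notification(json.loads(record["Sns"]["Message"]))
        if ptr is not None:
            results.append(load_full_notification(s3_client, ptr))
    return results


class FakeS3Client:
    """Offline stand-in for boto3's S3 client (constructed for this example)."""

    def __init__(self, objects: Dict[Tuple[str, str], bytes]):
        self._objects = objects

    def get_object(self, Bucket: str, Key: str) -> Dict:
        return {"Body": io.BytesIO(self._objects[(Bucket, Key)])}


def build_sample_objects() -> Dict[Tuple[str, str], bytes]:
    """Constructed full notification, gzipped as Config stores it (shape is assumed)."""
    ptr = parse_oversized_notification(SAMPLE_SUMMARY)
    full = {
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": ptr.resource_type,
            "resourceId": ptr.resource_id,
            "configuration": {"instanceType": "t2.micro", "state": {"name": "running"}},
        },
    }
    return {(ptr.bucket, ptr.key): gzip.compress(json.dumps(full).encode())}


if __name__ == "__main__":
    s3 = FakeS3Client(build_sample_objects())
    for full in resolve_oversized_notifications(SAMPLE_LAMBDA_EVENT, s3):
        print(full["configurationItem"]["resourceId"], full["configurationItem"]["configuration"])
```

The bucket allowlist and the resource cross-check are the two places where this differs from simply trusting the summary: the summary is only a pointer, and the handler should decide for itself which bucket it is willing to read from and whether what it read is the CI it was told about.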