作ったのでメモとして残しておきます。
CloudFormation
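# CloudFormation resources for notifying on AWS Config compliance changes:
# an SNS topic, an EventBridge rule that forwards NON_COMPLIANT evaluations of
# MyConfigRule to the topic, and the topic policy that lets EventBridge publish.
Resources:
  # Notification topic with an e-mail subscription (placeholder values).
  AwsConfigSnsTopic:
    Type: AWS::SNS::Topic
    Properties:
      DisplayName: yourtopic
      TopicName: YourTopicName
      Subscription:
        - Endpoint: yourmail@example.com
          Protocol: email

  # Matches Config compliance-change events for MyConfigRule whose new result
  # is NON_COMPLIANT and sends a human-readable message to the topic.
  ConfigRulesChangedNotifyEventRule:
    Type: AWS::Events::Rule
    Properties:
      EventPattern:
        source:
          - aws.config
        detail-type:
          - "Config Rules Compliance Change"
        detail:
          configRuleName:
            - !Ref MyConfigRule
          newEvaluationResult:
            complianceType:
              - NON_COMPLIANT
      State: "ENABLED"
      Targets:
        # Target Id is a string property; quoted so YAML does not read it as an int.
        - Id: "1"
          Arn: !Ref AwsConfigSnsTopic
          InputTransformer:
            # JSONPath values extracted from the event, substituted as <name>
            # placeholders into InputTemplate below.
            InputPathsMap:
              awsRegion: "$.detail.awsRegion"
              resourceId: "$.detail.resourceId"
              awsAccountId: "$.detail.awsAccountId"
              compliance: "$.detail.newEvaluationResult.complianceType"
              rule: "$.detail.configRuleName"
              time: "$.detail.newEvaluationResult.resultRecordedTime"
              resourceType: "$.detail.resourceType"
            InputTemplate: "\"On <time> AWS Config rule <rule> evaluated the <resourceType> with Id <resourceId> in the account <awsAccountId> region <awsRegion> as <compliance> For more details open the AWS Config console at https://console.aws.amazon.com/config/home?region=<awsRegion>#/timeline/<resourceType>/<resourceId>/configuration\""

  # Without this policy the rule's deliveries fail (FailedInvocations) and no
  # message reaches the topic. The statement is scoped with aws:SourceArn so
  # only this rule — not any EventBridge rule in any account — may publish.
  AwsConfigSnsTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - !Ref AwsConfigSnsTopic
      PolicyDocument:
        # Quoted so YAML does not parse the policy version as a date.
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action:
              - sns:Publish
            Resource: !Ref AwsConfigSnsTopic
            Condition:
              ArnEquals:
                aws:SourceArn: !GetAtt ConfigRulesChangedNotifyEventRule.Arn

  # The Config rule whose compliance changes are reported (definition omitted).
  MyConfigRule:
    Type: AWS::Config::ConfigRule
    # ... remainder omitted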
ポイント
メッセージの整形
ここの内容を元にCloudFormationでInputTransformerを設定しています。
FailedInvocationsでSNSメッセージが飛ばない
SNSのアクセスポリシーで events.amazonaws.com からのPublish権限を付けてあげると上手くいきます。GUIから設定すると自動で設定されるので気付かなかったです。