Configuring AWS Config Alerts
CloudCheckr's Alert Builder ensures that CloudCheckr alerts you when specific conditions within your AWS deployment are met.
CloudCheckr allows you to create an unlimited number of alerts across multiple alert types. You can base alerts on costs, resource usage (such as EC2 or S3), or AWS activity recorded by the CloudTrail and/or AWS Config services.
To build an alert based on changes detected from AWS Config:
- Choose the Resource Changes (via AWS Config) alert type from the drop-down menu. The Alert Builder page opens with AWS Config-specific options.
- Type a name for your alert. CloudCheckr will use this name in the subject line of the alert emails you receive.
Alert Delivery Options
After you create your alert, you can choose how you want CloudCheckr to deliver your alerts:
- Email: email address(es) where you want to send the alert; separate multiple addresses with a comma
- SNS Topic: ARN value of an SNS topic
The IAM user whose credentials were added to CloudCheckr needs sns:Publish permissions to use this feature.
- PagerDuty: your PagerDuty service API key, which will route the alert through PagerDuty's alerting system
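The sns:Publish permission mentioned above can be granted on the single topic used for alerts rather than on every topic. As an added example (not CloudCheckr's code), this Python check classifies how a policy grants sns:Publish on a topic; the topic ARN, account ID and both policies are constructed, and only Allow statements with Action/Resource are read (Deny, NotAction, NotResource and Condition are not evaluated).

```python
import re

# Constructed sample values: the account ID, topic name and both policies are placeholders.
TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:cloudcheckr-alerts"

BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sns:*", "Resource": "*"}]}

SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["sns:Publish"], "Resource": [TOPIC_ARN]}]}


def _as_list(value):
    """IAM lets Statement, Action and Resource be a single item or a list."""
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, value, ignore_case=False):
    """IAM wildcards: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None


def review_publish_grant(policy, topic_arn):
    """Classify how a policy grants sns:Publish on topic_arn.

    Returns 'missing', 'scoped' or 'overbroad'. Simplified on purpose:
    only Allow statements with Action/Resource are read; Deny, NotAction,
    NotResource and Condition are not evaluated.
    """
    result = "missing"
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        # Action names are case-insensitive in IAM; resource ARNs are not.
        actions = [a for a in _as_list(stmt.get("Action", []))
                   if _iam_match(a, "sns:Publish", ignore_case=True)]
        resources = [r for r in _as_list(stmt.get("Resource", []))
                     if _iam_match(r, topic_arn)]
        if not (actions and resources):
            continue
        # A wildcard in the matching action or resource reaches beyond this one topic.
        if any("*" in x or "?" in x for x in actions + resources):
            return "overbroad"
        result = "scoped"
    return result
```
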
Alert Parameters
After you choose your delivery options, you can choose what changes will trigger an alert. You can refine your filter on parameters such as the following:
- Resource Deleted
- Security Group Modified
- All Security-Related Changes
When you select one or more of these options, you refine the selected resource type and/or change type for the alert. For example, selecting Security Group Modified allows the alert builder to filter the Resource Type by EC2 Security Group.
You can further refine your configurations by the following parameters:
- Availability Zone: the location of the resources that will trigger the alert
Not all resources are tied to an availability zone.
- Resource Type: the type of resource, such as EC2 instance, Security Group, or VPC Subnet
- Change Type: the type of change that you want to trigger an alert, such as Resource Deleted, Relationship Created, and Tag Modified
You can choose one, all, or any combination of these parameters.
You can also select Build your own filter from below to configure your own filters.
You can also choose to filter your alert by specific resource ID or by resource tag.
Adding CloudCheckr as a Subscriber to Your Config SNS Topic
To add CloudCheckr as a subscriber of your SNS topic:
- Copy the Endpoint URL from the Alert Builder.
- Log into the SNS Service within the AWS Management Console.
- Locate and select the SNS Topic used for AWS Config from the list of topics.
- Click the Create New Subscription button.
- In the dialog box, paste the Endpoint URL into the associated text field.
- For the Protocol option, verify that you selected HTTPS.
- Click Subscribe. CloudCheckr will automatically confirm the subscription and your AWS Config alerts can now be delivered.