Search code examples
amazon-web-servicestags

Send notification if any newly launched aws resource doesn't have specific tags

My requirement is to track any newly launch aws service/resources which does have 2 specific tags. What is the best way to do this? Right now thinking to have a lambda which will keep pinging any new resources is being launched or not which doesn't have specific tags.

Any other recommendation!

Solution

  • We do have a similar requirement where we want to ascertain that all of the newly created resources confirm certain requirements ( having specific tags and does not breach any security best practices).

    We have implemented a soln which was based on AWS Config service

    "AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. With Config, you can review changes in configurations and relationships between AWS resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines. This enables you to simplify compliance auditing, security analysis, change management, and operational troubleshooting." Reference: https://aws.amazon.com/config/

    Consolidated list of the resources supported by AWS Config can be found at: https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html

    The High-level design to achieve this as below:

    enter image description here

    The following needs to be done to implement the architecture

    1. Enable Conf service in the region which you want to observe.

    2. Enable config change recording from config console.

    3. Create a lambda that evaluates the json event received for the config changes on AWS resources monitored by Config service and check for tags (in your case).

    4. Create a custom config rule which observes the event for resources of your interest delegate those events to the lambda which you have created in step 3.

    5. Lambda can send events to SNS for noncompliant resources. From SNS you can trigger an email