Need Help with SNS Filter Policy for AWS Config EC2 Messages

Asked By TechSavvyDude42 On

I'm trying to set up an SNS Topic to receive AWS Config messages specifically for EC2 instances. I've created a subscription to this topic hoping to get notified via email about any EC2-related messages. Without any filtering, it works perfectly; I receive all the AWS Config messages. However, when I implement a filter policy to just catch EC2 instance messages, I don't receive anything. Here's what I'm using for the filter policy:

```json
{
  "configurationItem": {
    "resourceType": [
      "AWS::EC2::Instance"
    ]
  }
}
```

I've verified that 'resourceType' is present in the configurationItem when there's no filter applied. I've also tested filtering on different properties, but none of them seem to give any results. Can anyone suggest what I'm doing wrong or how to fix this?

1 Answer

Answered By CloudExpert99 On

The issue you’re facing is a common stumbling block with SNS filters. The SNS filtering doesn't check the message body directly; it only looks at the MessageAttributes included with the notification. Because AWS Config sends its payload as a JSON message in the body, your filtering policy won’t catch anything since it’s trying to match an attribute that doesn’t exist.

You might want to consider adding a Lambda function that can extract the required fields from the message body and publish them as attributes. Alternatively, routing the notifications through EventBridge is typically a simpler approach, as it has a built-in rules engine that can parse JSON structures effectively. Is there a specific reason you’re sticking with the SNS Topic for the notifications?

InquiryMaster333 -

I think you’re on point! The SNS documentation often highlights the use of MessageAttributes for filtering, and it seems like that’s the key here. Just for clarity, here's a link that goes into detail about filtering capabilities, including on the message body: [Payload-based message filtering for Amazon SNS](https://aws.amazon.com/blogs/compute/introducing-payload-based-message-filtering-for-amazon-sns/). So, if you can set it up properly, it might just work!
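Added example, not part of the thread and not AWS code: a simplified local model of SNS filter-policy matching that runs the question's policy against a constructed AWS Config notification under both values of the subscription's `FilterPolicyScope` attribute, plus the Lambda-style attribute extraction the answer suggests. The sample body, `ATTR_POLICY` and the helper names are assumptions, the notification is assumed to carry no message attributes (as the answer describes), and the matcher covers only exact string matching, not the full SNS policy syntax.

```python
import json

# Constructed sample: trimmed AWS Config notification as it arrives in the SNS message body.
CONFIG_BODY = json.dumps({
    "messageType": "ConfigurationItemChangeNotification",
    "configurationItem": {"resourceType": "AWS::EC2::Instance", "resourceId": "i-EXAMPLE"},
})
# Filter policy from the question (nested keys only make sense against the body).
BODY_POLICY = {"configurationItem": {"resourceType": ["AWS::EC2::Instance"]}}
# Hypothetical flat policy for the Lambda re-publish route.
ATTR_POLICY = {"resourceType": ["AWS::EC2::Instance"]}


def _matches(policy, data):
    """Simplified matcher: every key must match (AND), any listed string may match (OR)."""
    if not isinstance(data, dict):
        return False
    for key, cond in policy.items():
        if key not in data:
            return False
        if isinstance(cond, dict):
            if not _matches(cond, data[key]):
                return False
        elif data[key] not in cond:
            return False
    return True


def delivered(policy, body, message_attributes, scope="MessageAttributes"):
    """Model of the subscription's FilterPolicyScope: attributes (default) or body."""
    if scope == "MessageBody":
        try:
            return _matches(policy, json.loads(body))
        except ValueError:  # a non-JSON body cannot match a payload policy
            return False
    flat = {name: attr.get("StringValue") for name, attr in message_attributes.items()}
    return _matches(policy, flat)


def attributes_from_body(body):
    """What a re-publishing Lambda would attach as MessageAttributes (hypothetical helper)."""
    item = json.loads(body).get("configurationItem", {})
    return {"resourceType": {"DataType": "String", "StringValue": item.get("resourceType", "")}}


if __name__ == "__main__":
    print(delivered(BODY_POLICY, CONFIG_BODY, {}))                 # default scope
    print(delivered(BODY_POLICY, CONFIG_BODY, {}, "MessageBody"))  # payload scope
    print(delivered(ATTR_POLICY, CONFIG_BODY, attributes_from_body(CONFIG_BODY)))
```

On a real subscription the scope is changed with `set_subscription_attributes`, setting `FilterPolicyScope` to `MessageBody`; the default is `MessageAttributes`.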
