Configuring AWS Config Alerts

CloudCheckr’s Alert Builder allows you to be alerted when specific conditions within your AWS deployment are met.   With the Alert Builder you can configure alerts based on cost, or on resource usage and changes.


CloudCheckr allows you to create an unlimited number of alerts across multiple alert types. Alerts can be based on costs, resource usage (such as EC2, or S3), or AWS activity recorded by the CloudTrail and/or AWS Config services.


To build an alert based on changes detected from AWS Config, choose the “Resource Changes (via AWS Config) alert type from the dropdown.  This will refresh the Alert Builder page, giving you AWS Config-specific options.


Next, give your alert a name. This name will be used in the subject line of the alert emails you receive, so choose an appropriate name.


Then choose how you would like CloudCheckr to deliver your alerts.  You can choose any or all of the following options:

Email – enter the email address(es) you’d like to receive the alert.  Separate multiple addresses with a comma.

SNS Topic – enter the ARN of an SNS topic.  NOTE: The IAM user whose credentials were added to CloudCheckr needs sns:Publish permissions to use this feature.

PagerDuty – enter your PagerDuty service API key into this field to have the alert routed through PagerDuty’s alerting system.


Next you choose which type(s) of resource changes, on which type(s) of resources you would like to trigger an alert.


You can use the quick select box to automatically filter your alert around a pre-defined concept including:

  • Resource Deleted
  • Security Group Modified
  • All Security-Related Changes

Selecting any of those options will modify the selected resource type and/or change type for the alert.  For example, selecting “Security Group Modified” will have the alert builder filter the Resource Type selection to EC2 Security Group.

You can further edit these configurations using the options below.  You can also select <Build your own filter from below> to choose your own filter selections.


You have the flexibility to choose to filter your alerts by Availability Zone, Resource Type, and/or Change Type.  You can choose one, all, or any combination of options within each section.

NOTE: You can click the binoculars icon above each section for an easier way to interact with the options.

Availability Zone – the availability zone where the resource(s) whose changes you’d like to receive alerts for are located.  NOTE: not all resources are tied to an availability zone.

Resource Type – the type of resource, such as EC2 instance, Security Group, or VPC Subnet.

Change Type – the change you’d like to receive an alert for, including Resource Deleted, Relationship Created, and Tag Modified.


You can also choose to filter your alert by specific resource ID, or by resource tag.


IMPORTANT: For AWS Config alerts to function you must add CloudCheckr as a subscriber to your AWS Config SNS topic. This will allow CloudCheckr to process the notifications being delivered via SNS so the alerts can be triggered in near real-time, instead of waiting for CloudCheckr to retrieve the log files from S3.


To add CloudCheckr as a subscriber of your SNS topic, follow these steps:

1. Copy the Endpoint URL from the Alert Builder (as shown above).

2. Login to the SNS Service within the AWS Management Console.


3. Locate and select the SNS Topic used for AWS Config in the list of topics.


4. Click the Create New Subscription button.


5. In the pop-up, paste the URL taken from CloudCheckr’s alert builder into the Endpoint text box.  For Protocol, be sure that HTTPS is selected.

6. Click Subscribe.

That’s it!  CloudCheckr will automatically confirm the subscription and your AWS Config alerts can now be delivered.

Leave a Reply