Add AWS Config CCF data connector#14440
Conversation
Updated the AWS Config CloudFormation template to replace CloudFormation short-form intrinsic function tags, such as `!Ref`, `!Sub`, `!Equals`, `!If`, and `!GetAtt`, with the equivalent long-form syntax, such as `Ref`, `Fn::Sub`, `Fn::Equals`, `Fn::If`, and `Fn::GetAtt`. This change does not modify the CloudFormation logic or resource behavior. It only adjusts the YAML syntax so the Microsoft Sentinel repository YAML validation can parse the template successfully.
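The tag rewrite described in the commit message can be automated rather than done by hand. The script below is an added example, not code from this PR or from the Azure Sentinel repository: it teaches PyYAML (assumed installed) the `!` tags, parses a template, and re-emits it with only long-form keys, which is exactly the shape a stock `yaml.safe_load` accepts. The `SAMPLE_TEMPLATE` is constructed for the demo and is not the PR's CloudFormation template.

```python
"""Rewrite CloudFormation short-form intrinsic tags as their long-form mappings.

Added example (not part of the PR). Assumes PyYAML is installed (pip install pyyaml).
"""
import sys

import yaml


def _long_form_key(tag_suffix: str) -> str:
    """`!Ref` and `!Condition` keep their bare names; every other tag becomes `Fn::<Name>`."""
    return tag_suffix if tag_suffix in ("Ref", "Condition") else f"Fn::{tag_suffix}"


def _construct_intrinsic(loader, tag_suffix, node):
    """PyYAML multi-constructor: turn `!Tag value` into {"<long-form key>": value}."""
    if isinstance(node, yaml.ScalarNode):
        value = loader.construct_scalar(node)
        if tag_suffix == "GetAtt":
            # `!GetAtt Resource.Attribute` is shorthand for `Fn::GetAtt: [Resource, Attribute]`
            value = value.split(".", 1)
    elif isinstance(node, yaml.SequenceNode):
        value = loader.construct_sequence(node, deep=True)   # e.g. !If [cond, a, b]
    elif isinstance(node, yaml.MappingNode):
        value = loader.construct_mapping(node, deep=True)    # e.g. !Sub with a variable map
    else:
        raise TypeError(f"unexpected YAML node for !{tag_suffix}: {node!r}")
    return {_long_form_key(tag_suffix): value}


class _CfnLoader(yaml.SafeLoader):
    """SafeLoader that additionally understands the `!...` intrinsic tags."""


_CfnLoader.add_multi_constructor("!", _construct_intrinsic)


def to_long_form(template_text: str) -> dict:
    """Parse a template (short or long form) into plain dicts/lists using long-form keys."""
    return yaml.load(template_text, Loader=_CfnLoader)


def convert(template_text: str) -> str:
    """Return the template as YAML text that contains no `!` tags."""
    return yaml.safe_dump(to_long_form(template_text), sort_keys=False, default_flow_style=False)


def parses_without_custom_tags(template_text: str) -> bool:
    """True if the stock safe loader accepts the text, i.e. no short-form tags remain.

    This is the check a repository YAML validator effectively performs."""
    try:
        yaml.safe_load(template_text)
        return True
    except yaml.YAMLError:
        return False


def round_trips(template_text: str) -> bool:
    """The converted text must be readable by the stock loader and equal to the parsed long form."""
    return yaml.safe_load(convert(template_text)) == to_long_form(template_text)


# Constructed sample; not the PR's template. Uses each tag the commit message names.
SAMPLE_TEMPLATE = """\
Parameters:
  Env:
    Type: String
Conditions:
  IsProd: !Equals [!Ref Env, prod]
Resources:
  LogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub "/aws/lambda/${AWS::StackName}-poller"
      RetentionInDays: !If [IsProd, 90, 7]
Outputs:
  Arn:
    Value: !GetAtt LogGroup.Arn
"""

if __name__ == "__main__":
    # Usage: python convert_cfn_tags.py template.yaml  (prints the long-form template)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    sys.stdout.write(convert(text))
```

The conversion is lossless for the intrinsic functions but not for comments or key order inside flow sequences, so diff the output against the original before committing it; `round_trips` only proves that the emitted YAML parses back to the same structure.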
Pull request overview
Note: Copilot was unable to run its full agentic suite in this review.
Adds a community AWS Config data connector for Microsoft Sentinel using the Codeless Connector Framework (CCF), plus AWS-side infrastructure to expose AWS Config notifications via a secured custom API for polling.
Changes:
- Added documentation for deploying and configuring the AWS-side API and Sentinel connector settings.
- Added an AWS CloudFormation template to deploy API Gateway + Lambda + DynamoDB + SNS integration for AWS Config notifications.
- Added an Azure ARM template for the CCF RestApiPoller connector and custom table schema + KQL validation custom table definition.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| DataConnectors/AWS-Config/README.md | Documents end-to-end deployment, configuration, API testing, Sentinel setup, and troubleshooting. |
| DataConnectors/AWS-Config/CloudFormation/template_1_AWS_Config_v2.yaml | Provisions AWS resources (SNS/Lambda/DynamoDB/API Gateway/API key/usage plan) to serve Config events to Sentinel. |
| DataConnectors/AWS-Config/AWSConfig_Sentinel_CCF.json | Deploys the Sentinel CCF RestApiPoller connector, DCE/DCR, and the AWSConfig_CL custom table. |
| DataConnectors/AWS-Config/AWSConfig_CL.json | Defines the custom table schema for AWSConfig_CL. |
| .script/tests/KqlvalidationsTests/CustomTables/AWSConfig_CL.json | Adds the AWSConfig_CL schema to the repo’s KQL validation test fixtures. |
Hello Team, I have reviewed and resolved the Copilot comments. For the ARM template expressions, the escaped bracket syntax was kept intentionally because the values are part of the embedded connector template and need to be evaluated at the connector deployment level. The deployment was validated successfully in the PoC. For the CloudFormation template, the inline Lambda implementation was kept to maintain a self-contained deployment experience. API Gateway logging was also reviewed; the current implementation was validated end-to-end using Lambda CloudWatch logs, API key authentication, API polling, and Microsoft Sentinel ingestion. The connector has been tested successfully in PoC, including AWS-side deployment, API polling, and data ingestion into the AWSConfig_CL custom table.
Hi @KanenasCS, thanks for the update. I'll review the PR and provide an update if anything is required. Thanks!
Change(s):
Added a new AWS Config Microsoft Sentinel data connector under DataConnectors/AWS-Config/.
Added a Codeless Connector Framework (CCF) data connector for ingesting AWS Config configuration item notifications into the AWSConfig_CL custom table.
Added an AWS CloudFormation template that deploys the required AWS-side API backend, including API Gateway, Lambda functions, DynamoDB, SNS integration, API key authentication, usage plan, IAM role, and CloudWatch log groups.
Added a README with deployment, configuration, API testing, Microsoft Sentinel connector configuration, validation queries, troubleshooting, and cleanup steps.
Reason for Change(s):
This contribution provides a community AWS Config connector for Microsoft Sentinel using the Codeless Connector Framework.
AWS Config notifications are collected through an AWS-hosted API endpoint deployed by CloudFormation and polled by Microsoft Sentinel using API key authentication.
The connector enables AWS Config resource configuration visibility in Microsoft Sentinel through the AWSConfig_CL table.
Version Updated:
Not applicable. This PR does not add or update Detections/Analytic Rule templates.
Testing Completed:
Yes.
Validated the CloudFormation deployment flow.
Validated that the AWS API endpoint supports GET /logs.
Validated API key authentication using the x-api-key header.
Validated the expected API response structure with an events array.
Validated the Microsoft Sentinel connector configuration values documented in the README.
Checked that the validations are passing and have addressed any issues that are present:
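The testing section above lists the contract the AWS-side API is expected to honour: `GET /logs`, an `x-api-key` header, and a JSON body carrying an `events` array. The script below is an added example, not code from the PR or the connector: it stands up a constructed local stub that mimics how an API Gateway key-protected endpoint behaves (403 without a valid key, 200 with the `events` array), and a poller that sends the header the way a Sentinel RestApiPoller would and validates the response shape. The key value, the stub, and the sample events are all constructed for the demo; the PR's real Lambda and table schema are not reproduced here.

```python
"""Local check of the GET /logs + x-api-key contract. Added example, not the PR's code."""
import json
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

API_KEY = "constructed-demo-key"  # stand-in for the API Gateway key; never commit a real one

# Constructed events, shaped loosely like AWS Config change notifications.
SAMPLE_EVENTS = [
    {"messageType": "ConfigurationItemChangeNotification", "resourceType": "AWS::S3::Bucket",
     "resourceId": "demo-logs-bucket", "awsRegion": "eu-west-1",
     "configurationItemCaptureTime": "2024-01-01T00:00:00Z"},
    {"messageType": "ConfigurationItemChangeNotification", "resourceType": "AWS::IAM::Role",
     "resourceId": "demo-poller-role", "awsRegion": "global",
     "configurationItemCaptureTime": "2024-01-01T00:05:00Z"},
]


class StubConfigApi(BaseHTTPRequestHandler):
    """Mimics an API Gateway stage with an API key requirement in front of GET /logs."""

    def do_GET(self):
        # API Gateway rejects a missing or unknown key before the integration runs.
        if self.headers.get("x-api-key") != API_KEY:
            self._send(403, {"message": "Forbidden"})
            return
        if urllib.parse.urlsplit(self.path).path != "/logs":
            self._send(404, {"message": "Not Found"})
            return
        self._send(200, {"events": SAMPLE_EVENTS})

    def _send(self, status, body):
        data = json.dumps(body).encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def poll_logs(base_url, api_key):
    """One poll as the connector would issue it; returns status plus the events array."""
    headers = {"Accept": "application/json"}
    if api_key is not None:
        headers["x-api-key"] = api_key
    req = urllib.request.Request(f"{base_url}/logs", headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            body = json.load(resp)
    except urllib.error.HTTPError as err:
        return {"status": err.code, "events": []}
    events = body.get("events")
    if not isinstance(events, list):
        raise ValueError("response body does not contain an 'events' array")
    return {"status": 200, "events": events}


def run_demo():
    """Start the stub on a free localhost port, poll it three ways, and shut it down."""
    server = HTTPServer(("127.0.0.1", 0), StubConfigApi)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        return {
            "no_key": poll_logs(base, None),
            "wrong_key": poll_logs(base, "not-the-key"),
            "good_key": poll_logs(base, API_KEY),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: HTTP {result['status']}, {len(result['events'])} event(s)")
```

Against the real deployment, point `poll_logs` at the API Gateway invoke URL and pass the key from the usage plan; the unauthenticated call should come back 403, which is the quickest way to confirm the key requirement is actually enforced on the stage and not only configured on the method.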