Data Source

AWS Config configuration item notifications from a single AWS account and region. The connector captures resource configuration change events, including resource type, account ID, region, configuration item status, and change notification type.

Ingestion Mechanism

Codeless Connector Framework (CCF) based, using the RestApiPoller pull mechanism: Microsoft Sentinel polls a GET /logs endpoint authenticated with an x-api-key header. The AWS-side backend must be deployed via the included CloudFormation template, which provisions:

  • DynamoDB table (SentinelConfigLogs by default) as a time-indexed event buffer
  • Ingest Lambda function subscribed to an AWS Config SNS topic
  • Query Lambda function behind API Gateway
  • API Gateway REST API with API key + usage plan

Data lands in the AWSConfig_CL custom table. This is not the native AWS-managed CloudTrail/Config integration – it requires a separate CloudFormation stack deployment in each AWS account and region to be monitored.
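As an added illustration of the ingest path described above (example code, not the connector's own Lambda), the normalisation step an Ingest Lambda performs on an AWS Config SNS notification before writing it to the DynamoDB buffer. Field names follow the AWS Config notification format; the sample event is constructed, and the pk/sk key layout is an assumption rather than the template's schema.

```python
import json

# Constructed sample: an AWS Config change notification inside an SNS record, as
# the Ingest Lambda receives it (real field names, made-up values).
SAMPLE_SNS_EVENT = {"Records": [{"Sns": {"Message": json.dumps({
    "messageType": "ConfigurationItemChangeNotification",
    "configurationItem": {
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": "sg-0123456789abcdef0",
        "awsAccountId": "123456789012",
        "awsRegion": "us-east-1",
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2024-05-01T11:59:58.000Z",
    },
    "configurationItemDiff": {"changeType": "UPDATE"},
})}}]}

TTL_SECONDS = 90 * 24 * 3600  # mirrors the connector's default 90-day buffer TTL


def normalise_notification(message, now):
    """Flatten one Config notification into a buffer record; None if it has no item.
    The pk/sk key layout (one partition, time-ordered sort key) is an assumption."""
    msg_type = message.get("messageType")
    if msg_type == "ConfigurationItemChangeNotification":
        item = message["configurationItem"]
    elif msg_type == "OversizedConfigurationItemChangeNotification":
        # Items too large for SNS arrive as a summary only; the full item has to
        # be fetched from the Config history API out of band, so buffer the summary.
        item = message["configurationItemSummary"]
    else:
        return None  # compliance changes, snapshot-delivery notices, etc.
    capture = item["configurationItemCaptureTime"]
    diff = message.get("configurationItemDiff", {})
    return {
        "pk": "config",
        "sk": f"{capture}#{item['resourceType']}#{item['resourceId']}",
        "messageType": msg_type,
        "resourceType": item["resourceType"],
        "awsAccountId": item["awsAccountId"],
        "awsRegion": item["awsRegion"],
        "configurationItemStatus": item["configurationItemStatus"],
        "changeType": diff.get("changeType") or item.get("changeType"),
        "ttl": now + TTL_SECONDS,  # DynamoDB TTL attribute, epoch seconds
    }


def handler(event, now):
    """Lambda-style entry point: unwrap SNS records and keep those with items."""
    items = (normalise_notification(json.loads(r["Sns"]["Message"]), now)
             for r in event.get("Records", []))
    return [i for i in items if i is not None]
```

Message types without a configuration item are dropped here; a production handler would also need to retrieve the full item for oversized notifications, which the buffer otherwise never sees.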

Security Impact (Visibility & Fidelity)

This connector unlocks AWS resource configuration change tracking in Microsoft Sentinel for environments without native AWS Config integration coverage. Key visibility includes:

  • Resource type changes across EC2, IAM, S3, and other AWS service configurations
  • Correlation of configuration drift with sign-in and activity events already ingested from other AWS connectors
  • Detection of unauthorized resource modifications (e.g., security group rule changes, IAM policy mutations)

No bundled Analytic Rules or Hunting Queries are included in this PR – detection coverage depends on custom KQL against AWSConfig_CL.

Deployment Notes

The AWS-side deployment requires CAPABILITY_NAMED_IAM (the CloudFormation template creates a named IAM execution role for the Lambda functions). The API key value is passed as a plaintext CloudFormation parameter (NoEcho: true) and must match the value entered in the Sentinel connector page. The DynamoDB buffer has a configurable TTL (default 90 days); Sentinel is the system of record.

Since no detections ship with the connector, teams deploying it should develop KQL rules against AWSConfig_CL based on their AWS Config rule coverage.

Affected Files

.script/tests/KqlvalidationsTests/CustomTables/AWSConfig_CL.json
DataConnectors/AWS-Config/AWSConfig_CL.json
DataConnectors/AWS-Config/AWSConfig_Sentinel_CCF.json
DataConnectors/AWS-Config/CloudFormation/template_1_AWS_Config_v2.yaml
DataConnectors/AWS-Config/README.md