Many customers define resource tagging strategy to manage their AWS resources to either being able to identify the resource owner or the cost center, or for any other purpose. Therefore, it’s important to have a mechanism to identify those resources that don’t have the essential resource tags. In AWS Service Catalog AppRegistry, attribute groups are an open JSON object that stores metadata for a resource. In this post, I’ll show how you can define a JSON schema that your attribute groups are validated against, and provide key information that you can use to take remediation actions, if the attribute group doesn’t conform to the schema definition.

Solution overview

Amazon EventBridge is a serverless event bus service that makes it easy to connect your applications with data from a variety of sources. An EventBridge rule lets you filter out the events based on event pattern, such as receiving only events when an AppRegistry attribute group is created or updated. Once a rule matches an incoming event, it sends it to targets for processing.

AWS Lambda receives the event from the EventBridge and validates the current schema in the attribute group against the schema definition that defines the essential attributes that each attribute group must have. If the attribute groups don’t comply with the schema definition, then you trigger remediation actions to make sure that missing attributes are added.

Event flow of identifying action events in AppRegistry attribute group and validation of the attribute group against the schema definition.

Figure 1: The workflow to validate attribute group against the schema definition

Let’s go through the flow to better understand what’s happening at each step:

  1. A new attribute group is either created or an existing one is updated.
  2. EventBridge rule matches the event based on the event pattern.
  3. The EventBridge rule triggers the target, the Lambda function, thereby passing the event object.
  4. The Lambda function gets the schema definition from the schema definition store.
  5. The Lambda function validates the attribute group against the schema definition.
  6. OpsItem (ticket) is created in AWS Systems Manager OpsCenter if the schema validation fails.

Taking remediation actions on non-compliant attribute groups

The first step is being able to identify if an attribute group conforms to the schema definition or not. However, to take remediation steps usually requires having additional information about the event. Let’s assume you have following schema definition that defines the essential attribute groups that you want every attribute group to have:

{ "ApplicationName": "", "ApplicationOwner": "", "ApplicationOwnerEmail": "", "CostCenter": "", "OnCall": { "PrimaryName": "", "PrimaryPhone": "", "EscalationVP": "", "EscalationPhone": "" }

Also, let’s assume that you create an attribute group myWebAppMetadata with the following JSON object:

{ "ApplicationOwner": "John Doe", "ApplicationOwnerEmail": "[email protected]", "OnCall": { "PrimaryName": "Jorge Souza", "PrimaryPhone": "555-0100-5678" }

In this example, the schema validation for this attribute group will fail and collect the following sample payload that can be used to take remediation actions:

{ "schemaDefinitionCompliant": false, "missingAttributes": [ "$.ApplicationName", "$.CostCenter", "$.OnCall.EscalationVP", "$.OnCall.EscalationPhone" ], "attributeGroup": { "arn": "arn:aws:servicecatalog:us-east-2:111122223333:/attribute-groups/1234567890abcdef0", "name": "myWebAppMetadata", "id": "1234567890abcdef0", ... }, "userIdentity": { "type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/Admin/admin", "accountId": "111122223333", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", ... }, "eventName": "CreateAttributeGroup", "log_id": "70dd7ebc94534cc09dac8c45ae755244", "ops_item_id": "oi-1234567890ab"

The payload provides key information, such as:

  • schemaDefinitionCompliant, is the attribute group is compliant
  • missingAttributes, what exact attributes are missing
  • attributeGroup, what is the exact attribute group that is not compliant
  • userIdentity, who performed the action in this attribute group
  • eventName, what type of action has been performed
  • ops_item_id, OpsItem ID in OpsCenter that is created if schema validation failed

If the attribute group is not compliant with the schema definition, then the solution will create an OpsItem in OpsCenter and you can track the resolution progress from there. By knowing who performed the action, you can notify either the user from the userIdentity and/or the application owner by using ApplicationOwnerEmail, and provide the details of what attribute group is missing which essential attributes.


This solution assumes the attribute group schema definition is stored in AppRegistry. An attribute group defines a JSON object as the schema. For testing purposes, create an attribute group with the JSON object that I used in the previous example. To create an attribute group:

  1. Navigate to the AWS Service Catalog attribute groups console
  2. Select Create attribute group
    1. For Attribute Group name, enter schemaDefinition
    2. For Provide JSON content into the text area, paste the following JSON
      { "ApplicationName": "", "ApplicationOwner": "", "ApplicationOwnerEmail": "", "CostCenter": "", "OnCall": { "PrimaryName": "", "PrimaryPhone": "", "EscalationVP": "", "EscalationPhone": "" }

  3. Select Next
  4. Select Finish

Implementation and deployment details

In this section, you create a AWS CloudFormation stack that creates AWS resources for this solution. To start the deployment process, select the following Launch Stack button.

Clickable launch stack button


Note: You also can download the CloudFormation template if you want to modify the code before the deployment.

Follow these steps to complete CloudFormation stack creation:

  1. On the Create stack page, choose Next.
  2. Under Parameters:
    1. SchemaDefinitionAttributeGroupName, enter schemaDefinition
    2. AttributeGroupNamePrefixes, leave it empty for now.
      Note: Optionally, you can specify comma separated one or more prefix. Only those attribute groups will be validated with a name that starts with the prefix. For example, with AttributeGroupNamePrefix as “prod-, infra-“, attribute group with name “infra-platform” will be validated.
  3. On the Configure stack options page, choose Next.
  4. On the Review page, select the I acknowledge that AWS CloudFormation might create IAM resources check box.
  5. Choose Create stack, and then wait for the status to change to CREATE_COMPLETE.

Once the stack creation is completed, it’s time to test it out. First, let’s create a new attribute group that has missing attributes at per the schema definition.

  1. Navigate to the AWS Service Catalog attribute groups console
  2. Select Create attribute group
    1. For Attribute Group name, enter myWebAppMetadata
    2. For Provide JSON content into the text area, paste the following JSON:
      { "ApplicationOwner": "John Doe", "ApplicationOwnerEmail": "[email protected]", "OnCall": { "PrimaryName": "Jorge Souza", "PrimaryPhone": "555-0100-5678" }

  1. Select Next
  2. Select Finish

This will trigger an event in EventBridge and invoke the Lambda function to validate the schema of this attribute group.

OpsCenter becomes a central mechanism of finding and tracking the process of OpsItems that are created when an attribute group is in a non-compliant state. The following screenshot illustrates an OpsItem created in OpsCenter when the attribute group isn’t compliant with the schema definition.

Note: It might take a short period of time for the event to be triggered. If you don’t see a new OpsItem, then try to refresh the OpsCenter in a few seconds.

OpsCenter summary page view with one open OpsItem for a non-compliant attribute group in AppRegistry.

Figure 2: OpsItem for a non-compliant attribute group in AppRegistry

In the OpsCenter console, select OpsItems and click at the OpsItem ID to see details on this item. Here, you can find further details that will help you in the process of resolving this issue, as seen in the following screenshot.

OpsItem details page with detailed information about the open OpsItem for a non-compliant attribute group in AppRegistry.

Figure 3: OpsItem details of a non-compliant attribute group

Let’s go over the key details:

  • Description – The description has a link to the CloudWatch log event and it will filter the logs to show all of the payload details as shown in the sample payload above.
  • Deduplication string – This will make sure that new OpsItems aren’t created for the same non-compliant attribute group as long as this OpsItem isn’t resolved.
  • Resource ARN – This is the ARN of the attribute group that failed the schema validation.

Clean up

After you’ve tested the solution, you can clean up all the created AWS resources by deleting the CloudFormation stack.


In this post you learned how you can introduce schema to your AppRegistry attribute groups and validate that the metadata of your attribute groups conforms to the schema. If an attribute group does not conform to the schema, then an OpsItem is created in OpsCenter. You used OpsCenter, which serves as a central mechanism to find and track the resolution of OpsItem and see more details about it, such as what attribute group is missing which essential attributes, and who is the identity that created/updated the attribute group.

About the author

Artem Lovan

Artem is a senior solutions architect based in New York. He helps customers architect and optimize applications on AWS. He has been involved in IT at many levels, including infrastructure, networking, security, DevOps, and software development.