Create a Jira issue using an AWS Config remediation action
AWS Config can create issues in Jira Service Management when it determines that an AWS resource is noncompliant. In this blog post, I show you how to configure an AWS Config rule to create a Jira issue after the rule detects a noncompliant AWS resource. I also share the Jira Service Management (formerly Jira Service Desk) project configuration changes you might need to make so that your project accepts the issues an AWS Config rule remediation action sends.
Example remediation action scenario
Suppose an IT governance team wants to receive alerts when Amazon Elastic Container Service (Amazon ECS) task definitions specify images that are not registered in the governance team's Amazon Elastic Container Registry (Amazon ECR) private registry. The container images they store in their ECR private registry have completed company-mandated security scans and contain company-mandated packages and agents. A custom AWS Config rule named ECS_ECRIMAGE_CHECK, available in the AWS Config rules repository, assesses Amazon ECS task definitions and determines whether each task definition image is sourced from an Amazon ECR private registry. The rule verifies the image location by its path prefix only; it does not inspect scan results or image digests, so the private registry itself has to be where those controls are enforced. Amazon ECR private registry images start with a name prefix using this format:
Here is an example task definition that uses a container image stored in an Amazon ECR private registry. The image key:value pair in the JSON output shows this compliant format.
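The check the rule performs, written out as an added example (this is not the code of the ECS_ECRIMAGE_CHECK rule from the repository): an Amazon ECR private registry image reference begins with `<aws-account-id>.dkr.ecr.<region>.amazonaws.com/`, and the pattern below also accepts the FIPS endpoint and the China-partition suffix, which goes a little beyond the post's single example. The task definitions are constructed sample input, the `allowed_accounts` pin is an addition a governance team would want, because a bare prefix check accepts a private registry in any AWS account, and the task definition family name is used as the resource identifier here.

```python
"""Evaluate ECS task definitions the way ECS_ECRIMAGE_CHECK does: every container
image must come from an Amazon ECR private registry (added example, not the rule's code)."""
import re
from typing import Optional

# Amazon ECR private registry image URIs start with
#   <aws-account-id>.dkr.ecr.<region>.amazonaws.com/
# The pattern also accepts the FIPS endpoint (dkr.ecr-fips) and the China partition
# suffix (.amazonaws.com.cn). public.ecr.aws (the ECR *public* registry) and Docker Hub
# short names such as "httpd:2.4" deliberately do not match.
ECR_PRIVATE_PREFIX = re.compile(
    r"^(?P<account>\d{12})\.dkr\.ecr(?:-fips)?\."
    r"(?P<region>[a-z0-9-]+)\.amazonaws\.com(?:\.cn)?/"
)


def image_is_ecr_private(image: str, allowed_accounts: Optional[set] = None) -> bool:
    """True if the image reference points at an ECR private registry.

    A bare prefix check accepts a private registry in *any* AWS account; pass
    allowed_accounts to pin images to the governance team's own registry.
    """
    match = ECR_PRIVATE_PREFIX.match(image)
    if match is None:
        return False
    return allowed_accounts is None or match.group("account") in allowed_accounts


def evaluate_task_definition(task_def: dict, allowed_accounts: Optional[set] = None) -> dict:
    """Return an AWS Config style evaluation for one task definition."""
    offending = [
        c.get("image", "")
        for c in task_def.get("containerDefinitions", [])
        if not image_is_ecr_private(c.get("image", ""), allowed_accounts)
    ]
    return {
        # the family name serves as the resource identifier in this example
        "resource_id": task_def["family"],
        "compliance_type": "NON_COMPLIANT" if offending else "COMPLIANT",
        "annotation": (
            "Images outside the ECR private registry: " + ", ".join(offending)
            if offending
            else "All images are sourced from an ECR private registry"
        ),
    }


# Constructed sample task definitions (not taken from the post).
COMPLIANT_TASK_DEF = {
    "family": "web-app",
    "containerDefinitions": [
        {"name": "web", "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/web-app:1.4"},
        {"name": "agent", "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/agent@sha256:" + "a" * 64},
    ],
}
NONCOMPLIANT_TASK_DEF = {
    "family": "first-run-task-definition",
    "containerDefinitions": [{"name": "web", "image": "httpd:2.4"}],
}
PUBLIC_ECR_TASK_DEF = {
    "family": "nginx-public",
    "containerDefinitions": [{"name": "web", "image": "public.ecr.aws/nginx/nginx:1.25"}],
}
OTHER_ACCOUNT_TASK_DEF = {
    "family": "partner-app",
    "containerDefinitions": [{"name": "app", "image": "210987654321.dkr.ecr.eu-west-1.amazonaws.com/app:2"}],
}

if __name__ == "__main__":
    for td in (COMPLIANT_TASK_DEF, NONCOMPLIANT_TASK_DEF, PUBLIC_ECR_TASK_DEF, OTHER_ACCOUNT_TASK_DEF):
        print(evaluate_task_definition(td, allowed_accounts={"123456789012"}))
```

Run without `allowed_accounts` the check behaves like the prefix test the post describes; with the account pinned, the partner-account task definition flips to NON_COMPLIANT, which is usually what a governance team actually means by "our registry".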
Jira issue JiraURL field
The AWS Config rule remediation action named AWS-CreateJiraIssue uses an AWS Systems Manager document also named AWS-CreateJiraIssue. This document uses Jira’s RESTful API version 2, which uses this API path to create the Jira issue:
The AWS Lambda function included in the AWS-CreateJiraIssue Systems Manager document appends this API path to the JiraURL parameter that was used to configure the AWS-CreateJiraIssue remediation action for the AWS Config rule. The JiraURL parameter must include the protocol, subdomain, and domain name portions of the Jira URL.
Here is an example, the same value used in the parameter table later in this post: https://aws-mg-demos.atlassian.net
Do not place a forward slash (/) at the end of the JiraURL parameter when you enter it into the remediation action parameter field. The Lambda function appends the API path as-is, so a trailing slash produces a URL with a double slash in it.
Jira issue DueDate field
AWS Config passes the value you enter for DueDate to Jira without modification or offset, and the value does not change when AWS Config invokes the remediation action. Because the due date is a static parameter, every issue the rule creates carries the same date. If you want a due date relative to when the issue is created, leave the parameter out of the AWS-CreateJiraIssue remediation action and set the due date in your Jira Service Management Cloud account or Jira Service Management Server instead.
The Configure Screen page for a project lists the fields a Jira issue will accept and display, and Jira does not include Due date on it by default. To pass an issue due date to Jira, edit the Configure Screen page for your Jira Service Management project and, from the Select Field dropdown, add Due date, as shown in Figure 1:
Figure 1: Configure Screen
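The request the document ends up sending, reconstructed as an added example that serves both the JiraURL and the DueDate sections above (this is not the AWS-CreateJiraIssue Lambda code, which is not reproduced on this page): it assembles the Jira REST API v2 create-issue call, validates the two parameters the post warns about, and shows what the RESOURCE_ID substitution looks like on the wire. The parameter values are the ones from the table in step 5; the API token is a constructed placeholder standing in for the SecureString the document reads from Parameter Store.

```python
"""Build the Jira REST API v2 create-issue request that the AWS-CreateJiraIssue
Lambda function sends (added example; the document's own code is not on this page)."""
import base64
import json
import re
from typing import Dict, List
from urllib.parse import urlsplit

CREATE_ISSUE_PATH = "/rest/api/2/issue"           # Jira REST API v2: POST here creates an issue
DUE_DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")  # Jira expects YYYY-MM-DD


def parameter_problems(params: Dict[str, str]) -> List[str]:
    """Return the parameter mistakes that would make Jira reject the call."""
    problems = []
    parts = urlsplit(params.get("JiraURL", ""))
    if parts.scheme not in ("http", "https") or not parts.netloc:
        problems.append("JiraURL must include the protocol, subdomain and domain, "
                        "for example https://example.atlassian.net")
    elif parts.path or parts.query or parts.fragment:
        # A trailing "/" (or any path) ends up as https://host//rest/api/2/issue
        problems.append("JiraURL must not end with a forward slash or carry a path")
    if not DUE_DATE_RE.match(params.get("DueDate", "")):
        problems.append("DueDate must be in YYYY-MM-DD format")
    if not params.get("ProjectKey"):
        problems.append("ProjectKey is required")
    return problems


def create_issue_url(jira_url: str) -> str:
    """Append the create-issue path exactly as the Lambda function does."""
    return jira_url + CREATE_ISSUE_PATH


def basic_auth_header(username: str, api_token: str) -> str:
    """HTTP Basic credentials for Jira Cloud: base64("email:API token")."""
    return "Basic " + base64.b64encode(f"{username}:{api_token}".encode()).decode()


def build_create_issue_request(params: Dict[str, str], resource_id: str, api_token: str) -> dict:
    """Assemble the POST for one noncompliant resource.

    params are the remediation action parameters from the table in this post;
    api_token is the value the document reads from Parameter Store at SSMParameterName.
    """
    problems = parameter_problems(params)
    if problems:
        raise ValueError("; ".join(problems))
    # AWS Config replaces an IssueDescription parameter mapped to RESOURCE_ID with the
    # ID of the noncompliant resource before the document runs.
    description = resource_id if params["IssueDescription"] == "RESOURCE_ID" else params["IssueDescription"]
    fields = {
        "project": {"key": params["ProjectKey"]},
        "summary": params["IssueSummary"],
        "description": description,
        "issuetype": {"name": params["IssueTypeName"]},
        "duedate": params["DueDate"],  # rejected unless Due date is on the create screen (Figure 1)
    }
    return {
        "method": "POST",
        "url": create_issue_url(params["JiraURL"]),
        "headers": {
            "Authorization": basic_auth_header(params["JiraUsername"], api_token),
            "Content-Type": "application/json",
        },
        "body": json.dumps({"fields": fields}),
    }


def request_fields(request: dict) -> dict:
    """Decode the 'fields' object from a request built above."""
    return json.loads(request["body"])["fields"]


# Values from the post's parameter table; the API token is a constructed placeholder.
DEMO_PARAMS = {
    "JiraUsername": "email@example.com",
    "IssueSummary": "Noncompliant unregistered container image",
    "IssueDescription": "RESOURCE_ID",
    "IssueTypeName": "Task",
    "ProjectKey": "DEMOITPROJ",
    "JiraURL": "https://aws-mg-demos.atlassian.net",
    "DueDate": "2021-05-25",
}

if __name__ == "__main__":
    req = build_create_issue_request(DEMO_PARAMS, "first-run-task-definition", "CONSTRUCTED-API-TOKEN")
    print(req["method"], req["url"])
    print(req["body"])
    print(parameter_problems({**DEMO_PARAMS, "JiraURL": DEMO_PARAMS["JiraURL"] + "/"}))
```

Two things worth noticing in the output: the description field is the raw resource ID and nothing else, which is exactly what Figure 8 later shows, and `duedate` is sent as a top-level field, which is why Jira refuses the whole request with an HTTP 400 naming that field when Due date is missing from the project's create screen.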
Set up the AWS-CreateJiraIssue remediation action
Follow these steps to assign the AWS-CreateJiraIssue remediation action to the ECS_ECRIMAGE_CHECK custom AWS Config rule.
Step 1: Configure automatic remediation
In the AWS Config console, on the Edit: Remediation action page, choose Automatic remediation. In case of failure, configure this automatic remediation action to retry: set Retries to 1 and Seconds to 120, as shown in Figure 2. Once the configured attempts are exhausted, AWS Config records a remediation exception for that resource and does not retry it automatically until the exception is removed.
Figure 2: Select remediation method and configure retries
Step 2: Select the AWS-CreateJiraIssue remediation action
In Remediation action details, for Choose remediation action, choose AWS-CreateJiraIssue, as shown in Figure 3.
Figure 3: Remediation action details
Step 3: Set concurrent action rate limits (optional)
Limit the number of simultaneous remediation action invocations for this AWS Config rule. In Rate Limits, specify a concurrent execution rate (a percentage of the noncompliant resources) to use when this AWS Config rule detects multiple noncompliant resources, and enter a maximum failure percentage at which AWS Config stops launching further Systems Manager document executions. In Figure 4, Concurrent Execution Rate is set to 2 percent; Error Rate is set as shown in the figure.
Figure 4: Rate Limits
Step 4: Pass the noncompliant resource ID to the Jira issue
Pass the noncompliant resource ID as a value to the Jira issue. In Resource ID parameter, choose IssueDescription, as shown in Figure 5:
Figure 5: Resource ID parameter
Step 5: Enter the remediation action parameters
The following table lists the AWS Config rule remediation action parameter names, examples, and descriptions that correspond to the parameters in the AWS-CreateJiraIssue Systems Manager document.
| Parameter key | Example value | Description |
|---|---|---|
| JiraUsername | email@example.com | Email address of a registered Jira user that holds the Create Issues permission on the target project. |
| SSMParameterName | /config-rule-jira-demo/jira-user-api-key | AWS Systems Manager Parameter Store name of your Jira API token; store it as a SecureString.* |
| IssueSummary | Noncompliant unregistered container image | The title of the Jira issue. |
| IssueDescription | RESOURCE_ID | AWS Config replaces this value with the resource ID of the noncompliant AWS resource (step 4). |
| IssueTypeName | Task | An issue type that exists in the Jira project. |
| ProjectKey | DEMOITPROJ | The key of the Jira project in which the issue is created. The key prefixes every issue in the project (for example, DEMOITPROJ-1). |
| JiraURL | https://aws-mg-demos.atlassian.net | The URL of your Jira instance: protocol, subdomain, and domain only, with no trailing slash. |
| DueDate | 2021-05-25 | Required completion date for the issue, in YYYY-MM-DD format. |
| AutomationAssumeRole | arn:aws:iam::123456789012:role/SSM_Remediation_Role | IAM role that Systems Manager Automation assumes to run the document.** |
* This Atlassian Support article explains how to create API tokens for your Atlassian Jira Cloud platform account. If you are using the Atlassian Jira Server platform instead, this article explains how to use your password instead of an API token for basic authentication. In either case, use a dedicated Jira account that has only the permissions the document needs (creating issues in the target project), keep the credential in a SecureString parameter, and rotate it on a schedule; the token authenticates as that user for every Jira API call, not just issue creation.
** The AutomationAssumeRole is an AWS Identity and Access Management (IAM) role that AWS Systems Manager assumes to run the steps configured in the AWS-CreateJiraIssue Systems Manager document. Its trust policy must let ssm.amazonaws.com assume it, and its permissions must cover the actions those steps perform; review the document's steps in the Systems Manager console to confirm the exact set rather than granting broad access.
To create a Jira issue when this AWS Config rule detects a noncompliant resource, enter the Jira Service Desk Project parameters used by the AWS Systems Manager AWS-CreateJiraIssue document. Figure 6 displays the parameter values listed in the table.
Figure 6: Parameters
Step 6: Save changes
To save this remediation action, choose Save changes.
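Steps 1 through 6, expressed as the single API object the console builds for you; this is an added example, not code from the post or from AWS. The builder runs offline and produces the RemediationConfiguration that `PutRemediationConfigurations` accepts, with the retry, rate-limit and RESOURCE_ID settings from the steps above; the Error Rate default is an assumed value, since the post does not state one. The two boto3 calls need AWS credentials and are only invoked if you call them; the cleanup function is the API form of the teardown mentioned at the end of the post.

```python
"""Create the remediation configuration from steps 1 to 6 through the AWS Config API
rather than the console (added example, not from the post)."""
from typing import Dict, Set

RULE_NAME = "ECS_ECRIMAGE_CHECK"
SSM_DOCUMENT = "AWS-CreateJiraIssue"

# Every parameter the AWS-CreateJiraIssue document expects (the table in step 5).
REQUIRED_PARAMETERS = {
    "JiraUsername", "SSMParameterName", "IssueSummary", "IssueDescription",
    "IssueTypeName", "ProjectKey", "JiraURL", "DueDate", "AutomationAssumeRole",
}


def missing_parameters(params: Dict[str, str]) -> Set[str]:
    """Parameters the document needs that are absent from params."""
    return REQUIRED_PARAMETERS - set(params)


def build_remediation_configuration(
    params: Dict[str, str],
    *,
    max_attempts: int = 1,      # step 1: Retries
    retry_seconds: int = 120,   # step 1: Seconds
    concurrent_pct: int = 2,    # step 3: Concurrent Execution Rate (%)
    error_pct: int = 10,        # step 3: Error Rate (%), an assumed value; set your own
) -> dict:
    """Return the RemediationConfiguration object PutRemediationConfigurations accepts."""
    missing = missing_parameters(params)
    if missing:
        raise ValueError(f"missing remediation parameters: {sorted(missing)}")
    parameters = {}
    for name, value in params.items():
        if value == "RESOURCE_ID":
            # step 4: AWS Config substitutes the noncompliant resource ID at run time
            parameters[name] = {"ResourceValue": {"Value": "RESOURCE_ID"}}
        else:
            parameters[name] = {"StaticValue": {"Values": [value]}}
    if sum("ResourceValue" in p for p in parameters.values()) != 1:
        raise ValueError("map exactly one parameter (IssueDescription) to RESOURCE_ID")
    return {
        "ConfigRuleName": RULE_NAME,
        "TargetType": "SSM_DOCUMENT",
        "TargetId": SSM_DOCUMENT,        # step 2
        "Automatic": True,               # step 1
        "MaximumAutomaticAttempts": max_attempts,
        "RetryAttemptSeconds": retry_seconds,
        "ExecutionControls": {           # step 3
            "SsmControls": {
                "ConcurrentExecutionRatePercentage": concurrent_pct,
                "ErrorPercentage": error_pct,
            }
        },
        "Parameters": parameters,        # step 5
    }


def save_remediation_configuration(config: dict) -> None:
    """Step 6 over the API; the caller needs config:PutRemediationConfigurations."""
    import boto3  # imported here so the builder above runs without the AWS SDK installed
    response = boto3.client("config").put_remediation_configurations(RemediationConfigurations=[config])
    if response.get("FailedBatches"):  # this call reports failures instead of raising
        raise RuntimeError(response["FailedBatches"])


def delete_rule_and_remediation(rule_name: str = RULE_NAME) -> None:
    """Cleanup after testing: remove the remediation configuration, then the rule."""
    import boto3
    client = boto3.client("config")
    client.delete_remediation_configuration(ConfigRuleName=rule_name)
    client.delete_config_rule(ConfigRuleName=rule_name)


# Parameter values from the table in step 5.
DEMO_PARAMS = {
    "JiraUsername": "email@example.com",
    "SSMParameterName": "/config-rule-jira-demo/jira-user-api-key",
    "IssueSummary": "Noncompliant unregistered container image",
    "IssueDescription": "RESOURCE_ID",
    "IssueTypeName": "Task",
    "ProjectKey": "DEMOITPROJ",
    "JiraURL": "https://aws-mg-demos.atlassian.net",
    "DueDate": "2021-05-25",
    "AutomationAssumeRole": "arn:aws:iam::123456789012:role/SSM_Remediation_Role",
}

if __name__ == "__main__":
    import json
    print(json.dumps(build_remediation_configuration(DEMO_PARAMS), indent=2))
    # save_remediation_configuration(build_remediation_configuration(DEMO_PARAMS))
```

Keeping the configuration in code like this makes the Jira-side parameters reviewable in version control and lets you diff what is deployed against what the console shows; note that `put_remediation_configurations` returns failed batches rather than raising, so a script that ignores the response will silently leave the rule without a remediation action.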
Example noncompliant resource detection and Jira issue creation
The AWS Config rule ECS_ECRIMAGE_CHECK detected an Amazon ECS task definition configured to use an image located outside the Amazon ECR private registry. AWS Config marked this resource as Noncompliant, as shown in Figure 7, and invoked the AWS-CreateJiraIssue remediation action successfully. Under Resources in scope, a status of Action executed successfully is displayed.
Figure 7: ECS_ECRIMAGE_CHECK
Figure 8 shows the Jira issue created by the AWS-CreateJiraIssue remediation action for the noncompliant Amazon ECS task definition as shown in the Jira Service Desk console:
Figure 8: Noncompliant unregistered container image
The resource ID of the noncompliant AWS resource, first-run-task-definition, appears in the Description field of this Jira issue. AWS Config passed this resource ID to the AWS Systems Manager document, AWS-CreateJiraIssue, through the IssueDescription field.
To avoid charges to your AWS account, after you test the AWS-CreateJiraIssue rule remediation action, issue these AWS CLI commands to delete the ECS_ECRIMAGE_CHECK rule and its remediation action:
In this blog post, I showed you how to assign and configure the AWS-CreateJiraIssue remediation action to a custom AWS Config rule from the AWS Config rules repository. This remediation action creates a Jira issue in a Jira Service Management project using the configured remediation action parameters. It passes the noncompliant resource ID to the Jira issue using the IssueDescription remediation action parameter. Use this procedure to assign and configure the AWS-CreateJiraIssue remediation action to your AWS Config rules. You might also consider using Change Manager, an AWS Systems Manager capability, to automate the change request, request approval, and automation action to remediate a noncompliant resource.