How can I add remediation actions for AWS Config organization rules?

Last updated: 2021-02-03

I want to use remediation actions, but the organization AWS Config rule doesn't support remediation actions.

Short description

Use a custom event pattern with an Amazon EventBridge rule to match your AWS Config rule for your organization. Then, choose the AWS Systems Manager Automation runbook as the target.

Resolution

In the following example, the runbook AWS-TerminateEC2Instance runs on non-compliant resources from the organization rule with the resource type AWS::EC2::Instance. The Amazon Elastic Compute Cloud (Amazon EC2) instance is terminated because it is non-compliant.

Note:

  • You can replace the resource type for your specific AWS service and organization rule name.
  • This setup is only for the AWS Organizations management account. To perform the remediation action on the resources of your member accounts, set up the EventBridge rule with a runbook in each member account using AWS CloudFormation StackSets.

1.    Before you begin, make sure that you have EC2 permissions to run the AWS Systems Manager Automation runbook and a Systems Manager Automation Role trust policy similar to the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ssm.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

2.    Open the EventBridge console.

3.    In the navigation pane, choose Rules, and then choose Create rule.

4.    In Name and description, enter a name and description for the rule.

5.    In Define pattern, choose Event pattern.

6.    In Event matching pattern, choose Custom pattern.

7.    In Event pattern, copy and paste the following example event pattern, and then choose Save.

Note: Replace "TestRuleExample" with the target organization rule name in your account.

{
  "source": [
    "aws.config"
  ],
  "detail-type": [
    "Config Rules Compliance Change"
  ],
  "detail": {
    "messageType": [
      "ComplianceChangeNotification"
    ],
    "configRuleName": [
      {
        "prefix": "OrgConfigRule-TestRuleExample-"
      }
    ],
    "resourceType": [
      "AWS::EC2::Instance"
    ],
    "newEvaluationResult": {
      "complianceType": [
        "NON_COMPLIANT"
      ]
    }
  }
}

8.    Choose the Target dropdown list, and then choose SSM Automation.

9.    Choose the Document dropdown list, and then choose AWS-TerminateEC2Instance.

10.    Expand Configure document version, and choose Latest.

11.    Expand Configure automation parameter(s), and then choose Input Transformer.

12.    In the Input Path text box, copy and paste the following:

{"instanceid":"$.detail.resourceId"}

13.    In the Instance ID text box, copy and paste the following:

{"InstanceId":[<instanceid>],"AutomationAssumeRole":["arn:aws:iam::123456789012:role/SSMRoleExample"]}

Note: Replace the AutomationAssumeRole ARN value with your SSM role ARN.

14.    Choose either Create a new role or Use existing role, and then choose Create.

Note: Be sure that the EventBridge rule status is Enabled.
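Because this rule terminates instances, it is worth confirming which events actually match before you enable it. The following is an added example (not code from the AWS article): a small Python emulation of how EventBridge evaluates the event pattern above (exact-value lists, the "prefix" filter, nested objects) and of the Input Transformer step. The rule name "TestRuleExample", the role ARN and the instance ID are the article's placeholders or constructed sample values.

```python
# Added example: emulate the article's EventBridge event pattern and Input
# Transformer so that sample AWS Config compliance-change events can be checked
# offline. Rule name "TestRuleExample" and the role ARN are the article's
# placeholders, not real resources.

EVENT_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "messageType": ["ComplianceChangeNotification"],
        "configRuleName": [{"prefix": "OrgConfigRule-TestRuleExample-"}],
        "resourceType": ["AWS::EC2::Instance"],
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
    },
}
ASSUME_ROLE_ARN = "arn:aws:iam::123456789012:role/SSMRoleExample"  # placeholder

def matches(pattern, event):
    """True if every pattern key matches: a list is OR of alternatives, {"prefix": p} matches strings starting with p."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):  # nested object: recurse into it
            if not (isinstance(value, dict) and matches(allowed, value)):
                return False
        elif not any(
            (isinstance(value, str) and value.startswith(c["prefix"])) if isinstance(c, dict) else value == c
            for c in allowed
        ):
            return False
    return True

def automation_input(event):
    """Input Path {"instanceid": "$.detail.resourceId"} plus the article's template: the runbook parameters sent to SSM."""
    return {"InstanceId": [event["detail"]["resourceId"]],
            "AutomationAssumeRole": [ASSUME_ROLE_ARN]}

def remediation_target(event):
    """Runbook parameters if the event would trigger the rule, otherwise None."""
    return automation_input(event) if matches(EVENT_PATTERN, event) else None

def sample_event(rule, resource_type, compliance, resource_id="i-0123456789abcdef0"):
    """Constructed Config compliance-change event (shape only, not a captured event)."""
    return {"source": "aws.config",
            "detail-type": "Config Rules Compliance Change",
            "detail": {"messageType": "ComplianceChangeNotification",
                       "configRuleName": rule, "resourceType": resource_type,
                       "resourceId": resource_id,
                       "newEvaluationResult": {"complianceType": compliance}}}
```

Feed it events for other rules, resource types or a COMPLIANT result to confirm they return None and would not invoke the runbook.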

To check the status of an organization AWS Config rule or to list your organization rules, see the describe-organization-config-rule-statuses and describe-organization-config-rules AWS CLI commands.