How do I add remediation actions for AWS Config organizational rules?


I want to use remediation actions, but the AWS Config organizational rule doesn't support remediation actions.

Short description

To match your AWS Config rule for your organization, use a custom event pattern with an Amazon EventBridge rule. Then, choose the AWS Systems Manager Automation runbook as the target.

Resolution

In this example procedure, the runbook AWS-TerminateEC2Instance runs on noncompliant resources from the organizational rule with the resource type AWS::EC2::Instance. The Amazon Elastic Compute Cloud (Amazon EC2) instance is terminated because it's noncompliant.

Note:

  • Use a resource type that's specific to your AWS service and organizational rule name.
  • To perform the remediation action on resources in your member accounts, use AWS CloudFormation StackSets to deploy the EventBridge rule and its runbook target to each member account.
  • Make sure that you have Amazon EC2 permissions to run the AWS Systems Manager Automation runbook.

Complete the following steps:

  1. Make sure that you have a Systems Manager Automation role trust policy similar to the following one:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "ssm.amazonaws.com"
            ]
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
  2. Open the EventBridge console.

  3. In the navigation pane, choose Rules, and then choose Create rule.

  4. In Name and description, enter a name and description for the rule.

  5. In Define pattern, choose Event pattern.

  6. In Event matching pattern, choose Custom pattern.

  7. In Event pattern, enter the following example event pattern. Replace TestRuleExample with the target organizational rule name in your account:

    {
      "source": [
        "aws.config"
      ],
      "detail-type": [
        "Config Rules Compliance Change"
      ],
      "detail": {
        "messageType": [
          "ComplianceChangeNotification"
        ],
        "configRuleName": [
          {
            "prefix": "OrgConfigRule-TestRuleExample-"
          }
        ],
        "resourceType": [
          "AWS::EC2::Instance"
        ],
        "newEvaluationResult": {
          "complianceType": [
            "NON_COMPLIANT"
          ]
        }
      }
    }
  8. Choose Save.

  9. For Target, choose SSM Automation.

  10. For Document, choose AWS-TerminateEC2Instance.

  11. Expand Configure document version, and then choose Latest.

  12. Expand Configure automation parameter(s), and then choose Input transformer.

  13. For Input Path, enter the following:

    {"instanceid":"$.detail.resourceId"}
  14. In the Instance ID text box, enter the following. Replace the example ARN with your Systems Manager role's ARN:

    {"InstanceId":[instanceid],"AutomationAssumeRole":["arn:aws:iam::123456789012:role/SSMRoleExample"]}
  15. Choose either Create a new role or Use existing role, and then choose Create.
    Note: Be sure that the EventBridge rule status is Enabled.
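To see why the event pattern in step 7, the Input Path in step 13 and the trust policy in step 1 fit together, the following Python script is an added example (not code from this Knowledge Center article or from AWS). It implements only the subset of EventBridge pattern semantics the article relies on (exact values listed in arrays, nested objects, and the `{"prefix": ...}` comparison), resolves the `$.detail.resourceId` input path, and checks that a trust policy lets `ssm.amazonaws.com` assume the role. The sample compliance-change events are constructed, the `-abcdef12` suffix on the organizational rule name is an assumed stand-in for the generated suffix that makes the prefix match necessary, and the account ID and role name are the article's placeholders.

```python
"""Toy EventBridge pattern matcher for the AWS Config compliance-change rule.

Added example, not the article's or AWS's code. Sample events are constructed;
the rule-name suffix, account ID and role ARN are placeholders.
"""
import json
from typing import Any

# Event pattern from the article, with TestRuleExample as the organizational rule name.
EVENT_PATTERN: dict = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "messageType": ["ComplianceChangeNotification"],
        "configRuleName": [{"prefix": "OrgConfigRule-TestRuleExample-"}],
        "resourceType": ["AWS::EC2::Instance"],
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
    },
}

# Trust policy from step 1 of the article.
TRUST_POLICY: dict = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": ["ssm.amazonaws.com"]},
                   "Action": "sts:AssumeRole"}],
}


def _value_matches(rule: Any, value: Any) -> bool:
    """One entry of a pattern array against the event's scalar value."""
    if isinstance(rule, dict):
        if "prefix" in rule:  # only the prefix comparison is implemented here
            return isinstance(value, str) and value.startswith(rule["prefix"])
        raise ValueError(f"unsupported comparison: {rule}")
    return rule == value


def matches(pattern: dict, event: dict) -> bool:
    """True if every pattern field is satisfied: arrays mean 'any of these',
    nested objects descend, and a field missing from the event never matches."""
    for key, rule in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(rule, dict):
            if not isinstance(value, dict) or not matches(rule, value):
                return False
        elif isinstance(rule, list):
            if not any(_value_matches(r, value) for r in rule):
                return False
        else:
            raise ValueError(f"pattern field {key!r} must be a list or object")
    return True


def input_path(event: dict, path: str) -> Any:
    """Resolve a simple '$.a.b' path, as the input transformer's Input Path does."""
    node: Any = event
    for part in path.lstrip("$").strip(".").split("."):
        node = node[part]
    return node


def automation_parameters(event: dict, assume_role_arn: str) -> dict:
    """Parameter document the article's input template hands to the runbook."""
    return {"InstanceId": [input_path(event, "$.detail.resourceId")],
            "AutomationAssumeRole": [assume_role_arn]}


def ssm_can_assume(trust_policy: dict) -> bool:
    """True if an Allow statement lets ssm.amazonaws.com call sts:AssumeRole."""
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        services = stmt.get("Principal", {}).get("Service", [])
        actions = stmt.get("Action", [])
        services = [services] if isinstance(services, str) else services
        actions = [actions] if isinstance(actions, str) else actions
        if "ssm.amazonaws.com" in services and "sts:AssumeRole" in actions:
            return True
    return False


def _config_event(rule_name: str, compliance: str, resource_id: str = "i-0123456789abcdef0") -> dict:
    """Constructed event in the shape AWS Config publishes for a compliance change."""
    return {"source": "aws.config",
            "detail-type": "Config Rules Compliance Change",
            "detail": {"messageType": "ComplianceChangeNotification",
                       "configRuleName": rule_name,
                       "resourceType": "AWS::EC2::Instance",
                       "resourceId": resource_id,
                       "newEvaluationResult": {"complianceType": compliance}}}


# Member accounts see the organizational rule with a generated suffix (assumed value).
ORG_RULE = "OrgConfigRule-TestRuleExample-abcdef12"
NONCOMPLIANT = _config_event(ORG_RULE, "NON_COMPLIANT")
COMPLIANT = _config_event(ORG_RULE, "COMPLIANT")
OTHER_RULE = _config_event("OrgConfigRule-AnotherRule-abcdef12", "NON_COMPLIANT")

if __name__ == "__main__":
    for name, ev in [("noncompliant", NONCOMPLIANT), ("compliant", COMPLIANT), ("other rule", OTHER_RULE)]:
        print(f"{name}: matches={matches(EVENT_PATTERN, ev)}")
    print(json.dumps(automation_parameters(NONCOMPLIANT, "arn:aws:iam::123456789012:role/SSMRoleExample")))
    print("ssm.amazonaws.com can assume role:", ssm_can_assume(TRUST_POLICY))
```

Running the script shows that only the NON_COMPLIANT event from the matching organizational rule reaches the target, which is the property to confirm before pointing a destructive runbook such as AWS-TerminateEC2Instance at production accounts: a pattern that omits `complianceType` or matches on `configRuleName` without the organizational prefix would fire on far more events than intended.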

For more information about the AWS Config organizational rule status and to get a list of AWS Config rules, see describe-organization-config-rule-statuses and describe-organization-config-rules.

Related information

How can I receive custom email notifications when a resource is created in my AWS account with AWS Config service?

Use AWS Config rules to automatically remediate noncompliant resources

Tutorial: Use input transformer to customize what EventBridge passes to the event target

AWS OFFICIAL (updated 4 months ago)

2 Comments

Does this mean we cannot configure remediation to organizational rules at the moment?

I get this error when trying to associate a remediation configuration to an organizational rule:

InsufficientPermissionsException: Calling service principals does not contain the owner of the SLCR

Is there a workaround?

Ashley
replied 4 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 4 months ago