How do I resolve permission errors with auto remediation for the AWS Config rule s3-bucket-logging-enabled?

Last updated: 2020-11-20

I configured the AWS Config rule s3-bucket-logging-enabled to auto remediate noncompliant Amazon Simple Storage Service (Amazon S3) buckets. However, the remediation execution failed, and the AWS Config console displays the Action status error "Action execution failed (details)." I opened the Details page, but it doesn't contain enough information to troubleshoot the issue.

Short description

The AWS Config rule s3-bucket-logging-enabled uses the AWS Systems Manager Automation document AWS-ConfigureS3BucketLogging to remediate noncompliant resources. The AWS Identity and Access Management (IAM) role that is passed as the AutomationAssumeRole parameter must have a trust policy that allows the Systems Manager service to assume it. Also, the Automation role must have PutBucketLogging permissions, and the target Amazon S3 bucket must be configured to store logs.

Resolution

For a more detailed error message, run the AWS Command Line Interface (AWS CLI) command describe-remediation-execution-status. Then, follow these instructions to troubleshoot the error message. For more information, see How can I troubleshoot failed remediation executions in AWS Config?

Important: Before you begin, be sure that you have installed and configured the AWS CLI. If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.

"Step fails when it is Execute/Cancelling action. An error occurred (MalformedXML) when calling the PutBucketLogging operation: The XML you provided was not well-formed or did not validate against our published schema. Please refer to Automation Service Troubleshooting Guide for more diagnosis details."

"Step fails when it is Execute/Cancelling action. An error occurred (AccessDenied) when calling the PutBucketLogging operation: Access Denied. Please refer to Automation Service Troubleshooting Guide for more diagnosis details."

This error occurs because the AutomationAssumeRole role doesn't have permissions to call the PutBucketLogging API on the noncompliant S3 buckets. You can use the following example policy to allow the role to call the PutBucketLogging API:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:PutBucketLogging",
            "Resource": [
                "arn:aws:s3:::<BUCKET_NAME_1>",
                "arn:aws:s3:::<BUCKET_NAME_2>",
                "arn:aws:s3:::<BUCKET_NAME_3>"
            ]
        }
    ]
}

Note: If remediation must run on all the buckets in an AWS Region, limit the role's permission to that Region by using the condition key aws:RequestedRegion.

"Invalid execution parameters sent to Systems Automation. The defined assume role is unable to be assumed."

This error occurs because the IAM AutomationAssumeRole role can't be assumed by the Systems Manager Automation service. Use the following example policy to allow Systems Manager to assume the IAM role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ssm.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
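To check both policies offline before rerunning the remediation, the following added example (not AWS's code, and not part of the original article) evaluates an AutomationAssumeRole's trust policy and identity policy the way the two errors above require. The policy documents are assumed to have been fetched elsewhere (for example with the AWS CLI) and are embedded here as constructed samples; the bucket name and Region are placeholders.

```python
import fnmatch

# Constructed sample: a trust policy naming the wrong service principal, which is what produces "The defined assume role is unable to be assumed".
BAD_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
# Constructed sample: PutBucketLogging on every bucket, limited to one Region via aws:RequestedRegion.
REGION_SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:PutBucketLogging", "Resource": "*",
     "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}}}]}

def _as_list(value):
    """IAM accepts either a single string or a list in Action, Resource and Service fields."""
    return [] if value is None else (value if isinstance(value, list) else [value])

def _matches(name, patterns, fold=False):
    """IAM-style matching with '*' and '?' wildcards; actions compare case-insensitively."""
    name = name.lower() if fold else name
    return any(fnmatch.fnmatchcase(name, p.lower() if fold else p) for p in _as_list(patterns))

def ssm_can_assume(trust_policy):
    """True if ssm.amazonaws.com may call sts:AssumeRole on the role (an explicit Deny wins)."""
    allowed = False
    for stmt in _as_list(trust_policy.get("Statement")):
        principal = stmt.get("Principal") or {}
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if "ssm.amazonaws.com" in services and _matches("sts:AssumeRole", stmt.get("Action"), fold=True):
            if stmt.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed

def can_put_bucket_logging(policy, bucket_name, region):
    """True if the role may call s3:PutBucketLogging on the bucket from the given Region."""
    arn, allowed = f"arn:aws:s3:::{bucket_name}", False
    for stmt in _as_list(policy.get("Statement")):
        wanted = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("aws:RequestedRegion"))
        if (_matches("s3:PutBucketLogging", stmt.get("Action"), fold=True)
                and _matches(arn, stmt.get("Resource")) and (not wanted or region in wanted)):
            if stmt.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed

def diagnose(trust_policy, policy, bucket_name, region):
    """Map the two checks onto the error messages this article describes."""
    findings = []
    if not ssm_can_assume(trust_policy):
        findings.append("trust policy: Systems Manager cannot assume the AutomationAssumeRole")
    if not can_put_bucket_logging(policy, bucket_name, region):
        findings.append(f"permissions: s3:PutBucketLogging not allowed on {bucket_name} in {region}")
    return findings
```

Feed it the real documents from `aws iam get-role` and `aws iam get-role-policy` (or the attached managed policy) to see which of the two fixes above applies; it only covers the aws:RequestedRegion condition, not other condition keys.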