
Remediating noncompliant resources

You can set up manual or automatic remediation for your rules to remediate noncompliant resources that are evaluated by AWS Config rules. AWS Config uses AWS Systems Manager Automation Documents to apply remediation. You can use one of the more than 100 pre-configured documents included in AWS Systems Manager, or create your own Systems Manager document, to remediate noncompliant resources.

Under the hood, RDK creates an AWS::Config::RemediationConfiguration CloudFormation resource and associates it with your rule when you create or modify a rule with remediation actions. To learn more about this resource, see AWS::Config::RemediationConfiguration - AWS CloudFormation in the AWS documentation.

You can set AWS::Config::RemediationConfiguration resource properties when creating or modifying a rule by including RDK rule remediation arguments. The following table lists the arguments that you can pass to rdk create or rdk modify to configure a remediation action, and how they map to AWS::Config::RemediationConfiguration properties.

| rdk create/rdk modify argument | RemediationConfiguration property | Description |
|---|---|---|
| --remediation-action | TargetId | SSM Document name |
| --remediation-action-version | TargetVersion | SSM Document version |
| --auto-remediate | Automatic | The remediation is triggered automatically. |
| --auto-remediation-retry-attempts | MaximumAutomaticAttempts | The maximum number of failed attempts for auto-remediation. |
| --auto-remediation-retry-time | RetryAttemptSeconds | Maximum time in seconds that AWS Config runs auto-remediation. |
| --remediation-concurrent-execution-percent | ExecutionControls.SsmControls.ConcurrentExecutionRatePercentage | The maximum percentage of remediation actions allowed to run in parallel on the noncompliant resources. |
| --remediation-error-rate-percent | ExecutionControls.SsmControls.ErrorPercentage | The percentage of errors that are allowed before SSM stops running automations on noncompliant resources. |
| --remediation-parameters | Parameters | SSM Document parameters. |

Some SSM Documents require input parameters to work properly. When setting up rule remediation, you can use --remediation-parameters to pass parameters to the selected Document. This argument takes a JSON string containing the Document parameters and has the following structure:

{
    "SSMDocumentParameterX": {
        "StaticValue": {
            "Values": [
                "StaticValue1"
            ]
        }
    },
    "SSMDocumentParameterY": {
        "ResourceValue": {
            "Value": "RESOURCE_ID"
        }
    }
}

Note that there are two types of values: static value and resource value. A static value can take a list of values, whereas a resource value can take only one value, and that value must be RESOURCE_ID. When you pass a resource value as an input parameter, the actual value is determined at runtime: it is the resource ID of the noncompliant resource evaluated by AWS Config.

Imagine you want to add a remediation action to the rule created in the previous section and delete all noncompliant IAM roles that have no policies. First, check the list of AWS managed Documents (available in the Systems Manager console) to see whether a Document that meets this goal already exists. AWS SSM offers a managed Document named “AWSConfigRemediation-DeleteIAMRole” that matches this need. Navigate to the Document’s Detail tab and review the required parameters. This Document requires two parameters, “AutomationAssumeRole” and “IAMRoleID”. First, create an IAM role for the SSM Document to assume while it completes its steps. Review the inputs of each step of the Document under the Description tab to determine the permissions the “AutomationAssumeRole” role needs. For “IAMRoleID”, pass the resource ID of the noncompliant resource dynamically. Finally, issue the following command to modify your rule and specify the “AWSConfigRemediation-DeleteIAMRole” Document as the remediation action with its required parameters:

rdk modify IAM_ROLE --runtime python3.9 --remediation-action AWSConfigRemediation-DeleteIAMRole --remediation-parameters '{"AutomationAssumeRole":{"StaticValue":{"Values":["arn:aws:iam::123456789012:role/managed/DocumentRole"]}},"IAMRoleID":{"ResourceValue":{"Value":"RESOURCE_ID"}}}'
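To make the argument-to-property mapping and the parameter shape concrete, here is an added Python example (not RDK's own code) that checks a --remediation-parameters string for the StaticValue/ResourceValue rules described above and assembles the RemediationConfiguration properties that the rdk arguments populate. ConfigRuleName and TargetType are CloudFormation properties of the resource that the table above does not list, and the IAM role ARN check is an assumption of this example, not an rdk feature.

```python
import json
import re

ARG_TO_PROPERTY = {  # rdk argument (table above) -> RemediationConfiguration property
    "remediation_action": "TargetId",
    "remediation_action_version": "TargetVersion",
    "auto_remediate": "Automatic",
    "auto_remediation_retry_attempts": "MaximumAutomaticAttempts",
    "auto_remediation_retry_time": "RetryAttemptSeconds",
    "remediation_concurrent_execution_percent": "ConcurrentExecutionRatePercentage",
    "remediation_error_rate_percent": "ErrorPercentage",
}
SSM_CONTROLS = {"ConcurrentExecutionRatePercentage", "ErrorPercentage"}  # nested under ExecutionControls
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")

SAMPLE_PARAMS = (  # constructed: the --remediation-parameters value from the rdk modify command above
    '{"AutomationAssumeRole":{"StaticValue":{"Values":'
    '["arn:aws:iam::123456789012:role/managed/DocumentRole"]}},'
    '"IAMRoleID":{"ResourceValue":{"Value":"RESOURCE_ID"}}}')

def parameter_errors(params_json):
    """Return the shape violations in a --remediation-parameters string (empty list = OK):
    StaticValue must hold a list of strings, ResourceValue must hold the string RESOURCE_ID."""
    params, errors = json.loads(params_json), []
    for name, spec in params.items():
        if set(spec) == {"StaticValue"}:
            values = spec["StaticValue"].get("Values")
            if not isinstance(values, list) or not all(isinstance(v, str) for v in values):
                errors.append(f"{name}: StaticValue.Values must be a list of strings")
        elif set(spec) == {"ResourceValue"}:
            if spec["ResourceValue"].get("Value") != "RESOURCE_ID":
                errors.append(f"{name}: ResourceValue.Value must be the string RESOURCE_ID")
        else:
            errors.append(f"{name}: give exactly one of StaticValue or ResourceValue")
    # The assumed role is what actually deletes resources: require exactly one IAM role ARN.
    role = params.get("AutomationAssumeRole", {}).get("StaticValue", {}).get("Values", [])
    if role and not (len(role) == 1 and ROLE_ARN_RE.match(role[0])):
        errors.append("AutomationAssumeRole: must be exactly one IAM role ARN")
    return errors

def build_remediation_configuration(rule_name, params_json, **args):
    """Assemble the CloudFormation resource rdk would emit for rule_name from rdk-style arguments."""
    errors = parameter_errors(params_json)
    if errors:
        raise ValueError("; ".join(errors))
    props = {"ConfigRuleName": rule_name, "TargetType": "SSM_DOCUMENT",
             "Parameters": json.loads(params_json)}
    for arg, value in args.items():
        prop = ARG_TO_PROPERTY[arg]  # an unknown argument raises KeyError on purpose
        target = props.setdefault("ExecutionControls", {"SsmControls": {}})["SsmControls"] if prop in SSM_CONTROLS else props
        target[prop] = value
    return {"Type": "AWS::Config::RemediationConfiguration", "Properties": props}
```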

Note that remediation actions for AWS Config Rules are supported only in certain regions.