Remediating Noncompliant Resources with Amazon Config Rules
Amazon Config allows you to remediate noncompliant resources that are evaluated by Amazon Config Rules. Amazon Config applies remediation using Amazon Systems Manager Automation documents. These documents define the actions to be performed on noncompliant Amazon resources evaluated by Amazon Config Rules. You can associate SSM documents by using Amazon Web Services Management Console or by using APIs.
Amazon Config provides a set of managed automation documents with remediation actions. You can also create and associate custom automation documents with Amazon Config rules.
To apply remediation on noncompliant resources, you can either choose the remediation action you want to associate from a prepopulated list or create your own custom remediation actions using SSM documents. Amazon Config provides a recommended list of remediation action in the Amazon Web Services Management Console.
In the Amazon Web Services Management Console, you can either choose to manually or automatically remediate noncompliant resources by associating remediation actions with Amazon Config rules. With all remediation actions, you can either choose manual or automatic remediation.
Topics
Prerequisite
Before you begin to apply remediation on noncompliant resources, you must select a rule and set up remediation (manual or auto) for the rule.
Setting Up Manual Remediation (Console)
Sign in to the Amazon Web Services Management Console and open the Amazon Config console at https://console.amazonaws.cn/config/
. -
Choose Rules on the left and then on the Rules page, choose Add Rule to add new rules to the rule list
For existing rules, select the noncompliant rule from the rule list and choose the Actions dropdown list.
-
From the Actions dropdown list, choose Manage remediation. Select "Manual remediation" and then choose the appropriate remediation action from the recommended list.
Note
You can only manage remediations for non-service linked Amazon Config rules. For more information, see Service-Linked Amazon Rules.
Depending on the selected remediation action, you see specific parameters or no parameters.
-
(Optional): If you want to pass the resource ID of noncompliant resources to the remediation action, choose Resource ID parameter. If selected, at runtime that parameter is substituted with the ID of the resource to be remediated.
Each parameter has either a static value or a dynamic value. If you do not choose a specific resource ID parameter from the dropdown list, you can enter values for each key. If you choose a resource ID parameter from the dropdown list, you can enter values for all the other keys except the selected resource ID parameter.
-
Choose Save. The Rules page is displayed.
For troubleshooting failed remediation actions, you can run the Amazon Command Line
Interface command describe-remediation-execution-status to get detailed
view of a Remediation Execution for a set of resources. The details include state,
timestamps for remediation execution steps, and any error messages for the failed
steps.
Setting Up Auto Remediation (Console)
Sign in to the Amazon Web Services Management Console and open the Amazon Config console at https://console.amazonaws.cn/config/
. -
Choose Rules on the left and then on the Rules page, choose Add Rule to add new rules to the rule list.
For existing rules, select the noncompliant rule from the rule list and choose the Actions dropdown list.
-
From the Actions dropdown list, choose Manage remediation. Select "Automatic remediation" and then choose the appropriate remediation action from the recommended list.
Note
You can only manage remediations for non-service linked Amazon Config rules. For more information, see Service-Linked Amazon Rules.
Depending on the selected remediation action, you see specific parameters or no parameters.
-
Choose Auto remediation to automatically remediate noncompliant resources.
If a resource is still noncompliant after auto remediation, you can set the rule to try auto remediation again. Enter the desired retries and seconds.
Note
There are costs associated with running a remediation script multiple times. Retries only occur if remediation fails and work within the specified time period; for example, 5 retries in 300 seconds.
-
(Optional): If you want to pass the resource ID of noncompliant resources to the remediation action, choose Resource ID parameter. If selected, at runtime that parameter is substituted with the ID of the resource to be remediated.
Each parameter has either a static value or a dynamic value. If you do not choose a specific resource ID parameter from the dropdown list, you can enter values for each key. If you choose a resource ID parameter from the dropdown list, you can enter values for all the other keys except the selected resource ID parameter.
-
Choose Save. The Rules page is displayed.
For troubleshooting failed remediation actions
For troubleshooting failed remediation actions, you can run the Amazon Command Line
Interface command describe-remediation-execution-status to get detailed
view of a Remediation Execution for a set of resources. The details include state,
timestamps for remediation execution steps, and any error messages for the failed
steps.
Auto remediation can be initiated even for compliant resources
If you enable auto remediation for a specific Amazon Config rule using the PutRemediationConfigurations API or the Amazon Config console, it initiates the remediation process for all noncompliant resources for that specific rule. The auto remediation process relies on the compliance data snapshot which is captured on a periodic basis. Any noncompliant resource that is updated between the snapshot schedule will continue to be remediated based on the last known compliance data snapshot.
This means that in some cases auto remediation can be initiated even for compliant resources, since the bootstrap processor uses a database that can have stale evaluation results based on the last known compliance data snapshot.
Delete Remediation Action (Console)
To delete a rule first you must delete remediation action associated with that rule.
Sign in to the Amazon Web Services Management Console and open the Amazon Config console at https://console.amazonaws.cn/config/
. -
Choose Rules on the left and then on the Rules page, select the rule from the rule list and choose View details.
-
On the
name of the rulepage, go to the Remediation action section. Expand the section to view additional details. -
In the Remediation action section, choose Delete and confirm your delete action.
Note
If remediation is in progress, a remediation action won't be deleted. Once you choose delete a remediation action, you cannot retrieve the remediation action. Deleting a remediation action does not delete the associated rule.
If a remediation action is deleted, the Resource ID parameter will be empty and display N/A. On the Rules page, the remediation action column displays Not set for the associated rule.
Managing Remediation (API)
Manual Remediation
Use the following Amazon Config API actions to manage remediation:
-
DeleteRemediationConfiguration, deletes the remediation configuration.
-
DescribeRemediationConfigurations, returns the details of one or more remediation configurations.
-
DescribeRemediationExecutionStatus, provides a detailed view of a Remediation Execution for a set of resources including state, timestamps for when steps for the remediation execution occur, and any error messages for steps that have failed.
-
PutRemediationConfigurations, adds or updates the remediation configuration with a specific Amazon Config rule with the selected target or action.
-
StartRemediationExecution, runs an on-demand remediation for the specified Amazon Config rules against the last known remediation configuration.
Auto Remediation
Use the following Amazon Config API actions to manage auto remediation:
-
PutRemediationExceptions, adds a new exception or updates an exisiting exception for a specific resource with a specific Amazon Config rule.
-
DescribeRemediationExceptions, returns the details of one or more remediation exceptions.
-
DeleteRemediationExceptions, deletes one or more remediation exceptions mentioned in the resource keys.
Region Support
Currently, remediation actions for Amazon Config Rules is supported in the following regions:
| Region Name | Region | Endpoint | Protocol |
|---|---|---|---|
| US East (Ohio) | us-east-2 | config.us-east-2.amazonaws.com | HTTPS |
| US East (N. Virginia) | us-east-1 | config.us-east-1.amazonaws.com | HTTPS |
| US West (N. California) | us-west-1 | config.us-west-1.amazonaws.com | HTTPS |
| US West (Oregon) | us-west-2 | config.us-west-2.amazonaws.com | HTTPS |
| Africa (Cape Town) | af-south-1 | config.af-south-1.amazonaws.com | HTTPS |
| Asia Pacific (Hong Kong) | ap-east-1 | config.ap-east-1.amazonaws.com | HTTPS |
| Asia Pacific (Hyderabad) | ap-south-2 | config.ap-south-2.amazonaws.com | HTTPS |
| Asia Pacific (Jakarta) | ap-southeast-3 | config.ap-southeast-3.amazonaws.com | HTTPS |
| Asia Pacific (Melbourne) | ap-southeast-4 | config.ap-southeast-4.amazonaws.com | HTTPS |
| Asia Pacific (Mumbai) | ap-south-1 | config.ap-south-1.amazonaws.com | HTTPS |
| Asia Pacific (Osaka) | ap-northeast-3 | config.ap-northeast-3.amazonaws.com | HTTPS |
| Asia Pacific (Seoul) | ap-northeast-2 | config.ap-northeast-2.amazonaws.com | HTTPS |
| Asia Pacific (Singapore) | ap-southeast-1 | config.ap-southeast-1.amazonaws.com | HTTPS |
| Asia Pacific (Sydney) | ap-southeast-2 | config.ap-southeast-2.amazonaws.com | HTTPS |
| Asia Pacific (Tokyo) | ap-northeast-1 | config.ap-northeast-1.amazonaws.com | HTTPS |
| Canada (Central) | ca-central-1 | config.ca-central-1.amazonaws.com | HTTPS |
| Canada West (Calgary) | ca-west-1 | config.ca-west-1.amazonaws.com | HTTPS |
| China (Beijing) | cn-north-1 | config.cn-north-1.amazonaws.com.cn | HTTPS |
| China (Ningxia) | cn-northwest-1 | config.cn-northwest-1.amazonaws.com.cn | HTTPS |
| Europe (Frankfurt) | eu-central-1 | config.eu-central-1.amazonaws.com | HTTPS |
| Europe (Ireland) | eu-west-1 | config.eu-west-1.amazonaws.com | HTTPS |
| Europe (London) | eu-west-2 | config.eu-west-2.amazonaws.com | HTTPS |
| Europe (Milan) | eu-south-1 | config.eu-south-1.amazonaws.com | HTTPS |
| Europe (Paris) | eu-west-3 | config.eu-west-3.amazonaws.com | HTTPS |
| Europe (Spain) | eu-south-2 | config.eu-south-2.amazonaws.com | HTTPS |
| Europe (Stockholm) | eu-north-1 | config.eu-north-1.amazonaws.com | HTTPS |
| Europe (Zurich) | eu-central-2 | config.eu-central-2.amazonaws.com | HTTPS |
| Israel (Tel Aviv) | il-central-1 | config.il-central-1.amazonaws.com | HTTPS |
| Middle East (Bahrain) | me-south-1 | config.me-south-1.amazonaws.com | HTTPS |
| Middle East (UAE) | me-central-1 | config.me-central-1.amazonaws.com | HTTPS |
| South America (São Paulo) | sa-east-1 | config.sa-east-1.amazonaws.com | HTTPS |