Setting Up Manual Remediation - Amazon Config
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Setting Up Manual Remediation

To apply remediation on noncompliant resources, you can either choose the remediation action you want to associate from a prepopulated list or create your own custom remediation actions using SSM documents. Amazon Config provides a recommended list of remediation actions in the Amazon Web Services Management Console.

Setting Up Manual Remediation (Console)

In the Amazon Web Services Management Console, you can manually remediate noncompliant resources by associating remediation actions with Amazon Config rules. With all remediation actions, you can choose either manual or automatic remediation.

  1. Sign in to the Amazon Web Services Management Console and open the Amazon Config console at https://console.amazonaws.cn/config/.

  2. Choose Rules on the left and then, on the Rules page, choose Add Rule to add new rules to the rule list.

    For existing rules, select the noncompliant rule from the rule list and choose the Actions dropdown list.

  3. From the Actions dropdown list, choose Manage remediation. Select "Manual remediation" and then choose the appropriate remediation action from the recommended list.

    Note

    You can only manage remediations for non-service linked Amazon Config rules. For more information, see Service-Linked Amazon Rules.

    Depending on the selected remediation action, you see specific parameters or no parameters.

  4. (Optional): If you want to pass the resource ID of noncompliant resources to the remediation action, choose Resource ID parameter. If selected, at runtime that parameter is substituted with the ID of the resource to be remediated.

    Each parameter has either a static value or a dynamic value. If you do not choose a specific resource ID parameter from the dropdown list, you can enter values for each key. If you choose a resource ID parameter from the dropdown list, you can enter values for all the other keys except the selected resource ID parameter.

  5. Choose Save. The Rules page is displayed.

For troubleshooting failed remediation actions, you can run the Amazon Command Line Interface command describe-remediation-execution-status to get a detailed view of a remediation execution for a set of resources. The details include state, timestamps for remediation execution steps, and any error messages for the failed steps.

Setting Up Manual Remediation (API)

Use the following Amazon Config API operation to set up manual remediation:

  • PutRemediationConfigurations, adds or updates the remediation configuration with a specific Amazon Config rule with the selected target or action.

  • StartRemediationExecution, runs an on-demand remediation for the specified Amazon Config rules against the last known remediation configuration.

  • DescribeRemediationExecutionStatus, provides a detailed view of a Remediation Execution for a set of resources including state, timestamps for when steps for the remediation execution occur, and any error messages for steps that have failed.

  • DescribeRemediationConfigurations, returns the details of one or more remediation configurations.
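The following is an added example, not part of the original documentation. It builds one PutRemediationConfigurations entry with static values plus a single resource ID parameter, and extracts failed steps from a DescribeRemediationExecutionStatus response. The rule name, SSM document choice, role ARN, helper names, and sample response are assumptions constructed for illustration; no Amazon Web Services calls are made.

```python
# Added example: request/response shapes for manual remediation (offline, no API calls).

def build_manual_remediation(rule_name, ssm_document, static_params, resource_id_param=None):
    """Return one entry for the RemediationConfigurations list of PutRemediationConfigurations."""
    if resource_id_param is not None and resource_id_param in static_params:
        # The key chosen as the resource ID parameter cannot also carry a static value.
        raise ValueError(f"{resource_id_param!r} is the resource ID parameter; give it no static value")
    params = {k: {"StaticValue": {"Values": list(v)}} for k, v in static_params.items()}
    if resource_id_param is not None:
        # Substituted at runtime with the ID of the resource being remediated.
        params[resource_id_param] = {"ResourceValue": {"Value": "RESOURCE_ID"}}
    return {
        "ConfigRuleName": rule_name,
        "TargetType": "SSM_DOCUMENT",
        "TargetId": ssm_document,
        "Parameters": params,
        "Automatic": False,  # manual: run on demand with StartRemediationExecution
    }

def failed_steps(status_response):
    """Return (resource_id, step_name, error) for each failed step in the response."""
    out = []
    for status in status_response.get("RemediationExecutionStatuses", []):
        rid = status.get("ResourceKey", {}).get("resourceId", "?")
        for step in status.get("StepDetails", []):
            if step.get("State") == "FAILED":
                out.append((rid, step.get("Name"), step.get("ErrorMessage", "")))
    return out

# Constructed sample values (assumptions, not taken from the page).
CONFIG = build_manual_remediation(
    "s3-bucket-public-read-prohibited",
    "AWS-DisableS3BucketPublicReadWrite",
    {"AutomationAssumeRole": ["arn:aws-cn:iam::111122223333:role/ExampleRemediationRole"]},
    resource_id_param="S3BucketName",
)
SAMPLE_STATUS = {"RemediationExecutionStatuses": [
    {"ResourceKey": {"resourceType": "AWS::S3::Bucket", "resourceId": "example-bucket-a"},
     "State": "SUCCEEDED",
     "StepDetails": [{"Name": "DisableS3BucketPublicReadWrite", "State": "SUCCEEDED"}]},
    {"ResourceKey": {"resourceType": "AWS::S3::Bucket", "resourceId": "example-bucket-b"},
     "State": "FAILED",
     "StepDetails": [{"Name": "DisableS3BucketPublicReadWrite", "State": "FAILED",
                      "ErrorMessage": "AccessDenied (constructed sample)"}]},
]}

if __name__ == "__main__":
    import json
    print(json.dumps(CONFIG, indent=2))
    print(failed_steps(SAMPLE_STATUS))
```

The role named in AutomationAssumeRole is what the remediation runs as, so scope it to the actions the chosen SSM document needs.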