My Saved Presets
You must be logged in to view saved presets

Loading Library ...

Stop/Terminate EC2 Instances Running Unapproved EC2 Instance Types

Auto remediation configuration to stop or terminate EC2 instances using unapproved instance types. Detection uses a managed AWS Config Rule and remediation is with SSM Automation.

This config rule supports Auto Remediation actions using SSM Automation. The following actions are supported:

  • Stop Instance: Non-compliant instances are stopped.
  • Terminate Instance: Non-compliant instances are terminated (Be careful when selecting this option to not accidentally terminate existing resources).

In addition to an action, a notification using an SNS Topic can be added to send a custom message when a non-compliant resource is detected. (Make sure to update the email address from the default email@example.com)

Items
4
Size
2.0 KB
Missing Parameters
AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
  ConfigRule:
    Type: 'AWS::Config::ConfigRule'
    Properties:
      ConfigRuleName: desired-instance-type
      Scope:
        ComplianceResourceTypes:
          - 'AWS::EC2::Instance'
      Description: Auto remediation configuration to stop or terminate EC2 instances using unapproved instance types. Detection uses a managed AWS Config Rule and remediation is with SSM Automation.
      Source:
        Owner: AWS
        SourceIdentifier: DESIRED_INSTANCE_TYPE
  RemediationForConfigRule:
    Type: 'AWS::Config::RemediationConfiguration'
    Properties:
      Automatic: true
      ConfigRuleName:
        Ref: ConfigRule
      MaximumAutomaticAttempts: 5
      RetryAttemptSeconds: 60
      TargetId: AWS-StopEC2Instance
      TargetType: SSM_DOCUMENT
      TargetVersion: '1'
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - 'Fn::GetAtt':
                  - AutoRemediationIamRole
                  - Arn
        InstanceId:
          ResourceValue:
            Value: RESOURCE_ID
  AutoRemediationIamRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
                - events.amazonaws.com
                - ssm.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole'
  AutomationPassRolePolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: passAutomationRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - 'iam:PassRole'
            Resource:
              'Fn::GetAtt':
                - AutoRemediationIamRole
                - Arn
      Roles:
        - Ref: AutoRemediationIamRole
Parameters: {}
Metadata: {}
Conditions: {}

Actions



Customize Template

Rule Settings


Rule Parameters


Trigger Settings

Remediation Settings

  
* Required field

© 2024 asecurecloud. All rights reserved.