By Implementation

Service Control PoliciesConfig RulesAuto Remediation RulesConformance PacksAmazon GuardDutyAmazon InspectorAWS Security HubAWS Network FirewallRoute53 Resolver SecurityAmazon MacieS3 Bucket PoliciesCloudWatch Alarms and Event RulesAWS WAFAWS Secrets ManagerAWS Systems ManagerSecurity Groups & NACLsAWS KMSIAM PoliciesAmazon ECRRDS Event Subscriptions

By Service Protected

Configuration Packages

Strategy Guides

Other

Auto Remediation Rules

Automatically Release Unattached Elastic IPs (EIP)

Auto remediation configuration to release unattached Elastic IPs. Detection uses a managed AWS Config Rule and remediation is with SSM Automation.

This config rule supports Auto Remediation actions using SSM Automation. The following actions are supported:

  • Release Elastic IP: Unused Elastic IPs are released.

In addition to an action, a notification using an SNS Topic can be added to send a custom message when a non-compliant resource is detected. (Make sure to update the email address from the default email@example.com)

Items
4
Size
2.3 KB
AWSTemplateFormatVersion: "2010-09-09"
Description: ""
Resources:
  ConfigRule:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: "eip-attached"
      Scope:
        ComplianceResourceTypes:
          - "AWS::EC2::EIP"
      Description: "Auto remediation configuration to release unattached Elastic IPs. Detection uses a managed AWS Config Rule and remediation is with SSM Automation."
      Source:
        Owner: "AWS"
        SourceIdentifier: "EIP_ATTACHED"
  RemediationForConfigRule:
    Type: "AWS::Config::RemediationConfiguration"
    Properties:
      Automatic: true
      ConfigRuleName:
        Ref: "ConfigRule"
      MaximumAutomaticAttempts: 5
      RetryAttemptSeconds: 60
      TargetId: "AWS-ReleaseElasticIP"
      TargetType: "SSM_DOCUMENT"
      TargetVersion: "1"
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - Fn::GetAtt:
                  - "AutoRemediationIamRole"
                  - "Arn"
        AllocationId:
          ResourceValue:
            Value: "RESOURCE_ID"
  AutoRemediationIamRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "ec2.amazonaws.com"
                - "events.amazonaws.com"
                - "ssm.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole"
      Policies:
        - PolicyName: "ReleaseElasticIPPermissions"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: "ReleaseElasticIPPermissions"
                Effect: "Allow"
                Action: "ec2:ReleaseAddress"
                Resource: "*"
  AutomationPassRolePolicy:
    Type: "AWS::IAM::Policy"
    Properties:
      PolicyName: "passAutomationRole"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Action:
              - "iam:PassRole"
            Resource:
              Fn::GetAtt:
                - "AutoRemediationIamRole"
                - "Arn"
      Roles:
        - Ref: "AutoRemediationIamRole"
Parameters: {}
Metadata: {}
Conditions: {}

Actions



Customize Template

Rule Settings


Rule Parameters

No rule paramters

Trigger Settings

Remediation Settings

  
* Required field