Auto remediation configuration to release unattached Elastic IPs. Detection uses a managed AWS Config Rule and remediation is with SSM Automation.

This config rule supports Auto Remediation actions using SSM Automation. The following actions are supported:

  • Release Elastic IP: Unused Elastic IPs are released.

In addition to an action, a notification via an SNS Topic can be added to send a custom message when a non-compliant resource is detected (if you add one, make sure to update the email address from the default email@example.com).

AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
  ConfigRule:
    Type: 'AWS::Config::ConfigRule'
    Properties:
      ConfigRuleName: eip-attached
      Scope:
        ComplianceResourceTypes:
          - 'AWS::EC2::EIP'
      Description: Auto remediation configuration to release unattached Elastic IPs. Detection uses a managed AWS Config Rule and remediation is with SSM Automation.
      Source:
        Owner: AWS
        SourceIdentifier: EIP_ATTACHED
  RemediationForConfigRule:
    Type: 'AWS::Config::RemediationConfiguration'
    Properties:
      Automatic: true
      ConfigRuleName:
        Ref: ConfigRule
      MaximumAutomaticAttempts: 5
      RetryAttemptSeconds: 60
      TargetId: AWS-ReleaseElasticIP
      TargetType: SSM_DOCUMENT
      TargetVersion: '1'
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - 'Fn::GetAtt':
                  - AutoRemediationIamRole
                  - Arn
        AllocationId:
          ResourceValue:
            Value: RESOURCE_ID
  AutoRemediationIamRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                # SSM Automation is the service that assumes this role to run the
                # AWS-ReleaseElasticIP document; ec2 and events are broader than required.
                - ec2.amazonaws.com
                - events.amazonaws.com
                - ssm.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole'
      Policies:
        - PolicyName: ReleaseElasticIPPermissions
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: ReleaseElasticIPPermissions
                Effect: Allow
                Action: 'ec2:ReleaseAddress'
                Resource: '*'
  AutomationPassRolePolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: passAutomationRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - 'iam:PassRole'
            Resource:
              'Fn::GetAtt':
                - AutoRemediationIamRole
                - Arn
      Roles:
        - Ref: AutoRemediationIamRole
Parameters: {}
Metadata: {}
Conditions: {}
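Because the rule takes no parameters and Automatic is true, every unattached Elastic IP in the account is released without review. The following Python is an added example, not part of this template or of AWS's code: it applies the EIP_ATTACHED condition to constructed DescribeAddresses output and lists the AllocationIds that would be passed to AWS-ReleaseElasticIP, so the blast radius can be checked before the remediation is enabled.

```python
"""Preview of what the eip-attached rule and its AWS-ReleaseElasticIP
remediation would act on, evaluated over DescribeAddresses output."""
from typing import Any, Dict, List

# Constructed sample in the shape of ec2.describe_addresses()["Addresses"];
# the IDs and addresses are made up for this example.
SAMPLE_ADDRESSES: List[Dict[str, Any]] = [
    {"PublicIp": "203.0.113.10", "AllocationId": "eipalloc-0aaa", "Domain": "vpc",
     "InstanceId": "i-0aaa", "AssociationId": "eipassoc-0aaa"},
    {"PublicIp": "203.0.113.11", "AllocationId": "eipalloc-0bbb", "Domain": "vpc",
     "NetworkInterfaceId": "eni-0bbb", "AssociationId": "eipassoc-0bbb"},
    {"PublicIp": "203.0.113.12", "AllocationId": "eipalloc-0ccc", "Domain": "vpc"},
    {"PublicIp": "203.0.113.13", "AllocationId": "eipalloc-0ddd", "Domain": "vpc",
     "Tags": [{"Key": "Name", "Value": "partner-allowlisted"}]},
]


def is_attached(address: Dict[str, Any]) -> bool:
    """EIP_ATTACHED treats an address as compliant when it is associated with
    an EC2 instance or an in-use network interface."""
    return bool(address.get("AssociationId") or address.get("InstanceId")
                or address.get("NetworkInterfaceId"))


def preview_release(addresses: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Return the addresses the template would hand to AWS-ReleaseElasticIP.

    The rule takes no parameters and Automatic is true, so every unattached
    EIP is released, tagged or not. The Name tag is surfaced so a reviewer can
    spot addresses that are intentionally idle (for example an IP a partner
    has allow-listed) before enabling automatic remediation."""
    release = []
    for address in addresses:
        if is_attached(address):
            continue
        tags = {t["Key"]: t["Value"] for t in address.get("Tags", [])}
        release.append({"AllocationId": address.get("AllocationId", ""),
                        "PublicIp": address["PublicIp"],
                        "Name": tags.get("Name", "")})
    return release


def preview_from_client(ec2_client: Any) -> List[Dict[str, str]]:
    """Same preview against a live boto3 EC2 client; DescribeAddresses
    returns the whole list in one call, so no paginator is needed."""
    return preview_release(ec2_client.describe_addresses()["Addresses"])


if __name__ == "__main__":
    for item in preview_release(SAMPLE_ADDRESSES):
        print(f"{item['AllocationId']} {item['PublicIp']} {item['Name']!r} would be released")
```

Run against a live account with `preview_from_client(boto3.client("ec2"))`; an EIP that shows up with a meaningful Name tag is a candidate for re-attaching or for keeping out of scope before `Automatic: true` is deployed.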
