Overview

Auto remediation configuration to configure S3 Bucket Encryption if an S3 bucket created without server side encryption. Detection uses a managed AWS Config Rule and remediation is with SSM Automation.

Configuration Templates

Items
4
Size
3.0 KB
AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
  ConfigRule:
    Type: 'AWS::Config::ConfigRule'
    Properties:
      ConfigRuleName: s3-bucket-server-side-encryption-enabled
      Description: >-
        Auto remediation configuration to configure S3 Bucket Encryption if an
        S3 bucket created without server side encryption. Detection uses a
        managed AWS Config Rule and remediation is with SSM Automation.
      Scope:
        ComplianceResourceTypes:
          - 'AWS::S3::Bucket'
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED
  AuoRemediationEventRule:
    Type: 'AWS::Events::Rule'
    Properties:
      Name: auto-remediate-s3-bucket-server-side-encryption-enabled
      Description: >-
        auto remediation rule for config rule:
        s3-bucket-server-side-encryption-enabled
      State: ENABLED
      EventPattern:
        detail-type:
          - Config Rules Compliance Change
        source:
          - aws.config
        detail:
          newEvaluationResult:
            complianceType:
              - NON_COMPLIANT
          configRuleARN:
            - 'Fn::GetAtt':
                - ConfigRule
                - Arn
      Targets:
        - Id: RemediationAction
          RoleArn:
            'Fn::GetAtt':
              - AutoRemediationIamRole
              - Arn
          Arn:
            'Fn::Sub': >-
              arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:automation-definition/AWS-EnableS3BucketEncryption
          InputTransformer:
            InputPathsMap:
              bucket_name: $.detail.resourceId
            InputTemplate:
              'Fn::Sub': >-
                {"BucketName":[<bucket_name>],"SSEAlgorithm":["AES256"],"AutomationAssumeRole":["${AutoRemediationIamRole.Arn}"]}
  AutoRemediationIamRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
                - events.amazonaws.com
                - ssm.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole'
      Policies:
        - PolicyName: AllowPutEncryptionConfiguration
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: AllowPutEncryptionConfiguration
                Effect: Allow
                Action: 's3:PutEncryptionConfiguration'
                Resource: 'arn:aws:s3:::*'
  AutomationPassRolePolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: passAutomationRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - 'iam:PassRole'
            Resource:
              'Fn::GetAtt':
                - AutoRemediationIamRole
                - Arn
      Roles:
        - Ref: AutoRemediationIamRole
Parameters: {}
Metadata: {}
Conditions: {}

Actions



Rule Parameters

No rule paramters
 
  
* Required field

Sources and Documentation

Configuration Source: AWS Documentation

Additional Documentation: