By Implementation

Service Control PoliciesConfig RulesAuto Remediation RulesConformance PacksAmazon GuardDutyAmazon InspectorAWS Security HubAWS Network FirewallRoute53 Resolver SecurityAmazon MacieS3 Bucket PoliciesCloudWatch Alarms and Event RulesAWS WAFAWS Secrets ManagerAWS Systems ManagerSecurity Groups & NACLsAWS KMSIAM Policies

By Service Protected

Configuration Packages

Strategy Guides

Other

Auto Remediation Rules

Enable S3 Bucket Encryption If Not Configured

Auto remediation configuration to configure S3 Bucket Encryption if an S3 bucket created without server side encryption. Detection uses a managed AWS Config Rule and remediation is with SSM Automation.

AWS Documentation
Items
4
Size
2.4 KB
AWSTemplateFormatVersion: "2010-09-09"
Description: ""
Resources:
  ConfigRule:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: "s3-bucket-server-side-encryption-enabled"
      Scope:
        ComplianceResourceTypes:
          - "AWS::S3::Bucket"
      Description: "Auto remediation configuration to configure S3 Bucket Encryption if an S3 bucket created without server side encryption. Detection uses a managed AWS Config Rule and remediation is with SSM Automation."
      Source:
        Owner: "AWS"
        SourceIdentifier: "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"
  RemediationForConfigRule:
    Type: "AWS::Config::RemediationConfiguration"
    Properties:
      Automatic: true
      ConfigRuleName:
        Ref: "ConfigRule"
      MaximumAutomaticAttempts: 5
      RetryAttemptSeconds: 60
      TargetId: "AWS-EnableS3BucketEncryption"
      TargetType: "SSM_DOCUMENT"
      TargetVersion: "1"
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - Fn::GetAtt:
                  - "AutoRemediationIamRole"
                  - "Arn"
        BucketName:
          ResourceValue:
            Value: "RESOURCE_ID"
  AutoRemediationIamRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "ec2.amazonaws.com"
                - "events.amazonaws.com"
                - "ssm.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole"
      Policies:
        - PolicyName: "AllowPutEncryptionConfiguration"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: "AllowPutEncryptionConfiguration"
                Effect: "Allow"
                Action: "s3:PutEncryptionConfiguration"
                Resource: "arn:aws:s3:::*"
  AutomationPassRolePolicy:
    Type: "AWS::IAM::Policy"
    Properties:
      PolicyName: "passAutomationRole"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Action:
              - "iam:PassRole"
            Resource:
              Fn::GetAtt:
                - "AutoRemediationIamRole"
                - "Arn"
      Roles:
        - Ref: "AutoRemediationIamRole"
Parameters: {}
Metadata: {}
Conditions: {}

Actions



Customize Template

Rule Settings


Rule Parameters

No rule paramters

Trigger Settings

Remediation Settings

  
* Required field