Overview

Auto remediation configuration to enable S3 Bucket Logging if an S3 bucket created with logging disabled. Detection uses a managed AWS Config Rule and remediation is with SSM Automation.

Configuration Templates

Items
4
Size
2.4 KB
Missing Parameters
AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
  ConfigRule:
    Type: 'AWS::Config::ConfigRule'
    Properties:
      ConfigRuleName: s3-bucket-logging-enabled
      Description: >-
        Auto remediation configuration to enable S3 Bucket Logging if an S3
        bucket created with logging disabled. Detection uses a managed AWS
        Config Rule and remediation is with SSM Automation.
      Scope:
        ComplianceResourceTypes:
          - 'AWS::S3::Bucket'
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_LOGGING_ENABLED
  RemediationForConfigRule:
    Type: 'AWS::Config::RemediationConfiguration'
    Properties:
      Automatic: true
      ConfigRuleName:
        Ref: ConfigRule
      MaximumAutomaticAttempts: 5
      RetryAttemptSeconds: 60
      TargetId: AWS-ConfigureS3BucketLogging
      TargetType: SSM_DOCUMENT
      TargetVersion: '1'
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - 'Fn::GetAtt':
                  - AutoRemediationIamRole
                  - Arn
        BucketName:
          ResourceValue:
            Value: RESOURCE_ID
  AutoRemediationIamRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
                - events.amazonaws.com
                - ssm.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole'
      Policies:
        - PolicyName: AllowPutBucketLogging
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: AllowPutBucketLogging
                Effect: Allow
                Action: 's3:PutBucketLogging'
                Resource: 'arn:aws:s3:::*'
  AutomationPassRolePolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: passAutomationRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - 'iam:PassRole'
            Resource:
              'Fn::GetAtt':
                - AutoRemediationIamRole
                - Arn
      Roles:
        - Ref: AutoRemediationIamRole
Parameters: {}
Metadata: {}
Conditions: {}

Actions



Rule Parameters

 
  
* Required field

Sources and Documentation

Configuration Source: AWS Documentation

Additional Documentation: