By Implementation

Service Control PoliciesConfig RulesAuto Remediation RulesConformance PacksAmazon GuardDutyAmazon InspectorAWS Security HubAWS Network FirewallRoute53 Resolver SecurityAmazon MacieS3 Bucket PoliciesCloudWatch Alarms and Event RulesAWS WAFAWS Secrets ManagerAWS Systems ManagerSecurity Groups & NACLsAWS KMSIAM PoliciesVPC Endpoint PoliciesAmazon ECRRDS Event Subscriptions

By Service Protected

Configuration Packages

Strategy Guides

Other

Auto Remediation Rules

Enable S3 Bucket Versioning If Not Configured

Auto remediation configuration to configure S3 Bucket Versioning if versioning is not enabled at the time of bucket creation. Detection uses a managed AWS Config Rule and remediation is with SSM Automation.

Items
4
Size
2.4 KB
AWSTemplateFormatVersion: "2010-09-09"
Description: ""
Resources:
  ConfigRule:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: "s3-bucket-versioning-enabled"
      Scope:
        ComplianceResourceTypes:
          - "AWS::S3::Bucket"
      Description: "Auto remediation configuration to configure S3 Bucket Versioning if versioning is not enabled at the time of bucket creation. Detection uses a managed AWS Config Rule and remediation is with SSM Automation."
      Source:
        Owner: "AWS"
        SourceIdentifier: "S3_BUCKET_VERSIONING_ENABLED"
  RemediationForConfigRule:
    Type: "AWS::Config::RemediationConfiguration"
    Properties:
      Automatic: true
      ConfigRuleName:
        Ref: "ConfigRule"
      MaximumAutomaticAttempts: 5
      RetryAttemptSeconds: 60
      TargetId: "AWS-ConfigureS3BucketVersioning"
      TargetType: "SSM_DOCUMENT"
      TargetVersion: "1"
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - Fn::GetAtt:
                  - "AutoRemediationIamRole"
                  - "Arn"
        BucketName:
          ResourceValue:
            Value: "RESOURCE_ID"
  AutoRemediationIamRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "ec2.amazonaws.com"
                - "events.amazonaws.com"
                - "ssm.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole"
      Policies:
        - PolicyName: "AllowPutBucketVersioning"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: "AllowPutBucketVersioning"
                Effect: "Allow"
                Action: "s3:PutBucketVersioning"
                Resource: "arn:aws:s3:::*"
  AutomationPassRolePolicy:
    Type: "AWS::IAM::Policy"
    Properties:
      PolicyName: "passAutomationRole"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Action:
              - "iam:PassRole"
            Resource:
              Fn::GetAtt:
                - "AutoRemediationIamRole"
                - "Arn"
      Roles:
        - Ref: "AutoRemediationIamRole"
Parameters: {}
Metadata: {}
Conditions: {}

Actions



Customize Template

Rule Settings


Rule Parameters


Trigger Settings

Remediation Settings

  
* Required field