Overview

Auto-remediation configuration that turns on S3 bucket versioning when a bucket is created without it. Detection uses the managed AWS Config rule S3_BUCKET_VERSIONING_ENABLED; remediation runs the SSM Automation document AWS-ConfigureS3BucketVersioning, triggered by an EventBridge rule on the NON_COMPLIANT compliance-change event.

Configuration Templates

AWSTemplateFormatVersion: '2010-09-09'
Description: 'Auto remediation for S3 bucket versioning: AWS Config rule S3_BUCKET_VERSIONING_ENABLED with remediation by SSM Automation document AWS-ConfigureS3BucketVersioning'
Resources:
  ConfigRule:
    Type: 'AWS::Config::ConfigRule'
    Properties:
      ConfigRuleName: s3-bucket-versioning-enabled
      Description: >-
        Auto remediation configuration to configure S3 Bucket Versioning if
        versioning is not enabled at the time of bucket creation. Detection uses
        a managed AWS Config Rule and remediation is with SSM Automation.
      Scope:
        ComplianceResourceTypes:
          - 'AWS::S3::Bucket'
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_VERSIONING_ENABLED
  # EventBridge rule: fires on every NON_COMPLIANT evaluation of ConfigRule and
  # starts the managed automation document with the bucket name as input.
  AutoRemediationEventRule:
    Type: 'AWS::Events::Rule'
    Properties:
      Name: auto-remediate-s3-bucket-versioning-enabled
      Description: 'auto remediation rule for config rule: s3-bucket-versioning-enabled'
      State: ENABLED
      EventPattern:
        detail-type:
          - Config Rules Compliance Change
        source:
          - aws.config
        detail:
          newEvaluationResult:
            complianceType:
              - NON_COMPLIANT
          configRuleARN:
            - 'Fn::GetAtt':
                - ConfigRule
                - Arn
      Targets:
        - Id: RemediationAction
          RoleArn:
            'Fn::GetAtt':
              - AutoRemediationIamRole
              - Arn
          Arn:
            'Fn::Sub': >-
              arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:automation-definition/AWS-ConfigureS3BucketVersioning
          InputTransformer:
            InputPathsMap:
              bucket_name: $.detail.resourceId
            InputTemplate:
              'Fn::Sub': >-
                {"BucketName":[<bucket_name>],"AutomationAssumeRole":["${AutoRemediationIamRole.Arn}"]}
  AutoRemediationIamRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                # events.amazonaws.com assumes this role to start the automation;
                # ssm.amazonaws.com assumes it as AutomationAssumeRole inside the
                # document. ec2.amazonaws.com is not part of this workflow and can
                # be removed to keep the trust policy to the two services that need it.
                - ec2.amazonaws.com
                - events.amazonaws.com
                - ssm.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole'
      Policies:
        - PolicyName: AllowPutBucketVersioning
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: AllowPutBucketVersioning
                Effect: Allow
                Action: 's3:PutBucketVersioning'
                # The rule is account-wide, so the remediation must be able to reach
                # any bucket it flags; narrow this Resource if only specific buckets
                # should ever be remediated automatically.
                Resource: 'arn:aws:s3:::*'
  AutomationPassRolePolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: passAutomationRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - 'iam:PassRole'
            Resource:
              'Fn::GetAtt':
                - AutoRemediationIamRole
                - Arn
      Roles:
        - Ref: AutoRemediationIamRole
Parameters: {}
Metadata: {}
Conditions: {}
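The chain the template wires together (Config evaluation, compliance-change event, EventBridge pattern match, InputTransformer, automation parameters) can be walked through offline. The script below is an added example, not part of the template or of any AWS library: it re-implements the documented behaviour of S3_BUCKET_VERSIONING_ENABLED in simplified form, matches a constructed compliance-change event against the template's EventPattern (with the Fn::GetAtt already resolved), and applies the InputTransformer exactly as the template specifies it. The rule ARN, account id and role ARN are placeholders, and the event payload is constructed with only the fields the pattern and transformer read.

```python
"""Offline walk-through of detection -> event -> remediation input for the
template above. Added example; makes no AWS API calls. Account id, rule ARN
and role ARN are placeholders, and the Config rule logic is a simplified
re-implementation of the managed rule's documented behaviour."""
import json

RULE_ARN = "arn:aws:config:us-east-1:111122223333:config-rule/config-rule-PLACEHOLDER"
ROLE_ARN = "arn:aws:iam::111122223333:role/AutoRemediationIamRole-PLACEHOLDER"

# The template's EventPattern with Fn::GetAtt ConfigRule.Arn resolved.
EVENT_PATTERN = {
    "detail-type": ["Config Rules Compliance Change"],
    "source": ["aws.config"],
    "detail": {
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
        "configRuleARN": [RULE_ARN],
    },
}

# The template's InputTransformer, with ${AutoRemediationIamRole.Arn} resolved.
INPUT_PATHS_MAP = {"bucket_name": "$.detail.resourceId"}
INPUT_TEMPLATE = (
    '{"BucketName":[<bucket_name>],"AutomationAssumeRole":["' + ROLE_ARN + '"]}'
)


def evaluate_versioning(status, mfa_delete="Disabled", require_mfa_delete=False):
    """Simplified S3_BUCKET_VERSIONING_ENABLED: COMPLIANT only when the bucket's
    versioning status is "Enabled" (and MFA delete is "Enabled" too when the
    rule's optional MFA-delete check is on). `status` is None for a bucket on
    which versioning was never configured, which the rule also flags."""
    if status != "Enabled":
        return "NON_COMPLIANT"
    if require_mfa_delete and mfa_delete != "Enabled":
        return "NON_COMPLIANT"
    return "COMPLIANT"


def event_matches(pattern, event):
    """EventBridge-style matching for the subset of the pattern language the
    template uses: every pattern key must exist in the event, a list leaf is a
    set of allowed literal values, and nested objects are matched recursively."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not event_matches(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True


def json_path(event, path):
    """Resolve the simple dotted '$.a.b' paths used in InputPathsMap."""
    node = event
    for part in path.removeprefix("$.").split("."):
        node = node[part]
    return node


def transform_input(event, paths_map, template):
    """Apply the InputTransformer: each <name> placeholder becomes the
    JSON-encoded value found at its path (strings gain their quotes), and the
    rendered text is the StartAutomationExecution parameter map."""
    rendered = template
    for name, path in paths_map.items():
        rendered = rendered.replace(f"<{name}>", json.dumps(json_path(event, path)))
    return json.loads(rendered)


def remediation_input_for(event):
    """Automation parameters the rule would send for this event, or None if
    the event does not match the pattern (compliant, or a different rule)."""
    if not event_matches(EVENT_PATTERN, event):
        return None
    return transform_input(event, INPUT_PATHS_MAP, INPUT_TEMPLATE)


def make_compliance_event(bucket, compliance_type, rule_arn=RULE_ARN):
    """Constructed 'Config Rules Compliance Change' event, minimal fields only."""
    return {
        "detail-type": "Config Rules Compliance Change",
        "source": "aws.config",
        "detail": {
            "resourceId": bucket,
            "resourceType": "AWS::S3::Bucket",
            "configRuleARN": rule_arn,
            "newEvaluationResult": {"complianceType": compliance_type},
        },
    }


if __name__ == "__main__":
    # Constructed sample: never-configured, suspended and enabled versioning.
    for bucket, status in [("logs-bucket", None), ("archive-bucket", "Suspended"), ("safe-bucket", "Enabled")]:
        verdict = evaluate_versioning(status)
        print(bucket, verdict, remediation_input_for(make_compliance_event(bucket, verdict)))
```

Two things the walk-through makes visible: a bucket whose versioning was later suspended is flagged and remediated just like a freshly created one, because the pattern keys on the compliance change rather than on bucket creation; and the placeholder in `[<bucket_name>]` is deliberately unquoted, since the transformer inserts the string with its quotes, so the document receives `BucketName` as a one-element list as StartAutomationExecution requires.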


Sources and Documentation

Configuration Source: AWS Documentation

Additional Documentation: