A configuration package to enable AWS Config Rule Automatic Remediation for non-compliant environment changes. Remediation is carried out using SSM Documents, and an IAM Role with the required permissions is included in the template. The following rules are available:
In addition to the above services, the following additional configuration can be enabled:
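---
# Automatic remediation for AWS Config managed rules.
#
# Each ConfigRuleN / RemediationForConfigRuleN pair evaluates one resource type and,
# when a resource is NON_COMPLIANT, runs an AWS-owned SSM Automation document against
# the offending resource (passed in as RESOURCE_ID). Every document executes as
# AutoRemediationIamRole, so that role's trust and permission policies define the
# blast radius of a mis-fired or abused remediation; keep both as narrow as the four
# documents below require.
AWSTemplateFormatVersion: "2010-09-09"
Description: "AWS Config rule automatic remediation using SSM Automation documents and a least-privilege execution role"

Resources:
  # --- Rule 1: S3 bucket default encryption -----------------------------------
  ConfigRule1:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: "s3-bucket-server-side-encryption-enabled"
      Scope:
        ComplianceResourceTypes:
          - "AWS::S3::Bucket"
      Description: "Auto remediation configuration to configure S3 Bucket Encryption if an S3 bucket created without server side encryption. Detection uses a managed AWS Config Rule and remediation is with SSM Automation."
      Source:
        Owner: "AWS"
        SourceIdentifier: "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"

  RemediationForConfigRule1:
    Type: "AWS::Config::RemediationConfiguration"
    Properties:
      Automatic: true
      ConfigRuleName:
        Ref: "ConfigRule1"
      # Bounded retries: at most 5 runs, 60 s apart, then Config stops retrying.
      MaximumAutomaticAttempts: 5
      RetryAttemptSeconds: 60
      TargetId: "AWS-EnableS3BucketEncryption"
      TargetType: "SSM_DOCUMENT"
      # Pinned document version so a later revision of the AWS-owned document
      # cannot silently change what runs in this account.
      TargetVersion: "1"
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - Fn::GetAtt:
                  - "AutoRemediationIamRole"
                  - "Arn"
        BucketName:
          ResourceValue:
            # RESOURCE_ID of an AWS::S3::Bucket is the bucket name.
            Value: "RESOURCE_ID"

  # --- Rule 2: S3 bucket versioning -------------------------------------------
  ConfigRule2:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: "s3-bucket-versioning-enabled"
      Scope:
        ComplianceResourceTypes:
          - "AWS::S3::Bucket"
      Description: "Auto remediation configuration to configure S3 Bucket Versioning if versioning is not enabled at the time of bucket creation. Detection uses a managed AWS Config Rule and remediation is with SSM Automation."
      Source:
        Owner: "AWS"
        SourceIdentifier: "S3_BUCKET_VERSIONING_ENABLED"

  RemediationForConfigRule2:
    Type: "AWS::Config::RemediationConfiguration"
    Properties:
      Automatic: true
      ConfigRuleName:
        Ref: "ConfigRule2"
      MaximumAutomaticAttempts: 5
      RetryAttemptSeconds: 60
      TargetId: "AWS-ConfigureS3BucketVersioning"
      TargetType: "SSM_DOCUMENT"
      TargetVersion: "1"
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - Fn::GetAtt:
                  - "AutoRemediationIamRole"
                  - "Arn"
        BucketName:
          ResourceValue:
            Value: "RESOURCE_ID"

  # --- Rule 4: EC2 instances with a public IP ---------------------------------
  ConfigRule4:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: "ec2-instance-no-public-ip"
      Scope:
        ComplianceResourceTypes:
          - "AWS::EC2::Instance"
      Description: "Auto remediation configuration to stop or terminate EC2 instances with public IP addresses. Detection uses a managed AWS Config Rule and remediation is with SSM Automation."
      Source:
        Owner: "AWS"
        SourceIdentifier: "EC2_INSTANCE_NO_PUBLIC_IP"

  RemediationForConfigRule4:
    Type: "AWS::Config::RemediationConfiguration"
    Properties:
      Automatic: true
      ConfigRuleName:
        Ref: "ConfigRule4"
      MaximumAutomaticAttempts: 5
      RetryAttemptSeconds: 60
      # The document pinned here only stops the instance; nothing is terminated.
      # If the instance is later started again with an auto-assigned public IP it
      # will be evaluated as non-compliant again and stopped again.
      TargetId: "AWS-StopEC2Instance"
      TargetType: "SSM_DOCUMENT"
      TargetVersion: "1"
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - Fn::GetAtt:
                  - "AutoRemediationIamRole"
                  - "Arn"
        InstanceId:
          ResourceValue:
            Value: "RESOURCE_ID"

  # --- Rule 9: unattached Elastic IPs -----------------------------------------
  ConfigRule9:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: "eip-attached"
      Scope:
        ComplianceResourceTypes:
          - "AWS::EC2::EIP"
      Description: "Auto remediation configuration to release unattached Elastic IPs. Detection uses a managed AWS Config Rule and remediation is with SSM Automation."
      Source:
        Owner: "AWS"
        SourceIdentifier: "EIP_ATTACHED"

  RemediationForConfigRule9:
    Type: "AWS::Config::RemediationConfiguration"
    Properties:
      Automatic: true
      ConfigRuleName:
        Ref: "ConfigRule9"
      MaximumAutomaticAttempts: 5
      RetryAttemptSeconds: 60
      TargetId: "AWS-ReleaseElasticIP"
      TargetType: "SSM_DOCUMENT"
      TargetVersion: "1"
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - Fn::GetAtt:
                  - "AutoRemediationIamRole"
                  - "Arn"
        AllocationId:
          ResourceValue:
            # RESOURCE_ID of an AWS::EC2::EIP is the allocation ID.
            Value: "RESOURCE_ID"

  # --- Execution role shared by all four remediations -------------------------
  AutoRemediationIamRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                # Only SSM Automation assumes this role in this template. The EC2
                # and EventBridge service principals that were previously trusted
                # are not used by any resource here and would let unrelated
                # instances or rules obtain these permissions.
                - "ssm.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      ManagedPolicyArns:
        # ${AWS::Partition} keeps the template deployable outside the commercial
        # partition (aws-us-gov, aws-cn) where a hard-coded "arn:aws:" fails.
        - Fn::Sub: "arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonSSMAutomationRole"
      Policies:
        # One inline policy per remediation action, each named after the single
        # API call it permits so audit findings map straight back to a rule.
        - PolicyName: "AllowPutEncryptionConfiguration"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: "AllowPutEncryptionConfiguration"
                Effect: "Allow"
                Action: "s3:PutEncryptionConfiguration"
                # Any bucket: the rule's scope is every AWS::S3::Bucket in the account.
                Resource:
                  Fn::Sub: "arn:${AWS::Partition}:s3:::*"
        - PolicyName: "AllowPutBucketVersioning"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: "AllowPutBucketVersioning"
                Effect: "Allow"
                Action: "s3:PutBucketVersioning"
                Resource:
                  Fn::Sub: "arn:${AWS::Partition}:s3:::*"
        - PolicyName: "ReleaseElasticIPPermissions"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: "ReleaseElasticIPPermissions"
                Effect: "Allow"
                Action: "ec2:ReleaseAddress"
                # Scoped to Elastic IP allocations in this account and region
                # instead of "*".
                Resource:
                  Fn::Sub: "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:elastic-ip/*"

  # iam:PassRole for the execution role, limited to the role itself and to SSM as
  # the only service it may be passed to.
  AutomationPassRolePolicy:
    Type: "AWS::IAM::Policy"
    Properties:
      PolicyName: "passAutomationRole"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Action:
              - "iam:PassRole"
            Resource:
              Fn::GetAtt:
                - "AutoRemediationIamRole"
                - "Arn"
            Condition:
              StringEquals:
                iam:PassedToService: "ssm.amazonaws.com"
      Roles:
        - Ref: "AutoRemediationIamRole"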