Overview

A configuration package to enable AWS Config Rule Automatic Remediation for non-compliant environment changes. Remediation is carried out using SSM Documents, and an IAM Role with the required permissions is included in the template. The following rules are available:

  • S3:
    • Enable S3 Object Versioning if disabled
    • Enable S3 Server-Side Encryption if disabled
    • Enable S3 Server Access Logging if disabled
  • EC2:
    • Stop or Terminate EC2 instances with public IPs
    • Stop or Terminate EC2 instances with unapproved type or tenancy mode
    • Stop or Terminate EC2 instances with unapproved AMIs
  • Other:
    • Automatically release Elastic IPs that are not attached to network interfaces.

In addition to the above services, the following additional configuration can be enabled:

  • AWS Config, which must be enabled before Config Rules can be added.
  • Email Notifications: Enable notifications for Config Rules compliance change events using CloudWatch Event Rules and SNS.

Configure & Deploy

Configuration Presets

    • Enables auto-remediation rules for S3 Buckets if Versioning or Encryption is not configured.
    • Enables auto-remediation rule for EC2 instances if they contain a public IP.
    • Enables auto-remediation rule for unassigned Elastic IPs.
    • Configuration to enable Config Rule notifications is not included.

    Configuration Template

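    # CloudFormation template for the "Configuration Presets" stack described above.
    AWSTemplateFormatVersion: '2010-09-09'
    # Stack description shown in the CloudFormation console; the generated
    # template left it empty.
    Description: >-
      AWS Config auto-remediation preset: S3 bucket versioning and server-side
      encryption, EC2 instances with public IPs (stopped) and unattached Elastic
      IPs (released). Remediation runs as SSM Automation under the
      AutoRemediationIamRole defined in this template.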
    Resources:
      ConfigRule1:
        # Detective control: the managed rule flags S3 buckets that have no
        # default server-side encryption. Its remediation is wired up in
        # RemediationForConfigRule1.
        Type: 'AWS::Config::ConfigRule'
        Properties:
          ConfigRuleName: s3-bucket-server-side-encryption-enabled
          Description: >-
            Auto remediation configuration to configure S3 Bucket Encryption if an
            S3 bucket created without server side encryption. Detection uses a
            managed AWS Config Rule and remediation is with SSM Automation.
          # Evaluated only for bucket resources that AWS Config records.
          Scope:
            ComplianceResourceTypes:
              - 'AWS::S3::Bucket'
          # AWS-managed rule; no custom Lambda evaluation is involved.
          Source:
            Owner: AWS
            SourceIdentifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED
      RemediationForConfigRule1:
        # Fully automatic remediation: Config invokes the AWS-EnableS3BucketEncryption
        # runbook for every bucket ConfigRule1 marks non-compliant.
        Type: 'AWS::Config::RemediationConfiguration'
        Properties:
          # true = the runbook runs without operator confirmation.
          Automatic: true
          ConfigRuleName:
            Ref: ConfigRule1
          # Up to 5 failed attempts within 60 seconds (the service defaults); after
          # that Config records a remediation exception for the resource instead
          # of retrying forever.
          MaximumAutomaticAttempts: 5
          RetryAttemptSeconds: 60
          # AWS-owned SSM Automation runbook, pinned to document version 1.
          TargetId: AWS-EnableS3BucketEncryption
          TargetType: SSM_DOCUMENT
          TargetVersion: '1'
          Parameters:
            # Role the runbook executes under; defined in this template.
            AutomationAssumeRole:
              StaticValue:
                Values:
                  - 'Fn::GetAtt':
                      - AutoRemediationIamRole
                      - Arn
            # RESOURCE_ID is substituted with the non-compliant resource's ID
            # (the bucket name) when the remediation fires.
            BucketName:
              ResourceValue:
                Value: RESOURCE_ID
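      AutoRemediationIamRole:
        # Role assumed by SSM Automation when any remediation in this template runs
        # (passed as each remediation's AutomationAssumeRole parameter).
        Type: 'AWS::IAM::Role'
        Properties:
          AssumeRolePolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Principal:
                  Service:
                    # Only the SSM Automation service assumes this role. The generated
                    # template also trusted ec2.amazonaws.com and events.amazonaws.com,
                    # which nothing in this template uses; trusting just the one
                    # caller keeps the role from being usable as an EC2 instance
                    # profile or an EventBridge target role. Re-add ec2.amazonaws.com
                    # only if a runbook is changed to launch instances under this role.
                    - ssm.amazonaws.com
                Action:
                  - 'sts:AssumeRole'
          ManagedPolicyArns:
            # AWS-managed policy with the generic Automation permissions. No inline
            # EC2 stop grant exists below, so the permission used by
            # AWS-StopEC2Instance has to come from here; the policy is broad,
            # so review its current statement list against what these four
            # runbooks actually need.
            - 'arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole'
          Policies:
            # Inline grants for the S3 and Elastic IP remediations. The S3 statements
            # cover every bucket ('arn:aws:s3:::*') because Config may flag any
            # bucket; narrow Resource if only specific buckets should ever be
            # remediated automatically.
            - PolicyName: AllowPutEncryptionConfiguration
              PolicyDocument:
                Version: '2012-10-17'
                Statement:
                  - Sid: AllowPutEncryptionConfiguration
                    Effect: Allow
                    Action: 's3:PutEncryptionConfiguration'
                    Resource: 'arn:aws:s3:::*'
            - PolicyName: AllowPutBucketVersioning
              PolicyDocument:
                Version: '2012-10-17'
                Statement:
                  - Sid: AllowPutBucketVersioning
                    Effect: Allow
                    Action: 's3:PutBucketVersioning'
                    Resource: 'arn:aws:s3:::*'
            - PolicyName: ReleaseElasticIPPermissions
              PolicyDocument:
                Version: '2012-10-17'
                Statement:
                  - Sid: ReleaseElasticIPPermissions
                    Effect: Allow
                    Action: 'ec2:ReleaseAddress'
                    # Any Elastic IP allocation in the account may be released.
                    Resource: '*'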
      AutomationPassRolePolicy:
        # Allows AutoRemediationIamRole to pass itself (iam:PassRole on its own ARN),
        # which Automation requires for the role it hands to the runbook.
        # NOTE(review): this is attached to the remediation role only — confirm that
        # the principal Config uses to start the automation does not also need it.
        Type: 'AWS::IAM::Policy'
        Properties:
          PolicyName: passAutomationRole
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 'iam:PassRole'
                # Scoped to this template's role only, not to iam:PassRole on '*'.
                Resource:
                  'Fn::GetAtt':
                    - AutoRemediationIamRole
                    - Arn
          Roles:
            - Ref: AutoRemediationIamRole
      ConfigRule2:
        # Detective control: the managed rule flags S3 buckets with versioning
        # disabled. Its remediation is wired up in RemediationForConfigRule2.
        Type: 'AWS::Config::ConfigRule'
        Properties:
          ConfigRuleName: s3-bucket-versioning-enabled
          Description: >-
            Auto remediation configuration to configure S3 Bucket Versioning if
            versioning is not enabled at the time of bucket creation. Detection uses
            a managed AWS Config Rule and remediation is with SSM Automation.
          # Evaluated only for bucket resources that AWS Config records.
          Scope:
            ComplianceResourceTypes:
              - 'AWS::S3::Bucket'
          # AWS-managed rule; no custom Lambda evaluation is involved.
          Source:
            Owner: AWS
            SourceIdentifier: S3_BUCKET_VERSIONING_ENABLED
      RemediationForConfigRule2:
        # Fully automatic remediation: Config invokes the AWS-ConfigureS3BucketVersioning
        # runbook for every bucket ConfigRule2 marks non-compliant. Note that enabling
        # versioning changes storage behaviour (old object versions are retained and
        # billed) for every affected bucket.
        Type: 'AWS::Config::RemediationConfiguration'
        Properties:
          # true = the runbook runs without operator confirmation.
          Automatic: true
          ConfigRuleName:
            Ref: ConfigRule2
          # Up to 5 failed attempts within 60 seconds (the service defaults).
          MaximumAutomaticAttempts: 5
          RetryAttemptSeconds: 60
          # AWS-owned SSM Automation runbook, pinned to document version 1.
          TargetId: AWS-ConfigureS3BucketVersioning
          TargetType: SSM_DOCUMENT
          TargetVersion: '1'
          Parameters:
            # Role the runbook executes under; defined in this template.
            AutomationAssumeRole:
              StaticValue:
                Values:
                  - 'Fn::GetAtt':
                      - AutoRemediationIamRole
                      - Arn
            # RESOURCE_ID is substituted with the non-compliant bucket name.
            BucketName:
              ResourceValue:
                Value: RESOURCE_ID
      ConfigRule4:
        # Detective control: the managed rule flags EC2 instances that have a public
        # IPv4 address. Logical IDs jump from 2 to 4 (and later to 9); presumably the
        # numbering comes from the full rule package, of which this preset enables a
        # subset — verify against the package before renaming.
        Type: 'AWS::Config::ConfigRule'
        Properties:
          ConfigRuleName: ec2-instance-no-public-ip
          Description: >-
            Auto remediation configuration to stop or terminate EC2 instances with
            public IP addresses. Detection uses a managed AWS Config Rule and
            remediation is with SSM Automation.
          # Evaluated for every instance AWS Config records; add TagKey/TagValue here
          # if only a subset of instances should ever be remediated.
          Scope:
            ComplianceResourceTypes:
              - 'AWS::EC2::Instance'
          # AWS-managed rule; no custom Lambda evaluation is involved.
          Source:
            Owner: AWS
            SourceIdentifier: EC2_INSTANCE_NO_PUBLIC_IP
      RemediationForConfigRule4:
        # Fully automatic and disruptive: every instance ConfigRule4 flags is stopped
        # (not terminated — the runbook is AWS-StopEC2Instance, despite the rule's
        # description). That includes instances that legitimately need a public IP,
        # such as bastions, NAT instances or public web nodes. Set Automatic: false
        # or narrow ConfigRule4's Scope if that is not the intent.
        Type: 'AWS::Config::RemediationConfiguration'
        Properties:
          # true = the runbook runs without operator confirmation.
          Automatic: true
          ConfigRuleName:
            Ref: ConfigRule4
          # Up to 5 failed attempts within 60 seconds (the service defaults).
          MaximumAutomaticAttempts: 5
          RetryAttemptSeconds: 60
          # AWS-owned SSM Automation runbook, pinned to document version 1.
          TargetId: AWS-StopEC2Instance
          TargetType: SSM_DOCUMENT
          TargetVersion: '1'
          Parameters:
            # Role the runbook executes under; the EC2 stop permission comes from the
            # managed policy attached to it, not from an inline statement.
            AutomationAssumeRole:
              StaticValue:
                Values:
                  - 'Fn::GetAtt':
                      - AutoRemediationIamRole
                      - Arn
            # RESOURCE_ID is substituted with the non-compliant instance ID.
            InstanceId:
              ResourceValue:
                Value: RESOURCE_ID
      ConfigRule9:
        # Detective control: the managed rule flags Elastic IPs that are not
        # associated with an instance or network interface. Its remediation is
        # wired up in RemediationForConfigRule9.
        Type: 'AWS::Config::ConfigRule'
        Properties:
          ConfigRuleName: eip-attached
          Description: >-
            Auto remediation configuration to release unattached Elastic IPs.
            Detection uses a managed AWS Config Rule and remediation is with SSM
            Automation.
          # Evaluated only for Elastic IP resources that AWS Config records.
          Scope:
            ComplianceResourceTypes:
              - 'AWS::EC2::EIP'
          # AWS-managed rule; no custom Lambda evaluation is involved.
          Source:
            Owner: AWS
            SourceIdentifier: EIP_ATTACHED
      RemediationForConfigRule9:
        # Fully automatic and irreversible: an Elastic IP that ConfigRule9 flags is
        # released back to the AWS pool, so an address allocated ahead of use (for
        # example one already published in DNS or a partner allowlist) can be lost
        # shortly after allocation. Set Automatic: false if addresses are ever
        # reserved before they are attached.
        Type: 'AWS::Config::RemediationConfiguration'
        Properties:
          # true = the runbook runs without operator confirmation.
          Automatic: true
          ConfigRuleName:
            Ref: ConfigRule9
          # Up to 5 failed attempts within 60 seconds (the service defaults).
          MaximumAutomaticAttempts: 5
          RetryAttemptSeconds: 60
          # AWS-owned SSM Automation runbook, pinned to document version 1.
          TargetId: AWS-ReleaseElasticIP
          TargetType: SSM_DOCUMENT
          TargetVersion: '1'
          Parameters:
            # Role the runbook executes under; ec2:ReleaseAddress is granted inline
            # on that role.
            AutomationAssumeRole:
              StaticValue:
                Values:
                  - 'Fn::GetAtt':
                      - AutoRemediationIamRole
                      - Arn
            # RESOURCE_ID is substituted with the non-compliant EIP's allocation ID.
            AllocationId:
              ResourceValue:
                Value: RESOURCE_ID
    # Remaining top-level sections are deliberately empty mappings; explicit {}
    # keeps them parsing as empty maps rather than null.
    Parameters: {}
    Metadata: {}
    Conditions: {}