Auto Remediation Rules: AWS Auto Remediation Rule Package

Items
Size
6.2 KB
AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
  ConfigRule1:
    Type: 'AWS::Config::ConfigRule'
    Properties:
      ConfigRuleName: s3-bucket-server-side-encryption-enabled
      Description: >-
        Auto remediation configuration to configure S3 Bucket Encryption if an
        S3 bucket created without server side encryption. Detection uses a
        managed AWS Config Rule and remediation is with SSM Automation.
      Scope:
        ComplianceResourceTypes:
          - 'AWS::S3::Bucket'
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED
  RemediationForConfigRule1:
    Type: 'AWS::Config::RemediationConfiguration'
    Properties:
      Automatic: true
      ConfigRuleName:
        Ref: ConfigRule1
      MaximumAutomaticAttempts: 5
      RetryAttemptSeconds: 60
      TargetId: AWS-EnableS3BucketEncryption
      TargetType: SSM_DOCUMENT
      TargetVersion: '1'
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - 'Fn::GetAtt':
                  - AutoRemediationIamRole
                  - Arn
        BucketName:
          ResourceValue:
            Value: RESOURCE_ID
  AutoRemediationIamRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
                - events.amazonaws.com
                - ssm.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole'
      Policies:
        - PolicyName: AllowPutEncryptionConfiguration
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: AllowPutEncryptionConfiguration
                Effect: Allow
                Action: 's3:PutEncryptionConfiguration'
                Resource: 'arn:aws:s3:::*'
        - PolicyName: AllowPutBucketVersioning
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: AllowPutBucketVersioning
                Effect: Allow
                Action: 's3:PutBucketVersioning'
                Resource: 'arn:aws:s3:::*'
        - PolicyName: ReleaseElasticIPPermissions
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: ReleaseElasticIPPermissions
                Effect: Allow
                Action: 'ec2:ReleaseAddress'
                Resource: '*'
  AutomationPassRolePolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: passAutomationRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - 'iam:PassRole'
            Resource:
              'Fn::GetAtt':
                - AutoRemediationIamRole
                - Arn
      Roles:
        - Ref: AutoRemediationIamRole
  ConfigRule2:
    Type: 'AWS::Config::ConfigRule'
    Properties:
      ConfigRuleName: s3-bucket-versioning-enabled
      Description: >-
        Auto remediation configuration to configure S3 Bucket Versioning if
        versioning is not enabled at the time of bucket creation. Detection uses
        a managed AWS Config Rule and remediation is with SSM Automation.
      Scope:
        ComplianceResourceTypes:
          - 'AWS::S3::Bucket'
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_VERSIONING_ENABLED
  RemediationForConfigRule2:
    Type: 'AWS::Config::RemediationConfiguration'
    Properties:
      Automatic: true
      ConfigRuleName:
        Ref: ConfigRule2
      MaximumAutomaticAttempts: 5
      RetryAttemptSeconds: 60
      TargetId: AWS-ConfigureS3BucketVersioning
      TargetType: SSM_DOCUMENT
      TargetVersion: '1'
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - 'Fn::GetAtt':
                  - AutoRemediationIamRole
                  - Arn
        BucketName:
          ResourceValue:
            Value: RESOURCE_ID
  ConfigRule4:
    Type: 'AWS::Config::ConfigRule'
    Properties:
      ConfigRuleName: ec2-instance-no-public-ip
      Description: >-
        Auto remediation configuration to stop or terminate EC2 instances with
        public IP addresses. Detection uses a managed AWS Config Rule and
        remediation is with SSM Automation.
      Scope:
        ComplianceResourceTypes:
          - 'AWS::EC2::Instance'
      Source:
        Owner: AWS
        SourceIdentifier: EC2_INSTANCE_NO_PUBLIC_IP
  RemediationForConfigRule4:
    Type: 'AWS::Config::RemediationConfiguration'
    Properties:
      Automatic: true
      ConfigRuleName:
        Ref: ConfigRule4
      MaximumAutomaticAttempts: 5
      RetryAttemptSeconds: 60
      TargetId: AWS-StopEC2Instance
      TargetType: SSM_DOCUMENT
      TargetVersion: '1'
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - 'Fn::GetAtt':
                  - AutoRemediationIamRole
                  - Arn
        InstanceId:
          ResourceValue:
            Value: RESOURCE_ID
  ConfigRule9:
    Type: 'AWS::Config::ConfigRule'
    Properties:
      ConfigRuleName: eip-attached
      Description: >-
        Auto remediation configuration to release unattached Elastic IPs.
        Detection uses a managed AWS Config Rule and remediation is with SSM
        Automation.
      Scope:
        ComplianceResourceTypes:
          - 'AWS::EC2::EIP'
      Source:
        Owner: AWS
        SourceIdentifier: EIP_ATTACHED
  RemediationForConfigRule9:
    Type: 'AWS::Config::RemediationConfiguration'
    Properties:
      Automatic: true
      ConfigRuleName:
        Ref: ConfigRule9
      MaximumAutomaticAttempts: 5
      RetryAttemptSeconds: 60
      TargetId: AWS-ReleaseElasticIP
      TargetType: SSM_DOCUMENT
      TargetVersion: '1'
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - 'Fn::GetAtt':
                  - AutoRemediationIamRole
                  - Arn
        AllocationId:
          ResourceValue:
            Value: RESOURCE_ID
Parameters: {}
Metadata: {}
Conditions: {}
Security Control

Configuration Packages

Service

Security Strategy Guides

Solutions, Guides & Tools

Overview

Configure & Deploy

Configuration Presets

Configuration Template

A Secure Cloud
