Auto Remediation Rules

AWS Auto Remediation Rule Package

A configuration package to enable AWS Config Rule Automatic Remediation for non-compliant environment changes. Remediation is carried out using SSM Documents, and an IAM Role with the required permissions is included in the template. The following rules are available:

  • S3:
    • Enable S3 Object Versioning if disabled
    • Enable S3 Server-Side Encryption if disabled
    • Enable S3 Server Access Logging if disabled
  • EC2:
    • Stop or Terminate EC2 instances with public IPs
    • Stop or Terminate EC2 instances with unapproved type or tenancy mode
    • Stop or Terminate EC2 instances with unapproved AMIs
  • Other:
    • Automatically release Elastic IPs that are not attached to network interfaces

In addition to the rules above, the following configuration can be enabled:

  • AWS Config: must be enabled in the account before Config Rules can be added.
  • Email Notifications: notifications for Config Rule compliance change events, delivered through CloudWatch Event Rules and SNS.


Items: 10
Size: 6.2 KB
# Package template: each managed AWS Config rule is paired with a RemediationConfiguration
# that runs an AWS-owned SSM Automation document against the non-compliant resource
# (bound via RESOURCE_ID), executing under AutoRemediationIamRole.
AWSTemplateFormatVersion: "2010-09-09"
Description: ""
Resources:
  ConfigRule1:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: "s3-bucket-server-side-encryption-enabled"
      Scope:
        ComplianceResourceTypes:
          - "AWS::S3::Bucket"
      Description: "Auto remediation configuration to configure S3 Bucket Encryption if an S3 bucket created without server side encryption. Detection uses a managed AWS Config Rule and remediation is with SSM Automation."
      Source:
        Owner: "AWS"
        SourceIdentifier: "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"
  RemediationForConfigRule1:
    Type: "AWS::Config::RemediationConfiguration"
    Properties:
      Automatic: true
      ConfigRuleName:
        Ref: "ConfigRule1"
      MaximumAutomaticAttempts: 5
      RetryAttemptSeconds: 60
      TargetId: "AWS-EnableS3BucketEncryption"
      TargetType: "SSM_DOCUMENT"
      TargetVersion: "1"
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - Fn::GetAtt:
                  - "AutoRemediationIamRole"
                  - "Arn"
        BucketName:
          ResourceValue:
            Value: "RESOURCE_ID"
  AutoRemediationIamRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              # SSM Automation assumes this role as ssm.amazonaws.com; the ec2 and
              # events principals are not required by the remediations in this template.
              Service:
                - "ec2.amazonaws.com"
                - "events.amazonaws.com"
                - "ssm.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole"
      Policies:
        - PolicyName: "AllowPutEncryptionConfiguration"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: "AllowPutEncryptionConfiguration"
                Effect: "Allow"
                Action: "s3:PutEncryptionConfiguration"
                Resource: "arn:aws:s3:::*"
        - PolicyName: "AllowPutBucketVersioning"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: "AllowPutBucketVersioning"
                Effect: "Allow"
                Action: "s3:PutBucketVersioning"
                Resource: "arn:aws:s3:::*"
        - PolicyName: "ReleaseElasticIPPermissions"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: "ReleaseElasticIPPermissions"
                Effect: "Allow"
                Action: "ec2:ReleaseAddress"
                Resource: "*"
  AutomationPassRolePolicy:
    Type: "AWS::IAM::Policy"
    Properties:
      PolicyName: "passAutomationRole"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Action:
              - "iam:PassRole"
            Resource:
              Fn::GetAtt:
                - "AutoRemediationIamRole"
                - "Arn"
      Roles:
        - Ref: "AutoRemediationIamRole"
  ConfigRule2:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: "s3-bucket-versioning-enabled"
      Scope:
        ComplianceResourceTypes:
          - "AWS::S3::Bucket"
      Description: "Auto remediation configuration to configure S3 Bucket Versioning if versioning is not enabled at the time of bucket creation. Detection uses a managed AWS Config Rule and remediation is with SSM Automation."
      Source:
        Owner: "AWS"
        SourceIdentifier: "S3_BUCKET_VERSIONING_ENABLED"
  RemediationForConfigRule2:
    Type: "AWS::Config::RemediationConfiguration"
    Properties:
      Automatic: true
      ConfigRuleName:
        Ref: "ConfigRule2"
      MaximumAutomaticAttempts: 5
      RetryAttemptSeconds: 60
      TargetId: "AWS-ConfigureS3BucketVersioning"
      TargetType: "SSM_DOCUMENT"
      TargetVersion: "1"
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - Fn::GetAtt:
                  - "AutoRemediationIamRole"
                  - "Arn"
        BucketName:
          ResourceValue:
            Value: "RESOURCE_ID"
  ConfigRule4:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: "ec2-instance-no-public-ip"
      Scope:
        ComplianceResourceTypes:
          - "AWS::EC2::Instance"
      Description: "Auto remediation configuration to stop or terminate EC2 instances with public IP addresses. Detection uses a managed AWS Config Rule and remediation is with SSM Automation."
      Source:
        Owner: "AWS"
        SourceIdentifier: "EC2_INSTANCE_NO_PUBLIC_IP"
  RemediationForConfigRule4:
    Type: "AWS::Config::RemediationConfiguration"
    Properties:
      Automatic: true
      ConfigRuleName:
        Ref: "ConfigRule4"
      MaximumAutomaticAttempts: 5
      RetryAttemptSeconds: 60
      TargetId: "AWS-StopEC2Instance"
      TargetType: "SSM_DOCUMENT"
      TargetVersion: "1"
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - Fn::GetAtt:
                  - "AutoRemediationIamRole"
                  - "Arn"
        InstanceId:
          ResourceValue:
            Value: "RESOURCE_ID"
  ConfigRule9:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: "eip-attached"
      Scope:
        ComplianceResourceTypes:
          - "AWS::EC2::EIP"
      Description: "Auto remediation configuration to release unattached Elastic IPs. Detection uses a managed AWS Config Rule and remediation is with SSM Automation."
      Source:
        Owner: "AWS"
        SourceIdentifier: "EIP_ATTACHED"
  RemediationForConfigRule9:
    Type: "AWS::Config::RemediationConfiguration"
    Properties:
      Automatic: true
      ConfigRuleName:
        Ref: "ConfigRule9"
      MaximumAutomaticAttempts: 5
      RetryAttemptSeconds: 60
      TargetId: "AWS-ReleaseElasticIP"
      TargetType: "SSM_DOCUMENT"
      TargetVersion: "1"
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - Fn::GetAtt:
                  - "AutoRemediationIamRole"
                  - "Arn"
        AllocationId:
          ResourceValue:
            Value: "RESOURCE_ID"
Parameters: {}
Metadata: {}
Conditions: {}
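The template above wires three things together for every rule: a ConfigRule, a RemediationConfiguration that names an SSM document and binds the non-compliant resource id, and an IAM role that SSM Automation assumes. A mismatch in any of them (a parameter name the document does not expect, a role the SSM service cannot assume, a document whose API call the role is never granted) produces a remediation that is enabled but silently fails after MaximumAutomaticAttempts. The following linter is an added example, not part of the package or its template; it runs offline on a template in dict form (what yaml.safe_load returns for the long-form Fn::GetAtt syntax used above). The DOCUMENT_REQUIREMENTS table mapping each SSM document to its resource parameter and required action is an assumption of the example, taken from the inline policies on this page, and the SAMPLE_TEMPLATE is a constructed cut-down copy with one deliberate gap.

```python
"""Static checks for AWS Config auto-remediation templates (added example, not the
package's own code). Walks a CloudFormation template in dict form and reports wiring gaps."""

# Assumed table: for each SSM Automation document the package uses, the parameter that
# must carry the non-compliant resource id, and the API action the automation role needs.
DOCUMENT_REQUIREMENTS = {
    "AWS-EnableS3BucketEncryption": ("BucketName", "s3:PutEncryptionConfiguration"),
    "AWS-ConfigureS3BucketVersioning": ("BucketName", "s3:PutBucketVersioning"),
    "AWS-StopEC2Instance": ("InstanceId", "ec2:StopInstances"),
    "AWS-ReleaseElasticIP": ("AllocationId", "ec2:ReleaseAddress"),
}
SSM_PRINCIPAL = "ssm.amazonaws.com"  # principal SSM Automation assumes the role as


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _logical_id(value):
    # Logical id behind {"Ref": X} or {"Fn::GetAtt": [X, "Arn"]}, else None.
    if isinstance(value, dict):
        if "Ref" in value:
            return value["Ref"]
        if "Fn::GetAtt" in value:
            return value["Fn::GetAtt"][0]
    return None


def _inline_actions(role):
    # Actions allowed by inline policies; managed policies are not expanded here.
    actions = set()
    for policy in role["Properties"].get("Policies", []):
        for stmt in policy["PolicyDocument"]["Statement"]:
            if stmt.get("Effect") == "Allow":
                actions.update(_as_list(stmt["Action"]))
    return actions


def _trusted_services(role):
    services = set()
    for stmt in role["Properties"]["AssumeRolePolicyDocument"]["Statement"]:
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            services.update(_as_list(principal.get("Service", [])))
    return services


def lint_remediations(template):
    """Return (remediation logical id, severity, message) findings."""
    resources = template["Resources"]
    findings = []
    for rid, res in resources.items():
        if res["Type"] != "AWS::Config::RemediationConfiguration":
            continue
        props = res["Properties"]
        rule = resources.get(_logical_id(props.get("ConfigRuleName")))
        if not rule or rule["Type"] != "AWS::Config::ConfigRule":
            findings.append((rid, "ERROR", "ConfigRuleName does not Ref a ConfigRule in this template"))
        doc = props.get("TargetId")
        if doc not in DOCUMENT_REQUIREMENTS:
            findings.append((rid, "WARN", f"unknown SSM document {doc}; not checked"))
            continue
        resource_param, needed = DOCUMENT_REQUIREMENTS[doc]
        params = props.get("Parameters", {})
        bound = params.get(resource_param, {}).get("ResourceValue", {}).get("Value")
        if bound != "RESOURCE_ID":
            findings.append((rid, "ERROR", f"{doc} needs {resource_param} bound to RESOURCE_ID"))
        values = params.get("AutomationAssumeRole", {}).get("StaticValue", {}).get("Values", [])
        role_id = _logical_id(values[0]) if values else None
        role = resources.get(role_id)
        if not role or role["Type"] != "AWS::IAM::Role":
            findings.append((rid, "ERROR", "AutomationAssumeRole is not an IAM role in this template"))
            continue
        trusted = _trusted_services(role)
        if SSM_PRINCIPAL not in trusted:
            findings.append((rid, "ERROR", f"{role_id} cannot be assumed by {SSM_PRINCIPAL}"))
        extra = sorted(trusted - {SSM_PRINCIPAL})
        if extra:
            findings.append((rid, "WARN", f"{role_id} also trusts {extra}; only {SSM_PRINCIPAL} is needed"))
        if needed not in _inline_actions(role):
            managed = role["Properties"].get("ManagedPolicyArns", [])
            findings.append((rid, "WARN" if managed else "ERROR", f"{role_id} has no inline grant for {needed}"
                             + (f"; relies on managed policies {managed}" if managed else "")))
    return findings


def _remediation(rule_id, doc, param):
    # Constructed RemediationConfiguration shaped like the page's template.
    return {"Type": "AWS::Config::RemediationConfiguration", "Properties": {
        "Automatic": True, "ConfigRuleName": {"Ref": rule_id}, "TargetId": doc, "TargetType": "SSM_DOCUMENT",
        "Parameters": {param: {"ResourceValue": {"Value": "RESOURCE_ID"}}, "AutomationAssumeRole": {
            "StaticValue": {"Values": [{"Fn::GetAtt": ["AutoRemediationIamRole", "Arn"]}]}}}}}


# Constructed sample: S3 pair wired as on the page; the EIP remediation's role lacks an
# ec2:ReleaseAddress grant, and the role trusts one service SSM Automation does not need.
SAMPLE_TEMPLATE = {"Resources": {
    "ConfigRule1": {"Type": "AWS::Config::ConfigRule", "Properties": {"ConfigRuleName": "s3-bucket-server-side-encryption-enabled"}},
    "ConfigRule9": {"Type": "AWS::Config::ConfigRule", "Properties": {"ConfigRuleName": "eip-attached"}},
    "RemediationForConfigRule1": _remediation("ConfigRule1", "AWS-EnableS3BucketEncryption", "BucketName"),
    "RemediationForConfigRule9": _remediation("ConfigRule9", "AWS-ReleaseElasticIP", "AllocationId"),
    "AutoRemediationIamRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"Service": ["ssm.amazonaws.com", "events.amazonaws.com"]}}]},
        "Policies": [{"PolicyName": "AllowPutEncryptionConfiguration", "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": "s3:PutEncryptionConfiguration", "Resource": "arn:aws:s3:::*"}]}}]}},
}}

if __name__ == "__main__":
    for rid, severity, message in lint_remediations(SAMPLE_TEMPLATE):
        print(f"{severity:5} {rid}: {message}")
```

On the sample it reports a WARN for the extra trusted principal on both remediations and an ERROR for the EIP remediation, whose role has no inline ec2:ReleaseAddress grant; adding the page's ReleaseElasticIPPermissions policy clears the ERROR. To run it against the real package file, load it with yaml.safe_load and pass the result to lint_remediations; the template uses the long-form `Fn::GetAtt:` and `Ref:` keys, so no CloudFormation-aware YAML loader is needed. The linter deliberately does not expand managed policies such as AmazonSSMAutomationRole, so an action only granted there (the StopInstances call behind AWS-StopEC2Instance) is reported as a WARN to be confirmed against the managed policy rather than an ERROR.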
