
AWS Auto Remediation Rule Package

A configuration package to enable AWS Config Rule Automatic Remediation for non-compliant environment changes. Remediation is carried out using SSM Documents, and an IAM Role with the required permissions is included in the template. The following rules are available:

  • S3:
    • Enable S3 Object Versioning if disabled
    • Enable S3 Server-Side Encryption if disabled
    • Enable S3 Server Access Logging if disabled
  • EC2:
    • Stop or Terminate EC2 instances with public IPs
    • Stop or Terminate EC2 instances with unapproved type or tenancy mode
    • Stop or Terminate EC2 instances with unapproved AMIs
  • Other
    • Automatically release Elastic IPs that are not attached to network interfaces.

In addition to the rules above, the following configuration can be enabled:

  • AWS Config, which must be enabled before Config Rules can be added.
  • Email Notifications: Enable notifications for Config Rules compliance change events using CloudWatch Event Rules and SNS.

# CloudFormation template: AWS Config managed rules paired with automatic
# remediation. Each RemediationConfiguration invokes an AWS-owned SSM
# Automation document and passes AutoRemediationIamRole as the role the
# automation assumes, so that one role carries every write permission
# needed by the four remediations below.
#
# NOTE(review): the package description also lists S3 server access
# logging, EC2 instance type/tenancy and AMI checks; this template defines
# only ConfigRule1, ConfigRule2, ConfigRule4 and ConfigRule9 (the resource
# names skip 3 and 5-8), so those rules are not present here — confirm
# whether they are delivered separately.
AWSTemplateFormatVersion: "2010-09-09"
# Stack description is empty; a one-line summary here makes the deployed
# stack self-describing in the console.
Description: ""
Resources:
  # Managed rule S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED, scoped to S3
  # buckets: flags buckets without default server-side encryption.
  ConfigRule1:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: "s3-bucket-server-side-encryption-enabled"
      Scope:
        ComplianceResourceTypes:
          - "AWS::S3::Bucket"
      Description: "Auto remediation configuration to configure S3 Bucket Encryption if an S3 bucket created without server side encryption. Detection uses a managed AWS Config Rule and remediation is with SSM Automation."
      Source:
        Owner: "AWS"
        SourceIdentifier: "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"
  # Remediation for ConfigRule1: runs the AWS-EnableS3BucketEncryption
  # document on the non-compliant bucket. Automatic: true means no human
  # approval step; MaximumAutomaticAttempts / RetryAttemptSeconds bound the
  # retry behaviour (see the AWS Config documentation for exact semantics).
  RemediationForConfigRule1:
    Type: "AWS::Config::RemediationConfiguration"
    Properties:
      Automatic: true
      ConfigRuleName:
        Ref: "ConfigRule1"
      MaximumAutomaticAttempts: 5
      RetryAttemptSeconds: 60
      TargetId: "AWS-EnableS3BucketEncryption"
      TargetType: "SSM_DOCUMENT"
      # Pinned to document version 1 so an upstream change to the AWS-owned
      # document does not silently alter what the remediation does.
      TargetVersion: "1"
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - Fn::GetAtt:
                  - "AutoRemediationIamRole"
                  - "Arn"
        # RESOURCE_ID is substituted by Config with the ID of the
        # non-compliant resource (for AWS::S3::Bucket, the bucket name).
        BucketName:
          ResourceValue:
            Value: "RESOURCE_ID"
  # Single role assumed by every remediation automation in this template.
  AutoRemediationIamRole:
    Type: "AWS::IAM::Role"
    Properties:
      # NOTE(review): the trust policy lets ec2.amazonaws.com and
      # events.amazonaws.com assume this role in addition to
      # ssm.amazonaws.com. Nothing in this template uses the first two
      # (the SSM Automation documents are the only consumer), so the trust
      # looks wider than needed — confirm which services actually assume
      # the role and trim the list to those.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "ec2.amazonaws.com"
                - "events.amazonaws.com"
                - "ssm.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      # AmazonSSMAutomationRole is a broad AWS managed policy. The inline
      # policies below add the S3/EIP write actions used by the
      # remediations; ec2:StopInstances for AWS-StopEC2Instance is
      # presumably covered by the managed policy — verify.
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole"
      Policies:
        # Needed by AWS-EnableS3BucketEncryption. Resource is every bucket
        # because ConfigRule1 is scoped to all buckets in the account.
        - PolicyName: "AllowPutEncryptionConfiguration"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: "AllowPutEncryptionConfiguration"
                Effect: "Allow"
                Action: "s3:PutEncryptionConfiguration"
                Resource: "arn:aws:s3:::*"
        # Needed by AWS-ConfigureS3BucketVersioning; same account-wide
        # bucket scope as above.
        - PolicyName: "AllowPutBucketVersioning"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: "AllowPutBucketVersioning"
                Effect: "Allow"
                Action: "s3:PutBucketVersioning"
                Resource: "arn:aws:s3:::*"
        # Needed by AWS-ReleaseElasticIP. Resource "*" grants release of any
        # EIP in the account, matching the account-wide scope of ConfigRule9.
        - PolicyName: "ReleaseElasticIPPermissions"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: "ReleaseElasticIPPermissions"
                Effect: "Allow"
                Action: "ec2:ReleaseAddress"
                Resource: "*"
  # Lets the role pass itself to SSM Automation as AutomationAssumeRole.
  # iam:PassRole is constrained to this role's own ARN rather than "*", so
  # the grant cannot be used to pass any other role.
  AutomationPassRolePolicy:
    Type: "AWS::IAM::Policy"
    Properties:
      PolicyName: "passAutomationRole"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Action:
              - "iam:PassRole"
            Resource:
              Fn::GetAtt:
                - "AutoRemediationIamRole"
                - "Arn"
      Roles:
        - Ref: "AutoRemediationIamRole"
  # Managed rule S3_BUCKET_VERSIONING_ENABLED, scoped to S3 buckets.
  ConfigRule2:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: "s3-bucket-versioning-enabled"
      Scope:
        ComplianceResourceTypes:
          - "AWS::S3::Bucket"
      Description: "Auto remediation configuration to configure S3 Bucket Versioning if versioning is not enabled at the time of bucket creation. Detection uses a managed AWS Config Rule and remediation is with SSM Automation."
      Source:
        Owner: "AWS"
        SourceIdentifier: "S3_BUCKET_VERSIONING_ENABLED"
  # Remediation for ConfigRule2: enables versioning on the flagged bucket
  # via AWS-ConfigureS3BucketVersioning. Same retry settings as above.
  RemediationForConfigRule2:
    Type: "AWS::Config::RemediationConfiguration"
    Properties:
      Automatic: true
      ConfigRuleName:
        Ref: "ConfigRule2"
      MaximumAutomaticAttempts: 5
      RetryAttemptSeconds: 60
      TargetId: "AWS-ConfigureS3BucketVersioning"
      TargetType: "SSM_DOCUMENT"
      TargetVersion: "1"
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - Fn::GetAtt:
                  - "AutoRemediationIamRole"
                  - "Arn"
        BucketName:
          ResourceValue:
            Value: "RESOURCE_ID"
  # Managed rule EC2_INSTANCE_NO_PUBLIC_IP, scoped to EC2 instances.
  ConfigRule4:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: "ec2-instance-no-public-ip"
      Scope:
        ComplianceResourceTypes:
          - "AWS::EC2::Instance"
      Description: "Auto remediation configuration to stop or terminate EC2 instances with public IP addresses. Detection uses a managed AWS Config Rule and remediation is with SSM Automation."
      Source:
        Owner: "AWS"
        SourceIdentifier: "EC2_INSTANCE_NO_PUBLIC_IP"
  # Remediation for ConfigRule4.
  # NOTE(review): this is service-affecting — every instance that acquires a
  # public IP is stopped automatically, with no exclusion mechanism in this
  # template. The rule description says "stop or terminate", but the target
  # document is AWS-StopEC2Instance, so instances are stopped, not
  # terminated. Confirm the blast radius is acceptable before deploying
  # with Automatic: true.
  RemediationForConfigRule4:
    Type: "AWS::Config::RemediationConfiguration"
    Properties:
      Automatic: true
      ConfigRuleName:
        Ref: "ConfigRule4"
      MaximumAutomaticAttempts: 5
      RetryAttemptSeconds: 60
      TargetId: "AWS-StopEC2Instance"
      TargetType: "SSM_DOCUMENT"
      TargetVersion: "1"
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - Fn::GetAtt:
                  - "AutoRemediationIamRole"
                  - "Arn"
        # RESOURCE_ID here is the instance ID of the flagged instance.
        InstanceId:
          ResourceValue:
            Value: "RESOURCE_ID"
  # Managed rule EIP_ATTACHED, scoped to Elastic IPs: flags EIPs that are
  # not associated with a network interface.
  ConfigRule9:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: "eip-attached"
      Scope:
        ComplianceResourceTypes:
          - "AWS::EC2::EIP"
      Description: "Auto remediation configuration to release unattached Elastic IPs. Detection uses a managed AWS Config Rule and remediation is with SSM Automation."
      Source:
        Owner: "AWS"
        SourceIdentifier: "EIP_ATTACHED"
  # Remediation for ConfigRule9.
  # NOTE(review): releasing an address is destructive — an EIP that is
  # intentionally held unattached (reserved for a later attachment, or an
  # address allow-listed by a third party) is released and may not be
  # recoverable. Confirm this matches the operating model, or add an
  # exclusion before enabling Automatic: true.
  RemediationForConfigRule9:
    Type: "AWS::Config::RemediationConfiguration"
    Properties:
      Automatic: true
      ConfigRuleName:
        Ref: "ConfigRule9"
      MaximumAutomaticAttempts: 5
      RetryAttemptSeconds: 60
      TargetId: "AWS-ReleaseElasticIP"
      TargetType: "SSM_DOCUMENT"
      TargetVersion: "1"
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - Fn::GetAtt:
                  - "AutoRemediationIamRole"
                  - "Arn"
        # RESOURCE_ID here is expected to be the EIP allocation ID — verify
        # against the Config resource ID for AWS::EC2::EIP.
        AllocationId:
          ResourceValue:
            Value: "RESOURCE_ID"
# No parameters, metadata or conditions: the template has no tunables, so
# role names, retry counts and document versions can only be changed by
# editing the template itself.
Parameters: {}
Metadata: {}
Conditions: {}
