Upcoming Features
No Items in Stack
Browse
Browse

Security Control

Config Rules
Auto Remediation
Amazon GuardDuty
Amazon Inspector
Security Hub
Billing and Cost
S3 Bucket Policies
CloudWatch Alarms & Rules
Logging & Monitoring
Service Control Policies
AWS Systems Manager
Security Groups & NACLs
KMS
IAM Policies

Configuration Packages

Custom VPC Template
Enable Logging Services
Threat Detection
Monitoring & Compliance
Auto Remediation Rules
EC2 Patch Management
Common SCPs Package
CIS AWS Benchmark

Service

VPC
S3
EC2
IAM
CloudFormation
Lambda
EMR
DynamoDB
RDS

Security Strategy Guides

EC2 Security Strategy
S3 Security Strategy

Solutions, Guides & Tools

Security Solutions
Security Tools
Close
     
Auto Remediation Rules

AWS Auto Remediation Rule Package

Overview

A configuration package to enable AWS Config Rule Automatic Remediation for non-compliant environment changes. Remediation is carried out using SSM Documents, and an IAM Role with the required permissions is included in the template. The following rules are available:

  • S3:
    • Enable S3 Object Versioning if disabled
    • Enable S3 Server-Side Encryption if disabled
    • Enable S3 Server Access Logging if disabled
  • EC2  
    • Stop or Terminate EC2 instances with public IPs
    • Stop or Terminate EC2 instances with unapproved type or tenancy mode
    • Stop or Terminate EC2 instances with unapproved AMIs
  • Other
    • Automatically release Elastic IPs that are not attached to network interfaces.

In addition to the above services, the following additional configuration can be enabled:

  • AWS Config which must be enabled to add Config Rules.
  • Email Notifications: Enable notifications for Config Rules compliance change events using CloudWatch Event Rules and SNS.

Configure & Deploy

Configuration Presets

    • Enables auto-remediation rules for S3 Buckets if Versioning or Encryption are not configured.
    • Enables auto-remediation rule for EC2 instances if they contain a public IP.
    • Enables auto-remediation rule for unassigned Elastic IPs
    • Configuration to enable Config rule notifications is not included

    Configuration Template

    EDIT
    EDIT
    EDIT
    EDIT
    EDIT
    EDIT
    EDIT
    EDIT
    EDIT
    EDIT
    EDIT
    EDIT
    Items
    10
    Size
    6.2 KB
    AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
  ConfigRule1:
    Type: 'AWS::Config::ConfigRule'
    Properties:
      ConfigRuleName: s3-bucket-server-side-encryption-enabled
      Description: >-
        Auto remediation configuration to configure S3 Bucket Encryption if an
        S3 bucket created without server side encryption. Detection uses a
        managed AWS Config Rule and remediation is with SSM Automation.
      Scope:
        ComplianceResourceTypes:
          - 'AWS::S3::Bucket'
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED
  RemediationForConfigRule1:
    Type: 'AWS::Config::RemediationConfiguration'
    Properties:
      Automatic: true
      ConfigRuleName:
        Ref: ConfigRule1
      MaximumAutomaticAttempts: 5
      RetryAttemptSeconds: 60
      TargetId: AWS-EnableS3BucketEncryption
      TargetType: SSM_DOCUMENT
      TargetVersion: '1'
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - 'Fn::GetAtt':
                  - AutoRemediationIamRole
                  - Arn
        BucketName:
          ResourceValue:
            Value: RESOURCE_ID
  AutoRemediationIamRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
                - events.amazonaws.com
                - ssm.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole'
      Policies:
        - PolicyName: AllowPutEncryptionConfiguration
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: AllowPutEncryptionConfiguration
                Effect: Allow
                Action: 's3:PutEncryptionConfiguration'
                Resource: 'arn:aws:s3:::*'
        - PolicyName: AllowPutBucketVersioning
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: AllowPutBucketVersioning
                Effect: Allow
                Action: 's3:PutBucketVersioning'
                Resource: 'arn:aws:s3:::*'
        - PolicyName: ReleaseElasticIPPermissions
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: ReleaseElasticIPPermissions
                Effect: Allow
                Action: 'ec2:ReleaseAddress'
                Resource: '*'
  AutomationPassRolePolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: passAutomationRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - 'iam:PassRole'
            Resource:
              'Fn::GetAtt':
                - AutoRemediationIamRole
                - Arn
      Roles:
        - Ref: AutoRemediationIamRole
  ConfigRule2:
    Type: 'AWS::Config::ConfigRule'
    Properties:
      ConfigRuleName: s3-bucket-versioning-enabled
      Description: >-
        Auto remediation configuration to configure S3 Bucket Versioning if
        versioning is not enabled at the time of bucket creation. Detection uses
        a managed AWS Config Rule and remediation is with SSM Automation.
      Scope:
        ComplianceResourceTypes:
          - 'AWS::S3::Bucket'
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_VERSIONING_ENABLED
  RemediationForConfigRule2:
    Type: 'AWS::Config::RemediationConfiguration'
    Properties:
      Automatic: true
      ConfigRuleName:
        Ref: ConfigRule2
      MaximumAutomaticAttempts: 5
      RetryAttemptSeconds: 60
      TargetId: AWS-ConfigureS3BucketVersioning
      TargetType: SSM_DOCUMENT
      TargetVersion: '1'
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - 'Fn::GetAtt':
                  - AutoRemediationIamRole
                  - Arn
        BucketName:
          ResourceValue:
            Value: RESOURCE_ID
  ConfigRule4:
    Type: 'AWS::Config::ConfigRule'
    Properties:
      ConfigRuleName: ec2-instance-no-public-ip
      Description: >-
        Auto remediation configuration to stop or terminate EC2 instances with
        public IP addresses. Detection uses a managed AWS Config Rule and
        remediation is with SSM Automation.
      Scope:
        ComplianceResourceTypes:
          - 'AWS::EC2::Instance'
      Source:
        Owner: AWS
        SourceIdentifier: EC2_INSTANCE_NO_PUBLIC_IP
  RemediationForConfigRule4:
    Type: 'AWS::Config::RemediationConfiguration'
    Properties:
      Automatic: true
      ConfigRuleName:
        Ref: ConfigRule4
      MaximumAutomaticAttempts: 5
      RetryAttemptSeconds: 60
      TargetId: AWS-StopEC2Instance
      TargetType: SSM_DOCUMENT
      TargetVersion: '1'
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - 'Fn::GetAtt':
                  - AutoRemediationIamRole
                  - Arn
        InstanceId:
          ResourceValue:
            Value: RESOURCE_ID
  ConfigRule9:
    Type: 'AWS::Config::ConfigRule'
    Properties:
      ConfigRuleName: eip-attached
      Description: >-
        Auto remediation configuration to release unattached Elastic IPs.
        Detection uses a managed AWS Config Rule and remediation is with SSM
        Automation.
      Scope:
        ComplianceResourceTypes:
          - 'AWS::EC2::EIP'
      Source:
        Owner: AWS
        SourceIdentifier: EIP_ATTACHED
  RemediationForConfigRule9:
    Type: 'AWS::Config::RemediationConfiguration'
    Properties:
      Automatic: true
      ConfigRuleName:
        Ref: ConfigRule9
      MaximumAutomaticAttempts: 5
      RetryAttemptSeconds: 60
      TargetId: AWS-ReleaseElasticIP
      TargetType: SSM_DOCUMENT
      TargetVersion: '1'
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - 'Fn::GetAtt':
                  - AutoRemediationIamRole
                  - Arn
        AllocationId:
          ResourceValue:
            Value: RESOURCE_ID
Parameters: {}
Metadata: {}
Conditions: {}