
AWS Auto Remediation Rule Package

A configuration package that enables automatic remediation of non-compliant changes detected by AWS Config Rules. Remediation is carried out using SSM Documents, and an IAM Role with the required permissions is included in the template. The following rules are available:

  • S3:
    • Enable S3 Object Versioning if disabled
    • Enable S3 Server-Side Encryption if disabled
    • Enable S3 Server Access Logging if disabled
  • EC2:
    • Stop or Terminate EC2 instances with public IPs
    • Stop or Terminate EC2 instances with unapproved type or tenancy mode
    • Stop or Terminate EC2 instances with unapproved AMIs
  • Other:
    • Automatically release Elastic IPs that are not attached to network interfaces

In addition to the rules above, the following optional configuration can be enabled:

  • AWS Config, which must be enabled before Config Rules can be added.
  • Email Notifications: Enable notifications for Config Rules compliance change events using CloudWatch Event Rules and SNS.

# CloudFormation template pairing AWS-managed Config rules with automatic
# remediation through SSM Automation documents, plus the IAM role those
# automations assume. Every RemediationConfiguration below sets
# Automatic: true, so non-compliant resources are modified with no approval
# step; rule scope and the IAM grants are therefore the main things to review.
AWSTemplateFormatVersion: "2010-09-09"
Description: ""  # empty; a one-line summary here makes stack listings self-describing
# Logical IDs are not contiguous (1, 2, 4, 9): the other rules listed in the
# package description (S3 access logging, instance type/tenancy, approved AMIs)
# are not part of this template, so no permissions for them are granted below.
Resources:
  # Detect: S3 buckets without default server-side encryption
  # (AWS-managed rule S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED).
  ConfigRule1:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: "s3-bucket-server-side-encryption-enabled"
      Scope:
        ComplianceResourceTypes:
          - "AWS::S3::Bucket"
      Description: "Auto remediation configuration to configure S3 Bucket Encryption if an S3 bucket created without server side encryption. Detection uses a managed AWS Config Rule and remediation is with SSM Automation."
      Source:
        Owner: "AWS"
        SourceIdentifier: "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"
  # Remediate: run the AWS-managed automation AWS-EnableS3BucketEncryption
  # (document version pinned to "1") against the non-compliant bucket.
  RemediationForConfigRule1:
    Type: "AWS::Config::RemediationConfiguration"
    Properties:
      Automatic: true  # no manual approval; Config starts the automation itself
      ConfigRuleName:
        Ref: "ConfigRule1"
      # Up to 5 automatic attempts within the RetryAttemptSeconds window before
      # Config stops retrying (see the AWS Config docs for the exact semantics).
      MaximumAutomaticAttempts: 5
      RetryAttemptSeconds: 60
      TargetId: "AWS-EnableS3BucketEncryption"
      TargetType: "SSM_DOCUMENT"
      TargetVersion: "1"  # quoted on purpose: a document version is a string, not an int
      Parameters:
        # The automation runs with the permissions of AutoRemediationIamRole;
        # its ARN is passed as the document's AutomationAssumeRole input.
        AutomationAssumeRole:
          StaticValue:
            Values:
              - Fn::GetAtt:
                  - "AutoRemediationIamRole"
                  - "Arn"
        # RESOURCE_ID is resolved by AWS Config to the identifier of the
        # resource that failed evaluation (here, the bucket name).
        BucketName:
          ResourceValue:
            Value: "RESOURCE_ID"
  # Execution role assumed by the SSM Automation runs in this template.
  AutoRemediationIamRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              # NOTE(review): only ssm.amazonaws.com is used by the automations
              # in this template; nothing here attaches the role to an EC2
              # instance profile or an Events rule. Unless the wider package
              # (e.g. its notification option) relies on the other two
              # principals, trimming the trust policy to SSM would follow least
              # privilege - confirm before removing them.
              Service:
                - "ec2.amazonaws.com"
                - "events.amazonaws.com"
                - "ssm.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      ManagedPolicyArns:
        # AWS-managed policy with broad Automation permissions. The inline
        # policies below add only the S3 and EIP actions, so the EC2 stop used
        # by RemediationForConfigRule4 presumably comes from this policy -
        # verify against its current policy document.
        - "arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole"
      Policies:
        # Covers the bucket-encryption call made by AWS-EnableS3BucketEncryption.
        # Scoped to every bucket because the Config rule targets all
        # AWS::S3::Bucket resources in the account/region.
        - PolicyName: "AllowPutEncryptionConfiguration"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: "AllowPutEncryptionConfiguration"
                Effect: "Allow"
                Action: "s3:PutEncryptionConfiguration"
                Resource: "arn:aws:s3:::*"
        # Covers the versioning call made by AWS-ConfigureS3BucketVersioning.
        - PolicyName: "AllowPutBucketVersioning"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: "AllowPutBucketVersioning"
                Effect: "Allow"
                Action: "s3:PutBucketVersioning"
                Resource: "arn:aws:s3:::*"
        # Covers AWS-ReleaseElasticIP. Resource is "*"; check whether the
        # action supports resource-level ARNs or condition keys in your
        # account so the grant can be narrowed.
        - PolicyName: "ReleaseElasticIPPermissions"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: "ReleaseElasticIPPermissions"
                Effect: "Allow"
                Action: "ec2:ReleaseAddress"
                Resource: "*"
  # Lets the role pass its own ARN as AutomationAssumeRole when an automation
  # starts. The Resource is pinned to this one role rather than "*", and the
  # policy is attached back to the same role (Roles below), so the PassRole
  # grant is self-contained.
  AutomationPassRolePolicy:
    Type: "AWS::IAM::Policy"
    Properties:
      PolicyName: "passAutomationRole"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Action:
              - "iam:PassRole"
            Resource:
              Fn::GetAtt:
                - "AutoRemediationIamRole"
                - "Arn"
      Roles:
        - Ref: "AutoRemediationIamRole"
  # Detect: S3 buckets without versioning (AWS-managed rule
  # S3_BUCKET_VERSIONING_ENABLED).
  ConfigRule2:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: "s3-bucket-versioning-enabled"
      Scope:
        ComplianceResourceTypes:
          - "AWS::S3::Bucket"
      Description: "Auto remediation configuration to configure S3 Bucket Versioning if versioning is not enabled at the time of bucket creation. Detection uses a managed AWS Config Rule and remediation is with SSM Automation."
      Source:
        Owner: "AWS"
        SourceIdentifier: "S3_BUCKET_VERSIONING_ENABLED"
  # Remediate: AWS-ConfigureS3BucketVersioning on the non-compliant bucket;
  # same role, retry settings and RESOURCE_ID mapping as ConfigRule1.
  RemediationForConfigRule2:
    Type: "AWS::Config::RemediationConfiguration"
    Properties:
      Automatic: true
      ConfigRuleName:
        Ref: "ConfigRule2"
      MaximumAutomaticAttempts: 5
      RetryAttemptSeconds: 60
      TargetId: "AWS-ConfigureS3BucketVersioning"
      TargetType: "SSM_DOCUMENT"
      TargetVersion: "1"
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - Fn::GetAtt:
                  - "AutoRemediationIamRole"
                  - "Arn"
        BucketName:
          ResourceValue:
            Value: "RESOURCE_ID"
  # Detect: EC2 instances with a public IP (AWS-managed rule
  # EC2_INSTANCE_NO_PUBLIC_IP). Scope is every AWS::EC2::Instance - there is
  # no tag filter - so intentionally public instances (bastions, public web
  # tier) are flagged and remediated too.
  ConfigRule4:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: "ec2-instance-no-public-ip"
      Scope:
        ComplianceResourceTypes:
          - "AWS::EC2::Instance"
      Description: "Auto remediation configuration to stop or terminate EC2 instances with public IP addresses. Detection uses a managed AWS Config Rule and remediation is with SSM Automation."
      Source:
        Owner: "AWS"
        SourceIdentifier: "EC2_INSTANCE_NO_PUBLIC_IP"
  # Remediate: AWS-StopEC2Instance stops the instance; it does not terminate
  # it, despite the rule description above saying "stop or terminate". An
  # instance restarted with its public IP presumably gets stopped again on
  # the next evaluation - confirm against the rule's trigger type.
  RemediationForConfigRule4:
    Type: "AWS::Config::RemediationConfiguration"
    Properties:
      Automatic: true
      ConfigRuleName:
        Ref: "ConfigRule4"
      MaximumAutomaticAttempts: 5
      RetryAttemptSeconds: 60
      TargetId: "AWS-StopEC2Instance"
      TargetType: "SSM_DOCUMENT"
      TargetVersion: "1"
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - Fn::GetAtt:
                  - "AutoRemediationIamRole"
                  - "Arn"
        InstanceId:  # RESOURCE_ID resolves to the instance ID for this resource type
          ResourceValue:
            Value: "RESOURCE_ID"
  # Detect: Elastic IPs not attached to an instance or network interface
  # (AWS-managed rule EIP_ATTACHED).
  ConfigRule9:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: "eip-attached"
      Scope:
        ComplianceResourceTypes:
          - "AWS::EC2::EIP"
      Description: "Auto remediation configuration to release unattached Elastic IPs. Detection uses a managed AWS Config Rule and remediation is with SSM Automation."
      Source:
        Owner: "AWS"
        SourceIdentifier: "EIP_ATTACHED"
  # Remediate: AWS-ReleaseElasticIP releases the allocation. This is
  # destructive - the address returns to the public pool - so an EIP reserved
  # ahead of time for a future instance will be lost.
  RemediationForConfigRule9:
    Type: "AWS::Config::RemediationConfiguration"
    Properties:
      Automatic: true
      ConfigRuleName:
        Ref: "ConfigRule9"
      MaximumAutomaticAttempts: 5
      RetryAttemptSeconds: 60
      TargetId: "AWS-ReleaseElasticIP"
      TargetType: "SSM_DOCUMENT"
      TargetVersion: "1"
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - Fn::GetAtt:
                  - "AutoRemediationIamRole"
                  - "Arn"
        AllocationId:  # RESOURCE_ID resolves to the EIP allocation ID
          ResourceValue:
            Value: "RESOURCE_ID"
# No inputs: every value above is hard-coded, so these sections are
# intentionally empty.
Parameters: {}
Metadata: {}
Conditions: {}
