
How do I add remediation actions for AWS Config organizational rules?


I want to use remediation actions, but the AWS Config organizational rule doesn't support remediation actions.

Short description

To add remediation actions to AWS Config organizational rules, create an Amazon EventBridge rule with a custom event pattern. Then, use Automation, a capability of AWS Systems Manager, as the target. Apply this solution in each AWS account where you want remediation actions. To perform the remediation action across all member accounts in an organization, use AWS CloudFormation StackSets to deploy the EventBridge rule and the Automation resources.

Resolution

In the following example procedure, the AWS-TerminateEC2Instance runbook runs on noncompliant AWS::EC2::Instance resources that the organizational rule identifies. The runbook terminates the Amazon Elastic Compute Cloud (Amazon EC2) instance when the runbook detects noncompliance.

Note: Make sure that you have Amazon EC2 permissions to run the Automation runbook.

Complete the following steps:

  1. Confirm that you have a Systems Manager Automation role trust policy similar to the following:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "ssm.amazonaws.com"
            ]
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
  2. Open the EventBridge console.

  3. In the navigation pane, choose Rules, and then choose Create rule.

  4. In Name and description, enter a name and description for the rule.

  5. In Define pattern, choose Event pattern.

  6. In Event matching pattern, choose Custom pattern.

  7. In Event pattern, enter the following example event pattern:

    {
      "source": [
        "aws.config"
      ],
      "detail-type": [
        "Config Rules Compliance Change"
      ],
      "detail": {
        "messageType": [
          "ComplianceChangeNotification"
        ],
        "configRuleName": [
          {
            "prefix": "OrgConfigRule-TestRuleExample-"
          }
        ],
        "resourceType": [
          "AWS::EC2::Instance"
        ],
        "newEvaluationResult": {
          "complianceType": [
            "NON_COMPLIANT"
          ]
        }
      }
    }

    Note: Replace TestRuleExample with the name of the target organizational rule in your account. In the event pattern, replace AWS::EC2::Instance with the resource type that your organizational rule evaluates.

  8. Choose Save.

  9. For Target, choose SSM Automation.

  10. For Document, choose AWS-TerminateEC2Instance.

  11. Expand Configure document version, and then choose Latest.

  12. Expand Configure automation parameter(s), and then choose Input transformer.

  13. For Input Path, enter the following JSON:

    {"instanceid":"$.detail.resourceId"}

  14. For the Instance ID text box, enter the following JSON:

    {"InstanceId":[<instanceid>],"AutomationAssumeRole":["arn:aws:iam::123456789012:role/SSMRoleExample"]}

    Note: Replace the example Amazon Resource Name (ARN) with your Systems Manager role's ARN.

  15. Choose either Create a new role or Use existing role.

  16. Choose Create.

    Note: Confirm that the EventBridge rule status is Enabled.
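To check which compliance-change events the rule above fires on, and what the input transformer hands to the runbook, the following Python script is an added example (not code from the article, from AWS, or from the EventBridge service). It implements the subset of EventBridge event-pattern matching that the step 7 pattern relies on (exact-value lists, the prefix matcher, nested objects) and applies the step 13 and 14 transformer to a constructed sample event. It goes beyond the article by also showing the negative cases: a resource that returns to COMPLIANT, a different organizational rule, and a different resource type all produce no remediation. The sample event fields, the instance ID, the rule-name suffix and the account number are made up or taken from the article's placeholders; the placeholder substitution always JSON-encodes the extracted value, which is an assumption that matches the unquoted `[<instanceid>]` form used here.

```python
import copy
import json

# Event pattern from step 7 (TestRuleExample is the article's placeholder rule name).
EVENT_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "messageType": ["ComplianceChangeNotification"],
        "configRuleName": [{"prefix": "OrgConfigRule-TestRuleExample-"}],
        "resourceType": ["AWS::EC2::Instance"],
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
    },
}

# Input transformer from steps 13 and 14 (role ARN is the article's example value).
INPUT_PATHS = {"instanceid": "$.detail.resourceId"}
INPUT_TEMPLATE = (
    '{"InstanceId":[<instanceid>],'
    '"AutomationAssumeRole":["arn:aws:iam::123456789012:role/SSMRoleExample"]}'
)

# Constructed sample event shaped like a Config compliance-change notification;
# the instance ID, rule-name suffix, account and time are made up.
SAMPLE_EVENT = {
    "detail-type": "Config Rules Compliance Change",
    "source": "aws.config",
    "account": "123456789012",
    "time": "2024-01-01T00:00:00Z",
    "region": "us-east-1",
    "detail": {
        "resourceId": "i-0123456789abcdef0",
        "awsAccountId": "123456789012",
        "configRuleName": "OrgConfigRule-TestRuleExample-abcdefgh",
        "messageType": "ComplianceChangeNotification",
        "newEvaluationResult": {"complianceType": "NON_COMPLIANT"},
        "resourceType": "AWS::EC2::Instance",
    },
}


def _match_leaf(matchers, value):
    """A pattern leaf is a list of alternatives: literal values or matcher objects.
    Only "prefix" is implemented, because that is what the article's pattern uses
    (organizational rule names carry a generated suffix in each member account)."""
    for m in matchers:
        if isinstance(m, dict):
            if "prefix" in m and isinstance(value, str) and value.startswith(m["prefix"]):
                return True
        elif m == value:
            return True
    return False


def matches(pattern, event):
    """Every pattern key must exist in the event; objects recurse, lists are OR-ed.
    Event keys absent from the pattern are ignored."""
    for key, sub in pattern.items():
        if key not in event:
            return False
        if isinstance(sub, dict):
            if not isinstance(event[key], dict) or not matches(sub, event[key]):
                return False
        elif not _match_leaf(sub, event[key]):
            return False
    return True


def _json_path(event, path):
    """Resolve the dotted JSONPath form used in the input path map ("$.a.b")."""
    if not path.startswith("$."):
        raise ValueError(f"unsupported path: {path}")
    node = event
    for part in path[2:].split("."):
        node = node[part]
    return node


def transform(event):
    """Replace each <name> placeholder with the JSON encoding of the value at its
    path, so the instance ID lands as a quoted string inside the [...] list."""
    rendered = INPUT_TEMPLATE
    for name, path in INPUT_PATHS.items():
        rendered = rendered.replace(f"<{name}>", json.dumps(_json_path(event, path)))
    return json.loads(rendered)


def plan_remediation(event):
    """Automation parameters the rule would send, or None when the rule does not fire."""
    return transform(event) if matches(EVENT_PATTERN, event) else None


def variant(event, path, value):
    """Deep-copy the event and overwrite one nested field (for the negative cases)."""
    clone = copy.deepcopy(event)
    node = clone
    for part in path[:-1]:
        node = node[part]
    node[path[-1]] = value
    return clone


if __name__ == "__main__":
    print("noncompliant EC2:", plan_remediation(SAMPLE_EVENT))
    print("back to COMPLIANT:", plan_remediation(
        variant(SAMPLE_EVENT, ["detail", "newEvaluationResult", "complianceType"], "COMPLIANT")))
    print("other org rule:", plan_remediation(
        variant(SAMPLE_EVENT, ["detail", "configRuleName"], "OrgConfigRule-Other-abcdefgh")))
```

The prefix matcher is the part worth testing before deploying through StackSets: if the pattern used an exact rule name, the per-account suffix on the organizational rule name would prevent a match in every member account, and the runbook would never run.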

For more information about the AWS Config organizational rule status and to get a list of AWS Config rules, see describe-organization-config-rule-statuses and describe-organization-config-rules.

Related information

How do I set up custom email notifications when AWS Config detects new resources?

Use AWS Config rules to automatically remediate noncompliant resources

Tutorial: Use input transformers to transform events in EventBridge

AWS OFFICIAL. Updated 3 months ago
3 Comments

Does this mean we cannot configure remediation to organizational rules at the moment?

I get this error when trying to associate a remediation configuration to an organizational rule:

InsufficientPermissionsException: Calling service principals does not contain the owner of the SLCR

Is there a workaround?

replied 2 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 2 years ago

Here, are we supposed to have the roles, EventBridge rules, and SSM documents deployed to each member account?

replied 4 months ago