How do I resolve permission errors with auto remediation for the AWS Config rule s3-bucket-logging-enabled?

Short description

The AWS Config rule s3-bucket-logging-enabled uses the AWS Systems Manager Automation document AWS-ConfigureS3BucketLogging to remediate noncompliant resources. The Systems Manager service must be allowed in the Automation role trust policy using AWS Identity and Access Management (IAM), which is passed as the AutomationAssumeRole parameter. Also, the Automation role must have PutBucketLogging permissions, and the target Amazon S3 bucket must be configured to store logs.

Resolution

For a more detailed error message, run the AWS Command Line Interface (AWS CLI) command describe-remediation-execution-status. Then, follow these instructions to troubleshoot the error message. For more information, see How can I troubleshoot failed remediation executions in AWS Config?

**Important:**Before you begin, be sure that you have installed and configured the AWS CLI. If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.

"Step fails when it is Execute/Cancelling action. An error occurred (MalformedXML) when calling the PutBucketLogging operation: The XML you provided was not well-formed or did not validate against our published schema. Please refer to Automation Service Troubleshooting Guide for more diagnosis details".

To resolve this error message, see Why did the AWS Config auto remediation action for the SSM document AWS-ConfigureS3BucketLogging fail with the error "(MalformedXML)" when calling the PutBucketLogging API?

"Step fails when it is Execute/Cancelling action. An error occurred (AccessDenied) when calling the PutBucketLogging operation: Access Denied. Please refer to Automation Service Troubleshooting Guide for more diagnosis details."

This error occurs because the AutomationAssumeRole role doesn't have permissions to call the PutBucketLogging API on the noncompliant S3 buckets. You can use the following example policy to allow the role to call the PutBucketLogging API:

{
    "Version": "2012-10-17",
    "Statement": [
            {
            "Effect": "Allow",
            "Action": "s3:PutBucketLogging",
            "Resource": [
                            "arn:aws:s3:::<BUCKET_NAME_1>",
                            "arn:aws:s3:::<BUCKET_NAME_2>",
                            "arn:aws:s3:::<BUCKET_NAME_3>"
                         ]
             }
           ]
}

Note: If you require that remediation happens on all the buckets in an AWS Region, limit the role's permission to a specific Region using the condition key aws:RequestedRegion.

"Invalid execution parameters sent to Systems Automation. The defined assume role is unable to be assumed."

This error occurs because the IAM AutomationAssumeRole role can't be assumed by the Systems Manager Automation service. Use the following example policy to allow Systems Manager to assume the IAM role:

{
  "Version": "2012-10-17",
  "Statement": [
  {
      "Effect": "Allow",
      "Principal": {
      "Service": "ssm.amazonaws.com"
  },
   "Action": "sts:AssumeRole"
  }
 ]
}

Related information

Remediating noncompliant AWS resources by AWS Config rules

Amazon S3 bucket compliance using AWS Config Auto Remediation feature