Manual remediation config works, automatic remediation config fails


SOLVED! There was a syntax problem in the runbook that is not detected when remediating manually. In the content of the remediation document (created using CloudFormation), I used this parameter declaration:

    parameters:
      InstanceID:
        type: 'AWS::EC2::Instance::Id'

It should be:

    parameters:
      InstanceID:
        type: String

=====================================================================================

I have a remediation runbook that creates CloudWatch alarms for the metric 'CPUUtilization' for any EC2 instances that have none defined. The runbook is configured as a remediation document for a Config rule that checks for the absence of such alarms. When I configure the remediation on the rule as manual, all goes well. When I configure the remediation with the exact same runbook as automatic, the remediation fails with this error (snippet):

    "StepDetails": [
        {
            "Name": "Initialization",
            "State": "FAILED",
            "ErrorMessage": "Invalid Automation document content for Create-CloudWatch-Alarm-EC2-CPUUtilization",
            "StartTime": "2022-05-09T17:30:02.361000+02:00",
            "StopTime": "2022-05-09T17:30:02.361000+02:00"
        }
    ],

This is the remediation configuration for the automatic remediation. The only difference from the manual remediation configuration is obviously the value for the key "Automatic" being "false".

    {
        "RemediationConfigurations": [
            {
                "ConfigRuleName": "rul-ensure-cloudwatch-alarm-ec2-cpuutilization-exists",
                "TargetType": "SSM_DOCUMENT",
                "TargetId": "Create-CloudWatch-Alarm-EC2-CPUUtilization",
                "TargetVersion": "$DEFAULT",
                "Parameters": {
                    "AutomationAssumeRole": {
                        "StaticValue": {
                            "Values": [
                                "arn:aws:iam::123456789012:role/rol_ssm_full_access_to_cloudwatch"
                            ]
                        }
                    },
                    "ComparisonOperator": {
                        "StaticValue": {
                            "Values": [
                                "GreaterThanThreshold"
                            ]
                        }
                    },
                    "InstanceID": {
                        "ResourceValue": {
                            "Value": "RESOURCE_ID"
                        }
                    },
                    "Period": {
                        "StaticValue": {
                            "Values": [
                                "300"
                            ]
                        }
                    },
                    "Statistic": {
                        "StaticValue": {
                            "Values": [
                                "Average"
                            ]
                        }
                    },
                    "Threshold": {
                        "StaticValue": {
                            "Values": [
                                "10"
                            ]
                        }
                    }
                },
                "Automatic": true,
                "MaximumAutomaticAttempts": 5,
                "RetryAttemptSeconds": 60,
                "Arn": "arn:aws:config:eu-west-2:123456789012:remediation-configuration/rul-ensure-cloudwatch-alarm-ec2-cpuutilization-exists/5e3a81a7-fc55-4cbe-ad75-6b27be8da79a"
            }
        ]
    }

The error message is rather cryptic, I can't find documentation on possible root causes. Any suggestions would be very welcome! Thanks!

Asked 2 years ago, 466 views
1 Answer
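The root cause in the SOLVED update (a CloudFormation-only parameter type inside an SSM Automation document, which only the automatic path rejects) can be caught before the remediation configuration is deployed. The script below is an added example, not code from the question or from AWS: it lints a runbook's parameter types against the types SSM Automation accepts and cross-checks them with the Config remediation parameters. The document and remediation configuration are constructed samples and the role ARN is a placeholder.

```python
import json

# Parameter types accepted by SSM Automation documents (schemaVersion 0.3).
# CloudFormation template types such as 'AWS::EC2::Instance::Id' are not among them.
SSM_PARAM_TYPES = {"String", "StringList", "Integer", "Boolean", "MapList", "StringMap"}


def lint_runbook(doc: dict, remediation: dict) -> list:
    """Return a list of findings; an empty list means runbook and remediation agree."""
    findings = []
    params = doc.get("parameters", {})
    # 1. Every declared parameter must use a type SSM understands.
    for name, spec in params.items():
        ptype = spec.get("type")
        if ptype not in SSM_PARAM_TYPES:
            findings.append(f"parameter {name!r} has invalid SSM type {ptype!r}")
    # 2. Every value Config supplies must map to a declared parameter; the
    #    RESOURCE_ID binding arrives as a plain string, so it needs type String.
    supplied = remediation.get("Parameters", {})
    for name, binding in supplied.items():
        if name not in params:
            findings.append(f"remediation supplies {name!r}, not declared in runbook")
        elif "ResourceValue" in binding and params[name].get("type") != "String":
            findings.append(f"{name!r} receives RESOURCE_ID but is not type String")
    # 3. Declared parameters without a supplied value need a default.
    for name, spec in params.items():
        if name not in supplied and "default" not in spec:
            findings.append(f"runbook parameter {name!r} has no value and no default")
    return findings


# Constructed sample runbook reproducing the declaration from the question.
BROKEN_DOC = json.loads("""{
  "schemaVersion": "0.3",
  "assumeRole": "{{ AutomationAssumeRole }}",
  "parameters": {
    "AutomationAssumeRole": {"type": "String"},
    "InstanceID": {"type": "AWS::EC2::Instance::Id"},
    "Threshold": {"type": "String"}
  },
  "mainSteps": []
}""")
FIXED_DOC = json.loads(json.dumps(BROKEN_DOC))
FIXED_DOC["parameters"]["InstanceID"]["type"] = "String"  # the corrected declaration

# Constructed remediation configuration (role ARN is a placeholder).
REMEDIATION = {"TargetType": "SSM_DOCUMENT", "TargetId": "Create-CloudWatch-Alarm-EC2-CPUUtilization",
               "Parameters": {"AutomationAssumeRole": {"StaticValue": {"Values": ["arn:aws:iam::123456789012:role/PLACEHOLDER"]}},
                              "InstanceID": {"ResourceValue": {"Value": "RESOURCE_ID"}},
                              "Threshold": {"StaticValue": {"Values": ["10"]}}}}

if __name__ == "__main__":
    for label, doc in (("broken", BROKEN_DOC), ("fixed", FIXED_DOC)):
        print(label, lint_runbook(doc, REMEDIATION) or "OK")
```

Run it against the real document content (for example the output of `aws ssm get-document`) before switching a rule's remediation to automatic, since the manual path never surfaces this error.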

Check Systems Manager->Automation and look at the output for the execution that failed for Create-CloudWatch-Alarm-EC2-CPUUtilization. Find the step that failed. Clicking on the step will show the failure details. It sounds like Create-CloudWatch-Alarm-EC2-CPUUtilization is not a valid document - either not defined or there is an error in it.

AWS
Mike_O
answered 2 years ago
  • Thanks for your answer. The document Create-CloudWatch-Alarm-EC2-CPUUtilization is definitely there, since I refer to it when doing the remediation manually. With automatic remediation, there is not even an execution output at all in Systems Manager -> Automation. The step details (see snippet above, obtained via the CLI describe-remediation-execution-status) mention as step name: "Initialization". This is a step that seems to come before the first real step in my runbook, and it leaves no execution output traces...
