How can I add remediation actions for AWS Config organization rules?
I want to use remediation actions, but the organization AWS Config rule doesn't support remediation actions.
Use a custom event pattern with an Amazon EventBridge rule to match your AWS Config rule for your organization. Then, choose the AWS Systems Manager Automation runbook as the target.
In the following example, the runbook AWS-TerminateEC2Instance runs on non-compliant resources from the organization rule with the resource type AWS::EC2::Instance. The Amazon Elastic Compute Cloud (Amazon EC2) instance is terminated because it is non-compliant.
You can replace the resource type for your specific AWS service and organization rule name.
This setup applies only to the AWS Organizations management account. To perform the remediation action on the resources of your member accounts, deploy the EventBridge rule and its runbook target to those accounts with AWS CloudFormation StackSets.
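The following is an added example, not code from the original article or from AWS: it writes out the EventBridge event pattern described above (AWS Config "Config Rules Compliance Change" events for a NON_COMPLIANT AWS::EC2::Instance from one organization rule) and checks it offline against constructed sample events with a minimal matcher, so you can see which compliance changes would trigger AWS-TerminateEC2Instance before deploying the rule. The rule name is a placeholder; the assumption that an organization rule shows up in member accounts with an `OrgConfigRule-` prefix is mine, so confirm the actual name in your account and adjust the `prefix` filter.

```python
"""Added example: EventBridge event pattern for an organization AWS Config rule
plus an offline matcher. Not part of the original article; the rule name is a
placeholder and the sample events are constructed."""
import json

# Placeholder: assumed to be how the organization rule is named in member
# accounts ("OrgConfigRule-" + the name you gave the rule). Substitute yours.
ORG_RULE_NAME_PREFIX = "OrgConfigRule-my-ec2-rule"

# Event pattern for the EventBridge rule. Only NON_COMPLIANT evaluations of
# EC2 instances produced by the organization rule match; the resource type can
# be swapped for another service, as the article notes.
EVENT_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "messageType": ["ComplianceChangeNotification"],
        "resourceType": ["AWS::EC2::Instance"],
        "configRuleName": [{"prefix": ORG_RULE_NAME_PREFIX}],
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
    },
}


def _matches_value(candidates, value):
    """True if the event value satisfies one of the pattern's candidate values:
    an exact literal, or a {"prefix": ...} content filter."""
    for candidate in candidates:
        if isinstance(candidate, dict):
            prefix = candidate.get("prefix")
            if prefix is not None and isinstance(value, str) and value.startswith(prefix):
                return True
        elif candidate == value:
            return True
    return False


def event_matches(pattern, event):
    """Minimal re-implementation of EventBridge matching semantics: every key
    in the pattern must be present in the event and satisfied; event keys the
    pattern does not mention are ignored."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not event_matches(expected, event[key]):
                return False
        elif not _matches_value(expected, event[key]):
            return False
    return True


def runbook_input(event):
    """What the target's input transformer should hand to AWS-TerminateEC2Instance:
    the non-compliant resource ID as the runbook's InstanceId list parameter
    (input path $.detail.resourceId)."""
    return {"InstanceId": [event["detail"]["resourceId"]]}


def make_event(compliance, resource_type="AWS::EC2::Instance",
               rule=ORG_RULE_NAME_PREFIX + "-abcdefgh",
               resource_id="i-0123456789abcdef0"):
    """Constructed sample Config compliance-change event (not real account data)."""
    return {
        "source": "aws.config",
        "detail-type": "Config Rules Compliance Change",
        "detail": {
            "messageType": "ComplianceChangeNotification",
            "resourceType": resource_type,
            "resourceId": resource_id,
            "configRuleName": rule,
            "newEvaluationResult": {"complianceType": compliance},
        },
    }


if __name__ == "__main__":
    # Print the pattern to paste into the EventBridge rule, then show which
    # sample evaluations would (and would not) trigger the runbook.
    print(json.dumps(EVENT_PATTERN, indent=2))
    samples = [
        make_event("NON_COMPLIANT"),
        make_event("COMPLIANT"),
        make_event("NON_COMPLIANT", resource_type="AWS::S3::Bucket"),
        make_event("NON_COMPLIANT", rule="some-other-account-level-rule"),
    ]
    for ev in samples:
        d = ev["detail"]
        hit = event_matches(EVENT_PATTERN, ev)
        print(d["configRuleName"], d["resourceType"],
              d["newEvaluationResult"]["complianceType"], "-> match:", hit,
              "runbook input:", runbook_input(ev) if hit else None)
```

Only the first sample triggers: a COMPLIANT result, a different resource type, or a rule outside the organization rule's name prefix all fall through, which is the scoping you want before a runbook that terminates instances is wired to the rule.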
1. Before you begin, make sure that you have EC2 permissions to run the AWS Systems Manager Automation runbook and a Systems Manager Automation Role trust policy similar to the following: