I want to use remediation actions, but the AWS Config organizational rule doesn't support remediation actions.
Short description
To match your AWS Config rule for your organization, use a custom event pattern with an Amazon EventBridge rule. Then, choose the AWS Systems Manager Automation runbook as the target.
Resolution
In this example procedure, the runbook AWS-TerminateEC2Instance runs on noncompliant resources from the organizational rule with the resource type AWS::EC2::Instance. The Amazon Elastic Compute Cloud (Amazon EC2) instance is terminated because it's noncompliant.
Note:
- Use a resource type that's specific to your AWS service and organizational rule name.
- To perform the remediation action on resources in your member accounts, use AWS CloudFormation StackSets to set up the EventBridge rule and its runbook target in each account.
- Make sure that you have Amazon EC2 permissions to run the AWS Systems Manager Automation runbook.
Complete the following steps:
- Make sure that you have a Systems Manager Automation role with a trust policy similar to the following one:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ssm.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
- Open the EventBridge console.
- In the navigation pane, choose Rules, and then choose Create rule.
- In Name and description, enter a name and description for the rule.
- In Define pattern, choose Event pattern.
- In Event matching pattern, choose Custom pattern.
- In Event pattern, enter the following example event pattern. Replace TestRuleExample with the name of the target organizational rule in your account:
{
  "source": [
    "aws.config"
  ],
  "detail-type": [
    "Config Rules Compliance Change"
  ],
  "detail": {
    "messageType": [
      "ComplianceChangeNotification"
    ],
    "configRuleName": [
      {
        "prefix": "OrgConfigRule-TestRuleExample-"
      }
    ],
    "resourceType": [
      "AWS::EC2::Instance"
    ],
    "newEvaluationResult": {
      "complianceType": [
        "NON_COMPLIANT"
      ]
    }
  }
}
- Choose Save.
- For Target, choose SSM Automation.
- For Document, choose AWS-TerminateEC2Instance.
- Expand Configure document version, and then choose Latest.
- Expand Configure automation parameter(s), and then choose Input transformer.
- For Input Path, enter the following:
{"instanceid":"$.detail.resourceId"}
- In the Instance ID text box, enter the following template. The <instanceid> placeholder refers to the variable that the Input Path defines. Replace the example ARN with your Systems Manager role's ARN:
{"InstanceId":[<instanceid>],"AutomationAssumeRole":["arn:aws:iam::123456789012:role/SSMRoleExample"]}
- Choose either Create a new role or Use existing role, and then choose Create.
Note: Be sure that the EventBridge rule status is Enabled.
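To check that the event pattern and input transformer from the steps above select the right events before the rule goes live, the following added example (not part of this article or of any AWS SDK) re-implements the EventBridge matching semantics the pattern relies on, including the prefix content filter that is needed because organizational rules are deployed into member accounts under an OrgConfigRule-<name>-<suffix> name, and builds the runbook input the same way the transformer does. The sample event and instance ID are constructed for the test.

```python
# Event pattern from the procedure above (copied here so the check runs offline).
EVENT_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "messageType": ["ComplianceChangeNotification"],
        "configRuleName": [{"prefix": "OrgConfigRule-TestRuleExample-"}],
        "resourceType": ["AWS::EC2::Instance"],
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
    },
}

def _leaf_matches(value, alternatives):
    # EventBridge leaf semantics: the event value must equal one of the listed
    # literals or satisfy one of the {"prefix": ...} content filters.
    for alt in alternatives:
        if isinstance(alt, dict) and "prefix" in alt:
            if isinstance(value, str) and value.startswith(alt["prefix"]):
                return True
        elif value == alt:
            return True
    return False

def matches(pattern, event):
    """True if every key in the pattern is present in the event and matches."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches(expected, event[key]):
                return False
        elif not _leaf_matches(event[key], expected):
            return False
    return True

def build_automation_input(event, role_arn):
    # Mirrors the input transformer: Input Path selects $.detail.resourceId and
    # the template passes it as the runbook's InstanceId parameter.
    return {"InstanceId": [event["detail"]["resourceId"]],
            "AutomationAssumeRole": [role_arn]}

# Constructed sample event shaped like a Config compliance-change notification.
SAMPLE_EVENT = {
    "source": "aws.config", "detail-type": "Config Rules Compliance Change",
    "detail": {"messageType": "ComplianceChangeNotification",
               "configRuleName": "OrgConfigRule-TestRuleExample-abc123",
               "resourceType": "AWS::EC2::Instance", "resourceId": "i-0123456789abcdef0",
               "newEvaluationResult": {"complianceType": "NON_COMPLIANT"}},
}
```

A compliant evaluation, a different rule name, or a different resource type must not match, which is what keeps the terminate runbook from running on the wrong instances.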
For more information about the status of your AWS Config organizational rules, and to list the organizational rules in your organization, see the describe-organization-config-rule-statuses and describe-organization-config-rules AWS CLI commands.
Related information
How can I receive custom email notifications when a resource is created in my AWS account with AWS Config service?
Use AWS Config rules to automatically remediate noncompliant resources
Tutorial: Use input transformer to customize what EventBridge passes to the event target