How can I troubleshoot failed remediation actions in AWS Config?


I followed the instructions for remediating noncompliant AWS resources with AWS Config rules. However, the remediation action failed with the error "Action execution failed (details)". I reviewed the error details, but there isn't enough information to troubleshoot the issue.

Resolution

Follow these instructions to troubleshoot a failed remediation action using either the AWS Command Line Interface (AWS CLI) or the AWS CloudTrail event history. The CLI path gives you the failing Systems Manager Automation step and its full error message directly; the CloudTrail path leads you to the same Automation execution through the console.

Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

AWS CLI

To find the error information related to the failed remediation action, complete the following steps in the AWS CLI:

  1. To get a more detailed error message, state information, and timestamps for remediation action steps, run the describe-remediation-execution-status AWS CLI command.
    See the following example:

    aws configservice describe-remediation-execution-status \
      --config-rule-name example-rule \
      --region example-region \
      --resource-keys resourceType=example-resource-type,resourceId=example-resource-ID

    Note: For your command, replace example-rule, example-region, example-resource-type, and example-resource-ID with your AWS Config rule name, AWS Region, resource type, and resource ID.

  2. Review your command output.
    See the following example:

    {
      "RemediationExecutionStatuses": [
        {
          "InvocationTime": 1560680582.419,
          "LastUpdatedTime": 1560680583.67,
          "ResourceKey": {
            "resourceId": "vol-0b399a24561582586",
            "resourceType": "AWS::EC2::Volume"
          },
          "State": "FAILED",
          "StepDetails": [
            {
              "ErrorMessage": "Automation Step Execution fails when it is creating a CloudFormation stack. 
    Get Exception from CreateStack API of cloudformation Service. Exception Message from CreateStack API:
    [User: arn:aws:sts::xxxxx:assumed-role/config-remediation-sshpublic-role-zkga0ot3/config-remediation-sshpublic is not authorized to perform: cloudformation:CreateStack on resource: arn:aws:cloudformation:eu-west-2:xxxxx:stack/DetachEBSVolumeStack2f6d3590-ea2c-424a-97ea-045749f07164/* 
    (Service: AmazonCloudFormation; Status Code: 403; Error Code: AccessDenied; Request ID: b8f41dd6-9020-11e9-897d-f9719db1a9e6)]. 
    Please refer to Automation Service Troubleshooting Guide for more diagnosis details.",
              "Name": "createDocumentStack",
              "StartTime": 1560680582.675,
              "State": "FAILED",
              "StopTime": 1560680582.884
            },  
            {
              "Name": "detachVolume",
              "State": "PENDING"
            },
            {  
              "Name": "deleteCloudFormationTemplate",
              "State": "PENDING"
            }
          ]
        }
      ]
    }
  3. In the StepDetails list, review the error message information.
    Note: The InvocationTime, LastUpdatedTime, StartTime, and StopTime values in the output are Unix epoch timestamps in seconds. To convert one to UTC, run date -u -d @1560680582 (GNU date) or date -u -r 1560680582 (macOS and BSD date), or use a free online converter, such as EpochConverter.
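The following script is an added example for this article; it is not AWS code and not part of the AWS CLI. It reads the JSON that step 1 produces (run the command with --output json and redirect it to a file; the file name is your choice), reports every FAILED step with its timestamps converted to UTC, pulls the principal, action, and resource out of an IAM AccessDenied message such as the one above, and prints the narrowest Allow statement that would satisfy the denied call. The embedded sample is the article's own example output, trimmed to the fields used here; the keyword matching for the "syntax" and "parameters" classes is this example's own heuristic and is an assumption.

```python
"""Triage the JSON from `aws configservice describe-remediation-execution-status`.

Added example, not AWS code. Standard library only. Run with the path of a saved
CLI output as the only argument, or with no argument to use SAMPLE_STATUS.
"""
import json
import re
import sys
from datetime import datetime, timezone

# Constructed sample: the article's example output, trimmed to the fields used
# here (account ID redacted as in the article).
SAMPLE_STATUS = {
    "RemediationExecutionStatuses": [{
        "InvocationTime": 1560680582.419,
        "LastUpdatedTime": 1560680583.67,
        "ResourceKey": {"resourceId": "vol-0b399a24561582586",
                        "resourceType": "AWS::EC2::Volume"},
        "State": "FAILED",
        "StepDetails": [
            {"ErrorMessage": (
                "Automation Step Execution fails when it is creating a CloudFormation stack. "
                "Get Exception from CreateStack API of cloudformation Service. "
                "Exception Message from CreateStack API: [User: arn:aws:sts::xxxxx:assumed-role/"
                "config-remediation-sshpublic-role-zkga0ot3/config-remediation-sshpublic "
                "is not authorized to perform: cloudformation:CreateStack on resource: "
                "arn:aws:cloudformation:eu-west-2:xxxxx:stack/"
                "DetachEBSVolumeStack2f6d3590-ea2c-424a-97ea-045749f07164/* "
                "(Service: AmazonCloudFormation; Status Code: 403; Error Code: AccessDenied; "
                "Request ID: b8f41dd6-9020-11e9-897d-f9719db1a9e6)]."),
             "Name": "createDocumentStack", "StartTime": 1560680582.675,
             "State": "FAILED", "StopTime": 1560680582.884},
            {"Name": "detachVolume", "State": "PENDING"},
            {"Name": "deleteCloudFormationTemplate", "State": "PENDING"},
        ],
    }]
}

# IAM access-denied text has a stable shape across services:
# "User: <principal> is not authorized to perform: <action> on resource: <arn>".
ACCESS_DENIED_RE = re.compile(
    r"User:\s*(?P<principal>arn:aws[^\s]+)\s+is not authorized to perform:\s*"
    r"(?P<action>[A-Za-z0-9-]+:[A-Za-z0-9*]+)"
    r"(?:\s+on resource:\s*(?P<resource>arn:aws[^\s]+))?")


def epoch_to_utc(ts):
    """Render an epoch-seconds timestamp from the CLI output as ISO 8601 UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(timespec="milliseconds")


def classify(message):
    """Map a step's ErrorMessage onto the classes the article names. The IAM branch
    keys on AccessDenied/403 text; the syntax and parameter keywords are this
    example's own heuristic (an assumption), so treat "other" as "read it yourself"."""
    if not message:
        return "unknown", {}
    m = ACCESS_DENIED_RE.search(message)
    if m or "AccessDenied" in message or "Status Code: 403" in message:
        return "iam-permissions", (m.groupdict() if m else {})
    lowered = message.lower()
    if "ValidationException" in message or ("invalid" in lowered and "parameter" in lowered):
        return "parameters", {}
    if "InvalidDocument" in message or "malformed" in lowered or "syntax" in lowered:
        return "syntax", {}
    return "other", {}


def triage(status_doc):
    """Return one finding per FAILED step across every execution in the document."""
    findings = []
    for execution in status_doc.get("RemediationExecutionStatuses", []):
        key = execution.get("ResourceKey", {})
        for step in execution.get("StepDetails", []):
            if step.get("State") != "FAILED":
                continue
            category, details = classify(step.get("ErrorMessage", ""))
            findings.append({
                "resource": f"{key.get('resourceType')}/{key.get('resourceId')}",
                "step": step.get("Name"),
                "category": category,
                "started": epoch_to_utc(step["StartTime"]) if "StartTime" in step else None,
                "stopped": epoch_to_utc(step["StopTime"]) if "StopTime" in step else None,
                "principal": details.get("principal"),
                "action": details.get("action"),
                "target": details.get("resource"),
            })
    return findings


def suggest_policy_statement(finding):
    """Narrowest Allow statement for an iam-permissions finding. Review the resource
    scope before attaching it to the remediation role; do not widen it to "*"."""
    if finding["category"] != "iam-permissions" or not finding["action"]:
        return None
    return {"Effect": "Allow", "Action": [finding["action"]],
            "Resource": [finding["target"] or "*"]}


def triage_file(path):
    with open(path, encoding="utf-8") as fh:
        return triage(json.load(fh))


def main(argv):
    findings = triage_file(argv[1]) if len(argv) > 1 else triage(SAMPLE_STATUS)
    for f in findings:
        print(json.dumps(f, indent=2))
        stmt = suggest_policy_statement(f)
        if stmt:
            print("Missing permission; candidate statement:", json.dumps(stmt))
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the article's sample the script reports the createDocumentStack step as an IAM permissions failure and names the remediation role and the denied cloudformation:CreateStack call, which is exactly what you need to add to that role's policy. The exit status is 1 when any step failed, so the script can gate a pipeline that re-runs start-remediation-execution only after the role has been fixed.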

CloudTrail event history

To find the error information related to the failed remediation action, complete the following steps in the CloudTrail and AWS Systems Manager consoles:

  1. Open the CloudTrail console.
  2. Follow the instructions for Viewing recent CloudTrail management events with the CloudTrail console.
  3. The StartAutomationExecution API action is invoked when AWS Config initiates a remediation action. On the Event history page, filter by the Event name lookup attribute, and then search for StartAutomationExecution.
  4. Choose the related API event.
  5. On the event details page, in the event JSON, copy the requestID value.
  6. Open the Systems Manager console.
  7. In the navigation pane, choose Automation.
  8. On the Automation executions page, filter by the Execution ID property, and then search for the requestID value that you copied in step 5.
  9. Review the information on the execution details page. Determine whether the failure details relate to AWS Identity and Access Management (IAM) permissions, syntax issues, or incorrect parameters configured in the remediation action. Use these details to fix the remediation action so that it can remediate your noncompliant resources.

Related information

How can I troubleshoot AWS Config console error messages?

View, update or add, and delete rules (AWS CLI)

AWS OFFICIAL, updated 3 months ago