Manual remediation config works, automatic remediation config fails


SOLVED! There was a syntax problem in the runbook that is not detected when remediating manually. In the content of the remediation document (which was created using CloudFormation), I used this parameter declaration:

parameters:
  InstanceID:
    type: 'AWS::EC2::Instance::Id'

It should be:

parameters:
  InstanceID:
    type: String

=====================================================================================

I have a remediation runbook that creates CloudWatch alarms for the metric 'CPUUtilization' for any EC2 instances that have none defined. The runbook is configured as a remediation document for a Config rule that checks for the absence of such alarms. When I configure the remediation on the rule as manual, all goes well. When I configure the remediation with the exact same runbook as automatic, the remediation fails with this error (snippet):

"StepDetails": [
    {
        "Name": "Initialization",
        "State": "FAILED",
        "ErrorMessage": "Invalid Automation document content for Create-CloudWatch-Alarm-EC2-CPUUtilization",
        "StartTime": "2022-05-09T17:30:02.361000+02:00",
        "StopTime": "2022-05-09T17:30:02.361000+02:00"
    }
],

This is the remediation configuration for the automatic remediation. The only difference from the manual remediation configuration is, obviously, the value of the key "Automatic" being "false".

{
    "RemediationConfigurations": [
        {
            "ConfigRuleName": "rul-ensure-cloudwatch-alarm-ec2-cpuutilization-exists",
            "TargetType": "SSM_DOCUMENT",
            "TargetId": "Create-CloudWatch-Alarm-EC2-CPUUtilization",
            "TargetVersion": "$DEFAULT",
            "Parameters": {
                "AutomationAssumeRole": {
                    "StaticValue": {
                        "Values": [
                            "arn:aws:iam::123456789012:role/rol_ssm_full_access_to_cloudwatch"
                        ]
                    }
                },
                "ComparisonOperator": {
                    "StaticValue": {
                        "Values": [
                            "GreaterThanThreshold"
                        ]
                    }
                },
                "InstanceID": {
                    "ResourceValue": {
                        "Value": "RESOURCE_ID"
                    }
                },
                "Period": {
                    "StaticValue": {
                        "Values": [
                            "300"
                        ]
                    }
                },
                "Statistic": {
                    "StaticValue": {
                        "Values": [
                            "Average"
                        ]
                    }
                },
                "Threshold": {
                    "StaticValue": {
                        "Values": [
                            "10"
                        ]
                    }
                }
            },
            "Automatic": true,
            "MaximumAutomaticAttempts": 5,
            "RetryAttemptSeconds": 60,
            "Arn": "arn:aws:config:eu-west-2:123456789012:remediation-configuration/rul-ensure-cloudwatch-alarm-ec2-cpuutilization-exists/5e3a81a7-fc55-4cbe-ad75-6b27be8da79a"
        }
    ]
}

The error message is rather cryptic, I can't find documentation on possible root causes. Any suggestions would be very welcome! Thanks!
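A preflight check for this class of failure, added here as an example and not part of the original post or of any AWS tooling: it takes an Automation document's content, flags every parameter whose type is not one SSM Automation accepts (String, StringList, Integer, Boolean, MapList, StringMap), and cross-checks that each parameter named in the Config remediation configuration is actually declared by the document. The document content, its single step and the alarm fields are constructed to resemble the runbook in the question; the assume-role string and all other names are assumptions, and the remediation parameter names are copied from the configuration above.

```python
import json

# Parameter types that SSM Automation documents accept (per the AWS Systems
# Manager documentation). CloudFormation-only parameter types such as
# 'AWS::EC2::Instance::Id' are not among them.
SSM_AUTOMATION_PARAM_TYPES = {
    "String", "StringList", "Integer", "Boolean", "MapList", "StringMap",
}

# Constructed document content modelled on the runbook from the question.
# Only the parameter block matters here; the single step is a placeholder
# that puts the alarm, not the poster's real runbook.
BROKEN_DOCUMENT = {
    "schemaVersion": "0.3",
    "description": "Create a CPUUtilization alarm for an EC2 instance",
    "assumeRole": "{{ AutomationAssumeRole }}",
    "parameters": {
        "AutomationAssumeRole": {"type": "String"},
        "InstanceID": {"type": "AWS::EC2::Instance::Id"},  # the bad declaration
        "ComparisonOperator": {"type": "String"},
        "Period": {"type": "String"},
        "Statistic": {"type": "String"},
        "Threshold": {"type": "String"},
    },
    "mainSteps": [{
        "name": "PutAlarm",
        "action": "aws:executeAwsApi",
        "inputs": {
            "Service": "cloudwatch",
            "Api": "PutMetricAlarm",
            "AlarmName": "cpu-{{ InstanceID }}",
            "Namespace": "AWS/EC2",
            "MetricName": "CPUUtilization",
            "Dimensions": [{"Name": "InstanceId", "Value": "{{ InstanceID }}"}],
            "ComparisonOperator": "{{ ComparisonOperator }}",
            "Period": "{{ Period }}",
            "Statistic": "{{ Statistic }}",
            "Threshold": "{{ Threshold }}",
            "EvaluationPeriods": 1,
        },
    }],
}

# Parameter names taken from the remediation configuration in the question.
REMEDIATION_PARAMETERS = {
    "AutomationAssumeRole": {"StaticValue": {"Values": ["arn:aws:iam::123456789012:role/rol_ssm_full_access_to_cloudwatch"]}},
    "ComparisonOperator": {"StaticValue": {"Values": ["GreaterThanThreshold"]}},
    "InstanceID": {"ResourceValue": {"Value": "RESOURCE_ID"}},
    "Period": {"StaticValue": {"Values": ["300"]}},
    "Statistic": {"StaticValue": {"Values": ["Average"]}},
    "Threshold": {"StaticValue": {"Values": ["10"]}},
}


def find_invalid_parameter_types(document):
    """Map each parameter whose type SSM Automation does not accept to that type."""
    return {
        name: spec.get("type")
        for name, spec in document.get("parameters", {}).items()
        if spec.get("type") not in SSM_AUTOMATION_PARAM_TYPES
    }


def find_undeclared_remediation_parameters(document, remediation_parameters):
    """Names the remediation configuration passes but the document never declares.

    Parameter names are case-sensitive, so 'InstanceId' does not satisfy 'InstanceID'.
    """
    declared = set(document.get("parameters", {}))
    return sorted(set(remediation_parameters) - declared)


def fix_parameter_types(document, replacement="String"):
    """Return a copy of the document with every unsupported parameter type replaced."""
    fixed = json.loads(json.dumps(document))  # deep copy; the original stays intact
    for spec in fixed.get("parameters", {}).values():
        if spec.get("type") not in SSM_AUTOMATION_PARAM_TYPES:
            spec["type"] = replacement
    return fixed


def preflight(document, remediation_parameters):
    """Collect human-readable findings; an empty list means the checks passed."""
    findings = [
        f"parameter '{name}' has unsupported type '{ptype}'"
        for name, ptype in find_invalid_parameter_types(document).items()
    ]
    findings += [
        f"remediation passes parameter '{name}' that the document does not declare"
        for name in find_undeclared_remediation_parameters(document, remediation_parameters)
    ]
    return findings


if __name__ == "__main__":
    for finding in preflight(BROKEN_DOCUMENT, REMEDIATION_PARAMETERS):
        print("FAIL:", finding)
    fixed = fix_parameter_types(BROKEN_DOCUMENT)
    print("after fix:", preflight(fixed, REMEDIATION_PARAMETERS) or "clean")
    print(json.dumps(fixed["parameters"], indent=2))
```

Run it against the document content you get back from `aws ssm get-document --name <doc> --document-format JSON` (the `Content` field, parsed as JSON) before attaching the document as an automatic remediation; the same type set applies whether the document was authored by hand or emitted by a CloudFormation `AWS::SSM::Document` resource, since CloudFormation passes the `Content` block through to SSM unchanged.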

1 Answer

Check Systems Manager->Automation and look at the output for the execution that failed for Create-CloudWatch-Alarm-EC2-CPUUtilization. Find the step that failed. Clicking on the step will show the failure details. It sounds like Create-CloudWatch-Alarm-EC2-CPUUtilization is not a valid document - either not defined or there is an error in it.

AWS
Mike_O
answered 2 years ago
  • Thanks for your answer. The document Create-CloudWatch-Alarm-EC2-CPUUtilization is definitely there, since I refer to it when doing the remediation manually. With automatic remediation, there is no execution output at all in Systems Manager -> Automation. The step details (see snippet above, obtained via the CLI describe-remediation-execution-status) mention as step name "Initialization". This is a step that seems to come before the first real step in my runbook, and it leaves no execution output traces...
