
How to add "RESOURCE_ID" to a custom "message" parameter when using the AWS-PublishSNSNotification SSM document as an AWS Config rule remediation?

0

Hi all

I'm using the AWS-PublishSNSNotification SSM document as a remediation action for some AWS Config rules. I'd love to customize the "Message" parameter and also want to include "RESOURCE_ID". How can I do that? I'm using CloudFormation to create it. The following is my CFN, which is not working.

  S3AccountLevelPublicAccessBlocksPeriodicRemediation:
    DependsOn: S3AccountLevelPublicAccessBlocksPeriodic
    Type: 'AWS::Config::RemediationConfiguration'
    Properties:
      ConfigRuleName: S3AccountLevelPublicAccessBlocksPeriodic
      TargetId: "AWS-PublishSNSNotification"
      TargetType: "SSM_DOCUMENT"
      TargetVersion: "1"
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - !GetAtt SNSRole.Arn
        Message:
          StaticValue:
            Values: 
              - Fn::Join: 
                - " "
                - - "ConfigRuleName: S3AccountLevelPublicAccessBlocksPeriodic, "
                  - "the account level public access block settings is NOT configured in account "
          ResourceValue:
            Value: "RESOURCE_ID"
        TopicArn:
          StaticValue:
            Values:
              - !Ref SNSPublishMessageTopicARN
      ExecutionControls:
        SsmControls:
          ConcurrentExecutionRatePercentage: 10
          ErrorPercentage: 10
      Automatic: True
      MaximumAutomaticAttempts: 10
      RetryAttemptSeconds: 600

Thanks.

asked a year ago, 120 views
1 Answer
-1

You can include the "RESOURCE_ID" in your custom "Message" parameter by using the ResourceValue property within the Message parameter. Here's an updated version of your CloudFormation template that should work:

S3AccountLevelPublicAccessBlocksPeriodicRemediation:
  DependsOn: S3AccountLevelPublicAccessBlocksPeriodic
  Type: 'AWS::Config::RemediationConfiguration'
  Properties:
    ConfigRuleName: S3AccountLevelPublicAccessBlocksPeriodic
    TargetId: "AWS-PublishSNSNotification"
    TargetType: "SSM_DOCUMENT"
    TargetVersion: "1"
    Parameters:
      AutomationAssumeRole:
        StaticValue:
          Values:
            - !GetAtt SNSRole.Arn
      Message:
        StaticValue:
          Values: 
            - !Sub "ConfigRuleName: S3AccountLevelPublicAccessBlocksPeriodic, the account level public access block settings is NOT configured in account ${RESOURCE_ID}"
      TopicArn:
        StaticValue:
          Values:
            - !Ref SNSPublishMessageTopicARN
    ExecutionControls:
      SsmControls:
        ConcurrentExecutionRatePercentage: 10
        ErrorPercentage: 10
    Automatic: True
    MaximumAutomaticAttempts: 10
    RetryAttemptSeconds: 600

In this updated template:

  1. We've simplified the Message parameter by using the !Sub function, which allows for string interpolation.
  2. We've included ${RESOURCE_ID} directly in the message string. AWS Config will automatically replace this with the actual resource ID when the remediation runs.
  3. We've moved the SNS topic ARN to the TopicArn parameter, which is the correct parameter name for the AWS-PublishSNSNotification document.

This configuration will create a custom message that includes the Config rule name and the resource ID of the non-compliant resource. The message will be published to the specified SNS topic when the remediation action is triggered.

Remember that the RESOURCE_ID in this context refers to the AWS account ID, as the S3AccountLevelPublicAccessBlocks rule operates at the account level.

Sources
How to reference a shared ssm parameter(ram based) with Cloudformation | AWS re:Post
AWS CloudFormation configuration properties reference - AWS CloudFormation

answered a year ago
  • Not working - error message: "Template format error: Unresolved resource dependencies [RESOURCE_ID] in the Resources block of the template"
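Added example (an editor's addition, not a template posted by the asker or the answerer): each entry under Parameters of AWS::Config::RemediationConfiguration is a RemediationParameterValue, which takes either a StaticValue or a ResourceValue, not both, and Fn::Sub is resolved when the stack is created, where RESOURCE_ID is not a template variable. One way to get the resource ID into a custom message is to pass it as its own parameter to a small custom SSM Automation document that composes and publishes the message itself. The document name PublishConfigNoticeDocument and its parameter names are assumptions made here; SNSRole, SNSPublishMessageTopicARN and the Config rule name are taken from the thread, and SNSRole is assumed to be assumable by ssm.amazonaws.com and to allow sns:Publish on the topic.

```yaml
Resources:
  # Assumed: a custom Automation document replaces AWS-PublishSNSNotification.
  # It receives the resource ID as a plain parameter and builds the message.
  PublishConfigNoticeDocument:
    Type: AWS::SSM::Document
    Properties:
      DocumentType: Automation
      DocumentFormat: YAML
      Content:
        schemaVersion: '0.3'
        description: Publish a Config non-compliance notice that includes the resource ID
        assumeRole: '{{ AutomationAssumeRole }}'
        parameters:
          AutomationAssumeRole:
            type: String
          ResourceId:
            type: String
          TopicArn:
            type: String
        mainSteps:
          - name: PublishNotification
            action: aws:executeAwsApi
            inputs:
              Service: sns
              Api: Publish
              TopicArn: '{{ TopicArn }}'
              Subject: 'AWS Config: S3AccountLevelPublicAccessBlocksPeriodic non-compliant'
              # {{ ResourceId }} is expanded by SSM Automation at run time, not by CloudFormation
              Message: 'ConfigRuleName: S3AccountLevelPublicAccessBlocksPeriodic, the account level public access block settings is NOT configured in account {{ ResourceId }}'

  S3AccountLevelPublicAccessBlocksPeriodicRemediation:
    DependsOn: S3AccountLevelPublicAccessBlocksPeriodic
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: S3AccountLevelPublicAccessBlocksPeriodic
      TargetType: SSM_DOCUMENT
      TargetId: !Ref PublishConfigNoticeDocument   # document name of the custom document above
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - !GetAtt SNSRole.Arn
        # RESOURCE_ID is filled in by AWS Config when the remediation runs;
        # a parameter carries either a ResourceValue or a StaticValue, never both.
        ResourceId:
          ResourceValue:
            Value: RESOURCE_ID
        TopicArn:
          StaticValue:
            Values:
              - !Ref SNSPublishMessageTopicARN
      ExecutionControls:
        SsmControls:
          ConcurrentExecutionRatePercentage: 10
          ErrorPercentage: 10
      Automatic: true
      MaximumAutomaticAttempts: 10
      RetryAttemptSeconds: 600
```

With this shape nothing named RESOURCE_ID has to exist at deployment time: AWS Config substitutes the non-compliant resource's ID into the document's ResourceId parameter when the remediation fires, and SSM Automation expands the {{ ResourceId }} placeholder when it publishes. Keep the static text of the message inside the document rather than in the remediation configuration, since a StaticValue cannot be combined with a ResourceValue on the same parameter.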
