When it comes to remediating non-compliant resources found by AWS Config, both AWS Lambda functions and AWS Systems Manager Automation documents are viable options, but Systems Manager Automation documents are generally recommended and more commonly used for this purpose.
AWS Config is designed to work seamlessly with Systems Manager Automation documents for remediation actions. These documents define the specific actions to be performed on non-compliant AWS resources evaluated by AWS Config rules. AWS Config provides a set of managed Automation documents with pre-defined remediation actions, making it easy to get started.
Using Systems Manager Automation documents offers several advantages:
- Integration: AWS Config is built to apply remediation using Systems Manager Automation documents, providing a more integrated and streamlined approach.
- Flexibility: You can choose from pre-populated remediation actions or create custom Automation documents to suit your specific needs.
- Ease of use: The AWS Management Console offers a recommended list of remediation actions, simplifying the process of setting up remediation.
- Control: You have the option to choose between manual or automatic remediation when using Systems Manager Automation documents.
- Scalability: Systems Manager Automation documents can be run across multiple AWS Regions and accounts or organizational units from a central account, making them suitable for large-scale deployments.
While Lambda functions can also be used for remediation, especially for more complex or custom scenarios, Systems Manager Automation documents are often the preferred choice due to their native integration with AWS Config and the built-in remediation capabilities they offer.
Ultimately, the choice between Lambda and Systems Manager Automation documents may depend on your specific use case, existing infrastructure, and familiarity with the tools. However, for most standard remediation scenarios, Systems Manager Automation documents provide a more straightforward and well-integrated solution for remediating non-compliant resources found by AWS Config.
Sources
- Remediating Noncompliant Resources with AWS Config - AWS Config
- Use AWS Config Rules to Automatically Remediate Non-compliant Resources
- SEC04-BP04 Initiate remediation for non-compliant resources - AWS Well-Architected Framework
- Securing and automating compliance in the public sector with AWS | AWS Public Sector Blog
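The answer above describes wiring a Config rule to a Systems Manager Automation document and choosing between manual and automatic remediation. The following script is an added example, not code from the answer or from AWS; it builds the request body that boto3's ConfigService `put_remediation_configurations` call expects, validates the retry settings that matter when remediation runs automatically, and submits it. The rule name, document name, parameter names, role ARN and account ID in the `__main__` block are illustrative assumptions; confirm the document and its parameters in your account and Region before use.

```python
"""Attach an SSM Automation document to an AWS Config rule as its remediation.

Added example (not from the re:Post answer or AWS). Uses the boto3 ConfigService
API put_remediation_configurations. boto3 is imported lazily so the builder and
the dry-run client work offline.
"""
from typing import Any, Dict, List, Optional

# API limits for automatic remediation (MaximumAutomaticAttempts, RetryAttemptSeconds).
MAX_ATTEMPTS_RANGE = (1, 25)
RETRY_SECONDS_RANGE = (1, 2678000)


def static_param(*values: str) -> Dict[str, Any]:
    """Parameter whose value is fixed when the remediation is configured."""
    return {"StaticValue": {"Values": list(values)}}


def resource_id_param() -> Dict[str, Any]:
    """Parameter filled at run time with the ID of the noncompliant resource."""
    return {"ResourceValue": {"Value": "RESOURCE_ID"}}


def build_remediation_configuration(
    rule_name: str,
    document_name: str,
    parameters: Dict[str, Dict[str, Any]],
    automatic: bool = False,
    max_attempts: int = 3,
    retry_seconds: int = 60,
    document_version: str = "1",
    resource_type: Optional[str] = None,
) -> Dict[str, Any]:
    """Return one RemediationConfigurations entry.

    Manual remediation (automatic=False) leaves a person to trigger each run;
    automatic remediation retries on failure, so the attempt count and retry
    window are validated to keep a misbehaving document from looping.
    """
    if automatic:
        if not MAX_ATTEMPTS_RANGE[0] <= max_attempts <= MAX_ATTEMPTS_RANGE[1]:
            raise ValueError(f"MaximumAutomaticAttempts must be within {MAX_ATTEMPTS_RANGE}")
        if not RETRY_SECONDS_RANGE[0] <= retry_seconds <= RETRY_SECONDS_RANGE[1]:
            raise ValueError(f"RetryAttemptSeconds must be within {RETRY_SECONDS_RANGE}")
    # Policy choice in this example: insist on a scoped role so the Automation
    # run never inherits broader permissions than the remediation needs.
    if "AutomationAssumeRole" not in parameters:
        raise ValueError("AutomationAssumeRole parameter is required")
    config: Dict[str, Any] = {
        "ConfigRuleName": rule_name,
        "TargetType": "SSM_DOCUMENT",
        "TargetId": document_name,
        "TargetVersion": document_version,
        "Parameters": parameters,
        "Automatic": automatic,
    }
    if automatic:
        config["MaximumAutomaticAttempts"] = max_attempts
        config["RetryAttemptSeconds"] = retry_seconds
    if resource_type:
        config["ResourceType"] = resource_type
    return config


class DryRunClient:
    """Stand-in for the boto3 client: records requests instead of calling AWS."""

    def __init__(self) -> None:
        self.requests: List[Dict[str, Any]] = []

    def put_remediation_configurations(self, **kwargs: Any) -> Dict[str, Any]:
        self.requests.append(kwargs)
        return {"FailedBatches": []}


def apply_remediation(config: Dict[str, Any], client: Any = None) -> List[Dict[str, Any]]:
    """Submit the configuration; returns FailedBatches (empty on success)."""
    if client is None:
        import boto3  # lazy import: only needed for a real call

        client = boto3.client("config")
    response = client.put_remediation_configurations(RemediationConfigurations=[config])
    return response.get("FailedBatches", [])


if __name__ == "__main__":
    # Illustrative values (assumed): managed rule, managed document, placeholder role.
    cfg = build_remediation_configuration(
        rule_name="s3-bucket-public-read-prohibited",
        document_name="AWS-DisableS3BucketPublicReadWrite",
        parameters={
            "S3BucketName": resource_id_param(),
            "AutomationAssumeRole": static_param(
                "arn:aws:iam::123456789012:role/ConfigRemediationRole"
            ),
        },
        automatic=True,
        max_attempts=5,
        retry_seconds=60,
        resource_type="AWS::S3::Bucket",
    )
    print(apply_remediation(cfg, DryRunClient()))  # dry run; pass client=None for AWS
```

Run it as-is for a dry run that only prints the (empty) failed-batch list; pass `client=None` to `apply_remediation` to submit against AWS with your default credentials. Keeping `Automatic=False` until the document has been exercised manually on a few resources is the cautious path the answer's "Control" point describes.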