Auto-remediate non-compliant AWS Config Findings


Hi AWS, we have recently deployed AWS Config Conformance packs to detect non-compliant resources, and remediation was done manually. It has improved the performance score to a certain extent, but now the issue is that we still don't have AWS Control Tower, and as folks are deploying new AWS resources, more non-compliant findings come up and it has deteriorated the improved performance score to some extent.

We are planning to control that by consolidating SCPs and leveraging their functionality as much as we can to bring compliance in place, but as you know there are certain limits with SCPs themselves, i.e.

  1. You cannot have more than 5 SCPs per AWS account.
  2. The maximum size of an SCP is 5120 characters (hard limit).

Currently we are planning to amalgamate as many SCPs as we can to control creation of non-compliant resources, but down the line I need to know how to turn on auto-remediation for AWS Config conformance packs?

2 Answers

The implementation of AWS Organizations, Organizational Unit (OU) structure, account mapping within OUs, AWS Control Tower, and Service Control Policies (SCPs) necessitates a well-thought-out strategy, despite the inherent limitations of SCPs. The following links can provide guidance on developing an effective strategy for this implementation:

SCP evaluation & Strategies

How can I increase the SCP character size limit or number of SCPs for an AWS Organization?

Achieving operational excellence with design considerations for AWS Organizations SCPs

Get more out of service control policies in a multi-account environment

AWS
answered 2 months ago

Resources that do not comply with AWS Config rules can be automatically remediated using AWS Systems Manager Automation runbooks. The process for doing this is outlined in the blog post Remediate noncompliant AWS Config rules with AWS Systems Manager Automation runbooks.

The specific procedure for adding automated remediation to rules deployed via conformance packs is outlined in the blog post Deploy Conformance Packs across an Organization with Automatic Remediation.

AWS
answered 2 months ago
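As an added illustration of the pattern the answer above describes (this is example YAML written for this page, not code from the answer, the linked blog posts, or AWS), the following conformance pack template pairs one AWS managed Config rule with an `AWS::Config::RemediationConfiguration` resource so that a non-compliant S3 bucket is fixed automatically by the AWS managed runbook `AWS-DisableS3BucketPublicReadWrite`. The managed rule identifier `S3_BUCKET_PUBLIC_READ_PROHIBITED` and the runbook name are real AWS-provided identifiers; the IAM role ARN is a placeholder you must replace with a role that AWS Config can pass to Systems Manager and that is allowed to modify the bucket's public-access settings.

```yaml
# Example conformance pack template (constructed for illustration, not from the post).
# Deploy with: aws configservice put-conformance-pack --conformance-pack-name s3-public-read-auto-fix \
#                --template-body file://this-file.yaml
Parameters:
  # Role assumed by the SSM Automation runbook. Placeholder value; supply your own role ARN.
  RemediationRoleArn:
    Type: String
    Default: arn:aws:iam::111122223333:role/PLACEHOLDER-ConfigRemediationRole

Resources:
  # Detection: AWS managed rule that flags S3 buckets allowing public read access.
  S3BucketPublicReadProhibited:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: S3BucketPublicReadProhibited
      Description: Checks that S3 buckets do not allow public read access.
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED

  # Remediation: automatically run the managed runbook against each non-compliant bucket.
  S3BucketPublicReadProhibitedRemediation:
    DependsOn: S3BucketPublicReadProhibited
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: S3BucketPublicReadProhibited
      ResourceType: AWS::S3::Bucket
      TargetType: SSM_DOCUMENT
      TargetId: AWS-DisableS3BucketPublicReadWrite
      # Automatic: true is what turns manual remediation into auto-remediation.
      Automatic: true
      # Bound retries so a bucket that cannot be fixed does not loop forever.
      MaximumAutomaticAttempts: 5
      RetryAttemptSeconds: 60
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - !Ref RemediationRoleArn
        # RESOURCE_ID passes the evaluated bucket's name into the runbook.
        S3BucketName:
          ResourceValue:
            Value: RESOURCE_ID
```

Two things worth checking before turning `Automatic` on across an organization: the remediation role needs `ssm:StartAutomationExecution` plus the S3 permissions the runbook uses, and the `MaximumAutomaticAttempts` / `RetryAttemptSeconds` pair caps how often Config will retry a resource that keeps failing remediation, which keeps a misconfigured runbook from generating a flood of automation executions.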
