Manual remediation config works, automatic remediation config fails

0

SOLVED! There was a syntax problem in the runbook that is not detected when remediating manually. In the content of the remediation document (created using CloudFormation), I used this parameter declaration:

    parameters:
      InstanceID:
        type: 'AWS::EC2::Instance::Id'

It should be:

    parameters:
      InstanceID:
        type: String

=====================================================================================

I have a remediation runbook that creates CloudWatch alarms for the metric 'CPUUtilization' for any EC2 instances that have none defined. The runbook is configured as a remediation document for a Config rule that checks for the absence of such alarms. When I configure the remediation on the rule as manual, all goes well. When I configure the remediation with the exact same runbook as automatic, the remediation fails with this error (snippet):

    "StepDetails": [
        {
            "Name": "Initialization",
            "State": "FAILED",
            "ErrorMessage": "Invalid Automation document content for Create-CloudWatch-Alarm-EC2-CPUUtilization",
            "StartTime": "2022-05-09T17:30:02.361000+02:00",
            "StopTime": "2022-05-09T17:30:02.361000+02:00"
        }
    ],

This is the remediation configuration for the automatic remediation. The only difference from the manual remediation configuration is, obviously, the value for the key "Automatic" being "false".

    {
        "RemediationConfigurations": [
            {
                "ConfigRuleName": "rul-ensure-cloudwatch-alarm-ec2-cpuutilization-exists",
                "TargetType": "SSM_DOCUMENT",
                "TargetId": "Create-CloudWatch-Alarm-EC2-CPUUtilization",
                "TargetVersion": "$DEFAULT",
                "Parameters": {
                    "AutomationAssumeRole": {
                        "StaticValue": {
                            "Values": [
                                "arn:aws:iam::123456789012:role/rol_ssm_full_access_to_cloudwatch"
                            ]
                        }
                    },
                    "ComparisonOperator": {
                        "StaticValue": {
                            "Values": [
                                "GreaterThanThreshold"
                            ]
                        }
                    },
                    "InstanceID": {
                        "ResourceValue": {
                            "Value": "RESOURCE_ID"
                        }
                    },
                    "Period": {
                        "StaticValue": {
                            "Values": [
                                "300"
                            ]
                        }
                    },
                    "Statistic": {
                        "StaticValue": {
                            "Values": [
                                "Average"
                            ]
                        }
                    },
                    "Threshold": {
                        "StaticValue": {
                            "Values": [
                                "10"
                            ]
                        }
                    }
                },
                "Automatic": true,
                "MaximumAutomaticAttempts": 5,
                "RetryAttemptSeconds": 60,
                "Arn": "arn:aws:config:eu-west-2:123456789012:remediation-configuration/rul-ensure-cloudwatch-alarm-ec2-cpuutilization-exists/5e3a81a7-fc55-4cbe-ad75-6b27be8da79a"
            }
        ]
    }

The error message is rather cryptic, and I can't find documentation on possible root causes. Any suggestions would be very welcome! Thanks!
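As an added example (not from the post or from AWS), a small Python preflight that would have caught the bad parameter type before the document was registered as a remediation: it lints the runbook's parameter types against the ones the SSM Automation document schema accepts and cross-checks the parameter names the remediation configuration passes. The RUNBOOK dict is a constructed stand-in for the author's document, reduced to its parameter block.

```python
import copy

# Parameter types the SSM Automation document schema (0.3) accepts.
# 'AWS::EC2::Instance::Id' is a CloudFormation parameter type, not an SSM one.
SSM_PARAM_TYPES = {"String", "StringList", "Integer", "Boolean", "MapList", "StringMap"}

# Constructed stand-in for the author's runbook (hypothetical; only the
# parameter block matters here, the real steps are not on the page).
RUNBOOK = {
    "schemaVersion": "0.3",
    "parameters": {
        "AutomationAssumeRole": {"type": "String"},
        "InstanceID": {"type": "AWS::EC2::Instance::Id"},  # the defect from the post
        "ComparisonOperator": {"type": "String", "default": "GreaterThanThreshold"},
        "Period": {"type": "Integer", "default": 300},
        "Statistic": {"type": "String", "default": "Average"},
        "Threshold": {"type": "Integer"},
    },
}

# Parameter names passed by the remediation configuration shown in the post.
REMEDIATION_PARAMS = ["AutomationAssumeRole", "ComparisonOperator", "InstanceID",
                      "Period", "Statistic", "Threshold"]


def lint_parameter_types(doc):
    """Flag every document parameter whose type SSM Automation does not know."""
    return [
        f"{name}: type {spec.get('type')!r} is not an SSM Automation parameter type"
        for name, spec in doc.get("parameters", {}).items()
        if spec.get("type") not in SSM_PARAM_TYPES
    ]


def lint_remediation(doc, supplied):
    """Type-check the document, then match the remediation's parameter names against it."""
    declared = doc.get("parameters", {})
    problems = lint_parameter_types(doc)
    problems += [f"remediation passes {n!r}, which the document does not declare"
                 for n in supplied if n not in declared]
    problems += [f"document parameter {n!r} gets no value and has no default"
                 for n, spec in declared.items()
                 if n not in supplied and "default" not in spec]
    return problems


def fixed_runbook(doc):
    """Apply the fix from the post: declare InstanceID as a plain String."""
    fixed = copy.deepcopy(doc)
    fixed["parameters"]["InstanceID"]["type"] = "String"
    return fixed


if __name__ == "__main__":
    for label, d in (("as posted", RUNBOOK), ("fixed", fixed_runbook(RUNBOOK))):
        print(label, lint_remediation(d, REMEDIATION_PARAMS) or "OK")
```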

1 Answer
0

Check Systems Manager->Automation and look at the output for the execution that failed for Create-CloudWatch-Alarm-EC2-CPUUtilization. Find the step that failed. Clicking on the step will show the failure details. It sounds like Create-CloudWatch-Alarm-EC2-CPUUtilization is not a valid document - either not defined or there is an error in it.

AWS
Mike_O
answered 2 years ago
  • Thanks for your answer. The document Create-CloudWatch-Alarm-EC2-CPUUtilization is definitely there, since I refer to it when doing the remediation manually. With automatic remediation, there is not even an execution output at all in Systems Manager -> Automation. The step details (see snippet above, obtained via CLI describe-remediation-execution-status) mention as step name: "Initialization". This is a step that seems to come before the first real step in my runbook, and it leaves no execution output traces...
