
Unable to Complete CloudQuest Security Task

0

I'm getting the following error on the CloudQuest task for "Compliance Enforcement". I've tried following every step exactly and even recreating my environment to no avail.

“RemediationConfiguration(s) for AWS Config Rule(s) required-tags are missing required document parameters. Specify all required document parameters and try again.”

I have specified instanceId > RESOURCE_ID and I still get this error.

This is the code for the Systems Manager doc:

description: |-
  *Use this SSM automation document to remediate EC2 instances that have not been properly tagged.*  

  ---
  # How does it work?
  This SSM automation doc will invoke the lambda function labFunction that will add tags to instances.
  The lambda function will tag any non-compliant EC2 resources with the Environment:Prod key value pair
  ## Pre-requisites
  1. Make sure to replace <account-id> with the actual account id of your provisioned lab account.
 

  You can create a [link to another webpage](https://aws.amazon.com/).
schemaVersion: '0.3'
parameters:
  instanceId:
    type: 'AWS::EC2::Instance::Id'
mainSteps:
  - name: updatetags
    action: 'aws:invokeLambdaFunction'
    inputs:
      InvocationType: Event
      Payload: '"{{instanceId}}"'
      FunctionName: 'arn:aws:lambda:us-east-1:<account-id>:function:labFunction'

Obviously I changed out the account id.

Thanks in advance, Theron

1 Answer
1

The error you're encountering with the CloudQuest "Compliance Enforcement" task is related to missing required document parameters in your AWS Config remediation configuration.

The issue is likely in how you've mapped the parameters between AWS Config and your SSM document. When setting up the remediation configuration for the AWS Config rule "required-tags", you need to ensure that all required parameters for the SSM document are properly specified.

In your case, you've mapped instanceId to RESOURCE_ID, which is correct, but there might be additional requirements:

  1. Make sure you've replaced <account-id> in the Lambda function ARN with your actual AWS account ID in the SSM document.

  2. Verify that the parameter mapping in the remediation configuration is exactly as required. The parameter name should be instanceId (case-sensitive) and the value should be RESOURCE_ID.

  3. Check if there are any other required parameters that you might have missed. Sometimes AWS Config remediation requires additional parameters beyond what's explicitly defined in your document.

  4. Ensure that the IAM role associated with the remediation action has the necessary permissions to invoke the SSM document and the Lambda function.

  5. Verify that the Lambda function "labFunction" exists and has the correct permissions to tag EC2 instances.

If you've already checked all these points and are still encountering the error, try recreating the remediation configuration from scratch, ensuring that all parameter mappings are correctly specified.
Sources
Why is EventBridge getting Invalid input for target message from Systems Manager Document | AWS re:Post
Use DescribeDocument with a CLI - AWS SDK Code Examples

answered 10 months ago
EXPERT
reviewed 10 months ago
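A quick way to verify points 2 and 3 of the answer before recreating anything is to compare the SSM document's declared parameters with the keys the remediation configuration actually supplies. This is an added example, not code from the question or the answer; the sample data is constructed to mirror the shape of boto3's ssm.describe_document() and configservice.describe_remediation_configurations() responses, and fetch_live() is a hypothetical helper that performs those two calls.

```python
"""Cross-check an SSM Automation document's parameters against an AWS Config
remediation configuration (added example, not from the original post)."""

# Constructed sample: the Parameters list DescribeDocument returns for the
# asker's document (one parameter, no DefaultValue, so it is required).
SAMPLE_DOCUMENT_PARAMETERS = [
    {"Name": "instanceId", "Type": "AWS::EC2::Instance::Id"},
]

# Constructed sample: a remediation configuration whose key has the wrong case.
SAMPLE_REMEDIATION_PARAMETERS = {
    "InstanceId": {"ResourceValue": {"Value": "RESOURCE_ID"}},
}


def required_document_parameters(document_parameters):
    """Parameters without a DefaultValue must be supplied by the remediation."""
    return {p["Name"] for p in document_parameters if "DefaultValue" not in p}


def check_remediation_parameters(document_parameters, remediation_parameters):
    """Return (missing, unknown): required document parameters the remediation
    never sets, and remediation keys that match no document parameter.
    Matching is case-sensitive, exactly as AWS Config applies it.
    Both lists are empty when the two sides are consistent."""
    required = required_document_parameters(document_parameters)
    declared = {p["Name"] for p in document_parameters}
    supplied = set(remediation_parameters)
    return sorted(required - supplied), sorted(supplied - declared)


def fetch_live(document_name, rule_name, region="us-east-1"):
    """Hypothetical helper: pull both sides from AWS (needs boto3 + credentials)."""
    import boto3  # imported here so the offline check above runs without it
    doc = boto3.client("ssm", region_name=region).describe_document(Name=document_name)
    cfg = boto3.client("config", region_name=region).describe_remediation_configurations(
        ConfigRuleNames=[rule_name])["RemediationConfigurations"][0]
    return doc["Document"]["Parameters"], cfg["Parameters"]


if __name__ == "__main__":
    missing, unknown = check_remediation_parameters(
        SAMPLE_DOCUMENT_PARAMETERS, SAMPLE_REMEDIATION_PARAMETERS)
    print("missing:", missing, "unknown:", unknown)
```

Replace the two sample structures with the output of fetch_live("<your-document-name>", "required-tags") to check a real account; any name in "missing" is exactly what the "missing required document parameters" error is complaining about.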
