
How to add remediation actions to the Config rules of Conformance Pack?

0

Hi all

I deployed AWS Config Conformance Pack for FedRAMP Moderate - https://docs.aws.amazon.com/config/latest/developerguide/conformancepack-sample-templates.html. I want to add remediation actions but this doc says I need to "add the remediation action to the conformance pack template itself, and then update the conformance pack with your updated template." - https://docs.aws.amazon.com/config/latest/developerguide/service-linked-awsconfig-rules.html.

But the doc does not say much about how. Is there an example on how to achieve this?

Thanks.

asked a year ago, 322 views
1 Answer
0

Here's how to add remediation actions to a Conformance Pack template:

**Basic Structure for Adding Remediation:**

```yaml
Resources:
  # Original Config Rule
  YourConfigRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: rule-name
      Source:
        Owner: AWS
        SourceIdentifier: RULE_IDENTIFIER

  # Add Remediation
  YourRemediationConfig:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: !Ref YourConfigRule   # Ref on a ConfigRule resolves to the rule name
      TargetId: AWS-RunPowerShell  # or other SSM automation
      TargetType: SSM_DOCUMENT
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - !Sub arn:aws:iam::${AWS::AccountId}:role/YourRemediationRole
```

**Example with Specific Rule and Remediation:**

```yaml
Resources:
  # S3BucketPublicReadProhibited Rule
  S3PublicReadRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: s3-bucket-public-read-prohibited
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED

  # Remediation for S3 Public Read
  S3PublicReadRemediation:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: !Ref S3PublicReadRule
      TargetId: AWS-DisableS3BucketPublicReadWrite
      TargetType: SSM_DOCUMENT
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - !Sub arn:aws:iam::${AWS::AccountId}:role/RemediationRole
        S3BucketName:
          ResourceValue:
            Value: RESOURCE_ID   # the non-compliant bucket's resource ID is passed in at run time
```


**Required IAM Role:**

```yaml
  RemediationRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ssm.amazonaws.com   # SSM Automation assumes this role
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonS3FullAccess
        - arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole
```


**Update Conformance Pack:**

```bash
# Using AWS CLI
aws configservice put-conformance-pack \
  --conformance-pack-name FedRAMP-Moderate \
  --template-body file://updated-template.yaml
```


Or, using the AWS Console, navigate to AWS Config > Conformance Packs > Edit.

More reference: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-remediationconfiguration.html

AWS
answered a year ago
  • Hi, thanks for your reply. I did as you said, but if I run the "aws configservice put-conformance-pack" command, it says "An error occurred (ConformancePackTemplateValidationException) when calling the PutConformancePack operation: Template passed in the input parameter is invalid". It runs OK if I run the same template in the CloudFormation console.
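As an added example (not part of the answer above or of any AWS tooling), here is a small Python pre-check to run on a conformance pack template before calling put-conformance-pack. It applies the constraints that matter here: a conformance pack template accepts only AWS::Config::ConfigRule and AWS::Config::RemediationConfiguration resources (a role must be created outside the pack), a remediation's ConfigRuleName must reference a rule in the same template, TargetType must be SSM_DOCUMENT, and each parameter needs exactly one of StaticValue or ResourceValue with Value RESOURCE_ID. The sample template is constructed from the answer's S3 example with !Ref and !Sub written in long form; loading YAML with CloudFormation tags into that dict shape is assumed to be done by the reader.

```python
# Conformance pack templates accept only these two resource types.
ALLOWED_TYPES = {"AWS::Config::ConfigRule", "AWS::Config::RemediationConfiguration"}


def lint_conformance_pack(template):
    """Return a list of findings for a parsed template dict; empty means nothing flagged."""
    findings = []
    resources = template.get("Resources") or {}
    rule_names = {n for n, r in resources.items() if r.get("Type") == "AWS::Config::ConfigRule"}
    for name, res in resources.items():
        rtype = res.get("Type")
        if rtype not in ALLOWED_TYPES:
            findings.append(f"{name}: resource type {rtype} is not allowed in a conformance pack")
            continue
        props = res.get("Properties") or {}
        if rtype == "AWS::Config::ConfigRule":
            if "Source" not in props:
                findings.append(f"{name}: ConfigRule has no Source")
            continue
        # A remediation's !Ref must point at a rule defined in the same template.
        target = props.get("ConfigRuleName")
        ref = target.get("Ref") if isinstance(target, dict) else None
        if ref is not None and ref not in rule_names:
            findings.append(f"{name}: ConfigRuleName refers to undefined rule {ref}")
        if props.get("TargetType") != "SSM_DOCUMENT":
            findings.append(f"{name}: TargetType must be SSM_DOCUMENT")
        for pname, pval in (props.get("Parameters") or {}).items():
            keys = set(pval) if isinstance(pval, dict) else set()
            if len(keys & {"StaticValue", "ResourceValue"}) != 1:
                findings.append(f"{name}: parameter {pname} needs exactly one of StaticValue/ResourceValue")
            elif "ResourceValue" in keys and pval["ResourceValue"].get("Value") != "RESOURCE_ID":
                findings.append(f"{name}: parameter {pname} ResourceValue.Value must be RESOURCE_ID")
    return findings


# Constructed sample mirroring the answer above; !Ref and !Sub are written in long form
# (what a YAML loader with CloudFormation tag support would produce).
SAMPLE = {"Resources": {
    "S3PublicReadRule": {"Type": "AWS::Config::ConfigRule", "Properties": {
        "ConfigRuleName": "s3-bucket-public-read-prohibited",
        "Source": {"Owner": "AWS", "SourceIdentifier": "S3_BUCKET_PUBLIC_READ_PROHIBITED"}}},
    "S3PublicReadRemediation": {"Type": "AWS::Config::RemediationConfiguration", "Properties": {
        "ConfigRuleName": {"Ref": "S3PublicReadRule"},
        "TargetId": "AWS-DisableS3BucketPublicReadWrite", "TargetType": "SSM_DOCUMENT",
        "Parameters": {
            "AutomationAssumeRole": {"StaticValue": {"Values": [
                {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:role/RemediationRole"}]}},
            "S3BucketName": {"ResourceValue": {"Value": "RESOURCE_ID"}}}}},
    "RemediationRole": {"Type": "AWS::IAM::Role", "Properties": {}},
}}
```

Running lint_conformance_pack(SAMPLE) flags only the RemediationRole resource; dropping it from the pack and creating the role separately yields an empty findings list.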
