Questions tagged with AWS Config


AWS Config Rule Automatic Remediation Failed (SSM Automation shows Success)

Hello, I am trying to use an AWS Config rule with auto remediation; the rule should detect security groups with open SSH and remove the ingress. I use the "INCOMING_SSH_DISABLED" (restricted-ssh) managed rule and the AWS-DisablePublicAccessForSecurityGroup SSM document. The remediation is configured with Terraform:

```
# Attributes of the remediation configuration as posted; the enclosing
# aws_config_remediation_configuration block and its config_rule_name were
# not included in the post.
target_id      = "AWS-DisablePublicAccessForSecurityGroup"
target_type    = "SSM_DOCUMENT"
resource_type  = "AWS::EC2::SecurityGroup"
target_version = "1"

parameter {
  name         = "AutomationAssumeRole"
  static_value = aws_iam_role.ssh-remediation-role.arn
}

parameter {
  name           = "GroupId"
  resource_value = "RESOURCE_ID"
}
```

The role is:

```
data "aws_iam_policy_document" "ssm-automation-assume-role" {
  version = "2012-10-17"

  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      identifiers = ["ssm.amazonaws.com"]
      type        = "Service"
    }

    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [local.account-id]
    }

    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = ["arn:aws:ssm:*:${local.account-id}:automation-execution/*"]
    }
  }
}

resource "aws_iam_role" "ssh-remediation-role" {
  assume_role_policy = data.aws_iam_policy_document.ssm-automation-assume-role.json
  managed_policy_arns = [
    "arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole",
    "arn:aws:iam::aws:policy/AmazonEC2FullAccess",
  ]
}
```

When I create such a security group, AWS Config detects it and runs the remediation; the Automation finishes with result 'Success' (and the security group is properly updated, so the remediation works), but AWS Config shows "Failed". When I try to see some details with `aws configservice describe-remediation-execution-status`, I get:

```
"State": "FAILED",
"StepDetails": [
  {
    "Name": "GetAutomationExecution",
    "State": "FAILED",
    "ErrorMessage": "AccessDeniedException while calling STS for execution: SsmExecutionId(value=d69b27e5-da83-43de-b563-9d9040c2cf03)"
  }
],
```

I tried to google this error but I have not found anything. How can I solve this issue?
Thank you for your help.
0
answers
0
votes
14
views
bielosx
asked 4 days ago
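An added diagnostic for the situation in the question above (example code written here, not from the poster or from AWS): it reconciles what AWS Config reports for a remediation execution with the status of the SSM Automation execution it launched, so "the document failed" is told apart from "the document succeeded but Config's own status poll failed". The execution id is parsed out of the `SsmExecutionId(value=...)` token that Config embeds in the step error message. The input records are constructed to mirror the shapes of `aws configservice describe-remediation-execution-status` and `aws ssm get-automation-execution`; the two extra records, the resource ids and the non-STS error message are assumptions made for the sample, and a live version would fetch both with boto3 (`describe_remediation_execution_status`, `get_automation_execution`) and pass them to `reconcile()`.

```python
import re
from typing import Optional

# Config embeds the Automation execution id in the step error message; parse it out.
_SSM_EXEC_ID_RE = re.compile(r"SsmExecutionId\(value=([0-9a-f-]{36})\)")


def ssm_execution_id(step_details: list[dict]) -> Optional[str]:
    """Return the SSM Automation execution id referenced by a step error, if any."""
    for step in step_details:
        m = _SSM_EXEC_ID_RE.search(step.get("ErrorMessage", ""))
        if m:
            return m.group(1)
    return None


def classify(remediation: dict, ssm_executions: dict[str, dict]) -> dict:
    """Classify one RemediationExecutionStatuses entry against SSM's own view.

    ssm_executions maps AutomationExecutionId -> AutomationExecution document
    (the shape returned by ssm get-automation-execution).
    """
    key = remediation["ResourceKey"]
    failed_steps = [s for s in remediation.get("StepDetails", []) if s.get("State") == "FAILED"]
    exec_id = ssm_execution_id(failed_steps)
    ssm_status = ssm_executions.get(exec_id, {}).get("AutomationExecutionStatus") if exec_id else None
    # An AccessDeniedException "while calling STS" means a role assumption was refused,
    # so the place to look is the role/trust policy, not the document's steps.
    sts_denied = any("AccessDeniedException while calling STS" in s.get("ErrorMessage", "")
                     for s in failed_steps)

    if remediation["State"] == "SUCCEEDED":
        verdict = "ok"
    elif ssm_status == "Success":
        verdict = "config-status-poll-failed"   # document ran; Config could not read its result
    elif ssm_status in ("Failed", "TimedOut", "Cancelled"):
        verdict = "automation-failed"           # the document itself did not complete
    else:
        verdict = "unknown"

    return {
        "resource": f"{key['resourceType']}/{key['resourceId']}",
        "config_state": remediation["State"],
        "failed_step": failed_steps[0]["Name"] if failed_steps else None,
        "ssm_execution_id": exec_id,
        "ssm_status": ssm_status,
        "sts_access_denied": sts_denied,
        "verdict": verdict,
    }


def reconcile(statuses: list[dict], ssm_executions: dict[str, dict]) -> list[dict]:
    return [classify(r, ssm_executions) for r in statuses]


# Constructed sample input. The first record mirrors the post (execution id taken from it);
# the other two are made up to exercise the remaining verdicts.
SAMPLE_REMEDIATIONS = [
    {"ResourceKey": {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0123456789abcdef0"},
     "State": "FAILED",
     "StepDetails": [{"Name": "GetAutomationExecution", "State": "FAILED",
                      "ErrorMessage": "AccessDeniedException while calling STS for execution: "
                                      "SsmExecutionId(value=d69b27e5-da83-43de-b563-9d9040c2cf03)"}]},
    {"ResourceKey": {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0fedcba9876543210"},
     "State": "FAILED",
     "StepDetails": [{"Name": "GetAutomationExecution", "State": "FAILED",
                      # constructed message; only the SsmExecutionId(...) token matters to the parser
                      "ErrorMessage": "Automation did not succeed for execution: "
                                      "SsmExecutionId(value=11111111-2222-3333-4444-555555555555)"}]},
    {"ResourceKey": {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0aaaaaaaaaaaaaaaa"},
     "State": "SUCCEEDED",
     "StepDetails": [{"Name": "GetAutomationExecution", "State": "SUCCEEDED"}]},
]

SAMPLE_SSM_EXECUTIONS = {
    "d69b27e5-da83-43de-b563-9d9040c2cf03": {"AutomationExecutionStatus": "Success"},
    "11111111-2222-3333-4444-555555555555": {"AutomationExecutionStatus": "Failed"},
}

if __name__ == "__main__":
    for finding in reconcile(SAMPLE_REMEDIATIONS, SAMPLE_SSM_EXECUTIONS):
        print(finding)
```

Run it on the two real outputs and a `config-status-poll-failed` verdict with `sts_access_denied` set is exactly the symptom in the question: the security group was fixed, and the failure is confined to the step in which Config reads the execution's result.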

Lambda to pull CloudFront from AWS Config query

Hi, I am trying to use a Lambda to pull from multiple accounts and grab CloudFront information, but the aliases ("cname") won't come back:

```
selectExpression = "select accountId,resourceId,awsRegion,arn,resourceCreationTime,configurationItemStatus,configuration.domainName,configuration.lastModifiedTime,configuration.distributionConfig.aliases.items,configuration.distributionConfig.origins.items.customOriginConfig.*,configuration.distributionConfig.origins.items.customOriginConfig.httpPort,configuration.distributionConfig.origins.items.customOriginConfig.httpsPort,configuration.distributionConfig.origins.items.customOriginConfig.originSslProtocols,configuration.distributionConfig.origins.items.domainName"
selectExpression = selectExpression + " where resourceType = 'AWS::CloudFront::Distribution'"

print(result['configuration']['distributionConfig']['aliases']['items'])
```

This gets the error below, but getting the origins works fine:

```
print(result['configuration']['distributionConfig']['origins']['items'])
```

Any suggestions? It is also in their docs: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-distributionconfig.html#cfn-cloudfront-distribution-distributionconfig-aliases and it works with the CLI.

Error:

```
Response
{
  "errorMessage": "'Aliases'",
  "errorType": "KeyError",
  "requestId": "345fga5-a4f4-405b-8c43-319f750e6f1a",
  "stackTrace": [
    "  File \"/var/task/lambda_function.py\", line 62, in lambda_handler\n    print(result['configuration']['distributionConfig']['Aliases']['items'])\n"
  ]
}
```

```
{
  "aliases": {
    "items": [
      "www.foo.com"
    ]
  },
  "origins": {
    "items": [
      {
        "domainName": "awseb-e-j-AWSEBLA-1XXXXXXXXXX.us-east-2.elb.amazonaws.com",
        "customOriginConfig": {
          "originSslProtocols": {
            "quantity": 3,
            "items": [
              "TLSv1.2"
            ]
          },
          "httpPort": 80,
          "httpsPort": 443
        }
      }
    ]
  }
}
```
1
answers
0
votes
30
views
asked 2 months ago
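An added example for the question above (written here, not the poster's Lambda or AWS code) showing how to turn the rows an AWS Config advanced query returns for `AWS::CloudFront::Distribution` into plain records without hitting `KeyError`. Each entry in the query's `Results` list is a JSON document as a string that has to be `json.loads`-ed, and inside `configuration` the keys are camelCase as the sample in the post shows (`aliases`, not `Aliases`). The extractor uses `.get()` throughout because a distribution with no alternate domain names has no `aliases.items`, and an S3 origin has no `customOriginConfig` at all. It also goes one step beyond the post by flagging origins that still allow pre-TLS 1.2 protocols; the threshold, the `WEAK_ORIGIN_TLS` set, the sample account id, domain names and the second and third rows are assumptions made for the example. A live version would pass in `select_aggregate_resource_config(...)['Results']` (or `select_resource_config` for a single account).

```python
import json

# Assumption for illustration: anything below TLS 1.2 offered to a custom origin is "weak".
WEAK_ORIGIN_TLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def extract_distribution(row: str) -> dict:
    """Normalize one Config advanced-query result row (a JSON string) for a distribution."""
    item = json.loads(row)
    configuration = item.get("configuration", {})
    dist_cfg = configuration.get("distributionConfig", {})
    # 'aliases.items' is absent when the distribution has no alternate domain names.
    aliases = dist_cfg.get("aliases", {}).get("items", [])

    origins = []
    for origin in dist_cfg.get("origins", {}).get("items", []):
        custom = origin.get("customOriginConfig") or {}   # S3 origins carry s3OriginConfig instead
        protocols = custom.get("originSslProtocols", {}).get("items", [])
        origins.append({
            "domainName": origin.get("domainName"),
            "httpPort": custom.get("httpPort"),
            "httpsPort": custom.get("httpsPort"),
            "originSslProtocols": protocols,
            "weakTls": sorted(set(protocols) & WEAK_ORIGIN_TLS),
        })

    return {
        "accountId": item.get("accountId"),
        "resourceId": item.get("resourceId"),
        "domainName": configuration.get("domainName"),
        "aliases": aliases,
        "origins": origins,
    }


def extract_all(results: list[str]) -> list[dict]:
    """Apply extract_distribution to every string in a query's Results list."""
    return [extract_distribution(r) for r in results]


def distributions_with_weak_origin_tls(records: list[dict]) -> list[str]:
    """Resource ids of distributions with at least one origin offering a weak protocol."""
    return [r["resourceId"] for r in records if any(o["weakTls"] for o in r["origins"])]


# Constructed sample rows, serialized the way Config returns them (JSON text per row).
# Row 0 follows the shape of the sample in the post; rows 1 and 2 are made up.
SAMPLE_RESULTS = [
    json.dumps({
        "accountId": "111122223333", "resourceId": "E1EXAMPLE0000A",
        "configuration": {
            "domainName": "d111111abcdef8.cloudfront.net",
            "distributionConfig": {
                "aliases": {"quantity": 1, "items": ["www.foo.com"]},
                "origins": {"quantity": 1, "items": [{
                    "domainName": "origin-alb-example.us-east-2.elb.amazonaws.com",
                    "customOriginConfig": {
                        "originSslProtocols": {"quantity": 1, "items": ["TLSv1.2"]},
                        "httpPort": 80, "httpsPort": 443}}]}}}}),
    json.dumps({  # no alternate domain names, S3 origin: no aliases.items, no customOriginConfig
        "accountId": "111122223333", "resourceId": "E1EXAMPLE0000B",
        "configuration": {
            "domainName": "d222222abcdef8.cloudfront.net",
            "distributionConfig": {
                "aliases": {"quantity": 0},
                "origins": {"quantity": 1, "items": [{
                    "domainName": "assets-example.s3.amazonaws.com",
                    "s3OriginConfig": {"originAccessIdentity": ""}}]}}}}),
    json.dumps({  # custom origin still offering TLSv1
        "accountId": "444455556666", "resourceId": "E1EXAMPLE0000C",
        "configuration": {
            "domainName": "d333333abcdef8.cloudfront.net",
            "distributionConfig": {
                "aliases": {"quantity": 1, "items": ["api.example.test"]},
                "origins": {"quantity": 1, "items": [{
                    "domainName": "legacy-example.example.test",
                    "customOriginConfig": {
                        "originSslProtocols": {"quantity": 2, "items": ["TLSv1", "TLSv1.2"]},
                        "httpPort": 80, "httpsPort": 443}}]}}}}),
]

if __name__ == "__main__":
    records = extract_all(SAMPLE_RESULTS)
    for record in records:
        print(record["resourceId"], record["aliases"], record["origins"])
    print("weak origin TLS:", distributions_with_weak_origin_tls(records))
```

In the Lambda, the same `.get()` chain replaces the `result['configuration']['distributionConfig']['Aliases']['items']` lookup from the stack trace, and the per-origin `weakTls` field is what you would feed into a finding or a Config custom rule rather than just printing it.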