AWS Config
Developer Guide

Remediating Noncompliant AWS Resources by AWS Config Rules

AWS Config allows you to remediate noncompliant resources that are evaluated by AWS Config Rules. AWS Config applies remediation using AWS Systems Manager Automation documents. These documents define the actions to be performed on noncompliant AWS resources evaluated by AWS Config Rules. You can associate SSM documents with AWS Config Rules by using the AWS Management Console or the APIs.

To apply remediation on noncompliant resources, AWS Config provides a set of managed automation documents with remediation actions. You can also create and associate custom automation documents with AWS Config Rules.

Prerequisites

Before you begin to apply remediation on noncompliant resources, you must select a rule and set up remediation for the rule. You can set up remediation from three places in the console. The following procedures provide more details about each workflow.

Setting Up Remediation (Console)

  1. Sign in to the AWS Management Console and open the AWS Config console at https://console.aws.amazon.com/config/.

  2. Choose Rules on the left and then on the Rules page, choose Add Rule to add new rules to the rule list.

    For existing rules, select the noncompliant rule from the rule list and choose Edit.

  3. On the Edit name of the rule page, in the Choose remediation action section, choose the appropriate remediation action from the recommended list.

    Depending on the selected remediation action, you see specific parameters or no parameters.

  4. (Optional): If you want to pass the resource ID of noncompliant resources to the remediation action, choose Resource ID parameter. If selected, at runtime that parameter is substituted with the ID of the resource to be remediated.

    Each parameter has either a static value or a dynamic value. If you do not choose a specific resource ID parameter from the drop-down list, you can enter values for each key. If you choose a resource ID parameter from the drop-down list, you can enter values for all the other keys except the selected resource ID parameter.

  5. Choose Save. The Rules page is displayed.

Setting Up and Applying a Remediation Action Using Rules (Console)

You can apply a remediation action to a noncompliant rule from Rules on the left.

  1. Sign in to the AWS Management Console and open the AWS Config console at https://console.aws.amazon.com/config/.

  2. Choose Rules on the left and then on the Rules page, choose Add Rule to add new rules to the rule list.

    For existing rules, select the noncompliant rule from the rule list and choose Edit.

  3. Choose Manage remediation and on the Manage remediation: name of the rule page, select the appropriate remediation action from the recommended list. The remediation actions are related to Amazon EC2 Systems Manager automation documents.

    Depending on the selected remediation action, you will see either specific parameters or no parameters.

  4. If you want to pass the resource ID of noncompliant resources to the remediation action, choose Resource ID parameter. If selected, at runtime that parameter is substituted with the ID of the resource to be remediated.

    Each parameter has either a static value or a dynamic value. If you do not choose a specific resource ID parameter from the drop-down list, you can enter values for each key. If you choose a resource ID parameter from the drop-down list, you can enter values for all the other keys except the selected resource ID parameter.

  5. Choose Save.

  6. In the Choose resources in scope section, choose all the noncompliant resources. The resources in scope include those resources where this rule is applied and their compliance status.

    For more information about a resource, choose Resource actions and either choose View details, Configuration timeline, or Compliance timeline.

  7. Choose Remediate.

    If the resources are remediated, the resource compliance status is compliant. To view the compliant resources, select Compliant from the compliance status list.

    If the resources are not remediated, the action status column displays Action execution failed (details). Choose (details) to view the main action steps invoked during the execution of the remediation action and the status of each action step.

    Note

    For troubleshooting failed remediation actions, you can run the AWS Command Line Interface (AWS CLI) command describe-remediation-execution-status to get a detailed view of a remediation execution for a set of resources. The details include the state, timestamps for the remediation execution steps, and any error messages for the failed steps.

Setting Up and Applying a Remediation Action Using Resources (Console)

You can also apply a remediation action to a noncompliant rule from Resources on the left.

  1. Sign in to the AWS Management Console and open the AWS Config console at https://console.aws.amazon.com/config/.

  2. Choose Resources on the left. On the Resource inventory page, Resources is selected by default.

  3. Select one or more resource types and choose Look up.

  4. Choose the name of the appropriate noncompliant resource from the resource table.

  5. On the Resource details: name of the resource page, choose one or more noncompliant rules from the rules in scope.

  6. Choose Rule actions and select Manage remediation.

  7. On the Manage remediation: name of the rule page, select the appropriate remediation action.

    Depending on the selected remediation action, you will see either specific parameters or no parameters.

  8. If you want to pass the resource ID of noncompliant resources to the remediation action, choose Resource ID parameter. If selected, at runtime that parameter is substituted with the ID of the resource to be remediated.

    Each parameter has either a static value or a dynamic value. If you do not choose a specific resource ID parameter from the drop-down list, you can enter values for each key. If you choose a resource ID parameter from the drop-down list, you can enter values for all the other keys except the selected resource ID parameter.

  9. Choose Save.

  10. In the Choose resources in scope section, choose all the noncompliant resources. The resources in scope include those resources where this rule is applied and their compliance status.

    For more information about a resource, choose Resource actions and either choose View details, Configuration timeline, or Compliance timeline.

  11. Choose Remediate.

    If the resources are remediated, the resource compliance status is compliant. To view the compliant resources, select Compliant from the compliance status list.

    If the resources are not remediated, the action status column displays Action execution failed (details). Choose (details) to view the main action steps invoked during the execution of the remediation action and the status of each action step.

    Note

    For troubleshooting failed remediation actions, you can run the AWS Command Line Interface (AWS CLI) command describe-remediation-execution-status to get a detailed view of a remediation execution for a set of resources. The details include the state, timestamps for the remediation execution steps, and any error messages for the failed steps.
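The console steps above map directly onto the remediation API: the selected Resource ID parameter becomes a ResourceValue of RESOURCE_ID that AWS Config substitutes at runtime, every other key carries a StaticValue, and describe-remediation-execution-status lists the failed steps with their error messages. The following Python is an added example, not code from this guide; the role ARN is a placeholder and the status response is constructed, so it runs offline.

```python
"""Helpers for the remediation workflow described above (added example):
build the RemediationConfiguration offline, then troubleshoot a run."""

RESOURCE_ID = "RESOURCE_ID"  # marker AWS Config replaces with the resource's ID


def build_remediation_config(rule_name, ssm_document, resource_type,
                             resource_id_param, static_params):
    """RemediationConfiguration for put-remediation-configurations
    (save as JSON and pass with --remediation-configurations file://...).
    resource_id_param names the document parameter that receives the
    noncompliant resource's ID at runtime; every other key gets a static
    value, and, as in the console, the resource ID key may not have one."""
    if resource_id_param in static_params:
        raise ValueError(f"{resource_id_param!r} is the Resource ID parameter "
                         "and cannot also carry a static value")
    params = {resource_id_param: {"ResourceValue": {"Value": RESOURCE_ID}}}
    for key, value in static_params.items():
        values = value if isinstance(value, list) else [value]
        params[key] = {"StaticValue": {"Values": values}}
    return {"ConfigRuleName": rule_name, "TargetType": "SSM_DOCUMENT",
            "TargetId": ssm_document, "ResourceType": resource_type,
            "Parameters": params,
            "Automatic": False}  # manual: an operator chooses Remediate


def failed_steps(status_response):
    """(resource ID, step name, error) for each failed step in a
    describe-remediation-execution-status response."""
    out = []
    for ex in status_response.get("RemediationExecutionStatuses", []):
        rid = ex["ResourceKey"]["resourceId"]
        for step in ex.get("StepDetails", []):
            if step.get("State") == "FAILED":
                out.append((rid, step["Name"], step.get("ErrorMessage", "")))
    return out


# Constructed sample response, not captured from a real account.
SAMPLE_STATUS = {"RemediationExecutionStatuses": [
    {"ResourceKey": {"resourceType": "AWS::S3::Bucket",
                     "resourceId": "example-bucket-1"},
     "State": "SUCCEEDED",
     "StepDetails": [{"Name": "DisableS3BucketPublicReadWrite",
                      "State": "SUCCEEDED"}]},
    {"ResourceKey": {"resourceType": "AWS::S3::Bucket",
                     "resourceId": "example-bucket-2"},
     "State": "FAILED",
     "StepDetails": [{"Name": "DisableS3BucketPublicReadWrite",
                      "State": "FAILED",
                      "ErrorMessage": "AccessDenied (constructed)"}]}]}
```

Wrapping the returned configuration in a list and saving it as JSON gives the file that put-remediation-configurations expects; start-remediation-execution followed by describe-remediation-execution-status yields the response shape that failed_steps reads.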

Delete Remediation Action (Console)

To delete a rule, you must first delete the remediation action associated with that rule.

  1. Sign in to the AWS Management Console and open the AWS Config console at https://console.aws.amazon.com/config/.

  2. Choose Rules on the left and then on the Rules page, select the rule from the rule list and choose Edit.

  3. On the rule page, choose Edit again.

  4. On the Edit name of the rule page, in the Choose remediation action section, choose Delete remediation action and confirm your delete action.

    Note

    If remediation is in progress, the remediation action is not deleted. If you choose Delete remediation action, you cannot retrieve the remediation action. When you delete a remediation action, AWS Config does not delete a rule.

    If the remediation action is deleted, the Resource ID parameter is empty and displays N/A. On the Rules page, the remediation action column displays Not set for the corresponding rule.

Managing Remediation (API)

Use the following AWS Config API actions to manage remediation: