

# Remediating Noncompliant Resources with AWS Config

AWS Config lets you remediate noncompliant resources that are evaluated by AWS Config Rules. AWS Config applies remediation using [AWS Systems Manager Automation documents](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-automation.html). These documents define the actions to be performed on the noncompliant AWS resources that AWS Config Rules have evaluated. You can associate SSM documents with rules by using the AWS Management Console or the APIs.

AWS Config provides a set of managed automation documents with remediation actions. You can also create custom automation documents and associate them with AWS Config rules.

**Topics**
+ [Region Support](#region-support-config-remediation)
+ [Setting Up Manual Remediation](setup-manualremediation.md)
+ [Setting Up Auto Remediation](setup-autoremediation.md)
+ [Deleting Remediation Actions](delete-remediation-action.md)

## Region Support

Currently, remediation actions for AWS Config Rules are supported only in a subset of regions. The current list is maintained on the AWS documentation website: [See the AWS documentation website for more details](http://docs.aws.amazon.com/config/latest/developerguide/remediation.html).

# Setting Up Manual Remediation for AWS Config

To apply remediation on noncompliant resources, you can either choose the remediation action you want to associate from a prepopulated list or create your own custom remediation actions using SSM documents. AWS Config provides a recommended list of remediation actions in the AWS Management Console.

------
#### [ Setting Up Manual Remediation (Console) ]

In the AWS Management Console, you manually remediate noncompliant resources by associating remediation actions with AWS Config rules. For any remediation action, you can choose either manual or automatic remediation.

1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/home](https://console.aws.amazon.com/config/home).

1. Choose **Rules** on the left and then on the **Rules** page, choose **Add Rule** to add new rules to the rule list.

   For existing rules, select the noncompliant rule from the rule list and choose the **Actions** dropdown list.

1. From the **Actions** dropdown list, choose **Manage remediation**. Select "Manual remediation" and then choose the appropriate remediation action from the recommended list.
**Note**  
You can only manage remediations for non-service linked AWS Config rules. For more information, see [ Service-Linked AWS Rules](https://docs.aws.amazon.com/config/latest/developerguide/service-linked-awsconfig-rules.html).

   Depending on the selected remediation action, you see specific parameters or no parameters.

1. (Optional): If you want to pass the resource ID of noncompliant resources to the remediation action, choose **Resource ID parameter**. If selected, at runtime that parameter is substituted with the ID of the resource to be remediated.

   Each parameter has either a static value or a dynamic value. If you do not choose a specific resource ID parameter from the dropdown list, you can enter values for each key. If you choose a resource ID parameter from the dropdown list, you can enter values for all the other keys except the selected resource ID parameter. 

1. Choose **Save**. The **Rules** page is displayed.

For troubleshooting failed remediation actions, you can run the AWS Command Line Interface command `describe-remediation-execution-status` to get a detailed view of a remediation execution for a set of resources. The details include the state, timestamps for the remediation execution steps, and any error messages for the failed steps.

------
#### [ Setting Up Manual Remediation (API) ]

Use the following AWS Config API operations to set up manual remediation:
+ [PutRemediationConfigurations](https://docs.aws.amazon.com/config/latest/APIReference/API_PutRemediationConfigurations.html), adds or updates the remediation configuration with a specific AWS Config rule with the selected target or action.
+ [StartRemediationExecution](https://docs.aws.amazon.com/config/latest/APIReference/API_StartRemediationExecution.html), runs an on-demand remediation for the specified AWS Config rules against the last known remediation configuration. 
+ [DescribeRemediationExecutionStatus](https://docs.aws.amazon.com/config/latest/APIReference/API_DescribeRemediationExecutionStatus.html), provides a detailed view of a Remediation Execution for a set of resources including state, timestamps for when steps for the remediation execution occur, and any error messages for steps that have failed. 
+ [DescribeRemediationConfigurations](https://docs.aws.amazon.com/config/latest/APIReference/API_DescribeRemediationConfigurations.html), returns the details of one or more remediation configurations.
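
The console procedure and the API operations above, combined into one script, as an added example that is not part of the AWS documentation: it builds the PutRemediationConfigurations request for a manual (Automatic=false) configuration with a resource ID parameter and a static parameter, starts an on-demand execution for specific resource keys, and polls DescribeRemediationExecutionStatus to extract the failed steps and their error messages. The rule name s3-bucket-public-read-prohibited, the document AWS-DisableS3BucketPublicReadWrite and its parameter names, the role ARN, the bucket names and the sample status response are assumptions, not values from this page.

```python
"""Set up and run manual remediation for an AWS Config rule through the API.

Added example; it is not code from the AWS documentation. Names that the page
does not give and that are assumed here: the rule s3-bucket-public-read-prohibited,
the managed document AWS-DisableS3BucketPublicReadWrite (parameters S3BucketName
and AutomationAssumeRole), and the sample role ARN, bucket names and status payload.
"""
import time

RULE_NAME = "s3-bucket-public-read-prohibited"        # assumed managed rule name
SSM_DOCUMENT = "AWS-DisableS3BucketPublicReadWrite"    # assumed managed Automation document
ROLE_ARN = "arn:aws:iam::123456789012:role/ConfigRemediationRole"  # sample value
TERMINAL = {"SUCCEEDED", "FAILED"}


def build_manual_remediation(rule_name, document, resource_id_param, static_params):
    """Request body for PutRemediationConfigurations.

    resource_id_param is filled at run time with the ID of the resource being
    remediated (ResourceValue RESOURCE_ID); every other key is a StaticValue.
    Automatic=False means nothing runs until StartRemediationExecution is called.
    """
    if resource_id_param in static_params:
        raise ValueError(f"{resource_id_param} is the resource ID parameter and cannot also be static")
    params = {resource_id_param: {"ResourceValue": {"Value": "RESOURCE_ID"}}}
    for key, value in static_params.items():
        params[key] = {"StaticValue": {"Values": [value]}}
    return {"RemediationConfigurations": [{
        "ConfigRuleName": rule_name,
        "TargetType": "SSM_DOCUMENT",
        "TargetId": document,
        "Automatic": False,
        "Parameters": params,
    }]}


def resource_keys(resource_type, resource_ids):
    """ResourceKeys for StartRemediationExecution / DescribeRemediationExecutionStatus."""
    return [{"resourceType": resource_type, "resourceId": rid} for rid in resource_ids]


def failed_steps(status_response):
    """(resource_id, step_name, error_message) for every failed step in a
    DescribeRemediationExecutionStatus response; an empty list means all succeeded."""
    failures = []
    for execution in status_response.get("RemediationExecutionStatuses", []):
        if execution.get("State") != "FAILED":
            continue
        rid = execution["ResourceKey"]["resourceId"]
        for step in execution.get("StepDetails", []):
            if step.get("State") == "FAILED":
                failures.append((rid, step.get("Name", ""), step.get("ErrorMessage", "")))
    return failures


def remediate(client, rule_name, keys, poll_seconds=5.0, timeout=300.0):
    """Associate the document with the rule, run it on demand for `keys`, and
    poll until every execution reaches a terminal state. Returns failed_steps()."""
    body = build_manual_remediation(rule_name, SSM_DOCUMENT, "S3BucketName",
                                    {"AutomationAssumeRole": ROLE_ARN})
    client.put_remediation_configurations(**body)
    started = client.start_remediation_execution(ConfigRuleName=rule_name, ResourceKeys=keys)
    if started.get("FailedItems"):
        raise RuntimeError(f"could not start remediation: {started.get('FailureMessage')}")
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        status = client.describe_remediation_execution_status(
            ConfigRuleName=rule_name, ResourceKeys=keys)
        states = {s.get("State") for s in status.get("RemediationExecutionStatuses", [])}
        if states and states <= TERMINAL:
            return failed_steps(status)
        time.sleep(poll_seconds)
    raise TimeoutError(f"remediation of {len(keys)} resource(s) still running after {timeout}s")


# Constructed sample of a DescribeRemediationExecutionStatus response (not real output).
SAMPLE_STATUS = {
    "RemediationExecutionStatuses": [
        {"ResourceKey": {"resourceType": "AWS::S3::Bucket", "resourceId": "example-bucket-a"},
         "State": "SUCCEEDED",
         "StepDetails": [{"Name": "DisablePublicAccess", "State": "SUCCEEDED"}]},
        {"ResourceKey": {"resourceType": "AWS::S3::Bucket", "resourceId": "example-bucket-b"},
         "State": "FAILED",
         "StepDetails": [{"Name": "DisablePublicAccess", "State": "FAILED",
                          "ErrorMessage": "AccessDenied: the automation role lacks s3:PutBucketAcl"}]},
    ]
}

if __name__ == "__main__":
    import boto3  # imported here so the builders above work without the SDK installed
    config = boto3.client("config")
    keys = resource_keys("AWS::S3::Bucket", ["example-bucket-a", "example-bucket-b"])
    for rid, step, err in remediate(config, RULE_NAME, keys):
        print(f"{rid}: step {step} failed: {err}")
```

The request builders return plain dictionaries, so they can be checked without credentials; only the `__main__` block needs boto3 and permission to call AWS Config. The role passed as AutomationAssumeRole must trust ssm.amazonaws.com and be allowed to perform the document's actions; a failed step whose ErrorMessage names a missing permission, as in the constructed sample, is the most common thing `describe-remediation-execution-status` turns up.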

------

# Setting Up Auto Remediation for AWS Config

To apply remediation on noncompliant resources, you can either choose the remediation action you want to associate from a prepopulated list or create your own custom remediation actions using SSM documents. AWS Config provides a list of remediation actions in the AWS Management Console.

------
#### [ Setting Up Auto Remediation (Console) ]

In the AWS Management Console, you automatically remediate noncompliant resources by associating remediation actions with AWS Config rules. For any remediation action, you can choose either manual or automatic remediation.

1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/home](https://console.aws.amazon.com/config/home).

1. Choose **Rules** on the left and then on the **Rules** page, choose **Add Rule** to add new rules to the rule list. 

   For existing rules, select the noncompliant rule from the rule list and choose the **Actions** dropdown list.

1. From the **Actions** dropdown list, choose **Manage remediation**. Select "Automatic remediation" and then choose the appropriate remediation action from the list.
**Note**  
You can only manage remediations for non-service linked AWS Config rules. For more information, see [ Service-Linked AWS Rules](https://docs.aws.amazon.com/config/latest/developerguide/service-linked-awsconfig-rules.html).

   Depending on the selected remediation action, you see specific parameters or no parameters.

1. Choose **Auto remediation** to automatically remediate noncompliant resources.

   If a resource is still noncompliant after auto remediation, you can set the rule to retry auto remediation. Enter the maximum number of retries and the time window, in seconds, within which they may occur.
**Note**  
There are costs associated with running a remediation script multiple times. Retries occur only if remediation fails, and only within the specified time period; for example, 5 retries in 300 seconds. For more information, see [Systems Manager Automation Pricing ](https://aws.amazon.com/systems-manager/pricing/#Automation).

1. (Optional): If you want to pass the resource ID of noncompliant resources to the remediation action, choose **Resource ID parameter**. If selected, at runtime that parameter is substituted with the ID of the resource to be remediated.

   Each parameter has either a static value or a dynamic value. If you do not choose a specific resource ID parameter from the dropdown list, you can enter values for each key. If you choose a resource ID parameter from the dropdown list, you can enter values for all the other keys except the selected resource ID parameter. 

1. Choose **Save**. The **Rules** page is displayed.

**For troubleshooting failed remediation actions**

For troubleshooting failed remediation actions, you can run the AWS Command Line Interface command `describe-remediation-execution-status` to get a detailed view of a remediation execution for a set of resources. The details include the state, timestamps for the remediation execution steps, and any error messages for the failed steps.

**Auto remediation can be initiated even for compliant resources**

If you enable auto remediation for a specific AWS Config rule using the [PutRemediationConfigurations](https://docs.aws.amazon.com/config/latest/APIReference/API_PutRemediationConfigurations.html) API or the AWS Config console, it initiates the remediation process for all noncompliant resources for that rule. The auto remediation process relies on a compliance data snapshot that is captured periodically. A noncompliant resource that is updated between snapshots continues to be remediated based on the last known compliance data snapshot.

This means that in some cases auto remediation can be initiated even for compliant resources, because the bootstrap processor uses a database whose evaluation results can be stale relative to the last known compliance data snapshot. A remediation action should therefore be safe to run against a resource that is already compliant.

------
#### [ Setting Up Auto Remediation (API) ]

Auto remediation itself is enabled with [PutRemediationConfigurations](https://docs.aws.amazon.com/config/latest/APIReference/API_PutRemediationConfigurations.html) by setting automatic remediation on the configuration. Use the following AWS Config API operations to exclude specific resources from auto remediation:
+ [PutRemediationExceptions](https://docs.aws.amazon.com/config/latest/APIReference/API_PutRemediationExceptions.html), adds a new exception or updates an existing exception for a specific resource with a specific AWS Config rule.
+ [DescribeRemediationExceptions](https://docs.aws.amazon.com/config/latest/APIReference/API_DescribeRemediationExceptions.html), returns the details of one or more remediation exceptions.
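
The auto remediation steps above (the retry count and seconds window), the exceptions operations, and the caveat that enabling auto remediation immediately acts on every resource the rule currently reports as noncompliant, as an added example that is not from the AWS documentation. It validates the retry budget, works out which resources enabling would act on right away, writes exceptions for allowlisted resources first, and only then writes the Automatic=true configuration. The rule, document, role ARN, bucket names and the evaluation results are assumed or constructed, not taken from this page; the parameter ranges come from the PutRemediationConfigurations API reference at the time of writing.

```python
"""Enable auto remediation for an AWS Config rule with a bounded retry budget,
after first recording remediation exceptions for resources that must not change.

Added example; it is not code from the AWS documentation. Assumed, not from the
page: the rule s3-bucket-public-read-prohibited, the managed document
AWS-DisableS3BucketPublicReadWrite, the sample role ARN, and the constructed
evaluation results and bucket names below.
"""
import datetime as dt

RULE_NAME = "s3-bucket-public-read-prohibited"        # assumed managed rule name
SSM_DOCUMENT = "AWS-DisableS3BucketPublicReadWrite"    # assumed managed Automation document
ROLE_ARN = "arn:aws:iam::123456789012:role/ConfigRemediationRole"  # sample value
RESOURCE_TYPE = "AWS::S3::Bucket"

# Valid ranges per the PutRemediationConfigurations API reference at the time of writing.
MAX_ATTEMPTS_RANGE = (1, 25)
RETRY_SECONDS_RANGE = (1, 2678000)


def build_auto_remediation(rule_name, document, resource_id_param, static_params,
                           max_attempts, retry_seconds):
    """Request body for PutRemediationConfigurations with Automatic=True.

    A retry is scheduled only when a previous attempt failed and only while
    retry_seconds have not elapsed, so max_attempts times the number of
    noncompliant resources bounds the Automation executions (and the cost)
    that a bad rollout can cause.
    """
    if not MAX_ATTEMPTS_RANGE[0] <= max_attempts <= MAX_ATTEMPTS_RANGE[1]:
        raise ValueError(f"MaximumAutomaticAttempts must be within {MAX_ATTEMPTS_RANGE}")
    if not RETRY_SECONDS_RANGE[0] <= retry_seconds <= RETRY_SECONDS_RANGE[1]:
        raise ValueError(f"RetryAttemptSeconds must be within {RETRY_SECONDS_RANGE}")
    params = {resource_id_param: {"ResourceValue": {"Value": "RESOURCE_ID"}}}
    params.update({k: {"StaticValue": {"Values": [v]}} for k, v in static_params.items()})
    return {"RemediationConfigurations": [{
        "ConfigRuleName": rule_name,
        "TargetType": "SSM_DOCUMENT",
        "TargetId": document,
        "Automatic": True,
        "MaximumAutomaticAttempts": max_attempts,
        "RetryAttemptSeconds": retry_seconds,
        "Parameters": params,
    }]}


def noncompliant_ids(evaluation_results):
    """Resource IDs evaluated NON_COMPLIANT in a GetComplianceDetailsByConfigRule response."""
    return {
        r["EvaluationResultIdentifier"]["EvaluationResultQualifier"]["ResourceId"]
        for r in evaluation_results
        if r.get("ComplianceType") == "NON_COMPLIANT"
    }


def enable_plan(evaluation_results, allowlist):
    """Return (to_exempt, remediated_on_enable).

    Enabling auto remediation starts remediation for every resource the rule
    currently reports as noncompliant, so anything on the allowlist needs an
    exception before Automatic=True is written, not after.
    """
    noncompliant = noncompliant_ids(evaluation_results)
    return sorted(allowlist), sorted(noncompliant - set(allowlist))


def build_exceptions(rule_name, resource_type, resource_ids, message, days):
    """Request body for PutRemediationExceptions with an expiry, so that
    exemptions get reviewed instead of silently living forever."""
    if not resource_ids:
        raise ValueError("at least one resource ID is required")
    return {
        "ConfigRuleName": rule_name,
        "ResourceKeys": [{"ResourceType": resource_type, "ResourceId": rid} for rid in resource_ids],
        "Message": message,
        "ExpirationTime": dt.datetime.now(dt.timezone.utc) + dt.timedelta(days=days),
    }


# Constructed sample shaped like GetComplianceDetailsByConfigRule output (not real data).
SAMPLE_EVALUATIONS = [
    {"EvaluationResultIdentifier": {"EvaluationResultQualifier": {
        "ConfigRuleName": RULE_NAME, "ResourceType": RESOURCE_TYPE, "ResourceId": "public-website-bucket"}},
     "ComplianceType": "NON_COMPLIANT"},
    {"EvaluationResultIdentifier": {"EvaluationResultQualifier": {
        "ConfigRuleName": RULE_NAME, "ResourceType": RESOURCE_TYPE, "ResourceId": "app-logs-bucket"}},
     "ComplianceType": "NON_COMPLIANT"},
    {"EvaluationResultIdentifier": {"EvaluationResultQualifier": {
        "ConfigRuleName": RULE_NAME, "ResourceType": RESOURCE_TYPE, "ResourceId": "backups-bucket"}},
     "ComplianceType": "COMPLIANT"},
]
ALLOWLIST = ["public-website-bucket"]  # assumed: a bucket that is public on purpose

if __name__ == "__main__":
    import boto3  # imported here so the builders above work without the SDK installed
    config = boto3.client("config")
    # Live evaluation results replace SAMPLE_EVALUATIONS here (first page only; paginate for large rules).
    evaluations = config.get_compliance_details_by_config_rule(
        ConfigRuleName=RULE_NAME, ComplianceTypes=["NON_COMPLIANT"])["EvaluationResults"]
    exempt, remediated_now = enable_plan(evaluations, ALLOWLIST)
    if exempt:
        config.put_remediation_exceptions(**build_exceptions(
            RULE_NAME, RESOURCE_TYPE, exempt, "Public website content; change ticket reference here", days=90))
    config.put_remediation_configurations(**build_auto_remediation(
        RULE_NAME, SSM_DOCUMENT, "S3BucketName", {"AutomationAssumeRole": ROLE_ARN},
        max_attempts=5, retry_seconds=300))
    print("auto remediation starts now for:", remediated_now)
```

The ordering in the `__main__` block is the point: exceptions are written before the automatic configuration, because the moment Automatic=true lands, every resource in the last compliance snapshot that is noncompliant (and, per the caveat above, occasionally one that has since become compliant) is queued for the Automation document. Exceptions carry a message and an expiry so they are auditable and do not outlive the reason they were granted.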

------

# Deleting Remediation Actions for AWS Config

You can use the AWS Config console or the AWS CLI to delete remediation actions.

------
#### [ Deleting remediation actions (Console) ]

1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/home](https://console.aws.amazon.com/config/home).

1. Choose **Rules** on the left and then on the **Rules** page, select the rule from the rule list and choose **View details**.

1. On the *name of the rule* page, go to the **Remediation action** section. Expand the section to view additional details.

1. In the **Remediation action** section, choose **Delete** and confirm your delete action.
**Note**  
If remediation is in progress, the remediation action won't be deleted. Once you delete a remediation action, you cannot retrieve it. Deleting a remediation action does not delete the associated rule.

   If a remediation action is deleted, the **Resource ID parameter** will be empty and display N/A. On the **Rules** page, the remediation action column displays **Not set** for the associated rule.

------
#### [ Deleting remediation actions (API) ]

Use the following AWS Config API operations to delete remediation actions:
+ [DeleteRemediationConfiguration](https://docs.aws.amazon.com/config/latest/APIReference/API_DeleteRemediationConfiguration.html), deletes the remediation configuration.
+ [DeleteRemediationExceptions](https://docs.aws.amazon.com/config/latest/APIReference/API_DeleteRemediationExceptions.html), deletes one or more remediation exceptions mentioned in the resource keys.

------