Configure Trusted Advisor check remediation in Trusted Remediator - AMS Accelerate User Guide

Configure Trusted Advisor check remediation in Trusted Remediator

You can configure remediations on a per-resource basis or per Trusted Advisor check basis. You can apply exceptions using resource tags.

Configurations are stored in AWS AppConfig as part of the Trusted Remediator application. Each Trusted Advisor check category has a separate configuration profile. For more information on Trusted Advisor categories, see View check categories.

Note

The remediation of Trusted Advisor findings is currently configured using AWS AppConfig, and this feature is fully supported today. AMS anticipates that this will change in the future. It's a best practice to avoid building automations that depend on AWS AppConfig, as this method is subject to change. Be aware that you might need to update or modify automations built around the current AWS AppConfig implementation in the future for compatibility.

Default remediation configurations

The configurations for individual Trusted Advisor checks are stored as AWS AppConfig flags. The flag name matches the check name. Each check configuration contains the following attributes:

  • execution-mode: Determines how Trusted Remediator performs default remediation:

    • Automated: Trusted Remediator automatically remediates resources by creating an OpsItem, running the SSM document, and then resolving the OpsItem after successful execution.

    • Manual: An OpsItem is created, but the SSM document isn't executed automatically. You review and manually run the SSM document from the OpsItem in the AWS Systems Manager OpsCenter console.

    • Conditional: Remediation is disabled by default. You can enable it for specific resources using tags. For more information, see the following sections Customize remediation with resource tags and Customize remediation with resource override tags.

    • Inactive: Remediation doesn't occur, and no OpsItems are created. You can't override the execution mode for a Trusted Advisor check that is set to Inactive.

  • preconfigured-parameters: Enter values for SSM document parameters that are required for automated remediation.

  • alternative-automation-document: This attribute overrides the existing automation document with another supported document (if one is available for the specific check). By default, this attribute is not selected. For information on supported checks and their automation documents, see Trusted Advisor checks supported by Trusted Remediator.

    Note

    The alternative-automation-document attribute doesn't support custom automation documents. You can use existing supported Trusted Remediator automation documents.

Tip

Before you apply the default configurations for your Trusted Advisor checks, it's a best practice to consider using the Resource tagging and Resource override features described in the following sections. The default configurations apply to all resources within the account, which might not be desirable in all cases.

The following is an example console screenshot with the execution-mode set to Manual.

An illustration of Trusted Remediator execution mode decision workflow.

Customize remediation with resource tags

The automated-for-tagged-only and manual-for-tagged-only attributes in the check configuration allow you to specify resource tags for how you want to remediate individual checks. It's a best practice to use this method when you need to apply a consistent remediation behavior to a group of resources that share the same tag or tags. The following are descriptions for these tags:

  • automated-for-tagged-only: Specify resource tags for checks to remediate automatically, regardless of the default execution mode.

  • manual-for-tagged-only: Specify resource tags for which remediation should be executed manually, regardless of the default execution mode.

For example, if you want to enable automated remediation for all non-production resources and enforce manual remediation for production resources, you might set your configuration as follows:

    "execution-mode": "Conditional",
    "automated-for-tagged-only": "Environment=Non-Production",
    "manual-for-tagged-only": "Environment=Production",

With the preceding configurations set on your resources, check remediation behavior is as follows:

  • Resources tagged with `Environment=Non-Production` are remediated automatically.

  • Resources tagged with `Environment=Production` require manual intervention for remediation.

  • Resources without the `Environment` tag follow the default execution mode (`Conditional` in this case, so no action is taken on the remaining resources).

For additional support with your configurations, contact your Cloud Architect.

Customize remediation with resource override tags

Resource override tags allow you to customize the remediation behavior for individual resources, regardless of their tags. By adding a specific tag to a resource, you override the default execution mode for that resource and the Trusted Advisor check. The resource override tag takes precedence over the default configuration and the resource tagging settings. So, if you set the default execution mode to Automated, Manual, or Conditional for a resource using the resource override tag, it overrides the default execution mode and any resource tagging configurations.

To override the execution mode for a resource, complete the following steps:

  1. Identify the resources for which you want to override the remediation configuration.

  2. Determine the Trusted Advisor check ID for the check that you want to override. You can find the check IDs for supported Trusted Advisor checks in Trusted Advisor checks supported by Trusted Remediator.

  3. Add a tag to the resources with the following key and value:

    • Tag key: TR-Trusted Advisor check ID-Execution-Mode (case-sensitive)

      In the preceding tag key example, replace Trusted Advisor check ID with the unique identifier of the Trusted Advisor check that you want to override.

    • Tag value: Use one of the following values for the tag value:

      • Automated: Trusted Remediator automatically remediates the resource for this Trusted Advisor check.

      • Manual: An OpsItem is created for the resource, but remediation isn't performed automatically. You review and run the remediation manually from the OpsItem.

      • Inactive: Neither remediation nor OpsItem creation is performed for this resource and the specified Trusted Advisor check.

For example, to automatically remediate an Amazon EBS volume for the Trusted Advisor check with ID DAvU99Dc4C, add a tag to the EBS volume. The tag key is TR-DAvU99Dc4C-Execution-Mode and the tag value is Automated.
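The following added example (not Trusted Remediator's own code) resolves the effective execution mode for one resource and one check according to the precedence described in this section and the preceding one: resource override tag, then automated-for-tagged-only and manual-for-tagged-only, then the default execution-mode, with an Inactive default never overridden. It assumes a tag spec is a single Key=Value string and that, when both tag specs match, Manual wins; the check ID and the check configuration are the ones shown on this page, and the resource tags are constructed.

```python
# Added example, not Trusted Remediator's own code. Resolves the effective
# execution mode for one resource/check pair: resource override tag, then
# the check's resource-tag settings, then the default execution-mode.

VALID_OVERRIDE_VALUES = {"Automated", "Manual", "Inactive"}


def override_tag_key(check_id):
    """Build the override tag key, e.g. TR-DAvU99Dc4C-Execution-Mode (case-sensitive)."""
    return f"TR-{check_id}-Execution-Mode"


def tag_spec_matches(spec, tags):
    """Assumption: a tag spec is one 'Key=Value' string, matched exactly on key and value."""
    if not spec or "=" not in spec:
        return False
    key, value = spec.split("=", 1)
    return tags.get(key) == value


def effective_mode(check_id, check_config, resource_tags):
    """Return Automated, Manual, Conditional or Inactive for this resource and check."""
    default = check_config.get("execution-mode", "Inactive")
    if default == "Inactive":
        return "Inactive"  # an Inactive check cannot be overridden by any tag
    override = resource_tags.get(override_tag_key(check_id))
    if override is not None:
        if override not in VALID_OVERRIDE_VALUES:
            # Assumption: an unrecognised override value is a configuration error
            raise ValueError(f"invalid override value {override!r}")
        return override  # override tag beats tag settings and the default
    # Assumption: if both specs match, prefer Manual (the more conservative choice);
    # the page does not state the service's tie-break.
    if tag_spec_matches(check_config.get("manual-for-tagged-only"), resource_tags):
        return "Manual"
    if tag_spec_matches(check_config.get("automated-for-tagged-only"), resource_tags):
        return "Automated"
    return default  # Conditional here means no OpsItem and no remediation


def creates_opsitem(mode):
    """Only Automated and Manual produce an OpsItem; Conditional and Inactive do nothing."""
    return mode in ("Automated", "Manual")


# Constructed sample: the check configuration shown on this page, applied to check DAvU99Dc4C.
CHECK_ID = "DAvU99Dc4C"
SAMPLE_CONFIG = {
    "execution-mode": "Conditional",
    "automated-for-tagged-only": "Environment=Non-Production",
    "manual-for-tagged-only": "Environment=Production",
}
```

Calling effective_mode(CHECK_ID, SAMPLE_CONFIG, {"Environment": "Production", "TR-DAvU99Dc4C-Execution-Mode": "Automated"}) returns "Automated", showing the override tag winning over the manual-for-tagged-only setting.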

The following is an example of the console showing the Tags section:

An example of the Tags section on the console.