Trusted Advisor checks supported by Trusted Remediator - AMS Accelerate User Guide

Trusted Advisor checks supported by Trusted Remediator

The following table lists the supported Trusted Advisor checks, SSM automation documents, preconfigured parameters, and the expected outcome of the automation documents. Review the expected outcome to help you understand possible risks based on your business requirements before you enable an SSM automation document for check remediation.

Each entry below gives, in this order: the check ID and name (with the corresponding AWS Security Hub control where one exists), the SSM document name and expected outcome, the supported preconfigured parameters, and any constraints.

Cost optimization checks

Z4AUBRNSmz - Unassociated Elastic IP Addresses

AWSManagedServices-TrustedRemediatorReleaseElasticIP - Releases an elastic IP address that is not associated with any resource.

No preconfigured parameters are allowed.

No constraints

c18d2gz128 - Amazon ECR Repository Without Lifecycle Policy Configured

AWSManagedServices-TrustedRemediatorPutECRLifecyclePolicy - Creates a lifecycle policy for the specified repository if a lifecycle policy does not already exist.

  • ImageAgeLimit: The maximum age limit in days (1-365) for 'any' image in the Amazon ECR repository.

No constraints

DAvU99Dc4C - Underutilized Amazon EBS Volumes

AWSManagedServices-DeleteUnusedEBSVolume - Deletes underutilized Amazon EBS volumes if the volumes are unattached for the last 7 days. An Amazon EBS snapshot is created by default.

  • CreateSnapshot: If set to true, then the automation creates a snapshot of the Amazon EBS volume before it's deleted. The default setting is true. Valid values are true and false (case-sensitive).

  • MinimumUnattachedDays: The minimum number of days that the EBS volume must have been unattached before it's deleted, up to 62 days. If set to 0, then the SSM document doesn't check the unattached period and deletes the volume if it's currently unattached. The default value is 7.

No constraints

hjLMh88uM8 - Idle Load Balancers

AWSManagedServices-DeleteIdleClassicLoadBalancer - Deletes an idle Classic Load Balancer if it's unused and no instances are registered.

  • IdleLoadBalancerDays: The number of days that the Classic Load Balancer has 0 requested connections before considering it idle. The default is 7 days.

If auto execution is enabled, then the automation deletes idle Classic Load Balancers only if there are no active back-end instances. For all idle Classic Load Balancers that have active back-end instances, but don't have healthy back-end instances, auto remediation isn't used and OpsItems for manual remediation are created.

Ti39halfu8 - Amazon RDS Idle DB Instances

AWSManagedServices-StopIdleRDSInstance - An Amazon RDS DB instance that has been idle for the last 7 days is stopped.

No preconfigured parameters are allowed.

No constraints

COr6dfpM05 - AWS Lambda over-provisioned functions for memory size

AWSManagedServices-ResizeLambdaMemory - AWS Lambda function's memory size is resized to the recommended memory size provided by Trusted Advisor.

  • RecommendedMemorySize: The recommended memory allocation for the Lambda function. Value range is between 128 and 10240.

If the Lambda function size was modified before the automation runs, then the settings might be overwritten by this automation with the value recommended by Trusted Advisor.

Qch7DwouX1 - Low Utilization Amazon EC2 Instances

AWSManagedServices-StopEC2Instance (default SSM document for both auto and manual execution modes) - Amazon EC2 instances with low utilization are stopped.

  • ForceStopWithInstanceStore: Set to true to force-stop instances that use instance store volumes; otherwise, set to false. The default value of false prevents such instances from being stopped, because data on instance store volumes is lost when the instance stops. Valid values are true and false (case-sensitive).

No constraints

AWSManagedServices-ResizeInstanceByOneLevel - Amazon EC2 instance is resized by one instance type down in the same instance family type. The instance is stopped and started during the resize operation and returned to the initial state after the SSM document run completes. This automation doesn't support resizing instances that are in an Auto Scaling Group.

  • MinimumDaysSinceLastChange: Minimum number of days since the last instance type change. If the instance type was modified within a specified time, then the instance type isn't changed. Use 0 to skip this validation. The default is 7.

  • CreateAMIBeforeResize: Set this option to true or false to create the instance AMI as a backup before resizing. The default is false. Valid values are true and false (case-sensitive).

No constraints

AWSManagedServices-TerminateInstance - Low utilized Amazon EC2 instances are terminated if not part of an Auto Scaling Group and termination protection isn't enabled. An AMI is created by default.

  • CreateAMIBeforeTermination: Set this option to true or false to create an instance AMI as a backup before terminating the EC2 instance. The default is true. Valid values are true and false (case-sensitive).

No constraints

G31sQ1E9U - Underutilized Amazon Redshift Clusters

AWSManagedServices-PauseRedshiftCluster - The Amazon Redshift cluster is paused.

No preconfigured parameters are allowed.

No constraints

Security checks

Hs4Ma3G323 - DynamoDB tables should have deletion protection enabled

Corresponding AWS Security Hub check: DynamoDB.6

AWSManagedServices-TrustedRemediatorEnableDynamoDBTableDeletionProtection - Enables deletion protection for non-AMS DynamoDB tables.

No preconfigured parameters are allowed.

No constraints

Hs4Ma3G247 - Amazon EC2 Transit Gateway should not automatically accept VPC attachment requests

Corresponding AWS Security Hub check: EC2.23

AWSManagedServices-TrustedRemediatorDisableTGWAutoVPCAttach - Disables the automatic acceptance of VPC attachment requests for the specified non-AMS Amazon EC2 Transit Gateway.

No preconfigured parameters are allowed.

No constraints

Hs4Ma3G308 - Amazon DocumentDB clusters should have deletion protection enabled

Corresponding AWS Security Hub check: DocumentDB.5

AWSManagedServices-TrustedRemediatorEnableDocumentDBClusterDeletionProtection - Enables deletion protection for Amazon DocumentDB cluster.

No preconfigured parameters are allowed.

No constraints

Hs4Ma3G299 - Neptune DB clusters should have deletion protection enabled

Corresponding AWS Security Hub check: Neptune.4

AWSManagedServices-TrustedRemediatorEnableNeptuneDBClusterDeletionProtection - Enables deletion protection for the Amazon Neptune cluster.

No preconfigured parameters are allowed.

No constraints

Hs4Ma3G306 - Amazon DocumentDB manual cluster snapshots should not be public

Corresponding AWS Security Hub check: DocumentDB.3

AWSManagedServices-TrustedRemediatorDisablePublicAccessOnDocumentDBSnapshot - Removes public access from the Amazon DocumentDB manual cluster snapshot.

No preconfigured parameters are allowed.

No constraints

Hs4Ma3G109 - CloudTrail log file validation should be enabled

Corresponding AWS Security Hub check: CloudTrail.4

AWSManagedServices-TrustedRemediatorEnableCloudTrailLogValidation - Enables CloudTrail trail log validation.

No preconfigured parameters are allowed.

No constraints

Hs4Ma3G217 - CodeBuild project environments should have a logging AWS configuration

Corresponding AWS Security Hub check: CodeBuild.4

AWSManagedServices-TrustedRemediatorEnableCodeBuildLoggingConfig - Enables the logging for CodeBuild project.

No preconfigured parameters are allowed.

No constraints

Hs4Ma3G158 - SSM documents should not be public

Corresponding AWS Security Hub check: SSM.4

AWSManagedServices-TrustedRemediatorDisableSSMDocPublicSharing - Disables the public sharing of SSM document.

No preconfigured parameters are allowed.

No constraints

Hs4Ma3G319 - Network Firewall firewalls should have deletion protection enabled

Corresponding AWS Security Hub check: NetworkFirewall.9

AWSManagedServices-TrustedRemediatorEnableNetworkFirewallDeletionProtection - Enables deletion protection for the AWS Network Firewall firewall.

No preconfigured parameters are allowed.

No constraints

Hs4Ma3G105 - Amazon Redshift should have automatic upgrades to major versions enabled

Corresponding AWS Security Hub check: Redshift.6

AWSManagedServices-EnableRedshiftClusterVersionAutoUpgrade - Major version upgrades are applied automatically to the cluster during the maintenance window. There is no immediate downtime for the Amazon Redshift cluster, but the cluster might have downtime during its maintenance window when it upgrades to a major version.

No preconfigured parameters are allowed.

No constraints

Hs4Ma3G177 - Auto Scaling groups associated with a load balancer should use load balancer health checks

Corresponding AWS Security Hub check: AutoScaling.1

AWSManagedServices-TrustedRemediatorEnableAutoScalingGroupELBHealthCheck - Elastic Load Balancing health checks are enabled for the Auto Scaling group.

  • HealthCheckGracePeriod: The amount of time, in seconds, that Auto Scaling waits before checking the health status of an Amazon EC2 instance that has come into service.

Turning on Elastic Load Balancing health checks might result in a running instance being replaced if any of the load balancers attached to the Auto Scaling group reports it as unhealthy. For more information, see Attach an Elastic Load Balancing load balancer to your Auto Scaling group.

Hs4Ma3G106 - Amazon Redshift clusters should have audit logging enabled

Corresponding AWS Security Hub check: Redshift.4

AWSManagedServices-TrustedRemediatorEnableRedshiftClusterAuditLogging - Audit logging is enabled for your Amazon Redshift cluster during the maintenance window.

  • BucketName: The name of the Amazon S3 bucket that you want to upload logs to.

  • S3KeyPrefix: The Amazon S3 key prefix (subfolder) that you want to upload logs to.

To enable auto remediation, the BucketName preconfigured parameter must be provided. The bucket must be in the same AWS Region as the cluster, and its bucket policy must grant the cluster permission to read the bucket and to put objects into it.

If Redshift cluster logging is enabled before the automation runs, then the logging settings might be overwritten by this automation with the BucketName and S3KeyPrefix values configured in the preconfigured parameters.

Hs4Ma3G135 - AWS KMS keys should not be deleted unintentionally

Corresponding AWS Security Hub check: KMS.3

AWSManagedServices-CancelKeyDeletion - AWS KMS key deletion is canceled.

No preconfigured parameters are allowed.

No constraints

Hs4Ma3G198 - Amazon RDS DB instances should have deletion protection enabled

Corresponding AWS Security Hub check: RDS.8

AWSManagedServices-TrustedRemediatorEnableRDSDeletionProtection - Deletion protection is enabled for Amazon RDS instances.

No preconfigured parameters are allowed.

No constraints

Hs4Ma3G190 - Amazon RDS clusters should have deletion protection enabled

Corresponding AWS Security Hub check: RDS.7

AWSManagedServices-TrustedRemediatorEnableRDSDeletionProtection - Deletion protection is enabled for Amazon RDS clusters.

No preconfigured parameters are allowed.

No constraints

Hs4Ma3G104 - Amazon Redshift clusters should use enhanced VPC routing

Corresponding AWS Security Hub check: Redshift.7

AWSManagedServices-TrustedRemediatorEnableRedshiftClusterEnhancedVPCRouting - Enhanced VPC routing is enabled for Amazon Redshift clusters.

No preconfigured parameters are allowed.

No constraints

rSs93HQwa1 - Amazon RDS Public Snapshots

AWSManagedServices-DisablePublicAccessOnRDSSnapshotV2 - Public access for Amazon RDS snapshot is disabled.

No preconfigured parameters are allowed.

No constraints

ePs02jT06w - Amazon EBS Public Snapshots

AWSManagedServices-TrustedRemediatorDisablePublicAccessOnEBSSnapshot - Public access for the Amazon EBS snapshot is disabled.

No preconfigured parameters are allowed.

No constraints

Hs4Ma3G194 - Amazon RDS snapshot should be private

Corresponding AWS Security Hub check: RDS.1

AWSManagedServices-DisablePublicAccessOnRDSSnapshotV2 - Public access for Amazon RDS snapshot is disabled.

No preconfigured parameters are allowed.

No constraints

Pfx0RwqBli - Amazon S3 Bucket Permissions

AWSManagedServices-TrustedRemediatorBlockS3BucketPublicAccess - Block public access

No preconfigured parameters are allowed.

This check consists of multiple alert criteria. This automation remediates public access issues. Remediation for other configuration issues flagged by Trusted Advisor isn't supported. This remediation does support remediating AWS service created S3 buckets (for example, cf-templates-000000000000).

Hs4Ma3G209 - Unused Network Access Control Lists should be removed

Corresponding AWS Security Hub check: EC2.16

AWSManagedServices-DeleteUnusedNACL - Delete unused network ACL

No preconfigured parameters are allowed.

No constraints

Hs4Ma3G189 - Enhanced monitoring should be configured for Amazon RDS DB instances

Corresponding AWS Security Hub check: RDS.6

AWSManagedServices-TrustedRemediatorEnableRDSEnhancedMonitoring - Enable enhanced monitoring for Amazon RDS DB instances

  • MonitoringInterval: The interval, in seconds, between points when Enhanced Monitoring metrics are collected for the DB instance. Valid intervals are 0, 1, 5, 10, 15, 30 and 60. Specifying 0 disables collection of Enhanced Monitoring metrics, which leaves the check unresolved.

  • MonitoringRoleName: The name of the IAM role that permits Amazon RDS to send enhanced monitoring metrics to Amazon CloudWatch Logs. If a role isn't specified, then the default role rds-monitoring-role is used or created, if it doesn't exist.

If enhanced monitoring is enabled before the automation execution, then the settings might be overwritten by this automation with the MonitoringInterval and MonitoringRoleName values configured in the preconfigured parameters.

Hs4Ma3G215 - Unused Amazon EC2 security groups should be removed

Corresponding AWS Security Hub check: EC2.22

AWSManagedServices-DeleteSecurityGroups - Delete unused security groups.

No preconfigured parameters are allowed.

No constraints

Hs4Ma3G245 - AWS CloudFormation stacks should be integrated with Amazon Simple Notification Service

Corresponding AWS Security Hub check: CloudFormation.1

AWSManagedServices-EnableCFNStackNotification - Associate a CloudFormation stack with an Amazon SNS topic for notification.

  • NotificationARNs: The ARNs of the Amazon SNS topics to be associated with selected CloudFormation stacks.

To enable auto remediation, the NotificationARNs preconfigured parameter must be provided.

Hs4Ma3G103 - Amazon Redshift clusters should prohibit public access

Corresponding AWS Security Hub check: Redshift.1

AWSManagedServices-DisablePublicAccessOnRedshiftCluster - Public access on Amazon Redshift cluster is disabled.

No preconfigured parameters are allowed.

Disabling public access blocks all clients that connect from the internet, and the Amazon Redshift cluster is in the modifying state for a few minutes while the remediation disables public access on the cluster.

Hs4Ma3G121 - EBS default encryption should be enabled

Corresponding AWS Security Hub check: EC2.7

AWSManagedServices-EncryptEBSByDefault - Amazon EBS encryption by default is enabled for the specific AWS Region.

No preconfigured parameters are allowed.

Encryption by default is a Region-specific setting. If you enable it for a Region, you can't disable it for individual volumes or snapshots in that Region.

Hs4Ma3G117 - Attached EBS volumes should be encrypted at-rest

Corresponding AWS Security Hub check: EC2.3

AWSManagedServices-EncryptInstanceVolume - The attached Amazon EBS volume on the instance is encrypted.

  • KMSKeyId: AWS KMS key id or ARN to encrypt the volume.

  • DeleteStaleNonEncryptedSnapshotBackups: A flag that decides whether the snapshot backup of the old unencrypted volumes should be deleted.

The instance is rebooted as part of the remediation. Rollback is possible if DeleteStaleNonEncryptedSnapshotBackups is set to false, because the snapshot of the original unencrypted volume is then kept for restore.

Hs4Ma3G183 - Application load balancer should be configured to drop HTTP headers

Corresponding AWS Security Hub check: ELB.4

AWSConfigRemediation-DropInvalidHeadersForALB - The Application Load Balancer is configured to drop invalid header fields.

No preconfigured parameters are allowed.

No constraints

Hs4Ma3G179 - SNS topics should be encrypted at-rest using AWS KMS

Corresponding AWS Security Hub check: SNS.1

AWSManagedServices-EnableSNSEncryptionAtRest - SNS topic is configured with server-side encryption.

  • KmsKeyId: The ID of the AWS managed key for Amazon SNS or of a customer managed AWS KMS key to use for server-side encryption (SSE). The default is alias/aws/sns.

If a custom AWS KMS key is used, it must be configured with the correct permissions. For more information, see Enabling server-side encryption (SSE) for an Amazon SNS topic

Hs4Ma3G216 - SNS topics should be encrypted at-rest using AWS KMS

Corresponding AWS Security Hub check: SNS.1

AWSManagedServices-EnableSNSEncryptionAtRest - SNS topic is configured with server-side encryption.

  • KmsKeyId: The ID of the AWS managed key for Amazon SNS or of a customer managed AWS KMS key to use for server-side encryption (SSE). The default is alias/aws/sns.

If a custom AWS KMS key is used, it must be configured with the correct permissions. For more information, see Enabling server-side encryption (SSE) for an Amazon SNS topic

Hs4Ma3G162 - RDS automatic minor version upgrades should be enabled

Corresponding AWS Security Hub check: RDS.13

AWSManagedServices-UpdateRDSInstanceMinorVersionUpgrade - Automatic minor version upgrade configuration for Amazon RDS is enabled.

No preconfigured parameters are allowed.

The Amazon RDS instance must be in the available state for this remediation to happen.

Hs4Ma3G160 - IAM authentication should be configured for RDS instances

Corresponding AWS Security Hub check: RDS.10

AWSManagedServices-UpdateRDSIAMDatabaseAuthentication - AWS Identity and Access Management authentication is enabled for the RDS instance.

  • ApplyImmediately: Indicates whether the modifications in this request and any pending modifications are asynchronously applied as soon as possible. Choose true to apply the change immediately, or false to schedule the change for the next maintenance window.

No constraints

Hs4Ma3G161 - IAM authentication should be configured for RDS clusters

Corresponding AWS Security Hub check: RDS.12

AWSManagedServices-UpdateRDSIAMDatabaseAuthentication - IAM authentication is enabled for the RDS cluster.

  • ApplyImmediately: Indicates whether the modifications in this request and any pending modifications are asynchronously applied as soon as possible. Choose true to apply the change immediately, or false to schedule the change for the next maintenance window.

No constraints

Hs4Ma3G207 - EC2 subnets should not automatically assign public IP addresses

Corresponding AWS Security Hub check: EC2.15

AWSManagedServices-UpdateAutoAssignPublicIpv4Addresses - VPC subnets are configured to not automatically assign public IP addresses.

No preconfigured parameters are allowed.

No constraints

Hs4Ma3G235 - ECR private repositories should have tag immutability configured

Corresponding AWS Security Hub check: ECR.2

AWSManagedServices-TrustedRemediatorSetImageTagImmutability - Sets the image tag mutability settings to IMMUTABLE for the specified repository.

No preconfigured parameters are allowed.

No constraints

Hs4Ma3G184 - Application Load Balancers and Classic Load Balancers logging should be enabled

Corresponding AWS Security Hub check: ELB.5

AWSManagedServices-EnableELBLogging - Application Load Balancer and Classic Load Balancer logging is enabled.

  • BucketName: The bucket name (not the ARN). Make sure that the bucket policy is correctly configured for logging.

  • S3KeyPrefix: The prefix for the location in the Amazon S3 bucket for the Elastic Load Balancing logs.

To enable auto remediation, the BucketName and S3KeyPrefix preconfigured parameters must be provided. The Amazon S3 bucket must have a bucket policy that grants Elastic Load Balancing permission to write the access logs to the bucket.

Hs4Ma3G221 - OpenSearch domains should have audit logging enabled

Corresponding AWS Security Hub check: OpenSearch.5

AWSManagedServices-EnableOpenSearchLogging - OpenSearch domains are configured with audit logging enabled.

  • CloudWatchLogGroupArn: The ARN of the CloudWatch Logs log group to publish logs to.

To enable auto remediation, the following preconfigured parameters must be provided:

  • CloudWatchLogGroupArn

The CloudWatch Logs resource policy on the log group must grant OpenSearch Service permission to publish logs to it. For more information, see Enabling audit logs in the Amazon OpenSearch Service User Guide.

Hs4Ma3G220 - Connections to OpenSearch domains should be encrypted using TLS 1.2

Corresponding AWS Security Hub check: OpenSearch.8

AWSManagedServices-EnableOpenSearchEndpointEncryptionTLS1.2 - TLS policy is set to `Policy-Min-TLS-1-2-2019-07` and only encrypted connections over HTTPS (TLS) are allowed.

No preconfigured parameters are allowed.

Connections to OpenSearch domains are required to use TLS 1.2. Encrypting data in transit can affect performance. Test your applications with this feature to understand the performance profile and the impact of TLS.

Hs4Ma3G120 - Stopped EC2 instances should be removed after a specified time period

Corresponding AWS Security Hub check: EC2.4

AWSManagedServices-TerminateInstance - Amazon EC2 instances stopped for 30 days are terminated.

  • CreateAMIBeforeTermination: Set this option to true or false to create the instance AMI as a backup before terminating the EC2 instance. The default is true.

No constraints

Hs4Ma3G108 - CloudTrail trails should be integrated with Amazon CloudWatch Logs

Corresponding AWS Security Hub check: CloudTrail.5

AWSManagedServices-IntegrateCloudTrailWithCloudWatch - AWS CloudTrail is integrated with CloudWatch Logs.

  • CloudWatchLogsLogGroupArn: The Amazon Resource Name (ARN) of an Amazon CloudWatch Logs log group.

  • CloudWatchLogsRoleArn: The ARN of an IAM role used by AWS CloudTrail to integrate with CloudWatch.

To enable auto remediation, the following preconfigured parameters must be provided:

  • CloudWatchLogsLogGroupArn

  • CloudWatchLogsRoleArn

Hs4Ma3G163 - RDS DB clusters should be configured to copy tags to snapshots

Corresponding AWS Security Hub check: RDS.16

AWSManagedServices-UpdateRDSCopyTagsToSnapshots - The CopyTagsToSnapshot setting for Amazon RDS clusters is enabled.

No preconfigured parameters are allowed.

The Amazon RDS cluster must be in the available state for this remediation to happen.

Hs4Ma3G164 - RDS DB instances should be configured to copy tags to snapshots

Corresponding AWS Security Hub check: RDS.17

AWSManagedServices-UpdateRDSCopyTagsToSnapshots - CopyTagsToSnapshot setting for Amazon RDS is enabled.

No preconfigured parameters are allowed.

The Amazon RDS instance must be in the available state for this remediation to happen.

Hs4Ma3G136 - Amazon SQS queues should be encrypted at rest

Corresponding AWS Security Hub check: SQS.1

AWSManagedServices-EnableSQSEncryptionAtRest - Messages in Amazon SQS are encrypted.

  • SqsManagedSseEnabled: Set to true to enable server-side queue encryption using Amazon SQS owned encryption keys; set to false to enable server-side queue encryption using an AWS KMS key.

  • KMSKeyId: The ID or alias of the AWS managed key for Amazon SQS or of a customer managed AWS KMS key to use for server-side encryption of the queue. If not provided, alias/aws/sqs is used.

  • KmsDataKeyReusePeriodSeconds: The length of time, in seconds, for which Amazon SQS can reuse a data key to encrypt or decrypt messages before calling AWS KMS again. An integer representing seconds, between 60 seconds (1 minute) and 86,400 seconds (24 hours). This setting is ignored if SqsManagedSseEnabled is set to true.

Anonymous SendMessage and ReceiveMessage requests to the encrypted queue are rejected. All requests to queues with SSE enabled must use HTTPS and Signature Version 4.

Hs4Ma3G223 - OpenSearch domains should encrypt data sent between nodes

Corresponding AWS Security Hub check: OpenSearch.3

AWSManagedServices-EnableOpenSearchNodeToNodeEncryption - Node to Node encryption is enabled for the domain.

No preconfigured parameters are allowed.

After node-to-node encryption is enabled, you can't disable the setting. Instead, take a manual snapshot of the encrypted domain, create another domain, migrate your data, and then delete the old domain.

Hs4Ma3G129 - API Gateway REST API stages should have AWS X-Ray tracing enabled

Corresponding AWS Security Hub check: APIGateway.3

AWSManagedServices-EnableApiGateWayXRayTracing - X-Ray tracing is enabled on the API stage.

No preconfigured parameters are allowed.

No constraints

Hs4Ma3G230 - S3 bucket server access logging should be enabled

Corresponding AWS Security Hub check: S3.9

AWSManagedServices-EnableBucketAccessLogging - Amazon S3 server access logging is enabled.

  • TargetBucket: The name of S3 bucket to store server access logs.

  • TargetPrefix: Specifies an S3 prefix where the log files are stored.

To enable auto remediation, the following preconfigured parameters must be provided:

  • TargetBucket

  • TargetPrefix

If access logging is enabled before the automation runs, then the settings might be overwritten by this automation with the TargetBucket and TargetPrefix values configured in the preconfigured parameters.

Hs4Ma3G222 - OpenSearch domain error logging to CloudWatch Logs should be enabled

Corresponding AWS Security Hub check: OpenSearch.4

AWSManagedServices-EnableOpenSearchLogging - Error logging is enabled for the OpenSearch domain.

  • CloudWatchLogGroupArn: The ARN of an Amazon CloudWatch Logs log group.

To enable auto remediation, the following preconfigured parameters must be provided:

  • CloudWatchLogGroupArn

The CloudWatch Logs resource policy on the log group must grant OpenSearch Service permission to publish logs to it. For more information, see Enabling audit logs in the Amazon OpenSearch Service User Guide.
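The Redshift audit-logging entry above requires a bucket the cluster can read and put objects into, and both OpenSearch logging entries (audit logs and error logs) require a CloudWatch Logs resource policy on the target log group. The following is an added example, not code from the AMS guide or from any Trusted Remediator document: it builds those two policies for placeholder names (the bucket name and log group ARN are assumptions) and runs a minimal policy evaluator over them so you can confirm the grant is present before enabling auto remediation. Condition blocks are not evaluated.

```python
"""Added example, not from the AMS guide: build the resource policies that the
Redshift audit-logging and OpenSearch logging remediations expect on their log
destinations, and sanity-check them with a minimal policy evaluator.
Bucket and log-group names are placeholders; conditions are not evaluated."""
import fnmatch
import json
from typing import List, Union


def redshift_audit_log_bucket_policy(bucket_name: str) -> dict:
    """S3 bucket policy granting the Redshift service the two permissions the
    page calls out: put objects into the bucket and read the bucket (ACL)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "RedshiftAuditLogPutObject",
                "Effect": "Allow",
                "Principal": {"Service": "redshift.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket_name}/*",
            },
            {
                "Sid": "RedshiftAuditLogGetBucketAcl",
                "Effect": "Allow",
                "Principal": {"Service": "redshift.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket_name}",
            },
        ],
    }


def opensearch_log_group_policy(log_group_arn: str) -> dict:
    """CloudWatch Logs resource policy letting OpenSearch Service create log
    streams and put events into the log group (the ':*' suffix covers streams)."""
    resource = log_group_arn if log_group_arn.endswith(":*") else log_group_arn + ":*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": "es.amazonaws.com"},
                "Action": ["logs:PutLogEvents", "logs:CreateLogStream"],
                "Resource": resource,
            }
        ],
    }


def _as_list(value: Union[str, List[str], None]) -> List[str]:
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def service_allowed(policy: dict, service: str, action: str, resource: str) -> bool:
    """True if an Allow statement grants `action` on `resource` to the service
    principal and no Deny statement matches. Supports the policy subset used
    above: string-or-list Action/Resource, '*' and '?' wildcards, and a
    Principal of '*' or {"Service": ...}. Condition blocks are ignored."""
    allowed = False
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        if principal != "*":
            services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
            if service not in services:
                continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action"))):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource"))):
            continue
        if stmt.get("Effect") == "Deny":
            return False  # an explicit deny wins over any allow
        allowed = True
    return allowed


if __name__ == "__main__":
    # Placeholder names: substitute the BucketName / CloudWatchLogGroupArn you
    # configure as preconfigured parameters.
    print(json.dumps(redshift_audit_log_bucket_policy("example-redshift-audit-logs"), indent=2))
    print(json.dumps(opensearch_log_group_policy(
        "arn:aws:logs:us-east-1:111122223333:log-group:/aws/opensearch/example"), indent=2))
```

Run it to print both policies; the evaluator is deliberately narrow (no Condition handling, no NotAction/NotResource) and is meant only to catch a missing action, a wrong principal, or an ARN that does not cover the object or log-stream path before the remediation fails at runtime.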

Hs4Ma3G210 - CloudFront distributions should have logging enabled

Corresponding AWS Security Hub check: CloudFront.2

AWSManagedServices-EnableCloudFrontDistributionLogging - Logging is enabled for Amazon CloudFront distributions.

  • BucketName: The name of the Amazon S3 bucket that CloudFront delivers access logs to.

  • S3KeyPrefix: The prefix for the log file names in the bucket.

  • IncludeCookies: Whether to include cookies in the access logs.

For this remediation's constraints, see How do I turn on logging for my CloudFront distribution?

12Fnkpl8Y5 - Exposed Access Keys

AWSManagedServices-TrustedRemediatorDeactivateIAMAccessKey - The exposed IAM access key is deactivated.

No preconfigured parameters are allowed.

Any application still using the deactivated access key can no longer authenticate; replace the key in those applications with a new one rather than reactivating the exposed key.

Hs4Ma3G173 - S3 Block Public Access setting should be enabled at the bucket-level

Corresponding AWS Security Hub check: S3.8

AWSManagedServices-TrustedRemediatorBlockS3BucketPublicAccess - Bucket-level public access blocks are applied for the Amazon S3 bucket.

No preconfigured parameters are allowed.

This remediation might affect S3 object availability. For information on how Amazon S3 evaluates access, see Blocking public access to your Amazon S3 storage.

Hs4Ma3G202 - API Gateway REST API cache data should be encrypted at rest

Corresponding AWS Security Hub check: APIGateway.5

AWSManagedServices-EnableAPIGatewayCacheEncryption - Enable encryption at rest for API Gateway REST API cache data if the API Gateway REST API stage has cache enabled.

No preconfigured parameters are allowed.

No constraints

Hs4Ma3G192 - RDS DB instances should prohibit public access, as determined by the PubliclyAccessible configuration

Corresponding AWS Security Hub check: RDS.2

AWSManagedServices-TrustedRemediatorDisablePublicAccessOnRDSInstance - Disable public access on RDS DB instance.

No preconfigured parameters are allowed.

No constraints

Fault tolerance checks

c18d2gz138 - Amazon DynamoDB Point-in-time Recovery

AWSManagedServices-TrustedRemediatorEnableDDBPITR - Enables point-in-time recovery for DynamoDB tables.

No preconfigured parameters are allowed.

No constraints

R365s2Qddf - Amazon S3 Bucket Versioning

AWSManagedServices-TrustedRemediatorEnableBucketVersioning - Amazon S3 bucket versioning is enabled.

No preconfigured parameters are allowed.

This remediation doesn't support remediating AWS service created S3 buckets (for example cf-templates-000000000000).

BueAdJ7NrP - Amazon S3 Bucket Logging

AWSManagedServices-EnableBucketAccessLogging - Amazon S3 bucket logging is enabled.

  • TargetBucket: The name of the S3 bucket to store server access logs.

  • TargetPrefix: Specifies an S3 prefix where the log files will be stored.

To enable auto remediation, the following preconfigured parameters must be provided:

  • TargetBucket

  • TargetPrefix

If access logging was enabled before the automation runs, then the settings might be overwritten by this automation with the TargetBucket and TargetPrefix values configured in the preconfigured parameters.

f2iK5R6Dep - Amazon RDS Multi-AZ

AWSManagedServices-TrustedRemediatorEnableRDSMultiAZ - Multi-Availability Zone deployment is enabled.

  • ApplyImmediately: Indicates if the modifications in this request and any pending modifications are asynchronously applied as soon as possible. Choose true to apply the change immediately, or false to schedule the change for the next maintenance window.

There is a possible performance degradation during this change.

H7IgTzjTYb - Amazon EBS Snapshots

AWSManagedServices-TrustedRemediatorCreateEBSSnapshot - Amazon EBS snapshots are created.

No preconfigured parameters are allowed.

No constraints

opQPADkZvH - RDS Backups

AWSManagedServices-EnableRDSBackupRetention - Amazon RDS backup retention is enabled for the DB instance.

  • BackupRetentionPeriod: The number of days (1-35) to retain automated backups.

  • ApplyImmediately: Indicates whether the backup retention change and any pending modifications are asynchronously applied as soon as possible. Choose true to apply the change immediately, or false to schedule the change for the next maintenance window.

If ApplyImmediately is set to true, then any pending modifications on the DB instance are applied along with the backup retention setting.

Performance checks

COr6dfpM06 - AWS Lambda under-provisioned functions for memory size

AWSManagedServices-ResizeLambdaMemory - The AWS Lambda function's memory size is resized to the recommended memory size provided by Trusted Advisor.

  • RecommendedMemorySize: The recommended memory allocation for the Lambda function. Value range is between 128 and 10240.

If Lambda function size is modified before the automation execution, then this automation might overwrite the settings with the value recommended by Trusted Advisor.

ZRxQlPsb6c - High Utilization Amazon EC2 Instances

AWSManagedServices-ResizeInstanceByOneLevel - Amazon EC2 instances are resized by one instance type up in the same instance family type. The instances are stopped and started during the resize operation and returned to the initial state after the execution is complete. This automation doesn't support resizing instances that are in an Auto Scaling Group.

  • MinimumDaysSinceLastChange: The minimum number of days since the last instance type change. If the instance type was modified within the specified time, the instance type isn't changed. Use 0 to skip this validation. The default is 7.

No constraints

Service limit checks

lN7RR0l7J9 - EC2-VPC Elastic IP Address

AWSManagedServices-UpdateVpcElasticIPQuota - A new limit for EC2-VPC Elastic IP addresses is requested. By default, the limit is increased by 3.

  • Increment: The number to increase the current quota. The default is 3.

If this automation is run multiple times before the Trusted Advisor check is updated with the OK status, then there might be a higher limit increase.

kM7QQ0l7J9 - VPC Internet Gateways

AWSManagedServices-IncreaseServiceQuota - A new limit for VPC internet gateways is requested. By default, the limit is increased by 3.

  • Increment: The number to increase the current quota. The default is 3.

If this automation is run multiple times before the Trusted Advisor check is updated with the OK status, then there might be a higher limit increase.

jL7PP0l7J9 - VPC

AWSManagedServices-IncreaseServiceQuota - A new limit for VPCs is requested. By default, the limit is increased by 3.

  • Increment: The number to increase the current quota. The default is 3.

If this automation is run multiple times before the Trusted Advisor check is updated with the OK status, then there might be a higher limit increase.

fW7HH0l7J9 - Auto Scaling Groups

AWSManagedServices-IncreaseServiceQuota - A new limit for Auto Scaling Groups is requested. By default, the limit is increased by 3.

  • Increment: The number to increase the current quota. The default is 3.

If this automation is run multiple times before the Trusted Advisor check is updated with the OK status, then there might be a higher limit increase.

3Njm0DJQO9 - RDS Option Groups

AWSManagedServices-IncreaseServiceQuota - A new limit for Amazon RDS option groups is requested. By default, the limit is increased by 3.

  • Increment: The number to increase the current quota. The default is 3.

If this automation is run multiple times before the Trusted Advisor check is updated with the OK status, then there might be a higher limit increase.
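The parameter ranges, the case-sensitive booleans, and the "required to enable auto remediation" rules are spread across the table above. As an added example (not part of the AMS guide or of any Trusted Remediator document), the following script encodes a subset of those constraints and validates a parameter set against them before you switch a document to auto execution. The document names and ranges are transcribed from the table; the helper names, the DocSpec structure and the sample inputs are this example's own, and the table remains authoritative for documents not encoded here.

```python
"""Added example, not from the AMS guide: check a set of preconfigured
parameters against the constraints the table above states for a document
before turning on auto execution. Only some documents are encoded here, as
an illustration; the table remains the source of truth."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Check = Callable[[str], Optional[str]]  # returns an error message, or None if OK


def _bool(value: str) -> Optional[str]:
    # The page stresses case-sensitivity: "True" is rejected.
    return None if value in ("true", "false") else "must be exactly 'true' or 'false' (case-sensitive)"


def _int_range(lo: int, hi: int) -> Check:
    def check(value: str) -> Optional[str]:
        if not value.lstrip("-").isdigit():
            return f"must be an integer between {lo} and {hi}"
        n = int(value)
        return None if lo <= n <= hi else f"must be between {lo} and {hi}, got {n}"
    return check


def _one_of(*allowed: str) -> Check:
    def check(value: str) -> Optional[str]:
        return None if value in allowed else f"must be one of {', '.join(allowed)}"
    return check


def _bucket_name(value: str) -> Optional[str]:
    # The ELB logging entry says "bucket name (not the ARN)".
    if value.startswith("arn:"):
        return "must be the bucket name, not an ARN"
    return None if value.strip() else "must not be empty"


def _non_empty(value: str) -> Optional[str]:
    return None if value.strip() else "must not be empty"


@dataclass
class DocSpec:
    allowed: Dict[str, Check] = field(default_factory=dict)
    required_for_auto: List[str] = field(default_factory=list)


# Constraints transcribed from the table; an empty DocSpec means no
# preconfigured parameters are allowed for that document.
SPECS: Dict[str, DocSpec] = {
    "AWSManagedServices-TrustedRemediatorReleaseElasticIP": DocSpec(),
    "AWSManagedServices-TrustedRemediatorPutECRLifecyclePolicy": DocSpec(
        {"ImageAgeLimit": _int_range(1, 365)}),
    "AWSManagedServices-DeleteUnusedEBSVolume": DocSpec(
        {"CreateSnapshot": _bool, "MinimumUnattachedDays": _int_range(0, 62)}),
    "AWSManagedServices-ResizeLambdaMemory": DocSpec(
        {"RecommendedMemorySize": _int_range(128, 10240)}),
    "AWSManagedServices-TrustedRemediatorEnableRDSEnhancedMonitoring": DocSpec(
        {"MonitoringInterval": _one_of("0", "1", "5", "10", "15", "30", "60"),
         "MonitoringRoleName": _non_empty}),
    "AWSManagedServices-EnableELBLogging": DocSpec(
        {"BucketName": _bucket_name, "S3KeyPrefix": _non_empty},
        required_for_auto=["BucketName", "S3KeyPrefix"]),
    "AWSManagedServices-EnableRDSBackupRetention": DocSpec(
        {"BackupRetentionPeriod": _int_range(1, 35), "ApplyImmediately": _bool}),
    "AWSManagedServices-EnableSQSEncryptionAtRest": DocSpec(
        {"SqsManagedSseEnabled": _bool, "KMSKeyId": _non_empty,
         "KmsDataKeyReusePeriodSeconds": _int_range(60, 86400)}),
}


def validate(document: str, params: Dict[str, str], auto_execution: bool) -> List[str]:
    """Return a list of problems; an empty list means the parameters are acceptable."""
    spec = SPECS.get(document)
    if spec is None:
        return [f"{document}: not encoded in this example; consult the table"]
    problems: List[str] = []
    for name, value in params.items():
        check = spec.allowed.get(name)
        if check is None:
            problems.append(f"{name}: not an allowed preconfigured parameter for {document}")
            continue
        err = check(value)
        if err:
            problems.append(f"{name}: {err}")
    if auto_execution:
        for name in spec.required_for_auto:
            if name not in params:
                problems.append(f"{name}: required to enable auto remediation")
    return problems


if __name__ == "__main__":
    # Constructed input showing the common mistake of a capitalised boolean.
    for problem in validate("AWSManagedServices-DeleteUnusedEBSVolume",
                            {"CreateSnapshot": "True", "MinimumUnattachedDays": "90"}, True):
        print(problem)
```

Run it as a pre-commit or CI gate over the parameter file you hand to Trusted Remediator: a rejected boolean or an out-of-range day count is cheaper to catch here than as a failed or, worse, unexpectedly destructive automation run.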