PutRemediationExceptions
A remediation exception is when a specified resource is no longer considered for auto-remediation. This API adds a new exception or updates an existing exception for a specified resource with a specified AWS Config rule.
Note
Exceptions block auto remediation
AWS Config generates a remediation exception when a problem occurs running a remediation action for a specified resource. Remediation exceptions blocks auto-remediation until the exception is cleared.
Note
Manual remediation is recommended when placing an exception
When placing an exception on an AWS resource, it is recommended that remediation is set as manual remediation until
the given AWS Config rule for the specified resource evaluates the resource as NON_COMPLIANT.
Once the resource has been evaluated as NON_COMPLIANT, you can add remediation exceptions and change the remediation type back from Manual to Auto if you want to use auto-remediation.
Otherwise, using auto-remediation before a NON_COMPLIANT evaluation result can delete resources before the exception is applied.
Note
Exceptions can only be performed on non-compliant resources
Placing an exception can only be performed on resources that are NON_COMPLIANT.
If you use this API for COMPLIANT resources or resources that are NOT_APPLICABLE, a remediation exception will not be generated.
For more information on the conditions that initiate the possible AWS Config evaluation results,
see Concepts | AWS Config Rules in the
AWS Config Developer Guide.
Note
Exceptions cannot be placed on service-linked remediation actions
You cannot place an exception on service-linked remediation actions, such as remediation actions put by an organizational conformance pack.
Note
Auto remediation can be initiated even for compliant resources
If you enable auto remediation for a specific AWS Config rule using the PutRemediationConfigurations API or the AWS Config console, it initiates the remediation process for all non-compliant resources for that specific rule. The auto remediation process relies on the compliance data snapshot which is captured on a periodic basis. Any non-compliant resource that is updated between the snapshot schedule will continue to be remediated based on the last known compliance data snapshot.
This means that in some cases auto remediation can be initiated even for compliant resources, since the bootstrap processor uses a database that can have stale evaluation results based on the last known compliance data snapshot.
Request Syntax
{
"ConfigRuleName": "string",
"ExpirationTime": number,
"Message": "string",
"ResourceKeys": [
{
"ResourceId": "string",
"ResourceType": "string"
}
]
}Request Parameters
For information about the parameters that are common to all actions, see Common Parameters.
The request accepts the following data in JSON format.
- ConfigRuleName
-
The name of the AWS Config rule for which you want to create remediation exception.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 128.
Pattern:
.*\S.*Required: Yes
- ExpirationTime
-
The exception is automatically deleted after the expiration date.
Type: Timestamp
Required: No
- Message
-
The message contains an explanation of the exception.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 1024.
Required: No
- ResourceKeys
-
An exception list of resource exception keys to be processed with the current request. AWS Config adds exception for each resource key. For example, AWS Config adds 3 exceptions for 3 resource keys.
Type: Array of RemediationExceptionResourceKey objects
Array Members: Minimum number of 1 item. Maximum number of 100 items.
Required: Yes
Response Syntax
{
"FailedBatches": [
{
"FailedItems": [
{
"ConfigRuleName": "string",
"ExpirationTime": number,
"Message": "string",
"ResourceId": "string",
"ResourceType": "string"
}
],
"FailureMessage": "string"
}
]
}Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
- FailedBatches
-
Returns a list of failed remediation exceptions batch objects. Each object in the batch consists of a list of failed items and failure messages.
Type: Array of FailedRemediationExceptionBatch objects
Errors
For information about the errors that are common to all actions, see Common Errors.
- InsufficientPermissionsException
-
Indicates one of the following errors:
-
For PutConfigRule, the rule cannot be created because the IAM role assigned to AWS Config lacks permissions to perform the config:Put* action.
-
For PutConfigRule, the AWS Lambda function cannot be invoked. Check the function ARN, and check the function's permissions.
-
For PutOrganizationConfigRule, organization AWS Config rule cannot be created because you do not have permissions to call IAM
GetRoleaction or create a service-linked role. -
For PutConformancePack and PutOrganizationConformancePack, a conformance pack cannot be created because you do not have the following permissions:
-
You do not have permission to call IAM
GetRoleaction or create a service-linked role. -
You do not have permission to read Amazon S3 bucket or call SSM:GetDocument.
-
-
For PutServiceLinkedConfigurationRecorder, a service-linked configuration recorder cannot be created because you do not have the following permissions: IAM
CreateServiceLinkedRole.
HTTP Status Code: 400
-
- InvalidParameterValueException
-
One or more of the specified parameters are not valid. Verify that your parameters are valid and try again.
HTTP Status Code: 400
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
