AWS Config Remediation Configuration
This page shows how to write an AWS Config Remediation Configuration in Terraform and CloudFormation, and how to configure it securely.
aws_config_remediation_configuration (Terraform)
The Remediation Configuration in AWS Config can be configured in Terraform with the resource name aws_config_remediation_configuration. The following sections describe one example of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_config_remediation_configuration" "restricted_ssh" {
  config_rule_name = aws_config_config_rule.restricted_ssh.name
  resource_type    = "AWS::EC2::SecurityGroup" # the type the rule evaluates, not the remediation resource itself
  target_type      = "SSM_DOCUMENT"
  target_id        = "AWS-DisablePublicAccessForSecurityGroup"
  parameter { # the document requires the offending group's ID; RESOURCE_ID injects it
    name           = "GroupId"
    resource_value = "RESOURCE_ID"
  }
}
Parameters

config_rule_name - required - string - name of the Config rule whose non-compliant resources are remediated
target_type - required - string - only SSM_DOCUMENT is supported
target_id - required - string - name of the SSM Automation document to run
target_version - optional - string - document version; omit to use the document's default version
resource_type - optional - string - type of the evaluated resource, for example AWS::EC2::SecurityGroup
arn - optional, computed - string
id - optional, computed - string
parameter - set block, one per document parameter
  name - required - string - the document's parameter name
  resource_value - optional - string - RESOURCE_ID, which passes the ID of the non-compliant resource
  static_value - optional - string - a fixed value, for example the ARN of the role the automation assumes
Explanation in Terraform Registry
Provides an AWS Config Remediation Configuration.
Note: Config Remediation Configuration requires an existing Config Rule to be present.
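The GitHub snippet above stops at the remediation resource itself. The following Terraform is an added example, not code from the page or from the mamiotsu/cloud-bankruptcy-iac repository: it wires the whole chain, the managed rule, a least-privilege role for SSM Automation to assume, and the remediation configuration with the two parameters that AWS-DisablePublicAccessForSecurityGroup actually takes, with automatic remediation bounded by retry limits. It assumes a Config recorder is already enabled in the target region and an AWS provider version that supports automatic, maximum_automatic_attempts, retry_attempt_seconds and execution_controls on the resource; all resource names are illustrative.

```hcl
# Added example, not code from the page or the referenced repository.
# Full chain: managed rule -> least-privilege automation role -> remediation.
# Assumes a Config recorder is already enabled in this region and an AWS
# provider version that supports automatic/maximum_automatic_attempts/
# retry_attempt_seconds/execution_controls on the remediation resource.
# All names are illustrative.

data "aws_caller_identity" "current" {}

# Managed rule that flags security groups allowing unrestricted inbound SSH.
resource "aws_config_config_rule" "restricted_ssh" {
  name = "restricted-ssh"
  source {
    owner             = "AWS"
    source_identifier = "INCOMING_SSH_DISABLED"
  }
  scope {
    compliance_resource_types = ["AWS::EC2::SecurityGroup"]
  }
}

# Trust policy: only SSM Automation, and only from this account (confused-deputy guard).
data "aws_iam_policy_document" "ssm_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ssm.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

resource "aws_iam_role" "remediation" {
  name               = "config-remediation-restricted-ssh"
  assume_role_policy = data.aws_iam_policy_document.ssm_trust.json
}

# Permissions: exactly what AWS-DisablePublicAccessForSecurityGroup performs.
data "aws_iam_policy_document" "remediation" {
  statement {
    actions   = ["ec2:DescribeSecurityGroups"]
    resources = ["*"] # Describe* calls do not support resource-level scoping
  }
  statement {
    actions   = ["ec2:RevokeSecurityGroupIngress"]
    resources = ["arn:aws:ec2:*:${data.aws_caller_identity.current.account_id}:security-group/*"]
  }
}

resource "aws_iam_role_policy" "remediation" {
  role   = aws_iam_role.remediation.id
  policy = data.aws_iam_policy_document.remediation.json
}

resource "aws_config_remediation_configuration" "restricted_ssh" {
  config_rule_name = aws_config_config_rule.restricted_ssh.name
  resource_type    = "AWS::EC2::SecurityGroup" # the type the rule evaluates
  target_type      = "SSM_DOCUMENT"
  target_id        = "AWS-DisablePublicAccessForSecurityGroup"

  # RESOURCE_ID is replaced by the ID of each non-compliant security group.
  parameter {
    name           = "GroupId"
    resource_value = "RESOURCE_ID"
  }
  # The document runs under this dedicated role, not a broad service role.
  parameter {
    name         = "AutomationAssumeRole"
    static_value = aws_iam_role.remediation.arn
  }

  # Fully automatic, but bounded: after 3 failed attempts within 60 seconds
  # Config records a remediation exception for that resource and stops retrying it.
  automatic                  = true
  maximum_automatic_attempts = 3
  retry_attempt_seconds      = 60

  # Throttle automatic runs and halt if too many executions fail.
  execution_controls {
    ssm_controls {
      concurrent_execution_rate_percentage = 10
      error_percentage                     = 10
    }
  }
}
```

Two points carry the security value here. resource_value = "RESOURCE_ID" hands the document the ID of exactly the group Config found non-compliant, so the automation cannot be pointed at anything else, and AutomationAssumeRole is a role trusted only by ssm.amazonaws.com from this account that holds just the two EC2 actions the document needs. The attempt and error limits keep a document that cannot fix a resource (for example one whose rule is blocked by an SCP) from firing repeatedly across the fleet.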
Tips: Best Practices for the Other AWS Config Resources
In addition to aws_config_remediation_configuration, AWS Config has other resources that should be configured for security reasons. The following are examples of those resources and the precautions that apply to them.
aws_config_configuration_aggregator
Enable AWS Config in all Regions
Enable AWS Config in every Region, not only the ones you actively deploy to. A configuration aggregator can then pull the recorded configurations from all Regions into a single view, which reduces the risk that a resource created in a rarely used Region goes unmonitored and drifts out of compliance unnoticed.
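As an added example (not code from the page), the following Terraform enables the Config recorder in the current Region and creates an account-level aggregator that covers all Regions. The bucket and role names are placeholders; the recorder, delivery channel and status resources must be applied in every Region you want covered (for example through provider aliases), while the aggregator is created once.

```hcl
# Added example, not from the page. Recorder in this region plus an
# aggregator over every region of the account, so resources in regions
# nobody normally looks at are still recorded and evaluated.
# Assumptions: the S3 bucket already exists with a policy allowing
# config.amazonaws.com to write; the names are placeholders.

data "aws_caller_identity" "current" {}

# Service role for the recorder, using the AWS-managed Config policy.
resource "aws_iam_role" "config" {
  name = "aws-config-recorder"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "config.amazonaws.com" }
    }]
  })
}

resource "aws_iam_role_policy_attachment" "config" {
  role       = aws_iam_role.config.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWS_ConfigRole"
}

# Record every supported resource type; global types (IAM etc.) need
# include_global_resource_types in exactly one region to avoid duplicates.
resource "aws_config_configuration_recorder" "this" {
  name     = "default"
  role_arn = aws_iam_role.config.arn
  recording_group {
    all_supported                 = true
    include_global_resource_types = true
  }
}

resource "aws_config_delivery_channel" "this" {
  name           = "default"
  s3_bucket_name = "config-logs-${data.aws_caller_identity.current.account_id}" # assumed existing bucket
  depends_on     = [aws_config_configuration_recorder.this]
}

# The recorder is only running once its status is enabled.
resource "aws_config_configuration_recorder_status" "this" {
  name       = aws_config_configuration_recorder.this.name
  is_enabled = true
  depends_on = [aws_config_delivery_channel.this]
}

# One aggregator pulls all regions of this account into a single view.
# Same-account aggregation needs no aws_config_aggregate_authorization.
resource "aws_config_configuration_aggregator" "all_regions" {
  name = "all-regions"
  account_aggregation_source {
    account_ids = [data.aws_caller_identity.current.account_id]
    all_regions = true
  }
}
```

Check the result from the aggregator's Region: aws configservice describe-configuration-aggregator-sources-status should list every Region with a status of SUCCEEDED; a Region that is missing has no recorder running there.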
AWS::Config::RemediationConfiguration (CloudFormation)
The RemediationConfiguration in Config can be configured in CloudFormation with the resource name AWS::Config::RemediationConfiguration. The following examples show how to use the resource and its parameters.
Example Usage from GitHub
Type: 'AWS::Config::RemediationConfiguration'
Properties:
  ConfigRuleName: S3BucketPublicWriteProhibited
  ResourceType: "AWS::S3::Bucket"
  TargetId: "AWS-DisableS3BucketPublicReadWrite"
  TargetType: "SSM_DOCUMENT"

Type: 'AWS::Config::RemediationConfiguration'
Properties:
  ConfigRuleName: RDSNonPublicInstanceEnabled
  ResourceType: "AWS::RDS::DBInstance"
  TargetId: "Custom-ModifyRDSDBInstance"
  TargetType: "SSM_DOCUMENT"

Type: 'AWS::Config::RemediationConfiguration'
Properties:
  ConfigRuleName: AutoScalingELBHealthCheck
  ResourceType: "AWS::AutoScaling::AutoScalingGroup"
  TargetId: "Custom-AutoScalingELBHealthCheck"
  TargetType: "SSM_DOCUMENT"

"Type": "AWS::Config::RemediationConfiguration",
"Properties": {
  "Automatic": true,
  "MaximumAutomaticAttempts": 5,
  "RetryAttemptSeconds": 60,
  "ConfigRuleName": {

"Type": "AWS::Config::RemediationConfiguration",
"Properties": {
  "ConfigRuleName": "Custom_Baseline_Incoming_SSH_Disabled",
  "TargetId": "AWS-DisableIncomingSSHOnPort22",
  "TargetType": "SSM_DOCUMENT",
  "Automatic": "true"
}

"Type": "AWS::Config::RemediationConfiguration",
"Properties": {
  "ConfigRuleName": "Custom_Baseline_EC2_EBS_Encryption_By_Default",
  "TargetId": "AWSConfigRemediation-EnableEbsEncryptionByDefault",
  "TargetType": "SSM_DOCUMENT",
  "Automatic": "true"
}
Parameters

ConfigRuleName - required - String - name of the Config rule whose non-compliant resources are remediated
TargetType - required - String - only SSM_DOCUMENT is supported
TargetId - required - String - name of the SSM Automation document to run
TargetVersion - optional - String - document version; omit to use the document's default version
ResourceType - optional - String - type of the evaluated resource, for example AWS::S3::Bucket
Parameters - optional - Json - map from document parameter name to a ResourceValue (RESOURCE_ID) or a StaticValue
Automatic - optional - Boolean - run the remediation without manual approval
MaximumAutomaticAttempts - optional - Integer - failed attempts before Config records a remediation exception for the resource (1 to 25, default 5)
RetryAttemptSeconds - optional - Integer - time window for those attempts (default 60)
ExecutionControls - optional - ExecutionControls - SsmControls with ConcurrentExecutionRatePercentage and ErrorPercentage to throttle automatic runs
Explanation in CloudFormation Registry
An object that represents the details about the remediation configuration that includes the remediation action, parameters, and data to execute the action.
Frequently asked questions
What is AWS Config Remediation Configuration?
AWS Config Remediation Configuration is a resource of AWS Config, the Amazon Web Services service that records and evaluates resource configurations. It links a Config rule to an SSM Automation document that is run against the rule's non-compliant resources, and it can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS Config Remediation Configuration?
For Terraform, the mamiotsu/cloud-bankruptcy-iac source code example is useful. See the Terraform Example section for further details.
For CloudFormation, the aws-samples/aws-config-pci-fsbp-ssmremediations source code examples are useful. See the CloudFormation Example section for further details.