AWS Config Remediation Configuration

This page shows how to write Terraform and CloudFormation for AWS Config Remediation Configuration, and how to write them securely.

aws_config_remediation_configuration (Terraform)

The Remediation Configuration in AWS Config can be configured in Terraform with the resource name aws_config_remediation_configuration. The following sections describe 1 example of how to use the resource and its parameters.

Example Usage from GitHub

main.tf#L17
resource "aws_config_remediation_configuration" "restricted_ssh" {
  # The rule must already exist; its name ties the remediation to it.
  config_rule_name = aws_config_config_rule.restricted_ssh.name
  resource_type    = "AWS::Config::RemediationConfiguration"
  # Remediation runs an SSM Automation runbook, here an AWS-managed one.
  target_type      = "SSM_DOCUMENT"
  target_id        = "AWS-DisablePublicAccessForSecurityGroup"
}

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

Explanation in Terraform Registry

Provides an AWS Config Remediation Configuration.

Note: Config Remediation Configuration requires an existing Config Rule to be present.
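As an added example (not code from the page's GitHub sources), the following Terraform pairs a managed Config rule with an automatic remediation that bounds its retries, the same Automatic / MaximumAutomaticAttempts / RetryAttemptSeconds settings the CloudFormation examples on this page use. It assumes the Config recorder is already enabled in the account and that `var.automation_role_arn` holds an existing IAM role that SSM Automation is allowed to assume.

```hcl
# Added example. Assumes an existing role ARN in var.automation_role_arn
# that SSM Automation may assume to modify the bucket.
variable "automation_role_arn" {
  type        = string
  description = "ARN of the role SSM Automation assumes during remediation"
}

# The rule the remediation is attached to; it must exist first.
resource "aws_config_config_rule" "s3_public_write" {
  name = "s3-bucket-public-write-prohibited"

  source {
    owner             = "AWS"
    source_identifier = "S3_BUCKET_PUBLIC_WRITE_PROHIBITED"
  }
}

resource "aws_config_remediation_configuration" "s3_public_write" {
  config_rule_name = aws_config_config_rule.s3_public_write.name
  resource_type    = "AWS::S3::Bucket"
  target_type      = "SSM_DOCUMENT"
  target_id        = "AWS-DisableS3BucketPublicReadWrite"

  # Hand the non-compliant bucket's ID to the runbook at run time.
  parameter {
    name           = "S3BucketName"
    resource_value = "RESOURCE_ID"
  }

  # Least privilege: the runbook runs as this role, not as Config itself.
  parameter {
    name         = "AutomationAssumeRole"
    static_value = var.automation_role_arn
  }

  # Remediate automatically, but cap retries so a failing runbook
  # cannot loop indefinitely against the same resource.
  automatic                  = true
  maximum_automatic_attempts = 5
  retry_attempt_seconds      = 60
}
```

Leaving `automatic` unset (the default) keeps the remediation manual, which is the safer choice while the runbook and its role are still being validated.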

Tips: Best Practices for The Other AWS Config Resources

In addition to this resource, AWS Config has other resources that should be configured for security reasons. Please check the following examples of those resources and their precautions.


aws_config_configuration_aggregator

Ensure to enable AWS Config in all Regions

It is better to enable AWS Config in all Regions. AWS Config can aggregate configuration data from every Region, which reduces the risk that an unmonitored configuration goes unnoticed.

Review your AWS Config settings

In addition to the above, there are other security points you should be aware of; Shisho Cloud checks your .tf files for them.

AWS::Config::RemediationConfiguration (CloudFormation)

The RemediationConfiguration in Config can be configured in CloudFormation with the resource name AWS::Config::RemediationConfiguration. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

aws-pci-configremediations.yml#L62
    Type: 'AWS::Config::RemediationConfiguration'
    Properties:
      ConfigRuleName: S3BucketPublicWriteProhibited
      ResourceType: "AWS::S3::Bucket"
      TargetId: "AWS-DisableS3BucketPublicReadWrite"
      TargetType: "SSM_DOCUMENT"
aws-fsbp-configremediations.yml#L62
    Type: 'AWS::Config::RemediationConfiguration'
    Properties:
      ConfigRuleName: S3BucketPublicWriteProhibited
      ResourceType: "AWS::S3::Bucket"
      TargetId: "AWS-DisableS3BucketPublicReadWrite"
      TargetType: "SSM_DOCUMENT"
aws-pci-conformancepack-v1-3.yml#L26
    Type: 'AWS::Config::RemediationConfiguration'
    Properties:
      ConfigRuleName: RDSNonPublicInstanceEnabled
      ResourceType: "AWS::RDS::DBInstance"
      TargetId: "Custom-ModifyRDSDBInstance"
      TargetType: "SSM_DOCUMENT"
aws-pci-conformancepack-v1-1.yml#L26
    Type: 'AWS::Config::RemediationConfiguration'
    Properties:
      ConfigRuleName: AutoScalingELBHealthCheck
      ResourceType: "AWS::AutoScaling::AutoScalingGroup"
      TargetId: "Custom-AutoScalingELBHealthCheck"
      TargetType: "SSM_DOCUMENT"
remediation.json#L32
            "Type": "AWS::Config::RemediationConfiguration",
            "Properties": {
                "Automatic": true,
                "MaximumAutomaticAttempts": 5,
                "RetryAttemptSeconds": 60,
                "ConfigRuleName": {
DisableIncomingSSHOnPort22.json#L21
            "Type": "AWS::Config::RemediationConfiguration",
            "Properties": {
                "ConfigRuleName": "Custom_Baseline_Incoming_SSH_Disabled",
                "TargetId": "AWS-DisableIncomingSSHOnPort22",
                "TargetType": "SSM_DOCUMENT",
                "Automatic": "true",
EnableEbsEncryptionByDefault.json#L16
            "Type": "AWS::Config::RemediationConfiguration",
            "Properties": {
                "ConfigRuleName": "Custom_Baseline_EC2_EBS_Encryption_By_Default",
                "TargetId": "AWSConfigRemediation-EnableEbsEncryptionByDefault",
                "TargetType": "SSM_DOCUMENT",
                "Automatic": "true",

Parameters

Explanation in CloudFormation Registry

An object that represents the details about the remediation configuration that includes the remediation action, parameters, and data to execute the action.

Frequently asked questions

What is AWS Config Remediation Configuration?

AWS Config Remediation Configuration is a resource of AWS Config in Amazon Web Services. Its settings can be written in Terraform and CloudFormation.

Where can I find the example code for the AWS Config Remediation Configuration?

For Terraform, the mamiotsu/cloud-bankruptcy-iac source code example is useful. See the Terraform Example section for further details.

For CloudFormation, the aws-samples/aws-config-pci-fsbp-ssmremediations source code examples are useful. See the CloudFormation Example section for further details.