How To Auto Remediate Using AWS Config Rule
Hello Everyone
Welcome to CloudAffaire and this is Debjeet.
In the last blog post, we discussed how to create a custom config rule using the RDK (AWS Config Rules Development Kit).
https://cloudaffaire.com/how-to-create-a-custom-aws-config-rule-using-rdk/
There are multiple ways to automate the remediation of issues in your AWS landscape. One of them is the AWS Config rule remediation feature, which uses an AWS Systems Manager (SSM) Automation document to remediate a non-compliant resource either automatically or on demand.
When you create a config rule, you can attach a remediation configuration that names an SSM Automation document and the IAM role it runs under. If the rule evaluates a resource as NON_COMPLIANT, AWS Config triggers that document against the resource to bring it back to a compliant state.
How To Auto Remediate Using AWS Config Rule:
Prerequisites:
- AWS CLI installed and configured with proper access. You can use the links below to install and configure the AWS CLI.
https://cloudaffaire.com/how-to-install-aws-cli/
https://cloudaffaire.com/how-to-configure-aws-cli/
Step 1: Create an S3 bucket with the bucket policy AWS Config needs to deliver configuration snapshots to it. S3 bucket names are globally unique, so pick your own name and use it consistently in every step below.
## Create the S3 bucket
aws s3api create-bucket \
--bucket s3-for-config-recording \
--region ap-south-1 \
--create-bucket-configuration LocationConstraint=ap-south-1

## Create a bucket policy definition file for config
## (lets the Config service check the bucket ACL, list the bucket and write objects)
cat <<'EOF' > config_bucket_policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSConfigBucketPermissionsCheck",
      "Effect": "Allow",
      "Principal": { "Service": [ "config.amazonaws.com" ] },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::s3-for-config-recording"
    },
    {
      "Sid": "AWSConfigBucketExistenceCheck",
      "Effect": "Allow",
      "Principal": { "Service": [ "config.amazonaws.com" ] },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::s3-for-config-recording"
    },
    {
      "Sid": "AWSConfigBucketDelivery",
      "Effect": "Allow",
      "Principal": { "Service": [ "config.amazonaws.com" ] },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::s3-for-config-recording/*",
      "Condition": {
        "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" }
      }
    }
  ]
}
EOF

## Create a S3 bucket policy for Config
aws s3api put-bucket-policy \
--bucket s3-for-config-recording \
--policy file://config_bucket_policy.json
This bucket serves a dual purpose in this demo: it stores the configuration snapshots, and it is also the resource the config rule evaluates for the auto remediation demo.
Step 2: Create an IAM role with the policy required by the Config service.
## Create assume role policy definition
cat <<'EOF' > config_assume_role_policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": { "Service": "config.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF

## Create IAM role
aws iam create-role \
--role-name config_iam_role \
--assume-role-policy-document file://config_assume_role_policy.json

## Create IAM policy definition for config to access S3
cat <<'EOF' > config_iam_policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "s3:PutObject", "s3:PutObjectAcl" ],
      "Resource": [ "arn:aws:s3:::s3-for-config-recording/*" ],
      "Condition": {
        "StringLike": { "s3:x-amz-acl": "bucket-owner-full-control" }
      }
    },
    {
      "Effect": "Allow",
      "Action": [ "s3:GetBucketAcl" ],
      "Resource": "arn:aws:s3:::s3-for-config-recording"
    }
  ]
}
EOF

## Update the IAM role with the above IAM policy
aws iam put-role-policy \
--role-name config_iam_role \
--policy-name config_iam_policy \
--policy-document file://config_iam_policy.json

## Add AWS managed AWS_ConfigRole policy to the role
aws iam attach-role-policy \
--role-name config_iam_role \
--policy-arn arn:aws:iam::aws:policy/service-role/AWS_ConfigRole
We need a second IAM role that SSM Automation assumes to execute the remediation document and fix the compliance issue. For Config remediation only ssm.amazonaws.com needs to assume this role; the demo trust policy below also lists ec2.amazonaws.com and events.amazonaws.com, and the inline policy allows the remediation action on every bucket in the account. Both are wider than this demo needs, so trim them before reusing the role outside a demo.
Step 3: Create another IAM role with the policy required for auto remediation.
## Create assume role policy definition
## SSM Automation (ssm.amazonaws.com) is the service that assumes this role
## when AWS Config triggers the remediation document
cat << EOF > config_auto_service_assume_policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ec2.amazonaws.com",
          "events.amazonaws.com",
          "ssm.amazonaws.com"
        ]
      },
      "Action": [ "sts:AssumeRole" ]
    }
  ]
}
EOF

## Create the IAM role for auto-remediation
aws iam create-role \
--role-name "config_auto_remediation" \
--assume-role-policy-document file://config_auto_service_assume_policy.json

## Create auto remediation policy definition
## (the permission the AWS-EnableS3BucketEncryption document needs)
cat << EOF > config_auto_role_policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPutEncryptionConfiguration",
      "Effect": "Allow",
      "Action": "s3:PutEncryptionConfiguration",
      "Resource": "arn:aws:s3:::*"
    }
  ]
}
EOF

## Add policy to IAM role
aws iam put-role-policy --role-name "config_auto_remediation" \
--policy-name "config_auto_remediation_enable_s3_encryption" \
--policy-document file://config_auto_role_policy.json

## Create policy definition for assume role
## AUTO_IAM_ROLE_ARN is reused in Step 8, so keep this shell session open
AUTO_IAM_ROLE_ARN=$(aws iam get-role \
--role-name config_auto_remediation | jq -r .Role.Arn) && cat << EOF > config_auto_role_assume_policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "$AUTO_IAM_ROLE_ARN"
    }
  ]
}
EOF

## Add the policy to iam role
aws iam put-role-policy \
--role-name "config_auto_remediation" \
--policy-name "config_pass_role_policy" \
--policy-document file://config_auto_role_assume_policy.json

## Attach SSM managed policy to the role
aws iam attach-role-policy \
--role-name "config_auto_remediation" \
--policy-arn "arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole"
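The trust and permission policies above can be checked mechanically before the role is created. The following is an added example (not code from the original post) that lints the two policy documents from this step: it lists every service principal beyond ssm.amazonaws.com that may assume the role, lists every grant whose resource is not one of the bucket ARNs you expect the rule to remediate, and produces a trust policy reduced to the required principal. The policy JSON is copied from the step; the assumption that ssm.amazonaws.com is the only required principal, and the allowed resource set (the single demo bucket), are choices made for this demo.

```python
"""Least-privilege check for the Config remediation role (added example)."""
import copy
import json

# Trust policy as written in config_auto_service_assume_policy.json (Step 3).
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": ["ec2.amazonaws.com", "events.amazonaws.com", "ssm.amazonaws.com"]
      },
      "Action": ["sts:AssumeRole"]
    }
  ]
}
""")

# Permission policy as written in config_auto_role_policy.json (Step 3).
PERMISSION_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPutEncryptionConfiguration",
      "Effect": "Allow",
      "Action": "s3:PutEncryptionConfiguration",
      "Resource": "arn:aws:s3:::*"
    }
  ]
}
""")

# Assumption for this demo: only SSM Automation needs to assume the role,
# because AWS Config hands the role to SSM via AutomationAssumeRole.
REQUIRED_PRINCIPALS = {"ssm.amazonaws.com"}


def _as_list(value):
    """IAM accepts a string or a list in Principal, Action and Resource."""
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy, required=REQUIRED_PRINCIPALS):
    """Service principals allowed to assume the role beyond the required set."""
    extra = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        for service in _as_list(stmt.get("Principal", {}).get("Service", [])):
            if service not in required:
                extra.add(service)
    return sorted(extra)


def permission_findings(policy, allowed_resources):
    """(action, resource) pairs whose resource is not an explicitly allowed ARN."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            for resource in _as_list(stmt.get("Resource", [])):
                if resource not in allowed_resources:
                    findings.append((action, resource))
    return findings


def tightened_trust_policy(policy, required=REQUIRED_PRINCIPALS):
    """Copy of the trust policy keeping only the required service principals."""
    tightened = copy.deepcopy(policy)
    for stmt in tightened["Statement"]:
        if "Principal" not in stmt or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        services = _as_list(stmt["Principal"].get("Service", []))
        stmt["Principal"]["Service"] = sorted(s for s in services if s in required)
    return tightened


if __name__ == "__main__":
    # s3:PutEncryptionConfiguration is a bucket-level action, so the resource
    # can be the bucket ARN itself (the only bucket in this demo).
    print("extra trust principals:", trust_policy_findings(TRUST_POLICY))
    print("over-broad grants:", permission_findings(
        PERMISSION_POLICY, {"arn:aws:s3:::s3-for-config-recording"}))
    print(json.dumps(tightened_trust_policy(TRUST_POLICY), indent=2))
```

Run it before `aws iam create-role`; the tightened trust policy it prints is what you would write to config_auto_service_assume_policy.json when the role is not shared with EC2 or EventBridge.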
Next, we will configure the AWS Config recorder to record S3 bucket configurations only.
Step 4: Configure AWS Config to record S3 bucket configuration.
## Create recording group configuration (only AWS::S3::Bucket, no global resources)
cat <<'EOF' > config_recording_group.json
{
  "allSupported": false,
  "includeGlobalResourceTypes": false,
  "resourceTypes": ["AWS::S3::Bucket"]
}
EOF

## Create the configuration recorder using AWS CLI
ACCOUNT_ID=$(aws sts get-caller-identity | jq -r .Account) && \
CONFIG_IAM_ROLE_ARN=arn:aws:iam::$ACCOUNT_ID:role/config_iam_role && \
aws configservice put-configuration-recorder \
--configuration-recorder name=myconfig,roleARN=$CONFIG_IAM_ROLE_ARN \
--recording-group file://config_recording_group.json
Next, we will create a config rule from the AWS managed rule S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED to evaluate the encryption status of S3 buckets.
Step 5: Create a new config rule.
## Create config rule definition file
cat <<'EOF' > config_rule.json
{
  "ConfigRuleName": "myconfigrule",
  "Description": "Auto remediation of s3 encryption",
  "Source": {
    "Owner": "AWS",
    "SourceIdentifier": "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED",
    "SourceDetails": []
  },
  "Scope": {
    "ComplianceResourceTypes": [ "AWS::S3::Bucket" ]
  },
  "InputParameters": "{}"
}
EOF

## Create the config rule (AWS Provided)
aws configservice put-config-rule \
--config-rule file://config_rule.json
Next, we will create a delivery channel that tells AWS Config which S3 bucket to store the configuration snapshots in.
Step 6: Create a new delivery channel (S3 bucket) for AWS config.
## Create config delivery channel object configuration file
cat << EOF > config_delivery_channel.json
{
  "name": "myconfig",
  "s3BucketName": "s3-for-config-recording",
  "configSnapshotDeliveryProperties": {
    "deliveryFrequency": "One_Hour"
  }
}
EOF

## Create config delivery channel object as S3
aws configservice put-delivery-channel \
--delivery-channel file://config_delivery_channel.json
Step 7: Start the configuration recorder.
## Starts recording configurations of recording group
aws configservice start-configuration-recorder \
--configuration-recorder-name myconfig
Next, we are going to create the remediation configuration for the config rule. It binds the rule to the AWS managed SSM Automation document AWS-EnableS3BucketEncryption, passes the flagged bucket's resource ID as the BucketName parameter, and names the role from Step 3 as AutomationAssumeRole. The definition below expands $AUTO_IAM_ROLE_ARN, which was set in Step 3; if you are in a new shell, set it again from the output of aws iam get-role --role-name config_auto_remediation before running this step, otherwise an empty ARN is written into the configuration.
Step 8: Create config rule remediation configuration.
## Create auto remediation configuration definition
## Automatic: true        -> remediate without manual approval
## TargetId / TargetType  -> the AWS managed SSM Automation document to run
## RESOURCE_ID            -> the ID of the non-compliant resource (the bucket name)
## MaximumAutomaticAttempts / RetryAttemptSeconds
##                        -> stop after 2 failed attempts within 60 seconds
cat << EOF > config_auto_remediation.json
[
  {
    "Automatic": true,
    "ConfigRuleName": "myconfigrule",
    "TargetId": "AWS-EnableS3BucketEncryption",
    "TargetType": "SSM_DOCUMENT",
    "TargetVersion": "1",
    "Parameters": {
      "AutomationAssumeRole": {
        "StaticValue": { "Values": [ "$AUTO_IAM_ROLE_ARN" ] }
      },
      "BucketName": {
        "ResourceValue": { "Value": "RESOURCE_ID" }
      }
    },
    "MaximumAutomaticAttempts": 2,
    "RetryAttemptSeconds": 60
  }
]
EOF

## Create auto remediation configuration
aws configservice put-remediation-configurations \
--remediation-configurations file://config_auto_remediation.json
Step 9: Get AWS config details.
## Get config recorder status
aws configservice describe-configuration-recorder-status

## Get details on config recorder
aws configservice describe-configuration-recorders

## Get all the resources discovered
aws configservice get-discovered-resource-counts \
--resource-type AWS::S3::Bucket

## List all the resources discovered
aws configservice list-discovered-resources \
--resource-type "AWS::S3::Bucket"

## List config delivery channels
aws configservice describe-delivery-channels

## Get config delivery channel status
aws configservice describe-delivery-channel-status

## Get config rule details
aws configservice describe-config-rules \
--config-rule-names myconfigrule

## Get config rule status
aws configservice describe-config-rule-evaluation-status \
--config-rule-names myconfigrule

## Get config rule compliance summary
aws configservice get-compliance-summary-by-config-rule

## Get remediation configuration details
aws configservice describe-remediation-configurations \
--config-rule-name myconfigrule

## Get remediation execution status
aws configservice describe-remediation-execution-status \
--config-rule-name myconfigrule

## Get config rule compliance details
aws configservice get-compliance-details-by-config-rule \
--config-rule-name myconfigrule \
--compliance-types NON_COMPLIANT && \
aws configservice get-compliance-details-by-config-rule \
--config-rule-name myconfigrule \
--compliance-types COMPLIANT
Note: If you do not get any compliance report, wait a few moments and try again. Config takes some time to complete the initial setup and evaluation. At the end of the evaluation, you should have a NON_COMPLIANT S3 bucket. One caveat: since January 2023 Amazon S3 applies SSE-S3 default encryption to every bucket and no longer lets you turn it off, so in a current account this rule reports the bucket COMPLIANT from the start and the remediation never fires. The setup still exercises the whole recorder, rule and remediation chain; to watch a remediation actually run, pair a rule whose non-compliant state you can still create with its matching document, for example S3_BUCKET_VERSIONING_ENABLED with the AWS-ConfigureS3BucketVersioning document.
Next, we will manually trigger config rule evaluation which will then detect the non-compliant S3 bucket and trigger the rule remediation action through SSM automation document.
Step 10: Manually trigger config rule re-evaluation.
## Start a new evaluation for the config rule
aws configservice start-config-rules-evaluation \
--config-rule-names myconfigrule

## Wait for some time

## Get config rule compliance summary
aws configservice get-compliance-summary-by-config-rule

## Wait for the evaluation to complete (it takes around 1 minute on average)

## Get config rule compliance details
aws configservice get-compliance-details-by-config-rule \
--config-rule-name myconfigrule \
--compliance-types NON_COMPLIANT && \
aws configservice get-compliance-details-by-config-rule \
--config-rule-name myconfigrule \
--compliance-types COMPLIANT

## Get remediation execution status
aws configservice describe-remediation-execution-status \
--config-rule-name myconfigrule
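A remediation that fails (for example because the role from Step 3 lacks a permission) does not make the resource compliant, and after MaximumAutomaticAttempts failures Config stops retrying, so the two outputs above are worth correlating rather than reading separately. The following is an added example, not code from the original post, that takes the JSON from get-compliance-details-by-config-rule and describe-remediation-execution-status and reports, for each NON_COMPLIANT resource, whether remediation is still running, has succeeded and just awaits re-evaluation, is still retrying, has used up its attempts, or was never attempted. The two responses are constructed sample data in the shape of those API responses (field names follow the Config API); the bucket names other than the demo bucket, the timestamps, the step name and the error text are made up.

```python
"""Triage of AWS Config auto-remediation results (added example)."""
from collections import defaultdict


def _evaluation(resource_id, compliance_type):
    """One entry of get-compliance-details-by-config-rule (constructed)."""
    return {
        "EvaluationResultIdentifier": {"EvaluationResultQualifier": {
            "ConfigRuleName": "myconfigrule",
            "ResourceType": "AWS::S3::Bucket",
            "ResourceId": resource_id}},
        "ComplianceType": compliance_type,
    }


def _execution(resource_id, state, updated, error=None):
    """One entry of describe-remediation-execution-status (constructed).
    Timestamps are epoch seconds; the step name is made up."""
    step = {"Name": "EnableEncryption", "State": state}
    if error:
        step["ErrorMessage"] = error
    return {
        "ResourceKey": {"resourceType": "AWS::S3::Bucket", "resourceId": resource_id},
        "State": state,
        "StepDetails": [step],
        "InvocationTime": updated - 10.0,
        "LastUpdatedTime": updated,
    }


COMPLIANCE_RESPONSE = {"EvaluationResults": [
    _evaluation("s3-for-config-recording", "COMPLIANT"),
    _evaluation("demo-bucket-no-perms", "NON_COMPLIANT"),
    _evaluation("demo-bucket-untouched", "NON_COMPLIANT"),
]}

# Constructed: two failed attempts because the role could not call the S3 API,
# and no execution at all for the third bucket.
DENIED = "AccessDenied: not authorized to perform s3:PutEncryptionConfiguration"
REMEDIATION_RESPONSE = {"RemediationExecutionStatuses": [
    _execution("s3-for-config-recording", "SUCCEEDED", 1700000030.0),
    _execution("demo-bucket-no-perms", "FAILED", 1700000010.0, DENIED),
    _execution("demo-bucket-no-perms", "FAILED", 1700000070.0, DENIED),
]}


def triage(compliance, remediation, max_attempts):
    """Map each NON_COMPLIANT resource id to status, attempt count and last error."""
    runs_by_resource = defaultdict(list)
    for execution in remediation.get("RemediationExecutionStatuses", []):
        runs_by_resource[execution["ResourceKey"]["resourceId"]].append(execution)

    report = {}
    for result in compliance.get("EvaluationResults", []):
        if result.get("ComplianceType") != "NON_COMPLIANT":
            continue
        qualifier = result["EvaluationResultIdentifier"]["EvaluationResultQualifier"]
        resource_id = qualifier["ResourceId"]
        runs = sorted(runs_by_resource.get(resource_id, []),
                      key=lambda r: r["LastUpdatedTime"])
        if not runs:
            report[resource_id] = {"status": "NOT_ATTEMPTED", "attempts": 0, "error": None}
            continue
        latest = runs[-1]
        failures = sum(1 for r in runs if r["State"] == "FAILED")
        error = next((step.get("ErrorMessage") for step in latest.get("StepDetails", [])
                      if step.get("State") == "FAILED"), None)
        if latest["State"] in ("QUEUED", "IN_PROGRESS"):
            status = "IN_PROGRESS"
        elif latest["State"] == "SUCCEEDED":
            status = "AWAITING_REEVALUATION"   # fixed, Config has not re-evaluated yet
        elif failures >= max_attempts:
            status = "GAVE_UP"                 # Config stops retrying; needs a human
        else:
            status = "RETRYING"
        report[resource_id] = {"status": status, "attempts": len(runs), "error": error}
    return report


if __name__ == "__main__":
    # MaximumAutomaticAttempts is 2 in the remediation configuration from Step 8.
    for resource_id, info in triage(COMPLIANCE_RESPONSE, REMEDIATION_RESPONSE, 2).items():
        print(resource_id, info)
```

To use it against a real account, replace the two constructed dictionaries with the parsed output of the two CLI commands above (for example via json.load on their stdout) and pass the MaximumAutomaticAttempts value from your remediation configuration. A GAVE_UP entry is the case to alert on: the rule keeps reporting the resource NON_COMPLIANT, but nothing will retry the fix.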
The S3 bucket should now be reported as COMPLIANT, and describe-remediation-execution-status should show a SUCCEEDED execution for it. We have successfully auto remediated the config rule. Next, clean up all the resources created in this demo.
Step 11: Clean up.
## Stop config recorder
aws configservice stop-configuration-recorder \
--configuration-recorder-name myconfig

## Delete remediation configuration
aws configservice delete-remediation-configuration \
--config-rule-name myconfigrule

## Delete config evaluation data
aws configservice delete-evaluation-results \
--config-rule-name myconfigrule

## Delete config rule
aws configservice delete-config-rule \
--config-rule-name myconfigrule

## Delete config delivery channel
aws configservice delete-delivery-channel \
--delivery-channel-name myconfig

## Disable config service
aws configservice delete-configuration-recorder \
--configuration-recorder-name myconfig

## Delete the S3 bucket with objects (configuration items)
aws s3 rb \
s3://s3-for-config-recording --force

## Delete IAM Role & Policy
aws iam detach-role-policy \
--role-name config_iam_role \
--policy-arn arn:aws:iam::aws:policy/service-role/AWS_ConfigRole && \
aws iam delete-role-policy \
--role-name config_iam_role \
--policy-name config_iam_policy && \
aws iam delete-role \
--role-name config_iam_role

aws iam detach-role-policy \
--role-name config_auto_remediation \
--policy-arn arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole && \
aws iam delete-role-policy \
--role-name config_auto_remediation \
--policy-name config_pass_role_policy && \
aws iam delete-role-policy \
--role-name config_auto_remediation \
--policy-name config_auto_remediation_enable_s3_encryption && \
aws iam delete-role \
--role-name config_auto_remediation
Hope you have enjoyed this article. To know more about AWS Config, please refer to the official documentation below.
https://docs.aws.amazon.com/config/index.html