How To Auto Remediate Using AWS Config Rule

Hello Everyone

Welcome to CloudAffaire and this is Debjeet.

In the last blog post, we discussed how to create a custom config rule using rdk.

There are multiple ways to automate the remediation of issues in your AWS cloud landscape. One of them is the AWS Config rule remediation feature, which uses a Systems Manager (SSM) automation document to remediate compliance issues either automatically or manually.

When you create a new config rule, you can define a remediation configuration that points to an SSM automation document. If the rule evaluates a resource configuration as non-compliant, Config triggers that automation document to remediate the configuration and bring the resource back to a compliant state.

How To Auto Remediate Using AWS Config Rule:

  • AWS CLI installed and configured with proper access. You can use the link below to install and configure the AWS CLI.

Step 1: Create an S3 bucket with the required policy to store all your configuration snapshots.

This bucket serves a dual purpose in this demo: first, it stores all the configuration snapshots, and second, we create a config rule against it for the auto remediation demo.

Step 2: Create an IAM role with the required policy for the Config service.

We also need a second IAM role, which the SSM automation document will assume to remediate the compliance issue.

Step 3: Create another IAM role with the required policy for auto remediation.

Next, we will enable AWS Config to record S3 bucket configurations.

Step 4: Enable AWS Config to record S3 bucket configuration.

Next, we will create a new config rule to evaluate the S3 bucket encryption status.

Step 5: Create a new config rule.

Next, we will create a new delivery channel (the S3 bucket) where AWS Config will store your configuration snapshots.

Step 6: Create a new delivery channel (S3 bucket) for AWS config.

Step 7: Start config recording.

Next, we are going to create the config rule remediation configuration for auto remediation.

Step 8: Create config rule remediation configuration.

Step 9: Get AWS config details.

Note: If you do not get any compliance report, wait a few moments and try again. Config takes some time to complete the initial setup and evaluation. At the end of the evaluation, you should have a non-compliant S3 bucket.

Next, we will manually trigger the config rule evaluation, which will detect the non-compliant S3 bucket and trigger the remediation action through the SSM automation document.

Step 10: Manually trigger config rule re-evaluation.

Observe that the S3 bucket is now reported as compliant. We have successfully auto remediated the config rule. Next, clean up all the resources created in this demo.

Step 11: Clean-up
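Steps 8 to 10 as one script, added here as an example and not the post's own commands: it builds the remediation configuration that ties the AWS managed rule s3-bucket-server-side-encryption-enabled to the AWS-EnableS3BucketEncryption SSM document, validates the inputs before anything is sent to AWS, then stores the configuration, confirms Config kept it and triggers re-evaluation. Because BucketName is taken from the evaluated resource id, the same configuration remediates any bucket the rule flags, not only the demo bucket. The rule name, the role ARN and the retry settings are assumed placeholders; replace them with your own.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Assumed values: the managed rule
# name, a placeholder remediation role ARN and the retry settings.
set -euo pipefail
RULE_NAME="${RULE_NAME:-s3-bucket-server-side-encryption-enabled}"
REMEDIATION_ROLE_ARN="${REMEDIATION_ROLE_ARN:-arn:aws:iam::111122223333:role/ConfigRemediationRole}"
SSE_ALGORITHM="${SSE_ALGORITHM:-AES256}"
# JSON for `aws configservice put-remediation-configurations`. BucketName comes
# from the evaluated resource (RESOURCE_ID), so one configuration covers every
# non-compliant bucket; the role and the algorithm are static values.
build_remediation_config() {
  local rule="$1" role_arn="$2" sse="$3"
  cat <<EOF
[{
  "ConfigRuleName": "${rule}",
  "TargetType": "SSM_DOCUMENT",
  "TargetId": "AWS-EnableS3BucketEncryption",
  "Parameters": {
    "AutomationAssumeRole": { "StaticValue": { "Values": ["${role_arn}"] } },
    "BucketName": { "ResourceValue": { "Value": "RESOURCE_ID" } },
    "SSEAlgorithm": { "StaticValue": { "Values": ["${sse}"] } }
  },
  "Automatic": true,
  "MaximumAutomaticAttempts": 5,
  "RetryAttemptSeconds": 60
}]
EOF
}
# Reject bad inputs before anything reaches AWS: an IAM role ARN, and an
# algorithm the document accepts.
validate_inputs() {
  local role_arn="$1" sse="$2"
  case "$role_arn" in
    arn:aws:iam::[0-9]*:role/*) ;;
    *) echo "invalid AutomationAssumeRole ARN: $role_arn" >&2; return 1 ;;
  esac
  case "$sse" in
    AES256|aws:kms) ;;
    *) echo "SSEAlgorithm must be AES256 or aws:kms, got: $sse" >&2; return 1 ;;
  esac
}
# Steps 8-10: store the configuration, confirm Config kept it, then re-evaluate
# the rule so the non-compliant bucket triggers the automation document.
apply_and_reevaluate() {
  validate_inputs "$REMEDIATION_ROLE_ARN" "$SSE_ALGORITHM"
  aws configservice put-remediation-configurations --remediation-configurations \
    "$(build_remediation_config "$RULE_NAME" "$REMEDIATION_ROLE_ARN" "$SSE_ALGORITHM")"
  aws configservice describe-remediation-configurations --config-rule-names "$RULE_NAME"
  aws configservice start-config-rules-evaluation --config-rule-names "$RULE_NAME"
}
if [ "${1:-}" = "apply" ]; then apply_and_reevaluate; fi  # AWS is only called on request
```

Run it as `./remediate.sh apply` once the role from Step 3 exists; without the argument the functions are defined but nothing is sent to AWS.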

Hope you have enjoyed this article. To know more about AWS Config, please refer to the official documentation below.