A configuration package to enable AWS Config Rule automatic remediation for non-compliant environment changes. Detection uses AWS managed Config Rules, remediation is carried out by SSM Automation documents, and an IAM role with the permissions those documents need is included in the template. Because remediation runs automatically against every resource a rule flags, deploy with Automatic set to false first, review the non-compliant resources Config reports, and only then turn automatic remediation on. The following rules are available:

  • S3:
    • Enable S3 Object Versioning if disabled
    • Enable S3 Server-Side Encryption if disabled
    • Enable S3 Server Access Logging if disabled
  • EC2:
    • Stop or Terminate EC2 instances with public IPs
    • Stop or Terminate EC2 instances with unapproved type or tenancy mode
    • Stop or Terminate EC2 instances with unapproved AMIs
  • Other:
    • Automatically release Elastic IPs that are not attached to network interfaces

In addition to the rules above, the following configuration can be enabled:

  • AWS Config itself, which must be enabled before any Config Rule can be created
  • Email notifications: compliance change events for the Config Rules are matched by CloudWatch Events (EventBridge) rules and published to an SNS topic
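The email notification option matches Config compliance change events with an event rule and publishes them to SNS. The following is an added example, not code from the original package: a small offline model of EventBridge's exact-match pattern semantics in Python, applied to constructed "Config Rules Compliance Change" events, showing the pattern a practitioner would use so that only transitions to NON_COMPLIANT generate mail and the COMPLIANT event that follows a successful auto-remediation is dropped. The top-level event fields and detail field names follow the documented Config event shape; the sample events, the `summarize` subject format and the `notifications` helper are assumptions made for the example.

```python
"""Offline model of the EventBridge rule that mails Config compliance changes.

Added example: a minimal implementation of EventBridge's exact-match pattern
semantics, applied to constructed "Config Rules Compliance Change" events, to
show which events an SNS notification rule for NON_COMPLIANT transitions
would forward and which it would drop.
"""

# Pattern for the notification rule: every key must be present in the event, a
# list is an OR of exact values, and nested dicts match recursively. Only
# transitions to NON_COMPLIANT pass, so the COMPLIANT event that follows a
# successful auto-remediation does not generate a second mail.
NON_COMPLIANT_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "messageType": ["ComplianceChangeNotification"],
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
    },
}


def matches(pattern, event):
    """Return True if `event` satisfies `pattern` under the rules above."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def summarize(event):
    """Subject line for the SNS message (the format is an assumption)."""
    d = event["detail"]
    return (f"{d['configRuleName']}: {d['resourceType']} {d['resourceId']} "
            f"is {d['newEvaluationResult']['complianceType']}")


def notifications(events, pattern=NON_COMPLIANT_PATTERN):
    """Summaries of the events the rule would forward to SNS, in order."""
    return [summarize(e) for e in events if matches(pattern, e)]


def _event(rule, rtype, rid, new, old=None):
    """Build a constructed compliance-change event (not captured from AWS)."""
    detail = {
        "messageType": "ComplianceChangeNotification",
        "configRuleName": rule,
        "resourceType": rtype,
        "resourceId": rid,
        "newEvaluationResult": {"complianceType": new},
    }
    if old:  # the first evaluation of a resource carries no old result
        detail["oldEvaluationResult"] = {"complianceType": old}
    return {"version": "0", "source": "aws.config", "region": "us-east-1",
            "detail-type": "Config Rules Compliance Change", "detail": detail}


# Constructed sample: a bucket drifts out of compliance, auto-remediation
# fixes it, and a new instance with a public IP is evaluated for the first time.
SAMPLE_EVENTS = [
    _event("s3-bucket-versioning-enabled", "AWS::S3::Bucket", "example-bucket",
           "NON_COMPLIANT", "COMPLIANT"),
    _event("s3-bucket-versioning-enabled", "AWS::S3::Bucket", "example-bucket",
           "COMPLIANT", "NON_COMPLIANT"),
    _event("ec2-instance-no-public-ip", "AWS::EC2::Instance", "i-0123456789abcdef0",
           "NON_COMPLIANT"),
]

if __name__ == "__main__":
    print("\n".join(notifications(SAMPLE_EVENTS)))
```

Running the block prints two lines: the bucket's transition to NON_COMPLIANT and the instance's first evaluation; the bucket's return to COMPLIANT after remediation is filtered out. If you also want confirmation mail when remediation succeeds, add "COMPLIANT" to the `complianceType` list, but expect one mail per successful fix.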

AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
  ConfigRule1:
    Type: 'AWS::Config::ConfigRule'
    Properties:
      ConfigRuleName: s3-bucket-server-side-encryption-enabled
      Scope:
        ComplianceResourceTypes:
          - 'AWS::S3::Bucket'
      Description: Auto remediation configuration to enable S3 bucket encryption when a bucket is created without server-side encryption. Detection uses a managed AWS Config Rule and remediation is with SSM Automation.
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED
  RemediationForConfigRule1:
    Type: 'AWS::Config::RemediationConfiguration'
    Properties:
      # Automatic remediation requires both retry settings below: Config retries
      # up to MaximumAutomaticAttempts times within RetryAttemptSeconds before
      # marking the remediation as failed.
      Automatic: true
      ConfigRuleName:
        Ref: ConfigRule1
      MaximumAutomaticAttempts: 5
      RetryAttemptSeconds: 60
      # AWS-EnableS3BucketEncryption applies SSE-S3 (AES256) unless SSEAlgorithm
      # and KMSMasterKey are also passed as parameters.
      TargetId: AWS-EnableS3BucketEncryption
      TargetType: SSM_DOCUMENT
      TargetVersion: '1'
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - 'Fn::GetAtt':
                  - AutoRemediationIamRole
                  - Arn
        # RESOURCE_ID is the Config resource ID of the non-compliant resource,
        # which for AWS::S3::Bucket is the bucket name.
        BucketName:
          ResourceValue:
            Value: RESOURCE_ID
  AutoRemediationIamRole:
    Type: 'AWS::IAM::Role'
    Properties:
      # SSM Automation is the only service that assumes this role, so it is the
      # only trusted principal. Also trusting ec2.amazonaws.com or
      # events.amazonaws.com would let the role be attached to an EC2 instance
      # profile or used by an EventBridge rule, which nothing here requires.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ssm.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      # AmazonSSMAutomationRole supplies the EC2 stop/terminate actions used by
      # AWS-StopEC2Instance; the inline policies below add the S3 and EIP actions
      # the other documents call. The managed policy grants more than this
      # template uses, so review it before deploying to a production account.
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole'
      # Config picks the target resource at run time, so the S3 actions cannot
      # be scoped to named buckets; each policy is limited to the single API
      # call its document makes instead.
      Policies:
        - PolicyName: AllowPutEncryptionConfiguration
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: AllowPutEncryptionConfiguration
                Effect: Allow
                Action: 's3:PutEncryptionConfiguration'
                Resource: 'arn:aws:s3:::*'
        - PolicyName: AllowPutBucketVersioning
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: AllowPutBucketVersioning
                Effect: Allow
                Action: 's3:PutBucketVersioning'
                Resource: 'arn:aws:s3:::*'
        - PolicyName: ReleaseElasticIPPermissions
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: ReleaseElasticIPPermissions
                Effect: Allow
                Action: 'ec2:ReleaseAddress'
                Resource: '*'
  # Scopes iam:PassRole to this role's own ARN, so an automation step that
  # hands a role to another service can pass only this one.
  AutomationPassRolePolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: passAutomationRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - 'iam:PassRole'
            Resource:
              'Fn::GetAtt':
                - AutoRemediationIamRole
                - Arn
      Roles:
        - Ref: AutoRemediationIamRole
  ConfigRule2:
    Type: 'AWS::Config::ConfigRule'
    Properties:
      ConfigRuleName: s3-bucket-versioning-enabled
      Scope:
        ComplianceResourceTypes:
          - 'AWS::S3::Bucket'
      Description: Auto remediation configuration to configure S3 Bucket Versioning if versioning is not enabled at the time of bucket creation. Detection uses a managed AWS Config Rule and remediation is with SSM Automation.
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_VERSIONING_ENABLED
  RemediationForConfigRule2:
    Type: 'AWS::Config::RemediationConfiguration'
    Properties:
      Automatic: true
      ConfigRuleName:
        Ref: ConfigRule2
      MaximumAutomaticAttempts: 5
      RetryAttemptSeconds: 60
      TargetId: AWS-ConfigureS3BucketVersioning
      TargetType: SSM_DOCUMENT
      TargetVersion: '1'
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - 'Fn::GetAtt':
                  - AutoRemediationIamRole
                  - Arn
        BucketName:
          ResourceValue:
            Value: RESOURCE_ID
  ConfigRule4:
    Type: 'AWS::Config::ConfigRule'
    Properties:
      ConfigRuleName: ec2-instance-no-public-ip
      Scope:
        ComplianceResourceTypes:
          - 'AWS::EC2::Instance'
      Description: Auto remediation configuration to stop or terminate EC2 instances with public IP addresses. Detection uses a managed AWS Config Rule and remediation is with SSM Automation.
      Source:
        Owner: AWS
        SourceIdentifier: EC2_INSTANCE_NO_PUBLIC_IP
  RemediationForConfigRule4:
    Type: 'AWS::Config::RemediationConfiguration'
    Properties:
      Automatic: true
      ConfigRuleName:
        Ref: ConfigRule4
      MaximumAutomaticAttempts: 5
      RetryAttemptSeconds: 60
      # This variant stops the instance; substitute AWS-TerminateEC2Instance to
      # terminate it instead. Stopping releases an auto-assigned public IPv4
      # address, but the instance receives a new one when it is started again,
      # so the lasting fix is to correct the subnet or launch settings.
      TargetId: AWS-StopEC2Instance
      TargetType: SSM_DOCUMENT
      TargetVersion: '1'
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - 'Fn::GetAtt':
                  - AutoRemediationIamRole
                  - Arn
        # RESOURCE_ID for AWS::EC2::Instance is the instance ID (i-...).
        InstanceId:
          ResourceValue:
            Value: RESOURCE_ID
  ConfigRule9:
    Type: 'AWS::Config::ConfigRule'
    Properties:
      ConfigRuleName: eip-attached
      Scope:
        ComplianceResourceTypes:
          - 'AWS::EC2::EIP'
      Description: Auto remediation configuration to release unattached Elastic IPs. Detection uses a managed AWS Config Rule and remediation is with SSM Automation.
      Source:
        Owner: AWS
        SourceIdentifier: EIP_ATTACHED
  RemediationForConfigRule9:
    Type: 'AWS::Config::RemediationConfiguration'
    Properties:
      # Releasing an address cannot be undone by this template, and an EIP that
      # is unattached only briefly (for example while an instance is being
      # replaced) is released as well. Where addresses are allocated ahead of
      # use, keep Automatic false for this rule and remediate manually.
      Automatic: true
      ConfigRuleName:
        Ref: ConfigRule9
      MaximumAutomaticAttempts: 5
      RetryAttemptSeconds: 60
      TargetId: AWS-ReleaseElasticIP
      TargetType: SSM_DOCUMENT
      TargetVersion: '1'
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - 'Fn::GetAtt':
                  - AutoRemediationIamRole
                  - Arn
        AllocationId:
          ResourceValue:
            Value: RESOURCE_ID
Parameters: {}
Metadata: {}
Conditions: {}
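A remediation that is wired up wrongly does not produce an error at deploy time; the rule simply stays NON_COMPLIANT while the SSM execution fails. The following is an added example, not code from the original package: a Python preflight check over a CloudFormation template that has already been parsed into a dict (for example with PyYAML), covering the mechanism described at the top of the page and the template above. It verifies that each RemediationConfiguration references a ConfigRule in the same template, that the AutomationAssumeRole resolves to a role that ssm.amazonaws.com can assume and that trusts nothing else, that the parameter each SSM document needs is mapped, and that the role is allowed the API action the document calls. The document-to-parameter/action table and the subset of actions attributed to AmazonSSMAutomationRole are assumptions made for the example, as is the embedded sample template, which is a constructed, abbreviated copy of the structure above with one deliberately broken pair.

```python
"""Preflight checks for a Config auto-remediation template (added example).
Reports mistakes that make automatic remediation fail without any change in
compliance: a remediation that does not Ref a rule in the template, a role
SSM cannot assume or that trusts more than SSM, a missing document parameter,
and a role that lacks the API action the SSM document calls."""

# Assumed table: SSM Automation document -> (required parameter, IAM action).
# Names mirror the template above; confirm with `aws ssm describe-document`.
DOC_REQUIREMENTS = {
    "AWS-EnableS3BucketEncryption": ("BucketName", "s3:PutEncryptionConfiguration"),
    "AWS-ConfigureS3BucketVersioning": ("BucketName", "s3:PutBucketVersioning"),
    "AWS-StopEC2Instance": ("InstanceId", "ec2:StopInstances"),
    "AWS-ReleaseElasticIP": ("AllocationId", "ec2:ReleaseAddress"),
}
# Assumed subset of what AmazonSSMAutomationRole grants (the real policy is broader).
MANAGED_POLICY_ACTIONS = {"arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole": {
    "ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances"}}
SSM_PRINCIPAL = "ssm.amazonaws.com"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def role_actions(role):
    """Allowed IAM actions from inline policies plus known managed policies."""
    props = role["Properties"]
    actions = set()
    for arn in props.get("ManagedPolicyArns", []):
        actions |= MANAGED_POLICY_ACTIONS.get(arn, set())
    for policy in props.get("Policies", []):
        for stmt in policy["PolicyDocument"]["Statement"]:
            if stmt.get("Effect") == "Allow":
                actions.update(_as_list(stmt["Action"]))
    return actions

def trusted_services(role):
    """Service principals allowed to sts:AssumeRole into the role."""
    services = set()
    for stmt in role["Properties"]["AssumeRolePolicyDocument"]["Statement"]:
        if stmt.get("Effect") == "Allow":
            services.update(_as_list(stmt["Principal"].get("Service", [])))
    return services

def check_template(template):
    """Return a list of findings; an empty list means the checks passed."""
    res = template["Resources"]
    rules = {n for n, r in res.items() if r["Type"] == "AWS::Config::ConfigRule"}
    findings = []
    for name, r in res.items():
        if r["Type"] != "AWS::Config::RemediationConfiguration":
            continue
        p, doc = r["Properties"], r["Properties"]["TargetId"]
        if not (isinstance(p["ConfigRuleName"], dict) and p["ConfigRuleName"].get("Ref") in rules):
            findings.append(f"{name}: ConfigRuleName does not Ref a ConfigRule in this template")
        params = p.get("Parameters", {})
        needed_param, needed_action = DOC_REQUIREMENTS.get(doc, (None, None))
        if needed_param and needed_param not in params:
            findings.append(f"{name}: document {doc} needs parameter {needed_param}")
        try:  # AutomationAssumeRole is expected as Fn::GetAtt [RoleName, Arn]
            role_name = params["AutomationAssumeRole"]["StaticValue"]["Values"][0]["Fn::GetAtt"][0]
            role = res[role_name]
        except (KeyError, IndexError, TypeError):
            findings.append(f"{name}: AutomationAssumeRole must be Fn::GetAtt of a role in this template")
            continue
        trusted = trusted_services(role)
        if SSM_PRINCIPAL not in trusted:
            findings.append(f"{name}: role {role_name} is not assumable by {SSM_PRINCIPAL}")
        extra = sorted(trusted - {SSM_PRINCIPAL})
        if extra:
            findings.append(f"{name}: role {role_name} trusts more than SSM: {extra}")
        if needed_action and needed_action not in role_actions(role):
            findings.append(f"{name}: role {role_name} lacks {needed_action} for {doc}")
    return findings

# Constructed, abbreviated template in the shape of the one above: one sound pair
# and one broken pair (undefined rule, EC2-only trust, no AllocationId, no action).
def _role(services, actions):
    return {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Statement": [{"Effect": "Allow",
            "Principal": {"Service": services}, "Action": "sts:AssumeRole"}]},
        "Policies": [{"PolicyName": "inline", "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": actions, "Resource": "*"}]}}]}}

def _fix(rule, doc, role, extra_params):
    return {"Type": "AWS::Config::RemediationConfiguration", "Properties": {
        "Automatic": True, "ConfigRuleName": {"Ref": rule}, "TargetId": doc,
        "TargetType": "SSM_DOCUMENT", "MaximumAutomaticAttempts": 5, "RetryAttemptSeconds": 60,
        "Parameters": {"AutomationAssumeRole": {"StaticValue": {"Values": [
            {"Fn::GetAtt": [role, "Arn"]}]}}, **extra_params}}}

SAMPLE_TEMPLATE = {"Resources": {
    "GoodRole": _role(["ssm.amazonaws.com"], ["s3:PutBucketVersioning"]),
    "BadRole": _role("ec2.amazonaws.com", []),
    "VersioningRule": {"Type": "AWS::Config::ConfigRule", "Properties": {
        "Source": {"Owner": "AWS", "SourceIdentifier": "S3_BUCKET_VERSIONING_ENABLED"}}},
    "VersioningFix": _fix("VersioningRule", "AWS-ConfigureS3BucketVersioning", "GoodRole",
                          {"BucketName": {"ResourceValue": {"Value": "RESOURCE_ID"}}}),
    "EipFix": _fix("EipRule", "AWS-ReleaseElasticIP", "BadRole", {}),  # EipRule is undefined
}}
```

Calling `check_template(SAMPLE_TEMPLATE)` returns no findings for the versioning pair and five for the EIP pair (undefined rule, missing AllocationId, role not assumable by SSM, role trusting ec2.amazonaws.com, role lacking ec2:ReleaseAddress). To run it against the real template, load the YAML into a dict first; the intrinsic functions in this template are written in long form (`Fn::GetAtt`, `Ref` as mapping keys), which the checks expect, so no custom YAML tags are needed.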
