SecurityConfig / AwsConfig / AwsConfigRuleSet / ConfigRule / ConfigRuleRemediation

A remediation for the config rule: with auto remediation enabled, AWS Config automatically remediates noncompliant resources.

Example

Managed Config rule with remediation:

- name: accelerator-s3-bucket-server-side-encryption-enabled
  identifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED
  complianceResourceTypes:
    - AWS::S3::Bucket
  remediation:
    rolePolicyFile: path/to/policy.json
    automatic: true
    targetId: Put-S3-Encryption
    retryAttemptSeconds: 60
    maximumAutomaticAttempts: 5
    parameters:
      - name: BucketName
        value: RESOURCE_ID
        type: String
      - name: KMSMasterKey
        value: ${ACCEL_LOOKUP::KMS}
        type: StringList

Hierarchy

  • ConfigRuleRemediation

Implements

Constructors

Properties

automatic: true = true

The remediation is triggered automatically.

excludeRegions: string[] = []

List of AWS Region names to be excluded from applying remediation.

maximumAutomaticAttempts: 0 = 0

The maximum number of failed attempts for auto-remediation. If you do not select a number, the default is 5.

For example, if you specify MaximumAutomaticAttempts as 5 with RetryAttemptSeconds as 50 seconds, AWS Config will put a RemediationException on your behalf for the failing resource after the 5th failed attempt within 50 seconds.

parameters: never[] = []

List of remediation parameters.

retryAttemptSeconds: 0 = 0

Maximum time in seconds that AWS Config runs auto-remediation. If you do not select a number, the default is 60 seconds.

For example, if you specify RetryAttemptSeconds as 50 seconds and MaximumAutomaticAttempts as 5, AWS Config will run auto-remediations 5 times within 50 seconds before throwing an exception.

rolePolicyFile: "" = ''

Remediation assume-role policy definition JSON file. This file must be present in the config repository.

Create your own custom remediation actions using AWS Systems Manager Automation documents. When a role needs to be created to perform custom remediation actions, the permissions of that role are defined in this file.

targetAccountName: "" = ''

Name of the account owning the public document used to perform custom remediation actions. The Accelerator creates these documents in the Audit account and shares them with other accounts.

targetDocumentLambda: {
    handler: string;
    rolePolicyFile: string;
    runtime: string;
    sourceFilePath: string;
    timeout: number;
} = ...

Target SSM document remediation Lambda function.

Type declaration

  • handler: string

    The name of the method within your code that Lambda calls to execute your function. The format includes the file name. It can also include namespaces and other qualifiers, depending on the runtime. For more information, see https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-features.html#gettingstarted-features-programmingmodel.

  • rolePolicyFile: string

    Lambda execution role policy definition file.

  • runtime: string

    The runtime environment for the Lambda function that you are uploading. For valid values, see the Runtime property in the AWS Lambda Developer Guide.

  • sourceFilePath: string

    The source code file path of your Lambda function. This is a zip file containing the Lambda function; it must be available in the config repository.

  • timeout: number

    Lambda function execution timeout in seconds.

targetId: "" = ''

Target ID is the name of the public document: the AWS SSM document used to perform custom remediation actions.

targetVersion: "" = ''

Version of the target. For example, version of the SSM document.

If you make backward incompatible changes to the SSM document, you must call PutRemediationConfiguration API again to ensure the remediations can run.
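Putting the properties above together, here is an added TypeScript example (not LZA's own code) that turns a remediation entry into the AWS Config RemediationConfiguration shape, applying the defaults documented on this page and mapping RESOURCE_ID to a resource value rather than a static one. The `lookups` table standing in for ${ACCEL_LOOKUP::...} resolution and the comma-splitting of StringList values are assumptions.

```typescript
// Added example, not LZA's own code: render a ConfigRuleRemediation entry as the
// AWS Config RemediationConfiguration shape, applying the defaults this page documents.
// `lookups` is an assumption standing in for the accelerator's ${ACCEL_LOOKUP::...}
// resolution; 1..25 and 1..2678000 are the AWS Config API limits for the retry fields.
interface RemediationParameter { name: string; value: string; type: "String" | "StringList" }
interface ConfigRuleRemediation {
  automatic?: boolean; targetId: string; targetVersion?: string;
  maximumAutomaticAttempts?: number; retryAttemptSeconds?: number;
  parameters?: RemediationParameter[];
}
type AwsParam =
  | { ResourceValue: { Value: "RESOURCE_ID" } } // ID of the non-compliant resource, injected per execution
  | { StaticValue: { Values: string[] } };      // fixed value(s) known at deploy time
export function toRemediationConfiguration(r: ConfigRuleRemediation, lookups: Record<string, string>) {
  if (!r.targetId) throw new Error("targetId (SSM document name) is required");
  const attempts = r.maximumAutomaticAttempts ?? 5; // default documented above
  const retry = r.retryAttemptSeconds ?? 60;        // default documented above
  if (attempts < 1 || attempts > 25) throw new Error("maximumAutomaticAttempts must be 1..25");
  if (retry < 1 || retry > 2678000) throw new Error("retryAttemptSeconds must be 1..2678000");
  const Parameters: Record<string, AwsParam> = {};
  for (const p of r.parameters ?? []) {
    if (p.value === "RESOURCE_ID") {
      // RESOURCE_ID is the one dynamic value AWS Config supports; never emit it as a static string.
      Parameters[p.name] = { ResourceValue: { Value: "RESOURCE_ID" } };
      continue;
    }
    const resolved = p.value.replace(/\$\{ACCEL_LOOKUP::([A-Za-z0-9_]+)\}/g, (_m, key) => {
      if (!(key in lookups)) throw new Error(`unresolved lookup ${key}`);
      return lookups[key];
    });
    // Assumption: a StringList value is comma-separated once resolved.
    const Values = p.type === "StringList" ? resolved.split(",") : [resolved];
    Parameters[p.name] = { StaticValue: { Values } };
  }
  return {
    TargetType: "SSM_DOCUMENT", TargetId: r.targetId, TargetVersion: r.targetVersion,
    Automatic: r.automatic ?? true, MaximumAutomaticAttempts: attempts,
    RetryAttemptSeconds: retry, Parameters,
  };
}

// Constructed input mirroring the page's example.
export const sampleRemediation: ConfigRuleRemediation = {
  automatic: true, targetId: "Put-S3-Encryption", retryAttemptSeconds: 60, maximumAutomaticAttempts: 5,
  parameters: [
    { name: "BucketName", value: "RESOURCE_ID", type: "String" },
    { name: "KMSMasterKey", value: "${ACCEL_LOOKUP::KMS}", type: "StringList" },
  ],
};
```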

Generated using TypeDoc