5.2 - PaulDuvall/aws-compliance-workshop GitHub Wiki
Review and ensure that you have set up your development environment before going through the steps below.
- Go to the AWS Config console.
- Click the Add Rule button.
- Type `eip` in the textbox and select eip-attached from the managed Config Rules.
- Click Save.
- Once saved, click the rule and copy the Config rule ARN for later.
- Go to AWS IAM.
- Click on Roles.
- Click Create role.
- Select EC2 and click Next: Permissions.
- Type `SSM` and choose the checkbox next to AmazonSSMAutomationRole and click Next: Tags.
- Click Next: Review.
- Type `ccoa-5-ssm-role` for the Role name and click Create role.
- From the AWS IAM console, select Roles.
- Select the ccoa-5-ssm-role IAM Role you just created.
- Click the Trust relationships tab.
- Click the Edit Trust Relationship button.
- Paste the contents from below into the text area to add events and ssm as trusted entities.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ssm.amazonaws.com",
          "ec2.amazonaws.com",
          "events.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
- Click the Update Trust Policy button.
- Click on the Permissions tab.
- Click on the Add inline policy link.
- Click on the JSON tab and replace the text area with the contents below (replacing `ACCOUNTID` with your AWS Account Id).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::ACCOUNTID:role/ccoa-5-ssm-role",
      "Effect": "Allow"
    }
  ]
}
```
- Click the Review Policy button.
- Enter the name `passAutomationRole` and click the Create policy button.
- Click on the Permissions tab again.
- Click on the Add inline policy link.
- Click on the JSON tab and replace the text area with the contents below (replacing `ACCOUNTID` with your AWS Account Id).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "ec2:ReleaseAddress",
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "ReleaseElasticIPPermissions"
    }
  ]
}
```
- Click the Review Policy button.
- Enter the name `ReleaseElasticIPPermissions` and click the Create policy button.
- Select the role and copy the Role ARN to use later.
- Go to Amazon CloudWatch.
- Click on Rules.
- Click the Create Rule button.
- With the Event Pattern radio button selected, click on the Edit link.
- Paste the contents below replacing the value of configRuleARN with the Config Rule ARN you saved when creating your Config Rule. If you do not recall the name, go back to AWS Config, select Rules, select the rule you created, and copy the value for Config rule ARN.
```json
{
  "detail-type": [
    "Config Rules Compliance Change"
  ],
  "source": [
    "aws.config"
  ],
  "detail": {
    "configRuleARN": [
      "arn:aws:config:us-east-1:ACCOUNTID:config-rule/config-rule-abcdef"
    ],
    "newEvaluationResult": {
      "complianceType": [
        "NON_COMPLIANT"
      ]
    }
  }
}
```
- In the Targets area, choose SSM Automation.
- For the Document, choose AWS-ReleaseElasticIP.
- Choose Input Transformer and paste the following in the first text field:

```json
{"eipalloc":"$.detail.resourceId"}
```

- Then, paste the following in the next text field (replacing `ACCOUNTID` with your AWS Account Id):

```
{"AllocationId":[<eipalloc>],"AutomationAssumeRole":["arn:aws:iam::ACCOUNTID:role/ccoa-5-ssm-role"]}
```
- Select the Use existing role radio button, type `ccoa-5-ssm-role`, and click the Configure details button.
- In the Name field, enter `ccoa-6-cwe-eip-rule` and click the Create rule button.
- Go to the Elastic IPs within the EC2 console.
- Click Allocate new address (and create a few of these).
- Choose from the Amazon pool and click Allocate.
- Go back to the AWS Config console.
- Choose Rules.
- Choose the eip-attached rule and click the Re-evaluate button.
- Go to the EC2 console and click on Elastic IPs to verify the unattached Elastic IPs have been removed.
You can inspect the Automation document the rule invokes with the AWS CLI:

```shell
aws ssm describe-document --name "AWS-ReleaseElasticIP"
```
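To see how the pieces configured above fit together, here is an added Python example (not part of the workshop) that applies the rule's event pattern and Input Transformer to a constructed Config compliance-change event and produces the parameters that would be handed to the AWS-ReleaseElasticIP automation. The pattern matching and JSONPath handling are simplified to the forms used on this page, and `ACCOUNTID` and `config-rule-abcdef` are placeholders.

```python
import json

# Values mirror the page's configuration; ACCOUNTID and config-rule-abcdef are placeholders.
CONFIG_RULE_ARN = "arn:aws:config:us-east-1:ACCOUNTID:config-rule/config-rule-abcdef"
AUTOMATION_ROLE_ARN = "arn:aws:iam::ACCOUNTID:role/ccoa-5-ssm-role"
# The CloudWatch Events pattern entered for the rule above.
EVENT_PATTERN = {
    "detail-type": ["Config Rules Compliance Change"],
    "source": ["aws.config"],
    "detail": {"configRuleARN": [CONFIG_RULE_ARN],
               "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]}},
}
# The two Input Transformer fields: the path map, then the template.
INPUT_PATHS = {"eipalloc": "$.detail.resourceId"}
INPUT_TEMPLATE = ('{"AllocationId":[<eipalloc>],'
                  '"AutomationAssumeRole":["' + AUTOMATION_ROLE_ARN + '"]}')
# Constructed sample event; the layout follows the Config compliance-change event.
SAMPLE_EVENT = {
    "detail-type": "Config Rules Compliance Change",
    "source": "aws.config",
    "detail": {"resourceId": "eipalloc-0123456789abcdef0",
               "configRuleARN": CONFIG_RULE_ARN,
               "newEvaluationResult": {"complianceType": "NON_COMPLIANT"}},
}

def matches(pattern, event):
    # Simplified pattern matching: every pattern key must be present in the event;
    # a list means "the event value is one of these", a nested dict recurses.
    for key, want in pattern.items():
        if key not in event:
            return False
        if isinstance(want, dict):
            if not isinstance(event[key], dict) or not matches(want, event[key]):
                return False
        elif event[key] not in want:
            return False
    return True

def build_automation_input(event):
    # The SSM Automation parameters the rule would send, or None when the event
    # does not match (a COMPLIANT result, or an evaluation from a different rule).
    if not matches(EVENT_PATTERN, event):
        return None
    rendered = INPUT_TEMPLATE
    for name, path in INPUT_PATHS.items():
        node = event
        for part in path[2:].split("."):  # walk the "$.a.b" path into the event
            node = node[part]
        rendered = rendered.replace("<" + name + ">", json.dumps(node))  # inserted JSON-quoted
    return json.loads(rendered)
```

Only a NON_COMPLIANT evaluation from this specific rule yields parameters; a COMPLIANT change for the same address, or any other rule's evaluation, produces nothing and so never triggers a release.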
Go to Cleanup to remove any resources you created in this sublesson.