5.3 - PaulDuvall/aws-compliance-workshop GitHub Wiki

5.3 Run an AWS Config Rule auto remediation routine from CloudFormation

Review and ensure that you have set up your development environment before going through the steps below. Also, go to Disable AWS Config to disable any existing AWS Config resources: an account can have only one Configuration Recorder per region, and the template in this sublesson creates its own.

Elastic IP Auto Remediation in CloudFormation

  1. Change the directory.
cd ~/environment/ccoa
  2. Create a new file.
touch ccoa-5-config-recorder.yml
  3. Copy the source contents from the ccoa-5-config-recorder.yml file into the new ccoa-5-config-recorder.yml file in your Cloud9 environment and save it. This template provisions an AWS Config Recorder and Delivery Channel.

Launch the CloudFormation stack to enable the ConfigRecorder

From your AWS Cloud9 environment, run the following command:

aws cloudformation create-stack --stack-name ccoa-5-config-recorder --template-body file:///home/ec2-user/environment/ccoa/ccoa-5-config-recorder.yml --capabilities CAPABILITY_NAMED_IAM --disable-rollback

Launch Config Rule for Elastic IP Auto Remediation

  1. Create a new file.
touch ccoa-5-ec2-eip-remediation.yml
  2. Copy the source contents from the ccoa-5-ec2-eip-remediation.yml file into the new ccoa-5-ec2-eip-remediation.yml file in your Cloud9 environment and save it. This template provisions an AWS Config Rule that detects unattached Elastic IP addresses and an auto remediation that releases them.
  3. Run the EIP Config Rule Remediation stack by typing the following from your Cloud9 terminal:

aws cloudformation create-stack --stack-name ccoa-5-eip --template-body file:///home/ec2-user/environment/ccoa/ccoa-5-ec2-eip-remediation.yml --capabilities CAPABILITY_NAMED_IAM --disable-rollback
  4. Once the CloudFormation stack has completed successfully, go to the AWS Config Rules console, choose the eip-attached rule and click the Re-evaluate button.
  5. Then, go to Elastic IPs within the EC2 console.
  6. Click Allocate new address (and create a few of these).
  7. Choose from the Amazon pool and click Allocate.
  8. Wait a few minutes for the rule to evaluate and the remediation action to run, then go back to Elastic IPs and verify that the unattached EIPs have been released.
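The console steps above hide what the remediation template actually wires together. The script below is an added example, not the workshop's ccoa-5-ec2-eip-remediation.yml: it renders a minimal template with the managed EIP_ATTACHED rule, an automatic remediation that runs the AWS-ReleaseElasticIP Automation document, and a remediation role that trusts only SSM and can only release addresses, then deploys it, allocates two test EIPs and polls the rule until nothing is left NON_COMPLIANT. The stack, rule and role names are assumptions; it is invoked as `sh eip-remediation.sh run` from a Cloud9 terminal with the AWS CLI configured.

```shell
# Added example, not the workshop's template or scripts. Assumed names: stack
# ccoa-5-eip-demo, rule eip-attached, role ccoa-eip-remediation-role.
# Usage: sh eip-remediation.sh run
set -eu

STACK="${STACK:-ccoa-5-eip-demo}"
RULE="eip-attached"

# Print the CloudFormation template. Config passes the EIP's allocation ID
# (its Config resource ID) into the document's AllocationId parameter; the
# role the document assumes trusts only SSM and may only release addresses.
render_eip_template() {
  cat <<'EOF'
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  RemediationRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: ccoa-eip-remediation-role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: ssm.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: release-eip
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: ec2:ReleaseAddress
                Resource: '*'
  EipAttachedRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: eip-attached
      Scope:
        ComplianceResourceTypes: [AWS::EC2::EIP]
      Source:
        Owner: AWS
        SourceIdentifier: EIP_ATTACHED
  EipRemediation:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: !Ref EipAttachedRule
      TargetType: SSM_DOCUMENT
      TargetId: AWS-ReleaseElasticIP
      Automatic: true
      MaximumAutomaticAttempts: 5
      RetryAttemptSeconds: 60
      Parameters:
        AllocationId:
          ResourceValue:
            Value: RESOURCE_ID
        AutomationAssumeRole:
          StaticValue:
            Values:
              - !GetAtt RemediationRole.Arn
EOF
}

# Create or update the stack and wait for it to finish. No --disable-rollback:
# a failed deploy should not leave half-built IAM and Config resources behind.
deploy() {
  render_eip_template > "/tmp/$STACK.yml"
  aws cloudformation deploy --stack-name "$STACK" --template-file "/tmp/$STACK.yml" \
    --capabilities CAPABILITY_NAMED_IAM
}

# Force an evaluation, then poll until no EIP is reported NON_COMPLIANT;
# on timeout, dump the remediation execution status for troubleshooting.
watch_remediation() {
  aws configservice start-config-rules-evaluation --config-rule-names "$RULE"
  for _ in $(seq 20); do
    sleep 30
    left=$(aws configservice get-compliance-details-by-config-rule \
      --config-rule-name "$RULE" --compliance-types NON_COMPLIANT \
      --query 'length(EvaluationResults)' --output text)
    echo "non-compliant EIPs: $left"
    [ "$left" = "0" ] && return 0
  done
  aws configservice describe-remediation-execution-status --config-rule-name "$RULE"
  return 1
}

if [ "${1:-}" = "run" ]; then
  deploy
  # Two unattached test EIPs give the rule something to remediate.
  for _ in 1 2; do aws ec2 allocate-address --domain vpc --query AllocationId --output text; done
  watch_remediation
  # Should print nothing once the remediation has released them.
  aws ec2 describe-addresses --query 'Addresses[?!AssociationId].AllocationId' --output text
fi
```

The role is deliberately limited to ec2:ReleaseAddress; an automatic remediation runs unattended, so the role it assumes is the blast radius if the rule ever misfires. Releasing an EIP is irreversible, so on a shared account set Automatic to false first and trigger remediation by hand from the Config console until you trust the rule.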

Additional Exercises

Get a list of SSM Documents

aws ssm list-documents --filters Key=DocumentType,Values=Automation

Manual Remediation with an SSM Automation Document (Example)

The same documents that AWS Config runs as remediation actions can be started by hand. The values below are placeholders: the trail and bucket names are whatever you want to create, and the AutomationAssumeRole must already exist and trust ssm.amazonaws.com.

aws ssm start-automation-execution --document-name AWS-EnableCloudTrail --parameters TrailName=my-trail,S3BucketName=mybucket,AutomationAssumeRole=arn:aws:iam::123456789012:role/AutomationRole
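start-automation-execution returns as soon as the execution is queued, so the command above tells you nothing about whether the trail was actually created. The wrapper below is an added example, not part of the workshop: it starts the document, polls get-automation-execution until the status is terminal, and prints the failure message and failed steps if it did not succeed. The document name and parameter values are the page's placeholders, and the terminal-status list is the one I rely on in practice (Success, Failed, TimedOut, Cancelled, Rejected).

```shell
# Added example (not from the workshop). Usage: sh run-automation.sh run
set -eu

# Terminal AutomationExecutionStatus values; anything else (Pending,
# InProgress, Waiting, Cancelling, ...) means the execution is still running.
is_terminal_status() {
  case "$1" in
    Success|Failed|TimedOut|Cancelled|Rejected) return 0 ;;
    *) return 1 ;;
  esac
}

# run_automation_and_wait DOCUMENT "Key=Value,Key=Value"
# Starts the document, polls every 10 s, and on anything but Success prints
# the failure message and the non-successful steps, then returns non-zero.
run_automation_and_wait() {
  doc="$1"; params="$2"
  id=$(aws ssm start-automation-execution --document-name "$doc" \
         --parameters "$params" --query AutomationExecutionId --output text)
  echo "$doc started as $id"
  while :; do
    status=$(aws ssm get-automation-execution --automation-execution-id "$id" \
               --query AutomationExecution.AutomationExecutionStatus --output text)
    is_terminal_status "$status" && break
    sleep 10
  done
  echo "$id: $status"
  [ "$status" = "Success" ] && return 0
  aws ssm get-automation-execution --automation-execution-id "$id" \
    --query 'AutomationExecution.{Failure:FailureMessage,Steps:StepExecutions[?StepStatus!=`Success`].[StepName,StepStatus]}'
  return 1
}

if [ "${1:-}" = "run" ]; then
  # Placeholder values from the page; the role must exist and trust ssm.amazonaws.com.
  run_automation_and_wait AWS-EnableCloudTrail \
    "TrailName=my-trail,S3BucketName=mybucket,AutomationAssumeRole=arn:aws:iam::123456789012:role/AutomationRole"
fi
```

The most common failure for this particular document is an AutomationAssumeRole that SSM cannot assume or that lacks cloudtrail:CreateTrail and s3 permissions on the bucket; the step listing shows which step hit it.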

Create CloudFormation stack for CloudTrail Log File Validation Config Rule

  1. Change the directory.
cd ~/environment/ccoa
  2. Create a new file.
touch ccoa-5-cloudtrail.yml
  3. Copy the source contents from the ccoa-5-cloudtrail.yml file into the new ccoa-5-cloudtrail.yml file in your Cloud9 environment and save it. This template provisions an AWS Config Rule that checks whether AWS CloudTrail creates a signed digest file with its logs. The rule is noncompliant if log file validation is not enabled.

Launch the CloudFormation stack to enable the Config Rules

From your AWS Cloud9 environment, run the following command:

aws cloudformation create-stack --stack-name ccoa-5-cloudtrail --template-body file:///home/ec2-user/environment/ccoa/ccoa-5-cloudtrail.yml --capabilities CAPABILITY_NAMED_IAM --disable-rollback

Check CloudFormation stack status

aws cloudformation describe-stacks --stack-name ccoa-5-cloudtrail

or, go to the CloudFormation console.

View AWS Config Rules

Launch AWS Config Rules console.

Update CloudTrail Settings for a Trail

  1. Go to CloudTrail Settings.
  2. Select one of the trails.
  3. Scroll down to Storage location and click on the Edit Pencil icon.
  4. Select the Yes radio button for Enable log file validation.
  5. Click Save.
  6. Go back to the AWS Config Rules console and re-evaluate the rule; it should now report the trail as compliant.
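The console steps above can be done from the CLI, and the CLI also lets you confirm that the signed digests really chain together, which the Config rule does not check. The script below is an added example, not part of the workshop: it turns on log file validation for a trail only if it is off, asks Config to re-evaluate the rule immediately, and later runs validate-logs over the last 24 hours. The rule name cloud-trail-log-file-validation-enabled is an assumption, as is the shape of the date command (GNU first, BSD as fallback).

```shell
# Added example (not from the workshop). Usage: sh trail-validation.sh run <trail-name>
set -eu

RULE="${RULE:-cloud-trail-log-file-validation-enabled}"

# Reads `aws cloudtrail describe-trails` JSON on stdin; exit 0 only if the
# trail already has LogFileValidationEnabled set to true.
validation_enabled_in() {
  grep -Eq '"LogFileValidationEnabled":[[:space:]]*true'
}

# Epoch seconds to the ISO 8601 UTC form that validate-logs expects.
# GNU date takes -d @epoch; BSD/macOS date takes -r epoch (assumed fallback).
iso_utc() {
  date -u -d "@$1" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -u -r "$1" +%Y-%m-%dT%H:%M:%SZ
}

# Turn on log file validation if it is off, then ask Config to re-evaluate
# now instead of waiting for the next configuration-change trigger.
enable_validation() {
  trail="$1"
  if aws cloudtrail describe-trails --trail-name-list "$trail" | validation_enabled_in; then
    echo "$trail: log file validation already enabled"
  else
    aws cloudtrail update-trail --name "$trail" --enable-log-file-validation >/dev/null
    echo "$trail: log file validation enabled"
  fi
  aws configservice start-config-rules-evaluation --config-rule-names "$RULE"
}

# Verify the signed digest chain for the last 24 hours. CloudTrail writes a
# digest roughly hourly, so run this a while after enabling validation.
validate_recent_logs() {
  arn=$(aws cloudtrail describe-trails --trail-name-list "$1" \
          --query 'trailList[0].TrailARN' --output text)
  aws cloudtrail validate-logs --trail-arn "$arn" \
    --start-time "$(iso_utc $(( $(date +%s) - 86400 )))"
}

if [ "${1:-}" = "run" ]; then
  enable_validation "${2:?trail name required}"
  sleep 60
  aws configservice describe-compliance-by-config-rule --config-rule-names "$RULE" \
    --query 'ComplianceByConfigRules[0].Compliance.ComplianceType' --output text
  validate_recent_logs "$2"
fi
```

Enabling validation only makes future digests signed; validate-logs reports the gap for any hour before that, so a COMPLIANT rule and a clean validate-logs run are two different assurances and you want both.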

Additional Resources

Cleanup

Go to Cleanup to remove any resources you created in this sublesson.