Tuesday, September 30, 2025

AWS Config Remediations | Overview.


Scope:

  • Intro, 
  • Types of Remediation,
  • Common Examples,
  • Key Components,
  • Configuration Limits,
  • The Concept of Remediation in AWS Config (deep dive),
  • Remediation Lifecycle (from detection to remediation),
  • Remediation Architecture flow,
  • Remediation Integrations,
  • Types of Remediation (deep dive),
  • Common AWS-Managed Remediation Actions (Samples of built-in remediations),
  • Best Practices.

Intro:

    • AWS Config remediation allows twtech to address noncompliant resources detected by its AWS Config rules, either automatically or manually.
    • This process uses AWS Systems Manager (SSM) Automation documents to define and execute the corrective actions.

Types of Remediation

    • Automatic Remediation: AWS Config triggers a specified SSM Automation document as soon as a resource is flagged as noncompliant.
    • Manual Remediation: twtech must navigate to the AWS Config console and manually initiate the remediation action for a specific noncompliant resource.

Common Examples

    • S3 Buckets: Automatically enable S3 Bucket Encryption or S3 Bucket Versioning for noncompliant buckets.
    • Security Groups: Revoke unrestricted ingress rules for sensitive ports like SSH (port 22).
    • EC2 Instances: Stop instances that are missing required public IP restrictions or tags.
    • RDS Databases: Encrypt unencrypted Amazon RDS instances or clusters automatically.

Key Components

    • SSM Automation Document: The runbook that performs the actual fix.
    • Remediation Action: The link between a Config rule and its corresponding SSM document.
    • AutomationAssumeRole: An IAM role that provides Systems Manager with the necessary permissions to execute actions on twtech's behalf.
    • Resource ID Parameter: A setting that maps the noncompliant resource's ID (e.g., BucketName or InstanceId) into the SSM document.

Configuration Limits

    • Retries: twtech can configure the number of retry attempts and the time interval between them if a remediation fails.
    • Rate Limits: twtech can set concurrent execution rates to avoid hitting API throttling limits during bulk remediations.
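The components and limits listed above, tied together in one CloudFormation template. This is an added example, not code from the original post: it pairs the AWS-managed S3_BUCKET_VERSIONING_ENABLED rule with the AWS-managed AWS-ConfigureS3BucketVersioning runbook, and the rule name, the role and its s3-versioning-only policy, and the retry and rate values are assumed values chosen for the example.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example (not from the original post): a Config rule for S3 bucket
  versioning wired to the AWS-managed AWS-ConfigureS3BucketVersioning runbook,
  with retries, a concurrency limit and a least-privilege AutomationAssumeRole.

Resources:
  # Detective side: managed rule that flags buckets without versioning.
  S3VersioningRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: s3-bucket-versioning-enabled   # assumed name
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_VERSIONING_ENABLED

  # AutomationAssumeRole: Systems Manager assumes this while running the fix.
  # Least privilege: it can only read and change bucket versioning, nothing else.
  RemediationRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ssm.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: s3-versioning-only   # assumed name
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - s3:GetBucketVersioning
                  - s3:PutBucketVersioning
                Resource: arn:aws:s3:::*   # narrow to specific bucket ARNs where possible

  # Remediation Action: the link between the rule and the runbook.
  S3VersioningRemediation:
    Type: AWS::Config::RemediationConfiguration
    DependsOn: S3VersioningRule
    Properties:
      ConfigRuleName: s3-bucket-versioning-enabled
      TargetType: SSM_DOCUMENT
      TargetId: AWS-ConfigureS3BucketVersioning   # AWS-managed runbook
      ResourceType: AWS::S3::Bucket
      Automatic: true                 # false = manual remediation from the console
      MaximumAutomaticAttempts: 3     # retries (Config allows 1-25)
      RetryAttemptSeconds: 60         # interval between retries
      ExecutionControls:
        SsmControls:
          ConcurrentExecutionRatePercentage: 10  # rate limit for bulk remediations
          ErrorPercentage: 10                    # stop if more than 10% of runs fail
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - !GetAtt RemediationRole.Arn
        BucketName:
          ResourceValue:
            Value: RESOURCE_ID   # Resource ID Parameter: Config injects the bucket name
        VersioningState:
          StaticValue:
            Values:
              - Enabled
```

Deploy it with `aws cloudformation deploy --template-file remediation.yaml --stack-name s3-versioning-remediation --capabilities CAPABILITY_IAM`. Flipping `Automatic` to `false` keeps everything else the same and gives the manual variant, where the action appears in the Config console and must be started by an operator; that is the safer first step before switching to automatic.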

1. The Concept of Remediation in AWS Config (deep dive)

    • AWS Config rules can detect non-compliant resources.
    • By default, AWS Config rules only report non-compliance; they do not change anything.
    • Remediation is the automation layer that fixes drift when non-compliance occurs.
    • Remediation Actions: Defined, automated steps triggered by Config when a resource is non-compliant.
    • Execution Engine: Uses SSM Automation Documents (SSM Documents).
    • Scope: Can be scoped (configured) to specific resource types or all resources the rule applies to.

2. Remediation Lifecycle (from detection to remediation):

Rule Trigger
    • Config Rule runs (event-based or periodic).
    • Evaluates a resource’s compliance status.
Non-Compliance Detected
    • Rule returns NON_COMPLIANT for a resource.
Remediation Association
    • Config looks for an Auto-Remediation or Manual Remediation linked to the rule.
Execution
    • If auto-remediation is enabled, it runs immediately.
    • If manual, an operator must trigger it via the console, CLI or API.
    • Config invokes SSM Automation Document (SSM Doc) with parameters.
Automation Execution
    • SSM Automation carries out steps (e.g., stop an EC2 instance, detach a policy, encrypt a volume).
    • Supports conditional logic, approvals, rollback.
Result Recording
    • Execution status sent back to Config.
    • Compliance re-evaluated after remediation.
    • Logs/audit trail stored in CloudTrail + Config Recorder + optionally in CloudWatch Logs/S3.

3. Remediation Architecture flow


4. Remediation Integrations

AWS Systems Manager (SSM)
    • SSM Docs (Automation runbooks) are the execution engine.
    • Can use AWS-provided or custom documents.
CloudTrail
    • Audits automation execution (who/what/when).
CloudWatch Events / EventBridge
    • Capture remediation start/stop/failure events.
    • Trigger alerts, Slack notifications, ticketing workflows.
SNS / ChatOps
    • Notify security/ops teams about remediation actions.
Service Catalog + Control Tower
    • Predefined remediation runbooks across accounts.
Security Hub
    • Config compliance findings feed into Security Hub, where remediations can be orchestrated.

5. Types of Remediation (deep dive)

Auto-Remediation
    • Fully automated.
    • Example: Encrypt unencrypted S3 buckets automatically.
Manual Remediation
    • Requires operator trigger.
    • Example: Approve security group rule removal before execution.

6. Common AWS-Managed Remediation Actions (Samples of built-in remediations):

    • Attach IAM policy: AWS-AttachIAMPolicy
    • Stop non-compliant EC2 instance: AWS-StopEC2Instance
    • Enable encryption on EBS: AWS-EnableEBSVolumeEncryption
    • Enable CloudTrail: AWS-EnableCloudTrail

NB:

  • twtech can chain multiple actions inside custom SSM Documents (AWS Systems Manager, formerly known in AWS as Amazon Simple Systems Manager, hence "SSM").
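A custom runbook that chains several actions and uses the conditional logic and rollback step mentioned in the lifecycle section. This is an added example written for this post, not an AWS-managed document: the step names, the ConfigRemediation tag and the no-op terminal step are chosen for the example, and the InstanceId parameter is the one Config fills in through the Resource ID parameter (RESOURCE_ID) mapping when the document is attached as a remediation action.

```yaml
description: >-
  Added example runbook (not from the original post): stop a non-compliant EC2
  instance, tag it with the rule that triggered the fix, and roll back (start it
  again) if tagging fails so the instance is never left half-remediated.
schemaVersion: '0.3'
assumeRole: '{{ AutomationAssumeRole }}'
parameters:
  InstanceId:
    type: String
    description: Instance flagged NON_COMPLIANT; Config supplies it via RESOURCE_ID.
  ConfigRuleName:
    type: String
    description: Name of the Config rule that triggered the remediation (audit tag).
  AutomationAssumeRole:
    type: String
    description: ARN of the IAM role Systems Manager assumes for this execution.
mainSteps:
  # Step 1: record the state before touching anything (audit trail + rollback input).
  - name: RecordOriginalState
    action: aws:executeAwsApi
    inputs:
      Service: ec2
      Api: DescribeInstances
      InstanceIds:
        - '{{ InstanceId }}'
    outputs:
      - Name: OriginalState
        Selector: $.Reservations[0].Instances[0].State.Name
        Type: String

  # Step 2 (conditional logic): only running instances need the stop action.
  - name: BranchOnState
    action: aws:branch
    inputs:
      Choices:
        - NextStep: StopInstance
          Variable: '{{ RecordOriginalState.OriginalState }}'
          StringEquals: running
      Default: NothingToDo

  # Step 3: the actual fix; this action waits until the instance reports "stopped".
  - name: StopInstance
    action: aws:changeInstanceState
    onFailure: Abort
    inputs:
      InstanceIds:
        - '{{ InstanceId }}'
      DesiredState: stopped

  # Step 4: leave an audit marker. If this fails, jump to the rollback step.
  - name: TagInstance
    action: aws:createTags
    onFailure: step:RollbackStart
    isEnd: true
    inputs:
      ResourceType: EC2
      ResourceIds:
        - '{{ InstanceId }}'
      Tags:
        - Key: ConfigRemediation
          Value: '{{ ConfigRuleName }}'

  # Rollback: restore the original running state so Config re-flags the resource
  # cleanly on its next evaluation instead of leaving an untagged stopped instance.
  - name: RollbackStart
    action: aws:changeInstanceState
    isEnd: true
    inputs:
      InstanceIds:
        - '{{ InstanceId }}'
      DesiredState: running

  # Terminal no-op for instances that were not running in the first place.
  - name: NothingToDo
    action: aws:sleep
    isEnd: true
    inputs:
      Duration: PT1S
```

Register it with `aws ssm create-document --name twtech-StopNonCompliantInstance --document-type Automation --document-format YAML --content file://stop-instance.yaml` (the document name is assumed). The AutomationAssumeRole for this runbook needs only ec2:DescribeInstances, ec2:StopInstances, ec2:StartInstances and ec2:CreateTags, which keeps the least-privilege best practice intact even though the document contains a rollback path.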

7. Best Practices

    • Use least privilege in remediation IAM roles.
    • Start with manual remediation, then move to auto-remediation after validation.
    • Always include rollback steps in SSM Docs.
    • Monitor with CloudWatch Alarms for failed remediation attempts.
    • Standardize with multi-account rollout via AWS Config Aggregators + Organizations.
    • Integrate with Security Hub + EventBridge for enterprise-scale response.
