PutRemediationConfigurations - AWS Config

PutRemediationConfigurations

Adds or updates the remediation configuration with a specific AWS Config rule with the selected target or action. The API creates the RemediationConfiguration object for the AWS Config rule. The AWS Config rule must already exist for you to add a remediation configuration. The target (SSM document) must exist and have permissions to use the target.

Note

Be aware of backward incompatible changes

If you make backward incompatible changes to the SSM document, you must call this again to ensure the remediations can run.

This API does not support adding remediation configurations for service-linked AWS Config Rules such as Organization AWS Config rules, the rules deployed by conformance packs, and rules deployed by AWS Security Hub.

Note

Required fields

For manual remediation configuration, you need to provide a value for automationAssumeRole or use a value in the assumeRolefield to remediate your resources. The SSM automation document can use either as long as it maps to a valid parameter.

However, for automatic remediation configuration, the only valid assumeRole field value is AutomationAssumeRole and you need to provide a value for AutomationAssumeRole to remediate your resources.

Note

Auto remediation can be initiated even for compliant resources

If you enable auto remediation for a specific AWS Config rule using the PutRemediationConfigurations API or the AWS Config console, it initiates the remediation process for all non-compliant resources for that specific rule. The auto remediation process relies on the compliance data snapshot which is captured on a periodic basis. Any non-compliant resource that is updated between the snapshot schedule will continue to be remediated based on the last known compliance data snapshot.

This means that in some cases auto remediation can be initiated even for compliant resources, since the bootstrap processor uses a database that can have stale evaluation results based on the last known compliance data snapshot.

Request Syntax

{ "RemediationConfigurations": [ { "Arn": "string", "Automatic": boolean, "ConfigRuleName": "string", "CreatedByService": "string", "ExecutionControls": { "SsmControls": { "ConcurrentExecutionRatePercentage": number, "ErrorPercentage": number } }, "MaximumAutomaticAttempts": number, "Parameters": { "string" : { "ResourceValue": { "Value": "string" }, "StaticValue": { "Values": [ "string" ] } } }, "ResourceType": "string", "RetryAttemptSeconds": number, "TargetId": "string", "TargetType": "string", "TargetVersion": "string" } ] }

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters.

The request accepts the following data in JSON format.

RemediationConfigurations

A list of remediation configuration objects.

Type: Array of RemediationConfiguration objects

Array Members: Minimum number of 0 items. Maximum number of 25 items.

Required: Yes

Response Syntax

{ "FailedBatches": [ { "FailedItems": [ { "Arn": "string", "Automatic": boolean, "ConfigRuleName": "string", "CreatedByService": "string", "ExecutionControls": { "SsmControls": { "ConcurrentExecutionRatePercentage": number, "ErrorPercentage": number } }, "MaximumAutomaticAttempts": number, "Parameters": { "string" : { "ResourceValue": { "Value": "string" }, "StaticValue": { "Values": [ "string" ] } } }, "ResourceType": "string", "RetryAttemptSeconds": number, "TargetId": "string", "TargetType": "string", "TargetVersion": "string" } ], "FailureMessage": "string" } ] }

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

FailedBatches

Returns a list of failed remediation batch objects.

Type: Array of FailedRemediationBatch objects

Errors

For information about the errors that are common to all actions, see Common Errors.

InsufficientPermissionsException

Indicates one of the following errors:

  • For PutConfigRule, the rule cannot be created because the IAM role assigned to AWS Config lacks permissions to perform the config:Put* action.

  • For PutConfigRule, the AWS Lambda function cannot be invoked. Check the function ARN, and check the function's permissions.

  • For PutOrganizationConfigRule, organization AWS Config rule cannot be created because you do not have permissions to call IAM GetRole action or create a service-linked role.

  • For PutConformancePack and PutOrganizationConformancePack, a conformance pack cannot be created because you do not have the following permissions:

    • You do not have permission to call IAM GetRole action or create a service-linked role.

    • You do not have permission to read Amazon S3 bucket or call SSM:GetDocument.

  • For PutServiceLinkedConfigurationRecorder, a service-linked configuration recorder cannot be created because you do not have the following permissions: IAM CreateServiceLinkedRole.

HTTP Status Code: 400

InvalidParameterValueException

One or more of the specified parameters are not valid. Verify that your parameters are valid and try again.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: