Track remediations in Trusted Remediator
To track OpsItems remediations, complete the following steps:
Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/.
Choose Operations Management, OpsCenter.
(Optional) Filter the list by Source=Trusted Remediator to include only Trusted Remediator OpsItems in the list.
The following is an example of the OpsCenter screen filtered by Source=Trusted Remediator:
Note
In addition to viewing OpsItems from the OpsCenter, you can view remediation logs in the AMS S3 bucket. For more information, see Remediation logs in Trusted Remediator.
Run manual remediations in Trusted Remediator
Trusted Remediator creates OpsItems for checks configured for manual remediation. You must review these checks and begin the remediation process manually.
To manually remediate the OpsItem, complete the following steps:
Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/.
Choose Operations Management, OpsCenter.
(Optional) Filter the list by Source=Trusted Remediator to include only Trusted Remediator OpsItems in the list.
Choose the OpsItem that you want to review.
Review the operational data of the OpsItem. The operational data includes the following items:
trustedAdvisorCheckCategory: The category of the Trusted Advisor check ID. For example, Fault tolerance.
trustedAdvisorCheckId: The unique Trusted Advisor check ID.
trustedAdvisorCheckMetadata: The resource metadata, including the resource ID.
trustedAdvisorCheckName: The name of the Trusted Advisor check.
trustedAdvisorCheckStatus: The status of the Trusted Advisor check detected for the resource.
trustedAdvisorCheckManualRemediation: The custom data that provides reference details for manual remediation.
ManualExecutionInput: An object that defines parameters that you can modify values for when executing manual remediation.
DocumentName: The name of the runbook (SSM document).
CustomizableParameters: Parameter names that you can modify.
DefaultInput: An object that defines parameter names and values to be used for manual remediation. The values populate based on preconfigured-parameters.
To manually remediate the OpsItem, complete the following steps:
Use Trusted Remediator | Finding | Remediate ct-1c7ch8z5phrjp change type
Enter values for the following parameters:
DocumentName: Must be AWSManagedServices-RemediateTrustedRemediatorFinding.
Region: The AWS Region, in the form us-east-1.
Parameters: Enter the manual remediation parameters:
OpsItemId: The ID of the Ops Item.
RemediationDocumentName: The name of the SSM automation document to use. The document must be associated with the Ops Item. If multiple documents are associated with the Ops Item, then the DocumentName must be specified.
RemediationParameters: A key/value map of parameters for the automation execution, in the form: {\"ParameterName1\":[\"ParameterValue1\"],\"ParameterName2\":[\"ParameterValue2\"]}. You can only use parameters that are present in the Ops Item trustedAdvisorCheckManualRemediation CustomizableParameters. If not specified, parameters and values are retrieved from the Ops Item.
Choose Run. If there are no errors, then the RFC successfully created page displays with the submitted RFC details, and the initial Run output.
Monitor the RFC execution's progress.
After the execution completes, the OpsItem is resolved. If the RFC failed, then follow the steps in Troubleshoot remediations in Trusted Remediator. For additional troubleshooting support, contact AMS.
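The following added example (not part of the AWS documentation) checks override values against the OpsItem's CustomizableParameters before you submit the RFC, then builds the RemediationParameters string. The nesting of the operational data value, the runbook name, and the parameter names BucketName and BlockPublicAcls are assumptions constructed for illustration.

```python
import json

# Constructed sample of one OperationalData entry. The JSON layout of "Value" is an
# assumption based on the field names listed above; names and values are placeholders.
SAMPLE_OPERATIONAL_DATA = {
    "trustedAdvisorCheckManualRemediation": {
        "Type": "String",
        "Value": json.dumps({
            "ManualExecutionInput": {
                "DocumentName": "Example-RemediationRunbook",
                "CustomizableParameters": ["BucketName", "BlockPublicAcls"],
                "DefaultInput": {"BucketName": ["example-bucket"],
                                 "BlockPublicAcls": ["true"]},
            }
        }),
    }
}


def build_remediation_parameters(operational_data, overrides):
    """Return the RemediationParameters map as compact JSON, rejecting any
    parameter name that is not listed in CustomizableParameters."""
    raw = operational_data["trustedAdvisorCheckManualRemediation"]["Value"]
    manual = json.loads(raw)["ManualExecutionInput"]
    allowed = set(manual["CustomizableParameters"])
    rejected = sorted(set(overrides) - allowed)
    if rejected:
        raise ValueError(f"not customizable for this OpsItem: {rejected}")
    # Each value is a list of strings in the documented form; wrap scalars.
    params = {name: [str(v) for v in (val if isinstance(val, list) else [val])]
              for name, val in overrides.items()}
    return json.dumps(params, separators=(",", ":"), sort_keys=True)


def escape_for_rfc(parameters_json):
    # Backslash-escape the quotes, as in the form shown for RemediationParameters.
    return json.dumps(parameters_json)[1:-1]


if __name__ == "__main__":
    built = build_remediation_parameters(
        SAMPLE_OPERATIONAL_DATA, {"BucketName": "corrected-bucket-name"})
    print(built)
    print(escape_for_rfc(built))
```

Parameters that you leave out of the overrides are not sent, so their values are retrieved from the Ops Item as described above.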
Troubleshoot remediations in Trusted Remediator
For assistance with manual remediations and remediation failures, contact AMS.
To view remediation status and results, complete the following steps:
Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/.
Choose Operations Management, OpsCenter.
(Optional) Filter the list by Source=Trusted Remediator to include only Trusted Remediator OpsItems in the list.
Choose the OpsItem that you want to review.
In the Automation Executions section, review the Document Name, Status, and results.
Review the following common automation failures. If your issue isn't listed here, then contact your CSDM for assistance.
Common remediation errors
No executions associated with the OpsItem might indicate that the execution failed to start due to incorrect parameter values.
Troubleshooting steps
In the Operational data, review the trustedAdvisorCheckAutoRemediation property value.
Verify that the DocumentName and Parameters values are correct. For the correct values, review Configure Trusted Advisor check remediation in Trusted Remediator for details on how to configure SSM parameters. To review supported check parameters, see Trusted Advisor checks supported by Trusted Remediator.
Verify that values in the SSM document match allowed patterns. To view parameters details in the document content, select the document name in the Runbooks section.
After you review and correct the parameters, manually remediate the OpsItem. For the remediation steps, see Run manual remediations in Trusted Remediator.
To prevent this error from reoccurring, make sure that you configure the remediation with the correct parameter values in your configuration. For more information, see Configure Trusted Advisor check remediation in Trusted Remediator.
Remediation documents contain multiple steps that interact with AWS services performing various actions through APIs. To identify a specific cause for the failure, complete the following steps:
Troubleshooting steps
To view the individual execution steps, choose the Execution ID link in the Automation Executions section. The following is an example of the Systems Manager console showing the Execution steps for a selected automation:
Choose the step with the Failed status. The following are example error messages:
NoSuchBucket - An error occurred (NoSuchBucket) when calling the GetPublicAccessBlock operation: The specified bucket does not exist
This error indicates that the incorrect bucket name was specified in the remediation configuration's preconfigured-parameters.
To resolve this error, manually run the automation using the correct bucket name. To prevent this issue from reoccurring, update the remediation configuration with the correct bucket name.
DB instance my-db-instance-1 is not in available status for modification.
This error indicates that the automation couldn't make the expected changes because the DB instance was in an invalid state.
To resolve this error, manually run the automation.