StartRemediationExecution - AWS Config

StartRemediationExecution

Runs an on-demand remediation for the specified AWS Config rules against the last known remediation configuration. It runs an execution against the current state of your resources. Remediation execution is asynchronous.

You can specify up to 100 resource keys per request. An existing StartRemediationExecution call for the specified resource keys must complete before you can call the API again.

Request Syntax

{
   "ConfigRuleName": "string",
   "ResourceKeys": [
      {
         "resourceId": "string",
         "resourceType": "string"
      }
   ]
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters.

The request accepts the following data in JSON format.

ConfigRuleName

The name of the AWS Config rule that you want to run remediation execution for.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: .*\S.*

Required: Yes

ResourceKeys

A list of resource keys to be processed with the current request. Each element in the list consists of the resource type and resource ID.

Type: Array of ResourceKey objects

Array Members: Minimum number of 1 item. Maximum number of 100 items.

Required: Yes

Response Syntax

{
   "FailedItems": [
      {
         "resourceId": "string",
         "resourceType": "string"
      }
   ],
   "FailureMessage": "string"
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

FailedItems

For resources that have failed to start execution, the API returns a resource key object.

Type: Array of ResourceKey objects

Array Members: Minimum number of 1 item. Maximum number of 100 items.

FailureMessage

Returns a failure message. For example, the resource is already compliant.

Type: String
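
Added example, not part of the AWS documentation: a wrapper that enforces the ConfigRuleName constraints, splits resource keys into requests of at most 100, and collects FailedItems, since an HTTP 200 response can still report resources whose remediation did not start. It assumes a client exposing start_remediation_execution (as the boto3 "config" client does); StubConfigClient, the rule name and the bucket IDs are constructed so the block runs offline.

```python
import re

MAX_KEYS_PER_REQUEST = 100            # "up to 100 resource keys per request"
RULE_NAME_RE = re.compile(r".*\S.*")  # Pattern given for ConfigRuleName


def start_remediation(client, rule_name, resource_keys):
    """Start remediation in batches of <=100 keys; return (failed_items, messages).

    `client` is any object exposing start_remediation_execution(**kwargs),
    for example boto3.client("config"). FailedItems are collected rather than
    ignored, because a 200 response does not mean every execution started.
    """
    if not (1 <= len(rule_name) <= 128 and RULE_NAME_RE.fullmatch(rule_name)):
        raise ValueError("ConfigRuleName must be 1-128 chars with a non-space character")
    # De-duplicate (a precaution chosen for this example) so one resource key is
    # never submitted in two batches while its earlier call may still be running.
    unique = list(dict.fromkeys((k["resourceType"], k["resourceId"]) for k in resource_keys))
    if not unique:
        raise ValueError("ResourceKeys needs at least 1 item")
    failed, messages = [], []
    for i in range(0, len(unique), MAX_KEYS_PER_REQUEST):
        batch = [{"resourceType": t, "resourceId": r}
                 for t, r in unique[i:i + MAX_KEYS_PER_REQUEST]]
        resp = client.start_remediation_execution(ConfigRuleName=rule_name, ResourceKeys=batch)
        failed.extend(resp.get("FailedItems", []))
        if resp.get("FailureMessage"):
            messages.append(resp["FailureMessage"])
    return failed, messages


class StubConfigClient:
    """Constructed stand-in for the AWS Config client (not an AWS class)."""

    def __init__(self, failing_ids):
        self.failing_ids, self.batch_sizes = set(failing_ids), []

    def start_remediation_execution(self, ConfigRuleName, ResourceKeys):
        self.batch_sizes.append(len(ResourceKeys))
        bad = [k for k in ResourceKeys if k["resourceId"] in self.failing_ids]
        return {"FailedItems": bad, "FailureMessage": "constructed failure"} if bad else {}


if __name__ == "__main__":
    # Constructed input: 250 resource keys plus 5 duplicates.
    keys = [{"resourceType": "AWS::S3::Bucket", "resourceId": f"bucket-{n}"} for n in range(250)]
    stub = StubConfigClient(failing_ids={"bucket-7", "bucket-180"})
    failed, msgs = start_remediation(stub, "example-rule", keys + keys[:5])
    print(stub.batch_sizes, [k["resourceId"] for k in failed], msgs)
```

Because remediation execution is asynchronous, an empty FailedItems list only confirms that the executions were started, not that the resources were remediated.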

Errors

For information about the errors that are common to all actions, see Common Errors.

InsufficientPermissionsException

Indicates one of the following errors:

  • For PutConfigRule, the rule cannot be created because the IAM role assigned to AWS Config lacks permissions to perform the config:Put* action.

  • For PutConfigRule, the AWS Lambda function cannot be invoked. Check the function ARN, and check the function's permissions.

  • For PutOrganizationConfigRule, an organization AWS Config rule cannot be created because you do not have permissions to call the IAM GetRole action or create a service-linked role.

  • For PutConformancePack and PutOrganizationConformancePack, a conformance pack cannot be created because you do not have the following permissions:

    • You do not have permission to call IAM GetRole action or create a service-linked role.

    • You do not have permission to read Amazon S3 bucket or call SSM:GetDocument.

  • For PutServiceLinkedConfigurationRecorder, a service-linked configuration recorder cannot be created because you do not have the following permissions: IAM CreateServiceLinkedRole.

HTTP Status Code: 400

InvalidParameterValueException

One or more of the specified parameters are not valid. Verify that your parameters are valid and try again.

HTTP Status Code: 400

NoSuchRemediationConfigurationException

You specified an AWS Config rule without a remediation configuration.

HTTP Status Code: 400
