Remediating compliance issues using EventBridge
You can quickly remediate patch and association compliance issues by using Run Command, a capability of AWS Systems Manager. You can target instance or AWS IoT Greengrass core device IDs or tags and run the AWS-RunPatchBaseline document or the AWS-RefreshAssociation document. If refreshing the association or re-running the patch baseline fails to resolve the compliance issue, then you need to investigate your associations, patch baselines, or instance configurations to understand why the Run Command operations didn't resolve the problem.
For more information about patching, see AWS Systems Manager Patch Manager and SSM Command document for patching: AWS-RunPatchBaseline.
For more information about associations, see Working with associations in Systems Manager.
For more information about running a command, see AWS Systems Manager Run Command.
Specify Compliance as the target of an EventBridge event
You can also configure Amazon EventBridge to perform an action in response to Systems Manager Compliance events. For example, if one or more managed nodes fail to install Critical patch updates or fail to run an association that installs anti-virus software, then you can configure EventBridge to run the AWS-RunPatchBaseline document or the AWS-RefreshAssociation document when the Compliance event occurs.
Use the following procedure to configure Compliance as the target of an EventBridge event.
To configure Compliance as the target of an EventBridge event (console)
- Open the Amazon EventBridge console at https://console.aws.amazon.com/events/.
- In the navigation pane, choose Rules.
- Choose Create rule.
- Enter a name and description for the rule. A rule can't have the same name as another rule in the same AWS Region and on the same event bus.
- For Event bus, choose the event bus that you want to associate with this rule. If you want this rule to respond to matching events that come from your own AWS account, select default. When an AWS service in your account emits an event, it always goes to your account's default event bus.
- For Rule type, choose Rule with an event pattern.
- Choose Next.
- For Event source, choose AWS events or EventBridge partner events.
- In the Event pattern section, choose Event pattern form.
- For Event source, choose AWS services.
- For AWS service, choose Systems Manager.
- For Event type, choose Configuration Compliance.
- For Specific detail type(s), choose Configuration Compliance State Change.
- Choose Next.
- For Target types, choose AWS service.
- For Select a target, choose Systems Manager Run Command.
- In the Document list, choose a Systems Manager document (SSM document) to run when your target is invoked. For example, choose AWS-RunPatchBaseline for a non-compliant patch event, or choose AWS-RefreshAssociation for a non-compliant association event.
- Specify information for the remaining fields and parameters.
Note
Required fields and parameters have an asterisk (*) next to the name. To create a target, you must specify a value for each required parameter or field. If you don't, the system creates the rule, but the rule won't be run.
- Choose Next.
- (Optional) Enter one or more tags for the rule. For more information, see Tagging Your Amazon EventBridge Resources in the Amazon EventBridge User Guide.
- Choose Next.
- Review the details of the rule and choose Create rule.
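The console procedure above produces one rule and one Run Command target. The following is an added example, not code from the Systems Manager documentation, that builds the same thing as the JSON you would pass to the EventBridge PutRule and PutTargets APIs (for example through boto3's put_rule and put_targets), and checks offline which remediation a sample Configuration Compliance State Change event would trigger. Two things the console form does not make obvious are shown here: the event pattern is narrowed to compliance-status non_compliant and to one compliance-type, so the patch rule never runs AWS-RunPatchBaseline in response to a compliant or association event, and the document parameters travel in the target's Input field. The sample event is constructed; the account ID, instance ID, role name EventBridgeRunCommandRole, the tag key "Patch Group" and the function names are assumptions for the example.

```python
import json

# Constructed sample event (placeholder account and instance IDs). It follows the shape of
# the "Configuration Compliance State Change" event that Systems Manager publishes.
SAMPLE_NONCOMPLIANT_PATCH_EVENT = {
    "version": "0",
    "id": "01234567-0123-0123-0123-0123456789ab",
    "detail-type": "Configuration Compliance State Change",
    "source": "aws.ssm",
    "account": "123456789012",
    "time": "2024-01-01T00:00:00Z",
    "region": "us-east-1",
    "resources": ["arn:aws:ssm:us-east-1:123456789012:managed-instance/i-01234567890abcdef"],
    "detail": {
        "last-runtime": "2024-01-01T00:00:00Z",
        "compliance-status": "non_compliant",
        "resource-type": "managed-instance",
        "resource-id": "i-01234567890abcdef",
        "compliance-type": "Patch",
    },
}

# Which SSM document remediates which compliance type, plus the document parameters.
# Operation=Install changes the node; Operation=Scan would only report missing patches.
REMEDIATION = {
    "Patch": ("AWS-RunPatchBaseline", {"Operation": ["Install"]}),
    "Association": ("AWS-RefreshAssociation", {}),
}


def compliance_rule(name, compliance_type, event_bus="default"):
    """PutRule arguments: match only non_compliant events of a single compliance type."""
    pattern = {
        "source": ["aws.ssm"],
        "detail-type": ["Configuration Compliance State Change"],
        "detail": {
            "compliance-status": ["non_compliant"],
            "compliance-type": [compliance_type],
        },
    }
    return {"Name": name, "EventBusName": event_bus,
            "EventPattern": json.dumps(pattern), "State": "ENABLED"}


def run_command_target(compliance_type, region, account, role_arn, targets):
    """One PutTargets entry for the remediation document. role_arn (assumed name) is a role
    EventBridge can assume; scope its ssm:SendCommand permission to this document and the
    targeted nodes. targets use Run Command form: Key "InstanceIds" or "tag:<name>"."""
    document, parameters = REMEDIATION[compliance_type]
    return {
        "Id": f"remediate-{compliance_type.lower()}",
        "Arn": f"arn:aws:ssm:{region}:{account}:document/{document}",
        "RoleArn": role_arn,
        "Input": json.dumps(parameters),  # document parameters, as a JSON string
        "RunCommandParameters": {"RunCommandTargets": targets},
    }


def pattern_matches(pattern, event):
    """Minimal EventBridge matcher: every pattern key must exist in the event, leaf values
    are lists of acceptable exact matches, nested objects recurse."""
    for key, want in pattern.items():
        if key not in event:
            return False
        have = event[key]
        if isinstance(want, dict):
            if not isinstance(have, dict) or not pattern_matches(want, have):
                return False
        elif have not in want:
            return False
    return True


def remediation_for(event, region="us-east-1", account="123456789012",
                    role_arn="arn:aws:iam::123456789012:role/EventBridgeRunCommandRole",
                    targets=({"Key": "tag:Patch Group", "Values": ["prod"]},)):
    """Return the target the matching rule would invoke for `event`, or None."""
    for compliance_type in REMEDIATION:
        rule = compliance_rule(f"ssm-noncompliant-{compliance_type.lower()}", compliance_type)
        if pattern_matches(json.loads(rule["EventPattern"]), event):
            return run_command_target(compliance_type, region, account, role_arn, list(targets))
    return None


def remediation_document(event):
    """Name of the SSM document that would run for `event`, or None if no rule matches."""
    target = remediation_for(event)
    return None if target is None else target["Arn"].rsplit("/", 1)[1]


def event_with_detail(event, **overrides):
    """Copy of `event` with detail fields replaced (compliance_status -> compliance-status)."""
    detail = {**event["detail"], **{k.replace("_", "-"): v for k, v in overrides.items()}}
    return {**event, "detail": detail}


if __name__ == "__main__":
    print(json.dumps(remediation_for(SAMPLE_NONCOMPLIANT_PATCH_EVENT), indent=2))
```

The RunCommandTargets in this example are static (every node carrying the tag is re-patched when any one of them reports non_compliant), which is the behaviour you get from the console form as well. If the rule fires often, that is the first place to look before loosening anything else: a misconfigured baseline or association keeps the node non-compliant, and the event-driven rule will keep re-running the document until the underlying cause is fixed, as the first section of this page describes.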