Task 2. Create an AWS Config rule with automated remediation

In this task you will create a new Config rule that checks whether your EC2 instances are of the specified instance types and applies a remediation action when an instance is non-compliant.

  1. In your left panel, click on Rules

  2. Click the button to add a new rule

  3. In the AWS Managed Rules search box, type: desired-instance-type

  4. Select the managed rule and click the button to continue

  5. Under the Trigger section -> Scope of changes, select Tags. Under Resources by tag, type Compliance as the Tag key and Prod as the Tag value

  6. In the Parameters section, type t3.small as the Value for the Key instanceType

  7. Click the button to continue

  8. Click the button to add the rule

  9. Your rule will start evaluating resource compliance

  10. Before enabling an automated remediation action, you need to create an IAM role and assign it to the Config rule so that it can execute the instance resize remediation action. Go to the Services search box > IAM

  11. On the left pane, click on Roles

  12. Click the button to create a new role

  13. Under Use case -> Use cases for other AWS services, select Systems Manager (do not select Systems Manager - Inventory and Maintenance Windows)

  14. Click on Next

  15. In the Permissions policies search box, type AmazonEC2FullAccess, press Enter, and select the checkbox next to the policy

  16. Click Next

  17. In Role name, type: config-resize-instance-role

  18. Click the button to create the role

  19. You will see the message "Role config-resize-instance-role has been created." at the top of the screen. Click the View role button to the right of that message.

  20. Copy the Role ARN (e.g. arn:aws:iam::xxxxxxxxxxx:role/config-resize-instance-role) and paste it into a notepad; you will use it in a later step.

  21. Now return to the Config service: Services search box > Config

  22. On the left pane, click on Rules

  23. Look for the desired-instance-type rule you created and click on it

  24. Open the actions drop-down menu and select Manage remediation

  25. In the Select remediation method section, select Automatic remediation

  26. Under Retries, type 5, and under Seconds, type 60.

  27. In the Remediation action details section, expand the drop-down menu and select AWS-ResizeInstance

  28. In the Rate Limits section, under Concurrent Execution Rate, type 2, and under Error Rate, type 5.

  29. In Resource ID parameter, select InstanceId

  30. In the Parameters section, fill in the InstanceType and AutomationAssumeRole parameters: type t3.small for InstanceType, and paste the role ARN you copied in step 20 into AutomationAssumeRole.

  31. Click the button to save the remediation configuration

  32. Config will now evaluate the EC2 instance configurations and apply this automatic remediation action to any non-compliant instance.
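The following is an added example (not AWS's managed-rule implementation and not part of the lab materials) that shows what the rule and remediation you just configured do: only instances tagged Compliance=Prod are evaluated, instances whose type is not in the instanceType list are NON_COMPLIANT, and each non-compliant instance yields the AWS-ResizeInstance parameters (InstanceId, InstanceType, AutomationAssumeRole). The instance records and the role ARN are constructed placeholders.

```python
"""Illustrative model of the desired-instance-type rule scoped by tag, plus the
AWS-ResizeInstance remediation parameters. Added example, not the AWS managed rule."""
from typing import Dict, List

# Constructed sample records shaped like EC2 describe_instances output (not real instances).
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa111", "InstanceType": "t3.small",
     "Tags": [{"Key": "Compliance", "Value": "Prod"}]},
    {"InstanceId": "i-0bbb222", "InstanceType": "t3.xlarge",
     "Tags": [{"Key": "Compliance", "Value": "Prod"}]},
    {"InstanceId": "i-0ccc333", "InstanceType": "m5.large",
     "Tags": [{"Key": "Compliance", "Value": "Dev"}]},
]
# Placeholder ARN; substitute the role ARN you copied from IAM.
ROLE_ARN = "arn:aws:iam::111122223333:role/config-resize-instance-role"


def in_scope(instance: Dict, tag_key: str, tag_value: str) -> bool:
    """Mirror the 'Resources by tag' scope: only instances carrying the tag pair are evaluated."""
    return any(t["Key"] == tag_key and t["Value"] == tag_value
               for t in instance.get("Tags", []))


def evaluate(instances: List[Dict], desired_types: str,
             tag_key: str = "Compliance", tag_value: str = "Prod") -> List[Dict]:
    """Return one evaluation per instance using AWS Config's ComplianceType vocabulary.
    desired_types is the rule's instanceType parameter (a comma-separated list)."""
    allowed = {t.strip() for t in desired_types.split(",")}
    results = []
    for inst in instances:
        if not in_scope(inst, tag_key, tag_value):
            compliance = "NOT_APPLICABLE"          # out of scope, never remediated
        elif inst["InstanceType"] in allowed:
            compliance = "COMPLIANT"
        else:
            compliance = "NON_COMPLIANT"
        results.append({"ComplianceResourceType": "AWS::EC2::Instance",
                        "ComplianceResourceId": inst["InstanceId"],
                        "ComplianceType": compliance})
    return results


def remediation_requests(evaluations: List[Dict], target_type: str, role_arn: str) -> List[Dict]:
    """Build the AWS-ResizeInstance automation parameters for each NON_COMPLIANT resource,
    matching the parameter names configured in the console."""
    return [{"DocumentName": "AWS-ResizeInstance",
             "Parameters": {"InstanceId": [e["ComplianceResourceId"]],
                            "InstanceType": [target_type],
                            "AutomationAssumeRole": [role_arn]}}
            for e in evaluations if e["ComplianceType"] == "NON_COMPLIANT"]


if __name__ == "__main__":
    for req in remediation_requests(evaluate(SAMPLE_INSTANCES, "t3.small"), "t3.small", ROLE_ARN):
        print(req)
```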

  33. Now you will change the instance type so you can test the remediation action you just configured. Go to the EC2 service: Services search box > EC2

  34. On the left pane, click on Instances

  35. Look for the instance with the prefix “sc-web-” and select the checkbox next to it

  36. Click Instance state, select Stop instance, and confirm your action.

  37. Wait a few seconds until the instance state changes to Stopped

  38. Change the instance type:

    1. Actions
    2. Instance settings
    3. Change instance type
  39. In the Change instance type window, below Instance type, select t3.xlarge

  40. Click the button to apply the change

  41. Now start the EC2 instance: click Instance state -> Start instance

  42. Copy the instance ID; you will use it in a later step

  43. This change will trigger the Config rule's remediation action. It will take a couple of minutes for the rule to start changing the instance state automatically: the instance is shut down, resized back to t3.small, and started again, so that it returns to a compliant state according to the rule you created. You can wait a couple of minutes in the EC2 console and refresh the page to watch these automatic remediation actions.

  44. Now you will use another Config feature: the ability to keep track of changes to AWS resources.

    AWS Config records details of changes to your AWS resources to provide you with a configuration history. You can use the AWS Management Console, API, or CLI to obtain details of what a resource’s configuration looked like at any point in the past. AWS Config will also automatically deliver a configuration history file to the Amazon S3 bucket you specify.

  45. Return to the Config console: Services search box > Config

  46. From the left pane, click on Resources

  47. In the Resources section, paste the EC2 instance ID into the search box; the instance ID will appear below the Resource identifier section. Click on the instance ID.

  48. Click the button to view the resource timeline

  49. You will see a list of events. Feel free to explore them; you can expand each one, but we recommend looking at the Rule compliance and Configuration change events, which contain useful information about the instance configuration changes and compliance status updates.

LAB END