Put Remediation Configurations
configservice_put_remediation_configurations | R Documentation |
Adds or updates the remediation configuration with a specific Config rule with the selected target or action¶
Description¶
Adds or updates the remediation configuration with a specific Config rule with the selected target or action. The API creates the RemediationConfiguration object for the Config rule. The Config rule must already exist for you to add a remediation configuration. The target (SSM document) must exist and have permissions to use the target.
Be aware of backward incompatible changes
If you make backward incompatible changes to the SSM document, you must call this again to ensure the remediations can run.
This API does not support adding remediation configurations for service-linked Config Rules such as Organization Config rules, the rules deployed by conformance packs, and rules deployed by Amazon Web Services Security Hub.
Required fields
For manual remediation configuration, you need to provide a value for automationAssumeRole or use a value in the assumeRole field to remediate your resources. The SSM automation document can use either as long as it maps to a valid parameter.
However, for automatic remediation configuration, the only valid assumeRole field value is AutomationAssumeRole and you need to provide a value for AutomationAssumeRole to remediate your resources.
Auto remediation can be initiated even for compliant resources
If you enable auto remediation for a specific Config rule using the put_remediation_configurations API or the Config console, it initiates the remediation process for all non-compliant resources for that specific rule. The auto remediation process relies on the compliance data snapshot which is captured on a periodic basis. Any non-compliant resource that is updated between the snapshot schedule will continue to be remediated based on the last known compliance data snapshot.
This means that in some cases auto remediation can be initiated even for compliant resources, since the bootstrap processor uses a database that can have stale evaluation results based on the last known compliance data snapshot.
Usage¶
Arguments¶
RemediationConfigurations
[required] A list of remediation configuration objects.
Value¶
A list with the following syntax:
list(
  FailedBatches = list(
    list(
      FailureMessage = "string",
      FailedItems = list(
        list(
          ConfigRuleName = "string",
          TargetType = "SSM_DOCUMENT",
          TargetId = "string",
          TargetVersion = "string",
          Parameters = list(
            list(
              ResourceValue = list(
                Value = "RESOURCE_ID"
              ),
              StaticValue = list(
                Values = list(
                  "string"
                )
              )
            )
          ),
          ResourceType = "string",
          Automatic = TRUE|FALSE,
          ExecutionControls = list(
            SsmControls = list(
              ConcurrentExecutionRatePercentage = 123,
              ErrorPercentage = 123
            )
          ),
          MaximumAutomaticAttempts = 123,
          RetryAttemptSeconds = 123,
          Arn = "string",
          CreatedByService = "string"
        )
      )
    )
  )
)
Request syntax¶
svc$put_remediation_configurations(
  RemediationConfigurations = list(
    list(
      ConfigRuleName = "string",
      TargetType = "SSM_DOCUMENT",
      TargetId = "string",
      TargetVersion = "string",
      Parameters = list(
        list(
          ResourceValue = list(
            Value = "RESOURCE_ID"
          ),
          StaticValue = list(
            Values = list(
              "string"
            )
          )
        )
      ),
      ResourceType = "string",
      Automatic = TRUE|FALSE,
      ExecutionControls = list(
        SsmControls = list(
          ConcurrentExecutionRatePercentage = 123,
          ErrorPercentage = 123
        )
      ),
      MaximumAutomaticAttempts = 123,
      RetryAttemptSeconds = 123,
      Arn = "string",
      CreatedByService = "string"
    )
  )
)
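An automatic remediation configuration that follows the "Required fields" rule above, checked locally before it is submitted. This is an added example, not code from the paws project: the rule name, role ARN and account id are constructed placeholders, check_remediation and put_remediation are hypothetical helpers, and the S3BucketName and AutomationAssumeRole parameter names assume the AWS-managed SSM document AWS-DisableS3BucketPublicReadWrite is the target.

```r
# Added example. Rule name, role ARN and account id are constructed placeholders.
cfg <- list(
  ConfigRuleName = "s3-bucket-public-read-prohibited",
  TargetType = "SSM_DOCUMENT",
  TargetId = "AWS-DisableS3BucketPublicReadWrite",
  ResourceType = "AWS::S3::Bucket",
  Automatic = TRUE,
  # Parameters is a map: pass it as a named list keyed by SSM parameter name.
  Parameters = list(
    AutomationAssumeRole = list(StaticValue = list(Values = list(
      "arn:aws:iam::111122223333:role/ExampleRemediationRole"
    ))),
    S3BucketName = list(ResourceValue = list(Value = "RESOURCE_ID"))
  ),
  # Throttle runs: auto remediation works from the last compliance snapshot.
  ExecutionControls = list(SsmControls = list(
    ConcurrentExecutionRatePercentage = 10,
    ErrorPercentage = 10
  )),
  MaximumAutomaticAttempts = 3,
  RetryAttemptSeconds = 60
)

# Hypothetical helper: local check of the "Required fields" rule before the API call.
check_remediation <- function(cfg) {
  problems <- character(0)
  role <- cfg$Parameters[["AutomationAssumeRole"]]$StaticValue$Values
  if (isTRUE(cfg$Automatic) &&
      (length(role) != 1 || !grepl("^arn:aws[a-z-]*:iam::[0-9]{12}:role/", role[[1]]))) {
    problems <- c(problems, "Automatic = TRUE needs one static AutomationAssumeRole role ARN")
  }
  if (!identical(cfg$TargetType, "SSM_DOCUMENT")) {
    problems <- c(problems, "TargetType must be SSM_DOCUMENT")
  }
  problems
}

# Hypothetical helper: submit and surface per-rule failures from FailedBatches.
put_remediation <- function(cfgs, svc = paws::configservice()) {
  resp <- svc$put_remediation_configurations(RemediationConfigurations = cfgs)
  for (batch in resp$FailedBatches) {
    rules <- vapply(batch$FailedItems, function(i) i$ConfigRuleName, character(1))
    warning(batch$FailureMessage, " (rules: ", paste(rules, collapse = ", "), ")")
  }
  invisible(resp)
}

problems <- check_remediation(cfg)
if (length(problems) > 0) stop(paste(problems, collapse = "; "))
# put_remediation(list(cfg))  # needs AWS credentials and the Config rule to exist
```

The call returns without error even when individual configurations are rejected, so the FailedBatches loop is what reports a rule that was not updated.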