Config rule with remediation

Create the lab environment

Before proceeding, you must create a CloudFormation stack that includes the resources required for this lab.

File name: ConfigSSMLab.yml
Purpose: Creates the resources used in this lab
Template download: Download the lab CloudFormation template

The stack will create these resources for you:

Lab Architecture Diagram

To create this stack, open the CloudFormation Console and then click on Create Stack, and then With new resources (standard).

Create stack

When prompted for the template, click on Upload a template file, and then provide the path to the file you just downloaded.

Specify template location

On the next pages, give the stack a unique name (such as ConfigLab), and enter the same S3 bucket as the one you created in the Setup section.

This lab requires that the S3 bucket name be consistent across both stacks.

Enter your email address when prompted. You can accept the defaults on the remaining pages and then create the stack.

Creating a Config rule to alert on Systems Manager agent non-compliance

In this step we will create a Config rule that evaluates whether EC2 instances have a working Systems Manager agent.

  1. Go to the AWS Config console, and then click on Rules on the left side of the console.
  2. Click on Add Rule.
  3. In the Add Rule screen, type ec2-instance-managed-by-systems-manager in the Filter section, and then click on the ec2-instance-managed-by-systems-manager rule.
  4. Under the Trigger section, take note of the trigger type. Leave the remaining settings as-is.
     Configure Rule Part 1
     Configure Rules Part 2
  5. Click Save.

You can create Config rules to monitor a number of items within your infrastructure. Besides using AWS managed Config rules, you can also create custom rules using AWS Lambda functions. Located here on GitHub are some sample Config rules you can create and implement in Lambda.

Deploy an EC2 instance

Next, let's deploy an EC2 instance to test our Config rule. Note that we are not assigning an IAM role to the instance - that comes later!

There are two ways to do this:

  • You can do this easily from the EC2 console. Create a t3.small instance in the same region, with no keypair or IAM instance profile. The instance should use Amazon Linux 2 as the base image, and all default options should be sufficient for creating our lab instance.


  • Or you can run the following command from the AWS CLI:

    aws ec2 run-instances \
      --image-id $(aws ssm get-parameters --names /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2 --query 'Parameters[0].[Value]' --output text) \
      --count 1 \
      --instance-type t3.small \
      --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=configruletest}]'

The instance should be up and running in approximately one minute.

Now return to the Config rule you created, click into the rule, and click Re-evaluate once the instance is up and running. You will have to wait a minute or two for the result, and then refresh the web page. After a few moments the instance we deployed should be flagged as non-compliant.

Re-evaluate SSM Rule Part 1

The rule will then look like this:

Re-evaluate SSM Rule Part 2

Next you will fix this non-compliant resource by adding a remediation action to the Config rule.

  1. Go back to the Config console, and edit the ec2-instance-managed-by-systems-manager rule. We will set a remediation action that attaches the required IAM role. Select Actions and then, under Choose remediation action, do the following:

    • Remediation method: Manual remediation
    • Remediation action: AWS-AttachIAMToInstance
    • Resource ID parameter: InstanceId
      • This passes the non-compliant instance ID to the remediation action
    • Get the IAM Role name from the output of the CloudFormation stack. The parameter is named EC2RoleName. Enter this into the RoleName field.
  2. Click Save.
     Remediation Part 1
     Remediation Part 2

  3. Go back into the Config rule and look at the non-compliant resources. Select the instance we deployed and then click on Remediate.
     Remediate Button

  4. Visit the Systems Manager console, and then click on Automation on the left side. You should see an automation task begin; this will attach the IAM role to the instance.
     Systems Manager Automation

  5. Once completed, reboot the instance to hasten the remediation process. This will force the Systems Manager agent on the instance to acquire the new IAM role immediately upon reboot.

  6. Return to the Systems Manager console, and then check under Managed instances. When the instance shows up as a managed instance, re-evaluate the rule once more. You will see that the instance is now compliant.
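As an added example (not the lab's ConfigSSMLab.yml template and not code from the lab), the rule from the first section and the remediation action from the steps above can be declared as a CloudFormation template instead of being clicked through the console. It assumes an AWS Config recorder is already active in the region and that the role name shown in the lab stack's EC2RoleName output is passed in as a parameter:

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example - Config rule plus manual remediation (not the lab template)

Parameters:
  EC2RoleName:
    Type: String
    Description: Name of the instance role from the lab stack output (assumed to exist)

Resources:
  # Same managed rule as ec2-instance-managed-by-systems-manager in the console.
  # Requires an active Config recorder; the rule is change-triggered on these types.
  SsmManagedRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: ec2-instance-managed-by-systems-manager
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Instance
          - AWS::SSM::ManagedInstanceInventory
      Source:
        Owner: AWS
        SourceIdentifier: EC2_INSTANCE_MANAGED_BY_SSM

  # Same settings as the console remediation steps: manual, AWS-AttachIAMToInstance,
  # InstanceId taken from the non-compliant resource, RoleName as a static value.
  SsmManagedRuleRemediation:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: !Ref SsmManagedRule
      ResourceType: AWS::EC2::Instance
      TargetType: SSM_DOCUMENT
      TargetId: AWS-AttachIAMToInstance
      # Manual remediation, as in the lab. Switching to Automatic: true also
      # requires MaximumAutomaticAttempts and RetryAttemptSeconds.
      Automatic: false
      Parameters:
        InstanceId:
          ResourceValue:
            Value: RESOURCE_ID   # Config substitutes the non-compliant instance ID
        RoleName:
          StaticValue:
            Values:
              - !Ref EC2RoleName
```

Deploying this after the lab stack lets the Remediate button in step 3 work the same way, and keeps the rule and its remediation under version control.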

What did we learn?

  • How to create an AWS Config Rule to evaluate if instances are managed by SSM
  • How to use AWS Systems Manager Automation Documents to remediate non-compliant instances

For our next lab we will use an alternative approach to remediating a non-compliant resource. Go to the next lab to explore a more customizable and extensible method of using Config.