How to Auto Remediate AWS resources By Using AWS Config

2021/09/11, 2 min read

Introduction

AWS Config is a service that records configuration changes to your AWS resources and evaluates each change against rules you define. For resources a rule marks non-compliant, it can also run a remediation action (an SSM Automation document) on your behalf. This blog demonstrates how to use AWS Config to auto-remediate an S3 bucket that does not have versioning enabled.

Imagine your role is managing the AWS account for your company and you need to make sure every resource complies with the company's policy rules. One of those rules is that every S3 bucket must have versioning enabled, and server-side encryption must be enabled as well. If you only have a few S3 buckets, checking them by hand might be fine, but when you have dozens of buckets created by many different developers it becomes hard to keep track of them all, and a bucket that silently drifts out of compliance is easy to miss. AWS Config is one service built for exactly this scenario; this post covers the versioning rule, and the encryption rule is set up the same way with its own managed rule and remediation document.

Create S3 Bucket

In this tutorial we create a fresh S3 bucket for the demo. If you already have an S3 bucket you want to use, skip this step and go directly to the AWS Config setup.

Create AWS Config for S3 Bucket

Navigate to AWS Config in the AWS Console. Set up a configuration recorder if you haven't already, and make sure it records S3 buckets (the AWS::S3::Bucket resource type); a rule can only evaluate resource types the recorder captures. Then add a new rule for S3 bucket versioning.

Configure the AWS Config Rule

Select the AWS managed rule s3-bucket-versioning-enabled and set its scope to the S3 bucket resource type, so the rule evaluates only buckets and not every recorded resource in the account.

Review the rule settings and confirm the configuration.

Setup S3 Bucket Remediation by AWS Config

Now set up the automatic remediation action. Choose the managed Automation document that enables S3 bucket versioning (AWS-ConfigureS3BucketVersioning) and set the remediation to automatic rather than manual. The document needs two things from you: an IAM role it can assume (the AutomationAssumeRole parameter), which must be assumable by SSM and allowed to call s3:PutBucketVersioning, and the name of the bucket to fix, which you map from the non-compliant resource's ID rather than typing a fixed value. When AWS Config then detects a non-compliant bucket, it runs the document against that bucket and versioning is enabled without anyone opening the console. One check worth doing after setup: suspend versioning on the demo bucket and confirm that Config re-evaluates it as non-compliant and the remediation turns it back on.
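The console steps above, expressed as the boto3 API calls they correspond to. This is an added example, not code from the original post: the bucket name, the IAM role ARN and the region are assumed placeholders, while the rule identifier S3_BUCKET_VERSIONING_ENABLED and the Automation document AWS-ConfigureS3BucketVersioning are the AWS-managed names the console uses. It also includes a small local check that mirrors what the rule evaluates, including the case where a bucket's versioning was never configured at all.

```python
"""Added example: the post's console steps as boto3 API calls.

Not code from the original post. Values marked ASSUMED are placeholders
you replace: the bucket name, the remediation role ARN and the region.
"""
import json

BUCKET = "config-demo-bucket-example"  # ASSUMED demo bucket name
REMEDIATION_ROLE_ARN = (
    "arn:aws:iam::123456789012:role/ConfigRemediationRole"  # ASSUMED role ARN
)
RULE_NAME = "s3-bucket-versioning-enabled"


def config_rule() -> dict:
    """Request body for configservice put_config_rule: the AWS managed
    versioning rule, scoped to S3 buckets so nothing else is evaluated."""
    return {
        "ConfigRuleName": RULE_NAME,
        "Description": "S3 buckets must have versioning enabled",
        "Scope": {"ComplianceResourceTypes": ["AWS::S3::Bucket"]},
        "Source": {
            "Owner": "AWS",
            "SourceIdentifier": "S3_BUCKET_VERSIONING_ENABLED",
        },
    }


def remediation_configuration() -> dict:
    """Request body for put_remediation_configurations.

    RESOURCE_ID is the non-compliant bucket's ID, mapped onto the
    document's BucketName parameter. AutomationAssumeRole is the role
    the document assumes to call s3:PutBucketVersioning. Automatic=True
    is the switch that makes this auto-remediation rather than manual.
    """
    return {
        "ConfigRuleName": RULE_NAME,
        "TargetType": "SSM_DOCUMENT",
        "TargetId": "AWS-ConfigureS3BucketVersioning",
        "Parameters": {
            "BucketName": {"ResourceValue": {"Value": "RESOURCE_ID"}},
            "VersioningState": {"StaticValue": {"Values": ["Enabled"]}},
            "AutomationAssumeRole": {
                "StaticValue": {"Values": [REMEDIATION_ROLE_ARN]}
            },
        },
        "Automatic": True,
        "MaximumAutomaticAttempts": 5,  # give up after 5 tries ...
        "RetryAttemptSeconds": 60,      # ... spaced 60 seconds apart
    }


def versioning_compliant(get_bucket_versioning_response: dict) -> bool:
    """Local equivalent of the rule's check on a get_bucket_versioning
    response. Edge case: a bucket whose versioning was never configured
    returns no 'Status' key at all (not 'Suspended'), so only an explicit
    'Enabled' counts as compliant."""
    return get_bucket_versioning_response.get("Status") == "Enabled"


def apply(region: str = "us-east-1") -> None:
    """Create the rule and its remediation in the account (needs AWS
    credentials; the region is ASSUMED)."""
    import boto3  # imported here so the module loads without boto3

    cfg = boto3.client("config", region_name=region)
    cfg.put_config_rule(ConfigRule=config_rule())
    cfg.put_remediation_configurations(
        RemediationConfigurations=[remediation_configuration()]
    )


if __name__ == "__main__":
    # Print the two request bodies; run apply() to actually create them.
    print(json.dumps(config_rule(), indent=2))
    print(json.dumps(remediation_configuration(), indent=2))
```

The two request bodies are the same things the console builds for you when you click through the rule and remediation pages; seeing them spelled out makes the RESOURCE_ID to BucketName mapping and the automatic/manual switch explicit, and they can go straight into a CLI call or a CloudFormation template. The role in AutomationAssumeRole is the part most often missed: if it cannot be assumed by SSM or lacks s3:PutBucketVersioning, the rule still reports the bucket as non-compliant but every remediation attempt fails.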

Conclusion

AWS Config is a powerful service for keeping your AWS resources compliant with your organization's policies. With auto-remediation attached to a rule, a standard like S3 bucket versioning is enforced continuously: every new or changed bucket is evaluated, and a non-compliant one is fixed without anyone checking it by hand. This saves time and shortens the window in which a non-compliant resource goes unnoticed.