Automating Remediation Actions on AWS Resources
Automating remediation actions on cloud resources is a vital process for maintaining compliance and enforcing security best practices. In this guide, I'll show you how to automate remediation actions on AWS resources using Pulumi's AWS provider, for a scenario where a remediation action must run whenever an AWS Config rule evaluates a resource as non-compliant.
Pulumi and AWS Config
AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. It continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.
One of the key features of AWS Config is the ability to create, manage, and execute remediation actions when a resource is found to be non-compliant. For example, if an S3 bucket is found to be publicly accessible and this violates your compliance rules, AWS Config can trigger a remediation action to modify the bucket's policy and block public access.
To achieve this with Pulumi, we will use two main resources:
aws.cfg.Rule: defines an AWS Config rule that specifies the desired configuration for a resource type. Note that in the Pulumi AWS provider the Config module is named cfg, not config, so the Python class is aws.cfg.Rule.
aws.cfg.RemediationConfiguration: defines the remediation action to take when a resource is found to be non-compliant with the associated AWS Config rule.
Let's create a Pulumi program that sets up a simple AWS Config rule to check for publicly accessible S3 buckets and a remediation action that will make the bucket private if it's found to be public.
```python
import pulumi
import pulumi_aws as aws

# AWS-managed Config rule that flags S3 buckets allowing public read access
# (through the bucket ACL, the bucket policy, or missing Block Public Access).
public_read_prohibited = aws.cfg.Rule(
    "publicReadProhibited",
    source=aws.cfg.RuleSourceArgs(
        owner="AWS",
        source_identifier="S3_BUCKET_PUBLIC_READ_PROHIBITED",
    ),
)

# Remediation action tied to the rule: run an SSM Automation document against
# each non-compliant bucket. Parameters are a list of named entries;
# resource_value="RESOURCE_ID" injects the non-compliant bucket's name, and
# static_value passes a literal.
remediation_configuration = aws.cfg.RemediationConfiguration(
    "s3PublicReadRemediation",
    config_rule_name=public_read_prohibited.name,
    resource_type="AWS::S3::Bucket",
    target_type="SSM_DOCUMENT",
    target_id="AWS-S3-SetBucketAcl",
    target_version="1",
    parameters=[
        aws.cfg.RemediationConfigurationParameterArgs(
            name="BucketName",
            resource_value="RESOURCE_ID",
        ),
        aws.cfg.RemediationConfigurationParameterArgs(
            name="Acl",
            static_value="private",
        ),
    ],
    # Run the remediation without manual approval whenever a bucket is
    # evaluated as non-compliant, and bound the retries so a failing
    # automation does not loop indefinitely.
    automatic=True,
    maximum_automatic_attempts=5,
    retry_attempt_seconds=60,
)

# Export the names of the AWS Config rule and remediation action
pulumi.export("config_rule_name", public_read_prohibited.name)
pulumi.export("remediation_configuration_name", remediation_configuration.name)
```
Explanation
In the program above, we start by importing Pulumi's AWS package. We then define an AWS Config rule that uses the predefined identifier S3_BUCKET_PUBLIC_READ_PROHIBITED, the AWS-managed rule that flags S3 buckets allowing public read access through their ACL, their bucket policy, or both.

Next, we define a remediation configuration tied to that rule. We specify AWS::S3::Bucket as the resource type and AWS-S3-SetBucketAcl as the target ID, the SSM Automation document used here to set a bucket ACL. Each parameter is passed by name: BucketName takes the resource value RESOURCE_ID, so AWS Config substitutes the name of each non-compliant bucket at run time, and Acl takes the static value private, which drops the public grants from the bucket's ACL.

We also set the automatic parameter to True, so the remediation runs without manual intervention whenever AWS Config detects a non-compliant bucket. AWS Config additionally lets you bound automatic runs with maximum_automatic_attempts and retry_attempt_seconds, so that an automation that keeps failing does not retry indefinitely. Finally, we export the names of the AWS Config rule and remediation configuration for easy reference.

Three things to verify before deploying this as-is. First, confirm that the SSM document and its parameter names exist in your account and region (the SSM console lists the AWS-owned Automation documents). AWS-owned Automation documents generally take an AutomationAssumeRole parameter naming an IAM role that SSM can assume and that is allowed to call s3:PutBucketAcl on the target buckets; if the role is missing or under-privileged, the automation fails and the bucket stays non-compliant. Second, resetting the ACL removes only public ACL grants. The managed rule also evaluates the bucket policy and the Block Public Access settings, so a bucket made public by a policy statement with Principal "*" remains non-compliant after this remediation; for that case, enable S3 Block Public Access on the bucket or use a document that removes the public policy. Third, an automatic remediation that silently rewrites ACLs can break a bucket that is intentionally public (static website hosting, for example), so start with automatic=False, which lets you trigger the remediation manually from the Config console and review the result, and narrow the rule with a scope (by tag or resource ID) before switching automation on.
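To make the second caveat concrete, here is an added example (not code from the original page or from Pulumi) that models locally what S3_BUCKET_PUBLIC_READ_PROHIBITED evaluates, per the AWS documentation of the rule, and then applies an ACL-only remediation to a few constructed buckets. The bucket model, the policy-evaluation shortcut (wildcard principal plus a read action, Condition blocks ignored) and the sample data are assumptions of this illustration, not the rule's real implementation; the point it shows is which buckets stay non-compliant after the ACL is reset.

```python
"""Illustrative model of the managed rule S3_BUCKET_PUBLIC_READ_PROHIBITED and of an
ACL-only remediation. Example code, not the rule's implementation."""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEES = {ALL_USERS, AUTH_USERS}
OWNER = "bucket-owner"  # placeholder grantee standing in for the bucket owner
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:Get*", "s3:*", "*"}


@dataclass
class Bucket:
    name: str
    acl_grants: List[Tuple[str, str]]       # (grantee, permission) pairs from the ACL
    policy: Optional[dict] = None           # bucket policy document, or None
    ignore_public_acls: bool = False        # Block Public Access: IgnorePublicAcls
    restrict_public_buckets: bool = False   # Block Public Access: RestrictPublicBuckets


def acl_allows_public_read(bucket: Bucket) -> bool:
    return any(g in PUBLIC_GRANTEES and p in ("READ", "FULL_CONTROL")
               for g, p in bucket.acl_grants)


def _is_wildcard_principal(principal) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_allows_public_read(bucket: Bucket) -> bool:
    # Simplification (assumption): any Allow statement with a wildcard principal
    # and a read action is treated as public. Condition blocks are ignored, so
    # this over-reports rather than under-reports compared with AWS's own check.
    for stmt in (bucket.policy or {}).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a in READ_ACTIONS for a in actions):
            return True
    return False


def evaluate(bucket: Bucket) -> str:
    # Documented rule logic: compliant only when public policies are blocked or
    # absent AND public ACLs are ignored or absent.
    policy_ok = bucket.restrict_public_buckets or not policy_allows_public_read(bucket)
    acl_ok = bucket.ignore_public_acls or not acl_allows_public_read(bucket)
    return "COMPLIANT" if policy_ok and acl_ok else "NON_COMPLIANT"


def remediate_set_acl_private(bucket: Bucket) -> Bucket:
    # What an ACL-only remediation does: the canned "private" ACL leaves only the
    # owner's FULL_CONTROL grant. Bucket policy and BPA settings are untouched.
    return replace(bucket, acl_grants=[(OWNER, "FULL_CONTROL")])


def remediation_report(buckets) -> dict:
    """Return {bucket name: (before, after)} compliance for an ACL-only remediation."""
    return {b.name: (evaluate(b), evaluate(remediate_set_acl_private(b))) for b in buckets}


PUBLIC_READ_POLICY = {  # constructed sample policy
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example/*"}],
}

SAMPLE_BUCKETS = [  # constructed sample data, not real buckets
    Bucket("acl-public", [(OWNER, "FULL_CONTROL"), (ALL_USERS, "READ")]),
    Bucket("policy-public", [(OWNER, "FULL_CONTROL")], policy=PUBLIC_READ_POLICY),
    Bucket("bpa-protected", [(ALL_USERS, "READ")], policy=PUBLIC_READ_POLICY,
           ignore_public_acls=True, restrict_public_buckets=True),
    Bucket("private", [(OWNER, "FULL_CONTROL")]),
]

if __name__ == "__main__":
    for name, (before, after) in remediation_report(SAMPLE_BUCKETS).items():
        print(f"{name:15} before={before:14} after={after}")
```

Running it shows that acl-public is fixed by the ACL reset, while policy-public stays NON_COMPLIANT because its public access comes from the bucket policy, which the SetBucketAcl remediation never touches; bpa-protected is compliant throughout because Block Public Access overrides both the ACL and the policy.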
This simple Pulumi program sets the groundwork for your compliance and remediation process, enforcing best practices and maintaining security across your AWS resources.