ConfigService / Client / put_remediation_configurations

put_remediation_configurations#

ConfigService.Client.put_remediation_configurations(**kwargs)#

Adds or updates the remediation configuration with a specific Config rule with the selected target or action. The API creates the RemediationConfiguration object for the Config rule. The Config rule must already exist for you to add a remediation configuration. The target (SSM document) must exist and have permissions to use the target.

Note

Be aware of backward incompatible changes

If you make backward incompatible changes to the SSM document, you must call this again to ensure the remediations can run.

This API does not support adding remediation configurations for service-linked Config Rules such as Organization Config rules, the rules deployed by conformance packs, and rules deployed by Amazon Web Services Security Hub.

Note

Required fields

For manual remediation configuration, you need to provide a value for automationAssumeRole or use a value in the ``assumeRole``field to remediate your resources. The SSM automation document can use either as long as it maps to a valid parameter.

However, for automatic remediation configuration, the only valid assumeRole field value is AutomationAssumeRole and you need to provide a value for AutomationAssumeRole to remediate your resources.

Note

Auto remediation can be initiated even for compliant resources

If you enable auto remediation for a specific Config rule using the PutRemediationConfigurations API or the Config console, it initiates the remediation process for all non-compliant resources for that specific rule. The auto remediation process relies on the compliance data snapshot which is captured on a periodic basis. Any non-compliant resource that is updated between the snapshot schedule will continue to be remediated based on the last known compliance data snapshot.

This means that in some cases auto remediation can be initiated even for compliant resources, since the bootstrap processor uses a database that can have stale evaluation results based on the last known compliance data snapshot.

See also: AWS API Documentation

Request Syntax

response = client.put_remediation_configurations(
    RemediationConfigurations=[
        {
            'ConfigRuleName': 'string',
            'TargetType': 'SSM_DOCUMENT',
            'TargetId': 'string',
            'TargetVersion': 'string',
            'Parameters': {
                'string': {
                    'ResourceValue': {
                        'Value': 'RESOURCE_ID'
                    },
                    'StaticValue': {
                        'Values': [
                            'string',
                        ]
                    }
                }
            },
            'ResourceType': 'string',
            'Automatic': True|False,
            'ExecutionControls': {
                'SsmControls': {
                    'ConcurrentExecutionRatePercentage': 123,
                    'ErrorPercentage': 123
                }
            },
            'MaximumAutomaticAttempts': 123,
            'RetryAttemptSeconds': 123,
            'Arn': 'string',
            'CreatedByService': 'string'
        },
    ]
)
Parameters:

RemediationConfigurations (list) –

[REQUIRED]

A list of remediation configuration objects.

  • (dict) –

    An object that represents the details about the remediation configuration that includes the remediation action, parameters, and data to execute the action.

    • ConfigRuleName (string) – [REQUIRED]

      The name of the Config rule.

    • TargetType (string) – [REQUIRED]

      The type of the target. Target executes remediation. For example, SSM document.

    • TargetId (string) – [REQUIRED]

      Target ID is the name of the SSM document.

    • TargetVersion (string) –

      Version of the target. For example, version of the SSM document.

      Note

      If you make backward incompatible changes to the SSM document, you must call PutRemediationConfiguration API again to ensure the remediations can run.

    • Parameters (dict) –

      An object of the RemediationParameterValue.

      • (string) –

        • (dict) –

          The value is either a dynamic (resource) value or a static value. You must select either a dynamic value or a static value.

          • ResourceValue (dict) –

            The value is dynamic and changes at run-time.

            • Value (string) – [REQUIRED]

              The value is a resource ID.

          • StaticValue (dict) –

            The value is static and does not change at run-time.

            • Values (list) – [REQUIRED]

              A list of values. For example, the ARN of the assumed role.

              • (string) –

    • ResourceType (string) –

      The type of a resource.

    • Automatic (boolean) –

      The remediation is triggered automatically.

    • ExecutionControls (dict) –

      An ExecutionControls object.

      • SsmControls (dict) –

        A SsmControls object.

        • ConcurrentExecutionRatePercentage (integer) –

          The maximum percentage of remediation actions allowed to run in parallel on the non-compliant resources for that specific rule. You can specify a percentage, such as 10%. The default value is 10.

        • ErrorPercentage (integer) –

          The percentage of errors that are allowed before SSM stops running automations on non-compliant resources for that specific rule. You can specify a percentage of errors, for example 10%. If you do not specifiy a percentage, the default is 50%. For example, if you set the ErrorPercentage to 40% for 10 non-compliant resources, then SSM stops running the automations when the fifth error is received.

    • MaximumAutomaticAttempts (integer) –

      The maximum number of failed attempts for auto-remediation. If you do not select a number, the default is 5.

      For example, if you specify MaximumAutomaticAttempts as 5 with RetryAttemptSeconds as 50 seconds, Config will put a RemediationException on your behalf for the failing resource after the 5th failed attempt within 50 seconds.

    • RetryAttemptSeconds (integer) –

      Time window to determine whether or not to add a remediation exception to prevent infinite remediation attempts. If MaximumAutomaticAttempts remediation attempts have been made under RetryAttemptSeconds, a remediation exception will be added to the resource. If you do not select a number, the default is 60 seconds.

      For example, if you specify RetryAttemptSeconds as 50 seconds and MaximumAutomaticAttempts as 5, Config will run auto-remediations 5 times within 50 seconds before adding a remediation exception to the resource.

    • Arn (string) –

      Amazon Resource Name (ARN) of remediation configuration.

    • CreatedByService (string) –

      Name of the service that owns the service-linked rule, if applicable.

Return type:

dict

Returns:

Response Syntax

{
    'FailedBatches': [
        {
            'FailureMessage': 'string',
            'FailedItems': [
                {
                    'ConfigRuleName': 'string',
                    'TargetType': 'SSM_DOCUMENT',
                    'TargetId': 'string',
                    'TargetVersion': 'string',
                    'Parameters': {
                        'string': {
                            'ResourceValue': {
                                'Value': 'RESOURCE_ID'
                            },
                            'StaticValue': {
                                'Values': [
                                    'string',
                                ]
                            }
                        }
                    },
                    'ResourceType': 'string',
                    'Automatic': True|False,
                    'ExecutionControls': {
                        'SsmControls': {
                            'ConcurrentExecutionRatePercentage': 123,
                            'ErrorPercentage': 123
                        }
                    },
                    'MaximumAutomaticAttempts': 123,
                    'RetryAttemptSeconds': 123,
                    'Arn': 'string',
                    'CreatedByService': 'string'
                },
            ]
        },
    ]
}

Response Structure

  • (dict) –

    • FailedBatches (list) –

      Returns a list of failed remediation batch objects.

      • (dict) –

        List of each of the failed remediations with specific reasons.

        • FailureMessage (string) –

          Returns a failure message. For example, the resource is already compliant.

        • FailedItems (list) –

          Returns remediation configurations of the failed items.

          • (dict) –

            An object that represents the details about the remediation configuration that includes the remediation action, parameters, and data to execute the action.

            • ConfigRuleName (string) –

              The name of the Config rule.

            • TargetType (string) –

              The type of the target. Target executes remediation. For example, SSM document.

            • TargetId (string) –

              Target ID is the name of the SSM document.

            • TargetVersion (string) –

              Version of the target. For example, version of the SSM document.

              Note

              If you make backward incompatible changes to the SSM document, you must call PutRemediationConfiguration API again to ensure the remediations can run.

            • Parameters (dict) –

              An object of the RemediationParameterValue.

              • (string) –

                • (dict) –

                  The value is either a dynamic (resource) value or a static value. You must select either a dynamic value or a static value.

                  • ResourceValue (dict) –

                    The value is dynamic and changes at run-time.

                    • Value (string) –

                      The value is a resource ID.

                  • StaticValue (dict) –

                    The value is static and does not change at run-time.

                    • Values (list) –

                      A list of values. For example, the ARN of the assumed role.

                      • (string) –

            • ResourceType (string) –

              The type of a resource.

            • Automatic (boolean) –

              The remediation is triggered automatically.

            • ExecutionControls (dict) –

              An ExecutionControls object.

              • SsmControls (dict) –

                A SsmControls object.

                • ConcurrentExecutionRatePercentage (integer) –

                  The maximum percentage of remediation actions allowed to run in parallel on the non-compliant resources for that specific rule. You can specify a percentage, such as 10%. The default value is 10.

                • ErrorPercentage (integer) –

                  The percentage of errors that are allowed before SSM stops running automations on non-compliant resources for that specific rule. You can specify a percentage of errors, for example 10%. If you do not specifiy a percentage, the default is 50%. For example, if you set the ErrorPercentage to 40% for 10 non-compliant resources, then SSM stops running the automations when the fifth error is received.

            • MaximumAutomaticAttempts (integer) –

              The maximum number of failed attempts for auto-remediation. If you do not select a number, the default is 5.

              For example, if you specify MaximumAutomaticAttempts as 5 with RetryAttemptSeconds as 50 seconds, Config will put a RemediationException on your behalf for the failing resource after the 5th failed attempt within 50 seconds.

            • RetryAttemptSeconds (integer) –

              Time window to determine whether or not to add a remediation exception to prevent infinite remediation attempts. If MaximumAutomaticAttempts remediation attempts have been made under RetryAttemptSeconds, a remediation exception will be added to the resource. If you do not select a number, the default is 60 seconds.

              For example, if you specify RetryAttemptSeconds as 50 seconds and MaximumAutomaticAttempts as 5, Config will run auto-remediations 5 times within 50 seconds before adding a remediation exception to the resource.

            • Arn (string) –

              Amazon Resource Name (ARN) of remediation configuration.

            • CreatedByService (string) –

              Name of the service that owns the service-linked rule, if applicable.

Exceptions