Concepts
Automation runbooks in AWS Systems Manager define a sequence of steps that perform various actions on your AWS resources. These runbooks can be triggered manually or automatically and can include tasks such as patching instances, updating AMIs, or applying configuration changes.
AWS Config Rules
AWS Config rules evaluate the configuration of AWS resources in your account. Rules can be managed (pre-built rules provided by AWS) or custom (backed by a Lambda function or a Guard policy). AWS Config evaluates a resource against the applicable rules whenever a recorded configuration change is detected and, for periodic rules, on a schedule, and marks the resource COMPLIANT or NON_COMPLIANT.
Integrating AWS Config with AWS Systems Manager Automation
When you combine AWS Config with AWS Systems Manager Automation, you get a practical tool for compliance enforcement. AWS Config monitors configurations and, when a resource is evaluated as non-compliant, can start an Automation runbook to bring it back to the desired state. AWS Config exposes this directly as a remediation action on a rule (automatic or manual), and the same compliance change is also published as an EventBridge event that can start a runbook.
Steps to Integrate AWS Config with AWS Systems Manager Automation
- Enable AWS Config:
- Turn on the configuration recorder for the resource types you care about; a rule can only evaluate resources that AWS Config records.
- Set up an AWS Config Rule:
- Determine the configurations that you want to enforce and set up an AWS Config rule. You can use AWS managed rules or create custom rules using AWS Lambda.
- Create an AWS Systems Manager Automation Runbook (Automation document):
- Define an Automation runbook in AWS Systems Manager that outlines the steps to take when the rule is violated. Declare the resource ID as a runbook parameter and an AutomationAssumeRole parameter; Systems Manager assumes that IAM role to perform the actions, so its policy should be scoped to exactly the API calls the runbook makes.
- Configure AWS Config to Trigger the Automation Runbook:
- Preferred: attach the runbook to the rule as a remediation action (console, PutRemediationConfigurations, or an AWS::Config::RemediationConfiguration resource). Map the evaluated resource's ID (RESOURCE_ID) to the runbook's resource parameter and pass the assume role ARN as a static value. Automatic remediation runs without approval, so start with manual remediation or a non-production account until the runbook is trusted.
- Alternative: create an EventBridge (formerly CloudWatch Events) rule that matches events from source aws.config with detail-type "Config Rules Compliance Change" and has the Systems Manager Automation runbook as its target (or a Lambda function that calls StartAutomationExecution). AWS Config can also publish the same notifications to an SNS topic, but SNS is for alerting people; it is not what EventBridge listens to.
Example Automation Runbook Scenario
Suppose you want to ensure that all EC2 instances are using a specific type of EBS volume, and if not, they should be automatically updated to use the desired type.
- Define an AWS Config Rule:
- A custom AWS Config rule checks whether EC2 instances are using the specified EBS volume type.
- Create an AWS Systems Manager Automation Runbook (UpdateVolumeType):
- The Automation runbook takes the non-compliant volume's ID and calls ec2:ModifyVolume to change it to the desired type (note that EBS allows only one modification per volume in a six-hour window, so the runbook should tolerate a volume that is still being modified).
- Configure the Trigger:
- Attach UpdateVolumeType to the rule as a remediation action, mapping RESOURCE_ID to the runbook's VolumeId parameter and supplying the assume role ARN, or
- Create an EventBridge rule for "Config Rules Compliance Change" events from this rule whose compliance type is NON_COMPLIANT and give it the UpdateVolumeType runbook as its target, so it executes against the non-compliant resource.
- Optionally configure AWS Config to send notifications to an SNS topic so operators are told which resources were remediated.
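The steps above and the UpdateVolumeType scenario, as an added example that is not code from the original article: the runbook content, the least-privilege policy for its assume role, the remediation configuration that AWS Config would be given, and the filter an EventBridge-style handler applies to a "Config Rules Compliance Change" event before starting the runbook. Everything is modelled as plain Python data so it runs offline with no AWS credentials. Assumptions: the custom rule is named ebs-volume-type-check and evaluates AWS::EC2::Volume resources (so RESOURCE_ID is a volume ID), the desired type is gp3, and the account ID and role ARN are placeholders.

```python
"""Config -> Systems Manager Automation remediation, modelled offline.
Added example; rule name, role ARN, account ID and sample event are assumed."""
import json
import re

DESIRED_VOLUME_TYPE = "gp3"
RULE_NAME = "ebs-volume-type-check"                                   # assumed rule name
ASSUME_ROLE = "arn:aws:iam::123456789012:role/UpdateVolumeTypeRole"   # placeholder ARN
VOLUME_ID_PATTERN = "^vol-[0-9a-f]{8,17}$"

# Automation runbook (schemaVersion 0.3). A single aws:executeAwsApi step calls
# ec2:ModifyVolume; Config passes the non-compliant volume's ID in VolumeId.
RUNBOOK = {
    "schemaVersion": "0.3",
    "description": "Change an EBS volume to the required volume type.",
    "assumeRole": "{{ AutomationAssumeRole }}",
    "parameters": {
        "VolumeId": {"type": "String", "allowedPattern": VOLUME_ID_PATTERN},
        "VolumeType": {"type": "String", "default": DESIRED_VOLUME_TYPE,
                       "allowedValues": ["gp2", "gp3", "io1", "io2"]},
        "AutomationAssumeRole": {"type": "String"},
    },
    "mainSteps": [{
        "name": "modifyVolume",
        "action": "aws:executeAwsApi",
        "inputs": {"Service": "ec2", "Api": "ModifyVolume",
                   "VolumeId": "{{ VolumeId }}", "VolumeType": "{{ VolumeType }}"},
        "outputs": [{"Name": "State", "Type": "String",
                     "Selector": "$.VolumeModification.ModificationState"}],
    }],
}

# Permissions policy for UpdateVolumeTypeRole (its trust policy must allow
# ssm.amazonaws.com to assume it). Scoped to volumes in the placeholder account only.
ASSUME_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:ModifyVolume", "ec2:DescribeVolumesModifications"],
        "Resource": "arn:aws:ec2:*:123456789012:volume/*",
    }],
}

# The structure handed to PutRemediationConfigurations: RESOURCE_ID is the
# evaluated resource's ID, the role ARN is static, Automatic=True needs no approval.
REMEDIATION_CONFIGURATION = {
    "ConfigRuleName": RULE_NAME,
    "TargetType": "SSM_DOCUMENT",
    "TargetId": "UpdateVolumeType",
    "Parameters": {
        "VolumeId": {"ResourceValue": {"Value": "RESOURCE_ID"}},
        "AutomationAssumeRole": {"StaticValue": {"Values": [ASSUME_ROLE]}},
    },
    "Automatic": True,
    "MaximumAutomaticAttempts": 3,
    "RetryAttemptSeconds": 600,   # EBS rejects back-to-back modifications, so wait
}


def runbook_json():
    """JSON form of the runbook, the content string given to CreateDocument."""
    return json.dumps(RUNBOOK, indent=2)


def remediation_parameters_ok(runbook=RUNBOOK, remediation=REMEDIATION_CONFIGURATION):
    """True when every runbook parameter without a default is supplied by Config."""
    required = {name for name, p in runbook["parameters"].items() if "default" not in p}
    return required <= set(remediation["Parameters"])


def plan_remediation(event, rule_name=RULE_NAME, role_arn=ASSUME_ROLE):
    """Filter a 'Config Rules Compliance Change' event the way an EventBridge rule
    would, and return the StartAutomationExecution request, or None if nothing
    should run (wrong source, other rule, compliant result, malformed ID)."""
    if event.get("source") != "aws.config":
        return None
    if event.get("detail-type") != "Config Rules Compliance Change":
        return None
    detail = event.get("detail", {})
    if detail.get("configRuleName") != rule_name:
        return None
    if detail.get("resourceType") != "AWS::EC2::Volume":
        return None
    if detail.get("newEvaluationResult", {}).get("complianceType") != "NON_COMPLIANT":
        return None
    volume_id = detail.get("resourceId", "")
    if not re.fullmatch(VOLUME_ID_PATTERN, volume_id):   # never pass unchecked input on
        return None
    # Automation parameter values are lists of strings.
    return {"DocumentName": "UpdateVolumeType",
            "Parameters": {"VolumeId": [volume_id], "AutomationAssumeRole": [role_arn]}}


# Constructed sample event in the shape AWS Config emits to EventBridge.
SAMPLE_EVENT = {
    "version": "0", "source": "aws.config", "detail-type": "Config Rules Compliance Change",
    "account": "123456789012", "region": "us-east-1",
    "detail": {
        "resourceId": "vol-0123456789abcdef0", "resourceType": "AWS::EC2::Volume",
        "awsRegion": "us-east-1", "awsAccountId": "123456789012",
        "configRuleName": RULE_NAME, "messageType": "ComplianceChangeNotification",
        "newEvaluationResult": {"complianceType": "NON_COMPLIANT"},
        "oldEvaluationResult": {"complianceType": "COMPLIANT"},
    },
}

if __name__ == "__main__":
    print(runbook_json())
    print(json.dumps(plan_remediation(SAMPLE_EVENT), indent=2))
```

With the native remediation action, AWS Config performs the equivalent of plan_remediation itself and retries according to MaximumAutomaticAttempts and RetryAttemptSeconds; the EventBridge path is worth keeping in mind when you need to add conditions Config's mapping cannot express, such as ignoring resources carrying an exemption tag.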
Conclusion
By leveraging AWS Systems Manager Automation runbooks with AWS Config rules, organizations can automate the enforcement of compliance norms and maintain their resource configurations in the desired state. This automation reduces manual intervention, saves time, enhances security, and helps maintain a strong compliance posture continuously.
Each AWS environment is unique, so the specific configurations, rules, and runbooks will vary based on individual requirements and policies. Nevertheless, the integration of these services is flexible and powerful, enabling a proactive approach to infrastructure management and compliance.
Answer the Questions in Comment Section
True or False: AWS Systems Manager Automation runbooks can only be triggered manually and cannot be integrated with AWS Config rules.
False
AWS Systems Manager Automation runbooks can be integrated with AWS Config rules to automatically take action when specific conditions are met.
Which of the following actions can be automated using AWS Systems Manager Automation runbooks in response to AWS Config rule compliance changes? (Select TWO)
- A) Sending SNS notifications
- B) Deleting non-compliant EC2 instances
- C) Automatically updating IAM policies
- D) Starting or stopping RDS instances
- E) Launching a new EC2 Fleet
A, B
Automation runbooks can publish to SNS and terminate non-compliant instances (the AWS-TerminateEC2Instance runbook does exactly that). The distinction the question draws is weak, though: an aws:executeAwsApi step can make any API call the assume role permits, and the AWS-StartRdsInstance and AWS-StopRdsInstance runbooks exist, so D is also achievable when the Config rule targets RDS resources. What a remediation can do is bounded by the assume role's IAM permissions, not by the service.
True or False: AWS Systems Manager requires an IAM role with specific permissions to execute Automation runbooks in response to AWS Config rules.
True
Systems Manager assumes an IAM role (the AutomationAssumeRole parameter) to run the runbook's steps. The role's trust policy must allow ssm.amazonaws.com to assume it, and its permissions policy should grant only the API calls the runbook makes, on only the resources it should touch; a remediation role with broad permissions is itself a security risk, because a crafted or misfiring compliance event can invoke it.
What is the first step to integrate AWS Systems Manager Automation with AWS Config?
- A) Create a new Systems Manager Automation runbook
- B) Create an AWS Config rule
- C) Enable AWS Config service
- D) Define an IAM role for Systems Manager
C
Before integrating Systems Manager Automation with AWS Config, you need to have AWS Config service enabled, which will then allow you to create rules and remediate them with Systems Manager Automation runbooks.
True or False: You can use AWS Systems Manager to automate the process of patching EC2 instances based on compliance status determined by AWS Config rules.
True
AWS Systems Manager can be used to automate the process of patching EC2 instances that are found to be non-compliant with specific AWS Config rules.
How does AWS Systems Manager execute automated actions in response to AWS Config rule evaluations?
- A) Through AWS Lambda functions
- B) Directly within the AWS Config service
- C) Using Systems Manager Automation runbooks
- D) Through Amazon CloudWatch Events
C
AWS Systems Manager executes automated actions by using Systems Manager Automation runbooks in response to AWS Config rule evaluations.
True or False: AWS Systems Manager Automation runbooks are limited to actions within the region they are created in.
False
AWS Config rules are Regional, and a remediation action attached to a rule runs in that rule's Region. Automation itself is not limited that way: a runbook can be started with target locations that span multiple Regions and accounts (multi-account and multi-Region automation), and a document can be shared with other accounts. The Regional boundary in this integration comes from AWS Config, not from the runbook.
Which service helps to aggregate and manage AWS Config rules and findings across multiple AWS accounts and regions?
- A) AWS Systems Manager
- B) AWS Config Aggregator
- C) AWS CloudTrail
- D) AWS Service Catalog
B
AWS Config Aggregator helps to aggregate and organize AWS Config rules and findings across multiple accounts and regions.
Can you use AWS Systems Manager Automation runbooks to automatically patch on-premises servers identified by AWS Config as non-compliant?
- A) True
- B) False
B
AWS Config evaluates AWS resources, not on-premises servers as such. A hybrid-activated on-premises node is visible to Config only indirectly, as Systems Manager managed-instance inventory (AWS::SSM::ManagedInstanceInventory), so a rule can judge what that inventory reports but there is no direct path in which Config flags the server itself and an Automation runbook patches it on that basis.
True or False: AWS Systems Manager Automation runbooks are designed to handle complex multistep remediation tasks across AWS services.
True
AWS Systems Manager Automation runbooks are flexible and powerful, enabling the automation of complex and multi-step tasks across a variety of AWS services.
Great article! I found it really helpful to integrate AWS Config rules with AWS Systems Manager Automation runbooks.
I tried following the steps but got stuck at the permissions part. Any advice?
Thanks for sharing this. It clarified a lot of doubts I had about automating compliance checks.
Can we use custom runbooks with AWS Config rules?
How scalable is this solution for a large enterprise?
Does this approach impact the performance of AWS resources?
This is a lifesaver for automating repetitive tasks. Kudos!
I’m concerned about the security implications. Any best practices?