* The Config rule must already exist for you to add a remediation configuration.
40
40
* The target (SSM document) must exist and have permissions to use the target. </p>
41
41
* <note>
42
+
* <p>
43
+
* <b>Be aware of backward incompatible changes</b>
44
+
* </p>
42
45
* <p>If you make backward incompatible changes to the SSM document,
43
46
* you must call this again to ensure the remediations can run.</p>
44
47
* <p>This API does not support adding remediation configurations for service-linked Config Rules such as Organization Config rules,
45
48
* the rules deployed by conformance packs, and rules deployed by Amazon Web Services Security Hub.</p>
46
49
* </note>
47
50
* <note>
51
+
* <p>
52
+
* <b>Required fields</b>
53
+
* </p>
48
54
* <p>For manual remediation configuration, you need to provide a value for <code>automationAssumeRole</code> or use a value in the <code>assumeRole</code>field to remediate your resources. The SSM automation document can use either as long as it maps to a valid parameter.</p>
49
55
* <p>However, for automatic remediation configuration, the only valid <code>assumeRole</code> field value is <code>AutomationAssumeRole</code> and you need to provide a value for <code>AutomationAssumeRole</code> to remediate your resources.</p>
50
56
* </note>
57
+
* <note>
58
+
* <p>
59
+
* <b>Auto remediation can be initiated even for compliant resources</b>
60
+
* </p>
61
+
* <p>If you enable auto remediation for a specific Config rule using the <a href="https://docs.aws.amazon.com/config/latest/APIReference/emAPI_PutRemediationConfigurations.html">PutRemediationConfigurations</a> API or the Config console,
62
+
* it initiates the remediation process for all non-compliant resources for that specific rule.
63
+
* The auto remediation process relies on the compliance data snapshot which is captured on a periodic basis.
64
+
* Any non-compliant resource that is updated between the snapshot schedule will continue to be remediated based on the last known compliance data snapshot.</p>
65
+
* <p>This means that in some cases auto remediation can be initiated even for compliant resources, since the bootstrap processor uses a database that can have stale evaluation results based on the last known compliance data snapshot.</p>
66
+
* </note>
51
67
* @example
52
68
* Use a bare-bones client and the command you need to make an API call.
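Review bot: the href on the newly added `PutRemediationConfigurations` link is `https://docs.aws.amazon.com/config/latest/APIReference/emAPI_PutRemediationConfigurations.html`, which does not follow the `API_<Name>.html` pattern every other API Reference link on this page uses (for example `API_RecordingGroup.html`); the `em` prefix looks like a stray tag fragment and will ship as a dead link. In the same note, "the bootstrap processor uses a database" is internal wording a reader of the public SDK docs cannot act on; suggest stating the consequence directly, e.g. "auto remediation may run on stale evaluation results until the next compliance snapshot", and "updated between the snapshot schedule" reads better as "updated between snapshots". Since this note says a remediation can run against a resource that is already compliant, it is worth tying it to the "Required fields" note above it: the `AutomationAssumeRole` used for automatic remediation should be scoped to exactly what the SSM document needs, because it can be invoked against resources that no longer need changing.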
* <p>A remediation exception is when a specified resource is no longer considered for auto-remediation.
32
32
* This API adds a new exception or updates an existing exception for a specified resource with a specified Config rule. </p>
33
33
* <note>
34
+
* <p>
35
+
* <b>Exceptions block auto remediation</b>
36
+
* </p>
34
37
* <p>Config generates a remediation exception when a problem occurs running a remediation action for a specified resource.
35
38
* Remediation exceptions blocks auto-remediation until the exception is cleared.</p>
36
39
* </note>
37
40
* <note>
41
+
* <p>
42
+
* <b>Manual remediation is recommended when placing an exception</b>
43
+
* </p>
38
44
* <p>When placing an exception on an Amazon Web Services resource, it is recommended that remediation is set as manual remediation until
39
45
* the given Config rule for the specified resource evaluates the resource as <code>NON_COMPLIANT</code>.
40
46
* Once the resource has been evaluated as <code>NON_COMPLIANT</code>, you can add remediation exceptions and change the remediation type back from Manual to Auto if you want to use auto-remediation.
41
47
* Otherwise, using auto-remediation before a <code>NON_COMPLIANT</code> evaluation result can delete resources before the exception is applied.</p>
42
48
* </note>
43
49
* <note>
50
+
* <p>
51
+
* <b>Exceptions can only be performed on non-compliant resources</b>
52
+
* </p>
44
53
* <p>Placing an exception can only be performed on resources that are <code>NON_COMPLIANT</code>.
45
54
* If you use this API for <code>COMPLIANT</code> resources or resources that are <code>NOT_APPLICABLE</code>, a remediation exception will not be generated.
46
55
* For more information on the conditions that initiate the possible Config evaluation results,
47
56
* see <a href="https://docs.aws.amazon.com/config/latest/developerguide/config-concepts.html#aws-config-rules">Concepts | Config Rules</a> in the <i>Config Developer Guide</i>.</p>
48
57
* </note>
58
+
* <note>
59
+
* <p>
60
+
* <b>Auto remediation can be initiated even for compliant resources</b>
61
+
* </p>
62
+
* <p>If you enable auto remediation for a specific Config rule using the <a href="https://docs.aws.amazon.com/config/latest/APIReference/emAPI_PutRemediationConfigurations.html">PutRemediationConfigurations</a> API or the Config console,
63
+
* it initiates the remediation process for all non-compliant resources for that specific rule.
64
+
* The auto remediation process relies on the compliance data snapshot which is captured on a periodic basis.
65
+
* Any non-compliant resource that is updated between the snapshot schedule will continue to be remediated based on the last known compliance data snapshot.</p>
66
+
* <p>This means that in some cases auto remediation can be initiated even for compliant resources, since the bootstrap processor uses a database that can have stale evaluation results based on the last known compliance data snapshot.</p>
67
+
* </note>
49
68
* @example
50
69
* Use a bare-bones client and the command you need to make an API call.
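Review bot: this "Auto remediation can be initiated even for compliant resources" note is a verbatim copy of the one added to `PutRemediationConfigurations`, including the same malformed `emAPI_PutRemediationConfigurations.html` href; fix it in both places (or in the shared model source) so the two copies do not drift. Two smaller points in this hunk: in the unchanged context under the new "Exceptions block auto remediation" heading, "Remediation exceptions blocks auto-remediation" should be "block"; and under "Exceptions can only be performed on non-compliant resources" the text says an exception "will not be generated" for `COMPLIANT` or `NOT_APPLICABLE` resources without saying whether the call fails or succeeds silently. That matters to a caller who depends on the exception to block auto remediation, as the first note describes, so the behaviour should be stated explicitly.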
* <b>Aurora global clusters are recorded in all enabled Regions</b>
2762
2771
* </p>
2763
-
* <p>The <code>AWS::RDS::GlobalCluster</code> resource type will be recorded in all supported Config Regions where the configuration recorder is enabled, even if <code>includeGlobalResourceTypes</code> is not set to <code>true</code>.
2772
+
* <p>The <code>AWS::RDS::GlobalCluster</code> resource type will be recorded in all supported Config Regions where the configuration recorder is enabled, even if <code>includeGlobalResourceTypes</code> is set<code>false</code>.
2764
2773
* The <code>includeGlobalResourceTypes</code> option is a bundle which only applies to IAM users, groups, roles, and customer managed policies.
2765
2774
* </p>
2766
2775
* <p>If you do not want to record <code>AWS::RDS::GlobalCluster</code> in all enabled Regions, use one of the following recording strategies:</p>
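Review bot: the replacement line reads "even if `includeGlobalResourceTypes` is set`false`", dropping "to" and the space before the `<code>` tag; it should read "is set to <code>false</code>". Rewording the old "is not set to true" into the positive form is fine, but the following unchanged sentence ("is a bundle which only applies to IAM users, groups, roles, and customer managed policies") makes the same statement as the new important block added further down; if both stay, keep the wording of the two identical so readers do not wonder whether they describe different behaviour.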
* <p>For more information, see <a href="https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html#select-resources-all">Selecting Which Resources are Recorded</a> in the <i>Config developer guide</i>.</p>
2778
2787
* </important>
2788
+
* <important>
2789
+
* <p>
2790
+
* <b>includeGlobalResourceTypes and the exclusion recording strategy</b>
2791
+
* </p>
2792
+
* <p>The <code>includeGlobalResourceTypes</code> field has no impact on the <code>EXCLUSION_BY_RESOURCE_TYPES</code> recording strategy.
2793
+
* This means that the global IAM resource types (IAM users, groups, roles, and customer managed policies) will
2794
+
* not be automatically added as exclusions for <code>exclusionByResourceTypes</code> when <code>includeGlobalResourceTypes</code> is set to <code>false</code>.</p>
2795
+
* <p>The <code>includeGlobalResourceTypes</code> field should only be used to modify the <code>AllSupported</code> field, as the default for
2796
+
* the <code>AllSupported</code> field is to record configuration changes for all supported resource types excluding the global
2797
+
* IAM resource types. To include the global IAM resource types when <code>AllSupported</code> is set to <code>true</code>, make sure to set <code>includeGlobalResourceTypes</code> to <code>true</code>.</p>
2798
+
* <p>To exclude the global IAM resource types for the <code>EXCLUSION_BY_RESOURCE_TYPES</code> recording strategy, you need to manually add them to the <code>resourceTypes</code> field of <code>exclusionByResourceTypes</code>.</p>
2799
+
* </important>
2779
2800
* <note>
2801
+
* <p>
2802
+
* <b>Required and optional fields</b>
2803
+
* </p>
2780
2804
* <p>Before you set this field to <code>true</code>,
2781
2805
* set the <code>allSupported</code> field of <a href="https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html">RecordingGroup</a> to
2782
2806
* <code>true</code>. Optionally, you can set the <code>useOnly</code> field of <a href="https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html">RecordingStrategy</a> to <code>ALL_SUPPORTED_RESOURCE_TYPES</code>.</p>
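Review bot: the new important block refers to the `AllSupported` field (capital A) three times, while the note immediately below it and the rest of this page use `allSupported` (for example "set the `allSupported` field of RecordingGroup"); use the lowercase name consistently so the text matches the field readers will search for. Also, the "Required and optional fields" heading was placed above a paragraph that begins "Before you set this field to `true`", and with the long important block now sitting between that paragraph and the field it documents, "this field" no longer has a clear antecedent; naming `includeGlobalResourceTypes` there would fix it. The substantive point of the block is worth making sharper: under `EXCLUSION_BY_RESOURCE_TYPES`, setting `includeGlobalResourceTypes` to `false` does not remove IAM users, groups, roles, and customer managed policies from recording, so anyone who expects that flag to control IAM coverage in the exclusion strategy must edit `exclusionByResourceTypes.resourceTypes` instead, exactly as the last sentence says.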
* <p>The name or Amazon Resource Name (ARN) of the SSM document to use to create a conformance pack.
3292
-
* If you use the document name, Config checks only your account and Amazon Web Services Region for the SSM document. If you want to use an SSM document from another Region or account, you must provide the ARN.</p>
3319
+
* If you use the document name, Config checks only your account and Amazon Web Services Region for the SSM document.</p>
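Review bot: this hunk removes the sentence explaining that an ARN is required for an SSM document in another Region or account, but the first sentence still says the field accepts "the name or Amazon Resource Name (ARN)". If cross-Region or cross-account documents are still supported, the removed sentence should stay, since it was the only text telling the reader when the ARN form is needed; if they are no longer supported, the first sentence should say so instead of leaving the ARN case unexplained. The distinction is security-relevant: per the remaining text a bare document name is resolved only in the caller's account and Region, whereas an ARN is what would let a conformance pack pull a document from elsewhere, so the doc should be explicit about which of those the API allows.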