AWS Config

2019/03/13 - AWS Config - 5 new api methods

Changes: Config released Remediation APIs allowing remediation of Config rules.

DescribeRemediationExecutionStatus (new)

Provides a detailed view of a Remediation Execution for a set of resources including state, timestamps for when steps for the remediation execution happen, and any error messages for steps that have failed. When you specify the limit and the next token, you receive a paginated response.

See also: AWS API Documentation

Request Syntax

client.describe_remediation_execution_status(
    ConfigRuleName='string',
    ResourceKeys=[
        {
            'resourceType': 'AWS::EC2::CustomerGateway'|'AWS::EC2::EIP'|'AWS::EC2::Host'|'AWS::EC2::Instance'|'AWS::EC2::InternetGateway'|'AWS::EC2::NetworkAcl'|'AWS::EC2::NetworkInterface'|'AWS::EC2::RouteTable'|'AWS::EC2::SecurityGroup'|'AWS::EC2::Subnet'|'AWS::CloudTrail::Trail'|'AWS::EC2::Volume'|'AWS::EC2::VPC'|'AWS::EC2::VPNConnection'|'AWS::EC2::VPNGateway'|'AWS::IAM::Group'|'AWS::IAM::Policy'|'AWS::IAM::Role'|'AWS::IAM::User'|'AWS::ACM::Certificate'|'AWS::RDS::DBInstance'|'AWS::RDS::DBSubnetGroup'|'AWS::RDS::DBSecurityGroup'|'AWS::RDS::DBSnapshot'|'AWS::RDS::EventSubscription'|'AWS::ElasticLoadBalancingV2::LoadBalancer'|'AWS::S3::Bucket'|'AWS::SSM::ManagedInstanceInventory'|'AWS::Redshift::Cluster'|'AWS::Redshift::ClusterSnapshot'|'AWS::Redshift::ClusterParameterGroup'|'AWS::Redshift::ClusterSecurityGroup'|'AWS::Redshift::ClusterSubnetGroup'|'AWS::Redshift::EventSubscription'|'AWS::CloudWatch::Alarm'|'AWS::CloudFormation::Stack'|'AWS::DynamoDB::Table'|'AWS::AutoScaling::AutoScalingGroup'|'AWS::AutoScaling::LaunchConfiguration'|'AWS::AutoScaling::ScalingPolicy'|'AWS::AutoScaling::ScheduledAction'|'AWS::CodeBuild::Project'|'AWS::WAF::RateBasedRule'|'AWS::WAF::Rule'|'AWS::WAF::WebACL'|'AWS::WAFRegional::RateBasedRule'|'AWS::WAFRegional::Rule'|'AWS::WAFRegional::WebACL'|'AWS::CloudFront::Distribution'|'AWS::CloudFront::StreamingDistribution'|'AWS::WAF::RuleGroup'|'AWS::WAFRegional::RuleGroup'|'AWS::Lambda::Function'|'AWS::ElasticBeanstalk::Application'|'AWS::ElasticBeanstalk::ApplicationVersion'|'AWS::ElasticBeanstalk::Environment'|'AWS::ElasticLoadBalancing::LoadBalancer'|'AWS::XRay::EncryptionConfig'|'AWS::SSM::AssociationCompliance'|'AWS::SSM::PatchCompliance'|'AWS::Shield::Protection'|'AWS::ShieldRegional::Protection'|'AWS::Config::ResourceCompliance'|'AWS::CodePipeline::Pipeline',
            'resourceId': 'string'
        },
    ],
    Limit=123,
    NextToken='string'
)
type ConfigRuleName

string

param ConfigRuleName

[REQUIRED]

A list of config rule names.

type ResourceKeys

list

param ResourceKeys

A list of resource key objects.

  • (dict) --

    The details that identify a resource within AWS Config, including the resource type and resource ID.

    • resourceType (string) -- [REQUIRED]

      The resource type.

    • resourceId (string) -- [REQUIRED]

      The ID of the resource (for example, sg-xxxxxx).

type Limit

integer

param Limit

The maximum number of RemediationExecutionStatuses returned on each page. The default is maximum. If you specify 0, AWS Config uses the default.

type NextToken

string

param NextToken

The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.

rtype

dict

returns

Response Syntax

{
    'RemediationExecutionStatuses': [
        {
            'ResourceKey': {
                'resourceType': 'AWS::EC2::CustomerGateway'|'AWS::EC2::EIP'|'AWS::EC2::Host'|'AWS::EC2::Instance'|'AWS::EC2::InternetGateway'|'AWS::EC2::NetworkAcl'|'AWS::EC2::NetworkInterface'|'AWS::EC2::RouteTable'|'AWS::EC2::SecurityGroup'|'AWS::EC2::Subnet'|'AWS::CloudTrail::Trail'|'AWS::EC2::Volume'|'AWS::EC2::VPC'|'AWS::EC2::VPNConnection'|'AWS::EC2::VPNGateway'|'AWS::IAM::Group'|'AWS::IAM::Policy'|'AWS::IAM::Role'|'AWS::IAM::User'|'AWS::ACM::Certificate'|'AWS::RDS::DBInstance'|'AWS::RDS::DBSubnetGroup'|'AWS::RDS::DBSecurityGroup'|'AWS::RDS::DBSnapshot'|'AWS::RDS::EventSubscription'|'AWS::ElasticLoadBalancingV2::LoadBalancer'|'AWS::S3::Bucket'|'AWS::SSM::ManagedInstanceInventory'|'AWS::Redshift::Cluster'|'AWS::Redshift::ClusterSnapshot'|'AWS::Redshift::ClusterParameterGroup'|'AWS::Redshift::ClusterSecurityGroup'|'AWS::Redshift::ClusterSubnetGroup'|'AWS::Redshift::EventSubscription'|'AWS::CloudWatch::Alarm'|'AWS::CloudFormation::Stack'|'AWS::DynamoDB::Table'|'AWS::AutoScaling::AutoScalingGroup'|'AWS::AutoScaling::LaunchConfiguration'|'AWS::AutoScaling::ScalingPolicy'|'AWS::AutoScaling::ScheduledAction'|'AWS::CodeBuild::Project'|'AWS::WAF::RateBasedRule'|'AWS::WAF::Rule'|'AWS::WAF::WebACL'|'AWS::WAFRegional::RateBasedRule'|'AWS::WAFRegional::Rule'|'AWS::WAFRegional::WebACL'|'AWS::CloudFront::Distribution'|'AWS::CloudFront::StreamingDistribution'|'AWS::WAF::RuleGroup'|'AWS::WAFRegional::RuleGroup'|'AWS::Lambda::Function'|'AWS::ElasticBeanstalk::Application'|'AWS::ElasticBeanstalk::ApplicationVersion'|'AWS::ElasticBeanstalk::Environment'|'AWS::ElasticLoadBalancing::LoadBalancer'|'AWS::XRay::EncryptionConfig'|'AWS::SSM::AssociationCompliance'|'AWS::SSM::PatchCompliance'|'AWS::Shield::Protection'|'AWS::ShieldRegional::Protection'|'AWS::Config::ResourceCompliance'|'AWS::CodePipeline::Pipeline',
                'resourceId': 'string'
            },
            'State': 'QUEUED'|'IN_PROGRESS'|'SUCCEEDED'|'FAILED',
            'StepDetails': [
                {
                    'Name': 'string',
                    'State': 'SUCCEEDED'|'PENDING'|'FAILED',
                    'ErrorMessage': 'string',
                    'StartTime': datetime(2015, 1, 1),
                    'StopTime': datetime(2015, 1, 1)
                },
            ],
            'InvocationTime': datetime(2015, 1, 1),
            'LastUpdatedTime': datetime(2015, 1, 1)
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • RemediationExecutionStatuses (list) --

      Returns a list of remediation execution status objects.

      • (dict) --

        Provides details of the current status of the invoked remediation action for that resource.

        • ResourceKey (dict) --

          The details that identify a resource within AWS Config, including the resource type and resource ID.

          • resourceType (string) --

            The resource type.

          • resourceId (string) --

            The ID of the resource (for example, sg-xxxxxx).

        • State (string) --

          The state of the remediation execution: QUEUED, IN_PROGRESS, SUCCEEDED or FAILED.

        • StepDetails (list) --

          Details of every step.

          • (dict) --

            Name of the step from the SSM document.

            • Name (string) --

              The details of the step.

            • State (string) --

              The valid status of the step.

            • ErrorMessage (string) --

              An error message if the step was interrupted during execution.

            • StartTime (datetime) --

              The time when the step started.

            • StopTime (datetime) --

              The time when the step stopped.

        • InvocationTime (datetime) --

          Start time when the remediation was executed.

        • LastUpdatedTime (datetime) --

          The time when the remediation execution was last updated.

    • NextToken (string) --

      The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.

StartRemediationExecution (new)

Runs an on-demand remediation for the specified AWS Config rules against the last known remediation configuration. It runs an execution against the current state of your resources. Remediation execution is asynchronous.

You can specify up to 100 resource keys per request. An existing StartRemediationExecution call for the specified resource keys must complete before you can call the API again.

See also: AWS API Documentation

Request Syntax

client.start_remediation_execution(
    ConfigRuleName='string',
    ResourceKeys=[
        {
            'resourceType': 'AWS::EC2::CustomerGateway'|'AWS::EC2::EIP'|'AWS::EC2::Host'|'AWS::EC2::Instance'|'AWS::EC2::InternetGateway'|'AWS::EC2::NetworkAcl'|'AWS::EC2::NetworkInterface'|'AWS::EC2::RouteTable'|'AWS::EC2::SecurityGroup'|'AWS::EC2::Subnet'|'AWS::CloudTrail::Trail'|'AWS::EC2::Volume'|'AWS::EC2::VPC'|'AWS::EC2::VPNConnection'|'AWS::EC2::VPNGateway'|'AWS::IAM::Group'|'AWS::IAM::Policy'|'AWS::IAM::Role'|'AWS::IAM::User'|'AWS::ACM::Certificate'|'AWS::RDS::DBInstance'|'AWS::RDS::DBSubnetGroup'|'AWS::RDS::DBSecurityGroup'|'AWS::RDS::DBSnapshot'|'AWS::RDS::EventSubscription'|'AWS::ElasticLoadBalancingV2::LoadBalancer'|'AWS::S3::Bucket'|'AWS::SSM::ManagedInstanceInventory'|'AWS::Redshift::Cluster'|'AWS::Redshift::ClusterSnapshot'|'AWS::Redshift::ClusterParameterGroup'|'AWS::Redshift::ClusterSecurityGroup'|'AWS::Redshift::ClusterSubnetGroup'|'AWS::Redshift::EventSubscription'|'AWS::CloudWatch::Alarm'|'AWS::CloudFormation::Stack'|'AWS::DynamoDB::Table'|'AWS::AutoScaling::AutoScalingGroup'|'AWS::AutoScaling::LaunchConfiguration'|'AWS::AutoScaling::ScalingPolicy'|'AWS::AutoScaling::ScheduledAction'|'AWS::CodeBuild::Project'|'AWS::WAF::RateBasedRule'|'AWS::WAF::Rule'|'AWS::WAF::WebACL'|'AWS::WAFRegional::RateBasedRule'|'AWS::WAFRegional::Rule'|'AWS::WAFRegional::WebACL'|'AWS::CloudFront::Distribution'|'AWS::CloudFront::StreamingDistribution'|'AWS::WAF::RuleGroup'|'AWS::WAFRegional::RuleGroup'|'AWS::Lambda::Function'|'AWS::ElasticBeanstalk::Application'|'AWS::ElasticBeanstalk::ApplicationVersion'|'AWS::ElasticBeanstalk::Environment'|'AWS::ElasticLoadBalancing::LoadBalancer'|'AWS::XRay::EncryptionConfig'|'AWS::SSM::AssociationCompliance'|'AWS::SSM::PatchCompliance'|'AWS::Shield::Protection'|'AWS::ShieldRegional::Protection'|'AWS::Config::ResourceCompliance'|'AWS::CodePipeline::Pipeline',
            'resourceId': 'string'
        },
    ]
)
type ConfigRuleName

string

param ConfigRuleName

[REQUIRED]

The list of names of AWS Config rules that you want to run remediation execution for.

type ResourceKeys

list

param ResourceKeys

[REQUIRED]

A list of resource key objects.

  • (dict) --

    The details that identify a resource within AWS Config, including the resource type and resource ID.

    • resourceType (string) -- [REQUIRED]

      The resource type.

    • resourceId (string) -- [REQUIRED]

      The ID of the resource (for example, sg-xxxxxx).

rtype

dict

returns

Response Syntax

{
    'FailureMessage': 'string',
    'FailedItems': [
        {
            'resourceType': 'AWS::EC2::CustomerGateway'|'AWS::EC2::EIP'|'AWS::EC2::Host'|'AWS::EC2::Instance'|'AWS::EC2::InternetGateway'|'AWS::EC2::NetworkAcl'|'AWS::EC2::NetworkInterface'|'AWS::EC2::RouteTable'|'AWS::EC2::SecurityGroup'|'AWS::EC2::Subnet'|'AWS::CloudTrail::Trail'|'AWS::EC2::Volume'|'AWS::EC2::VPC'|'AWS::EC2::VPNConnection'|'AWS::EC2::VPNGateway'|'AWS::IAM::Group'|'AWS::IAM::Policy'|'AWS::IAM::Role'|'AWS::IAM::User'|'AWS::ACM::Certificate'|'AWS::RDS::DBInstance'|'AWS::RDS::DBSubnetGroup'|'AWS::RDS::DBSecurityGroup'|'AWS::RDS::DBSnapshot'|'AWS::RDS::EventSubscription'|'AWS::ElasticLoadBalancingV2::LoadBalancer'|'AWS::S3::Bucket'|'AWS::SSM::ManagedInstanceInventory'|'AWS::Redshift::Cluster'|'AWS::Redshift::ClusterSnapshot'|'AWS::Redshift::ClusterParameterGroup'|'AWS::Redshift::ClusterSecurityGroup'|'AWS::Redshift::ClusterSubnetGroup'|'AWS::Redshift::EventSubscription'|'AWS::CloudWatch::Alarm'|'AWS::CloudFormation::Stack'|'AWS::DynamoDB::Table'|'AWS::AutoScaling::AutoScalingGroup'|'AWS::AutoScaling::LaunchConfiguration'|'AWS::AutoScaling::ScalingPolicy'|'AWS::AutoScaling::ScheduledAction'|'AWS::CodeBuild::Project'|'AWS::WAF::RateBasedRule'|'AWS::WAF::Rule'|'AWS::WAF::WebACL'|'AWS::WAFRegional::RateBasedRule'|'AWS::WAFRegional::Rule'|'AWS::WAFRegional::WebACL'|'AWS::CloudFront::Distribution'|'AWS::CloudFront::StreamingDistribution'|'AWS::WAF::RuleGroup'|'AWS::WAFRegional::RuleGroup'|'AWS::Lambda::Function'|'AWS::ElasticBeanstalk::Application'|'AWS::ElasticBeanstalk::ApplicationVersion'|'AWS::ElasticBeanstalk::Environment'|'AWS::ElasticLoadBalancing::LoadBalancer'|'AWS::XRay::EncryptionConfig'|'AWS::SSM::AssociationCompliance'|'AWS::SSM::PatchCompliance'|'AWS::Shield::Protection'|'AWS::ShieldRegional::Protection'|'AWS::Config::ResourceCompliance'|'AWS::CodePipeline::Pipeline',
            'resourceId': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    • FailureMessage (string) --

      Returns a failure message. For example, the resource is compliant.

    • FailedItems (list) --

      For resources that have failed to start execution, the API returns a resource key object.

      • (dict) --

        The details that identify a resource within AWS Config, including the resource type and resource ID.

        • resourceType (string) --

          The resource type.

        • resourceId (string) --

          The ID of the resource (for example, sg-xxxxxx).
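
The following is an added example, not part of the AWS documentation: it starts remediation in batches of at most 100 resource keys, follows NextToken through DescribeRemediationExecutionStatus, and reports failed steps as well as resources that never received a status record. `FakeConfigClient`, the resource IDs and the step name `RevokeIngress` are constructed so that the code runs offline; batching the status query by 100 keys is an assumption, since the page states the limit only for StartRemediationExecution.

```python
import time

SG = "AWS::EC2::SecurityGroup"
MAX_KEYS = 100  # per-request limit the page states for StartRemediationExecution
PENDING = ("QUEUED", "IN_PROGRESS")

def start_remediation(client, rule, keys):
    """Start remediation in batches; return (resourceId, reason) for keys that did not start."""
    rejected = []
    for i in range(0, len(keys), MAX_KEYS):
        resp = client.start_remediation_execution(
            ConfigRuleName=rule, ResourceKeys=keys[i:i + MAX_KEYS])
        reason = resp.get("FailureMessage", "")
        rejected += [(k["resourceId"], reason) for k in resp.get("FailedItems", [])]
    return rejected

def fetch_statuses(client, rule, keys):
    """Read every page of execution statuses by following NextToken."""
    statuses = []
    for i in range(0, len(keys), MAX_KEYS):  # assumption: same batch size for status queries
        kwargs = {"ConfigRuleName": rule, "ResourceKeys": keys[i:i + MAX_KEYS]}
        while True:
            page = client.describe_remediation_execution_status(**kwargs)
            statuses += page.get("RemediationExecutionStatuses", [])
            if not page.get("NextToken"):
                break
            kwargs["NextToken"] = page["NextToken"]
    return statuses

def wait_and_report(client, rule, keys, timeout=300, interval=10, sleep=time.sleep):
    """Poll until nothing is QUEUED or IN_PROGRESS (or timeout), then summarise."""
    deadline = time.monotonic() + timeout
    while True:
        statuses = fetch_statuses(client, rule, keys)
        pending = [s["ResourceKey"]["resourceId"] for s in statuses if s["State"] in PENDING]
        if not pending or time.monotonic() >= deadline:
            break
        sleep(interval)
    seen = {s["ResourceKey"]["resourceId"] for s in statuses}
    return {
        "failed_steps": [(s["ResourceKey"]["resourceId"], st["Name"], st.get("ErrorMessage", ""))
                         for s in statuses if s["State"] == "FAILED"
                         for st in s.get("StepDetails", []) if st["State"] == "FAILED"],
        "still_pending": pending,
        # No status record means the execution was never picked up: not remediated.
        "no_status": [k["resourceId"] for k in keys if k["resourceId"] not in seen],
    }

class FakeConfigClient:
    """Constructed stand-in for boto3.client("config") so the example runs offline."""
    def __init__(self):
        self.batch_sizes = []
    def start_remediation_execution(self, ConfigRuleName, ResourceKeys):
        self.batch_sizes.append(len(ResourceKeys))
        bad = [k for k in ResourceKeys if k["resourceId"] == "sg-compliant"]
        return {"FailureMessage": "resource is compliant", "FailedItems": bad} if bad else {}
    def describe_remediation_execution_status(self, ConfigRuleName, ResourceKeys, NextToken=None):
        def st(rid, state, steps=()):
            return {"ResourceKey": {"resourceType": SG, "resourceId": rid},
                    "State": state, "StepDetails": list(steps)}
        if NextToken is None:  # constructed page 1 of 2
            return {"RemediationExecutionStatuses": [st("sg-ok", "SUCCEEDED")], "NextToken": "p2"}
        step = {"Name": "RevokeIngress", "State": "FAILED", "ErrorMessage": "AccessDenied"}
        return {"RemediationExecutionStatuses": [st("sg-bad", "FAILED", [step])]}
```

Against a real account, pass `boto3.client("config")` in place of the stub.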

DescribeRemediationConfigurations (new)

Returns the details of one or more remediation configurations.

See also: AWS API Documentation

Request Syntax

client.describe_remediation_configurations(
    ConfigRuleNames=[
        'string',
    ]
)
type ConfigRuleNames

list

param ConfigRuleNames

[REQUIRED]

A list of AWS Config rule names of remediation configurations for which you want details.

  • (string) --

rtype

dict

returns

Response Syntax

{
    'RemediationConfigurations': [
        {
            'ConfigRuleName': 'string',
            'TargetType': 'SSM_DOCUMENT',
            'TargetId': 'string',
            'TargetVersion': 'string',
            'Parameters': {
                'string': {
                    'ResourceValue': {
                        'Value': 'RESOURCE_ID'
                    },
                    'StaticValue': {
                        'Values': [
                            'string',
                        ]
                    }
                }
            },
            'ResourceType': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    • RemediationConfigurations (list) --

      Returns a remediation configuration object.

      • (dict) --

        An object that represents the details about the remediation configuration that includes the remediation action, parameters, and data to execute the action.

        • ConfigRuleName (string) --

          The name of the AWS Config rule.

        • TargetType (string) --

          The type of the target. Target executes remediation. For example, SSM document.

        • TargetId (string) --

          Public ID is document.

        • TargetVersion (string) --

          Version of the target. For example, version of the SSM document.

        • Parameters (dict) --

          An object of the RemediationParameterValue.

          • (string) --

            • (dict) --

              The value is either a dynamic (resource) value or a static value. You must select either a dynamic value or a static value.

              • ResourceValue (dict) --

                The value is dynamic and changes at run-time.

                • Value (string) --

                  The value is a resource ID.

              • StaticValue (dict) --

                The value is static and does not change at run-time.

                • Values (list) --

                  A list of values. For example, the ARN of the assumed role.

                  • (string) --

        • ResourceType (string) --

          The type of a resource.

DeleteRemediationConfiguration (new)

Deletes the remediation configuration.

See also: AWS API Documentation

Request Syntax

client.delete_remediation_configuration(
    ConfigRuleName='string',
    ResourceType='string'
)
type ConfigRuleName

string

param ConfigRuleName

[REQUIRED]

The name of the AWS Config rule for which you want to delete the remediation configuration.

type ResourceType

string

param ResourceType

The type of a resource.

rtype

dict

returns

Response Syntax

{}

Response Structure

  • (dict) --

PutRemediationConfigurations (new)

Adds or updates the remediation configuration with a specific AWS Config rule with the selected target or action. The API creates the RemediationConfiguration object for the AWS Config rule. The AWS Config rule must already exist for you to add a remediation configuration. The target (SSM document) must exist and have permissions to use the target.

See also: AWS API Documentation

Request Syntax

client.put_remediation_configurations(
    RemediationConfigurations=[
        {
            'ConfigRuleName': 'string',
            'TargetType': 'SSM_DOCUMENT',
            'TargetId': 'string',
            'TargetVersion': 'string',
            'Parameters': {
                'string': {
                    'ResourceValue': {
                        'Value': 'RESOURCE_ID'
                    },
                    'StaticValue': {
                        'Values': [
                            'string',
                        ]
                    }
                }
            },
            'ResourceType': 'string'
        },
    ]
)
type RemediationConfigurations

list

param RemediationConfigurations

[REQUIRED]

A list of remediation configuration objects.

  • (dict) --

    An object that represents the details about the remediation configuration that includes the remediation action, parameters, and data to execute the action.

    • ConfigRuleName (string) -- [REQUIRED]

      The name of the AWS Config rule.

    • TargetType (string) -- [REQUIRED]

      The type of the target. Target executes remediation. For example, SSM document.

    • TargetId (string) -- [REQUIRED]

      Public ID is document.

    • TargetVersion (string) --

      Version of the target. For example, version of the SSM document.

    • Parameters (dict) --

      An object of the RemediationParameterValue.

      • (string) --

        • (dict) --

          The value is either a dynamic (resource) value or a static value. You must select either a dynamic value or a static value.

          • ResourceValue (dict) --

            The value is dynamic and changes at run-time.

            • Value (string) --

              The value is a resource ID.

          • StaticValue (dict) --

            The value is static and does not change at run-time.

            • Values (list) --

              A list of values. For example, the ARN of the assumed role.

              • (string) --

    • ResourceType (string) --

      The type of a resource.

rtype

dict

returns

Response Syntax

{
    'FailedBatches': [
        {
            'FailureMessage': 'string',
            'FailedItems': [
                {
                    'ConfigRuleName': 'string',
                    'TargetType': 'SSM_DOCUMENT',
                    'TargetId': 'string',
                    'TargetVersion': 'string',
                    'Parameters': {
                        'string': {
                            'ResourceValue': {
                                'Value': 'RESOURCE_ID'
                            },
                            'StaticValue': {
                                'Values': [
                                    'string',
                                ]
                            }
                        }
                    },
                    'ResourceType': 'string'
                },
            ]
        },
    ]
}

Response Structure

  • (dict) --

    • FailedBatches (list) --

      Returns a list of failed remediation batch objects.

      • (dict) --

        List of each of the failed remediations with specific reasons.

        • FailureMessage (string) --

          Returns a failure message. For example, the resource is compliant.

        • FailedItems (list) --

          Returns remediation configurations of the failed items.

          • (dict) --

            An object that represents the details about the remediation configuration that includes the remediation action, parameters, and data to execute the action.

            • ConfigRuleName (string) --

              The name of the AWS Config rule.

            • TargetType (string) --

              The type of the target. Target executes remediation. For example, SSM document.

            • TargetId (string) --

              Public ID is document.

            • TargetVersion (string) --

              Version of the target. For example, version of the SSM document.

            • Parameters (dict) --

              An object of the RemediationParameterValue.

              • (string) --

                • (dict) --

                  The value is either a dynamic (resource) value or a static value. You must select either a dynamic value or a static value.

                  • ResourceValue (dict) --

                    The value is dynamic and changes at run-time.

                    • Value (string) --

                      The value is a resource ID.

                  • StaticValue (dict) --

                    The value is static and does not change at run-time.

                    • Values (list) --

                      A list of values. For example, the ARN of the assumed role.

                      • (string) --

            • ResourceType (string) --

              The type of a resource.
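
The following is an added example, not part of the AWS documentation: it reviews RemediationConfiguration objects, as sent to PutRemediationConfigurations or returned by DescribeRemediationConfigurations, before they are applied, checking the required fields and the rule that each parameter carries either a ResourceValue or a StaticValue, and listing IAM role ARNs passed as static values. The rule, document and role names, `FakePutClient`, and the requirement that TargetVersion be set are assumptions of this example.

```python
import re

ROLE_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/.+$")

def lint_remediation_config(cfg):
    """Return findings for one RemediationConfiguration dict (empty list = clean)."""
    findings = []
    for field in ("ConfigRuleName", "TargetType", "TargetId"):  # marked [REQUIRED] above
        if not cfg.get(field):
            findings.append("missing required field " + field)
    if (cfg.get("TargetType") or "SSM_DOCUMENT") != "SSM_DOCUMENT":
        findings.append("unsupported TargetType %r" % cfg["TargetType"])
    if not cfg.get("TargetVersion"):  # review policy of this example, not an API rule
        findings.append("TargetVersion not pinned")
    for name, value in cfg.get("Parameters", {}).items():
        kinds = [k for k in ("ResourceValue", "StaticValue") if k in value]
        if len(kinds) != 1:
            findings.append("parameter %s: set exactly one of ResourceValue/StaticValue" % name)
        elif kinds == ["ResourceValue"] and value["ResourceValue"].get("Value") != "RESOURCE_ID":
            findings.append("parameter %s: ResourceValue.Value must be RESOURCE_ID" % name)
        elif kinds == ["StaticValue"] and not value["StaticValue"].get("Values"):
            findings.append("parameter %s: StaticValue.Values is empty" % name)
    return findings

def static_role_arns(cfg):
    """IAM role ARNs passed as static parameter values, collected for review."""
    return sorted({v for p in cfg.get("Parameters", {}).values()
                   for v in p.get("StaticValue", {}).get("Values", []) if ROLE_ARN.match(v)})

def put_checked(client, configs):
    """Lint first; call the API only if every configuration is clean."""
    problems = {c.get("ConfigRuleName", "?"): f for c in configs
                if (f := lint_remediation_config(c))}
    if problems:
        return {"sent": False, "lint": problems, "rejected": []}
    resp = client.put_remediation_configurations(RemediationConfigurations=configs)
    rejected = [(item["ConfigRuleName"], batch.get("FailureMessage", ""))
                for batch in resp.get("FailedBatches", [])
                for item in batch.get("FailedItems", [])]
    return {"sent": True, "lint": {}, "rejected": rejected}

class FakePutClient:
    """Constructed stub: the service rejects a rule name it does not know."""
    def put_remediation_configurations(self, RemediationConfigurations):
        bad = [c for c in RemediationConfigurations if c["ConfigRuleName"] == "no-such-rule"]
        if not bad:
            return {"FailedBatches": []}
        return {"FailedBatches": [{"FailureMessage": "rule not found", "FailedItems": bad}]}

# Constructed sample configurations (rule, document and role names are made up).
GOOD = {
    "ConfigRuleName": "restricted-ssh", "TargetType": "SSM_DOCUMENT",
    "TargetId": "Example-RevokeIngress", "TargetVersion": "1",
    "Parameters": {
        "GroupId": {"ResourceValue": {"Value": "RESOURCE_ID"}},
        "AutomationAssumeRole": {"StaticValue": {
            "Values": ["arn:aws:iam::123456789012:role/example-remediation"]}}},
    "ResourceType": "AWS::EC2::SecurityGroup"}
BAD = dict(GOOD, ConfigRuleName="restricted-rdp", TargetVersion="", Parameters={
    "GroupId": {"ResourceValue": {"Value": "RESOURCE_ID"},
                "StaticValue": {"Values": ["sg-xxxxxx"]}}})
```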