AWSTemplateFormatVersion: '2010-09-09' Description: Create EIP Auto Remediation using SSM Automation Resources: ConfigRule: Type: 'AWS::Config::ConfigRule' Properties: ConfigRuleName: eip-attached Description: >- Auto remediation configuration to release unattached Elastic IPs. Detection uses a managed AWS Config Rule and remediation is with SSM Automation. Based on https://asecure.cloud/l/auto_remediation/ Scope: ComplianceResourceTypes: - 'AWS::EC2::EIP' Source: Owner: AWS SourceIdentifier: EIP_ATTACHED AutoRemediationEventRule: Type: 'AWS::Events::Rule' Properties: Name: auto-remediate-eip-attached Description: 'auto remediation rule for config rule: eip-attached' State: ENABLED EventPattern: detail-type: - Config Rules Compliance Change source: - aws.config detail: newEvaluationResult: complianceType: - NON_COMPLIANT configRuleARN: - 'Fn::GetAtt': - ConfigRule - Arn Targets: - Id: RemediationAction RoleArn: 'Fn::GetAtt': - AutoRemediationIamRole - Arn Arn: 'Fn::Sub': >- arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:automation-definition/AWS-ReleaseElasticIP InputTransformer: InputPathsMap: eip_allocid: $.detail.resourceId InputTemplate: 'Fn::Sub': >- {"AllocationId":[],"AutomationAssumeRole":["${AutoRemediationIamRole.Arn}"]} AutoRemediationIamRole: Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: - ec2.amazonaws.com - events.amazonaws.com - ssm.amazonaws.com Action: - 'sts:AssumeRole' ManagedPolicyArns: - 'arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole' Policies: - PolicyName: ReleaseElasticIPPermissions PolicyDocument: Statement: - Action: - events:DescribeRule - ec2:ReleaseAddress Effect: Allow Resource: "*" Version: '2012-10-17' AutomationPassRolePolicy: Type: 'AWS::IAM::Policy' Properties: PolicyName: passAutomationRole PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - 'iam:PassRole' Resource: 'Fn::GetAtt': - AutoRemediationIamRole - Arn Roles: - Ref: AutoRemediationIamRole