AWS Cloud Operations Blog
Simplifying remediation using AWS Systems Manager with Amazon Q Developer
In this blog post, we will build a custom Automation document that resolves a non-compliant resource status through AWS Systems Manager Automation. Building an AWS Systems Manager (SSM) document with Amazon Q Developer means creating a JSON or YAML document that defines the desired state of your managed resources in AWS. SSM documents are used to automate common administrative tasks, such as software installation, configuration management, and system maintenance.
Overview of Solution
To help customers meet compliance requirements on the AWS Cloud, this solution shows you how to build the following security controls and workflows:
First, deploy an AWS Config custom rule to evaluate EBS volumes (see the blog post on implementing the Config rule). Amazon Q Developer helps you generate the code needed to create the AWS Config custom rule, and its code suggestions supply the custom rule function logic.
Second, after the AWS Config rule identifies non-compliant findings, use a Systems Manager Automation runbook to resolve them. AWS provides a library of Automation documents for a variety of operational tasks, and you can build, run, and share your own automation runbooks with others on your team or inside your organization.
Lastly, implement the workflow to take remediation actions manually against the identified security or compliance findings and bring the resources back to a compliant status.
Below is a high-level architecture diagram for the solution.
Figure 1: Remediate non-compliant resources using SSM document with Amazon Q Developer
Pre-requisites
- Set up an AWS Identity and Access Management (IAM) role that Automation can assume when it runs workflows that remediate your non-compliant AWS Config rules.
- Configure Automation runbooks to remediate and resolve non-compliant AWS Config rules.
- Use Amazon Q Developer with Cloud9, or install the Amazon Q Developer extension or plugin in your IDE by following the documentation here.
Walkthrough
AWS Config shows how the AWS resources in your account are related to one another and how they were configured in the past, so that you can see how configurations and relationships change over time.
You can use the set of AWS Config managed rules for common compliance scenarios, or create your own rules for custom scenarios. When an AWS resource is found to be non-compliant, you can specify a remediation action through an AWS Systems Manager Automation document.
1. Go to Systems Manager Documents and create an Automation document.
2. Change the runbook name to modifyToGp3, add a description, and select an IAM role with the permissions needed to modify EC2 volumes.
3. Select “Parameters” and “Add a parameter”. Enter “volumeId” for the parameter name and leave the remaining fields at their defaults.
4. Drag the aws:executeScript action onto the canvas.
5. Add a description for the step: “Calls the EC2 modify_volume API to change the volume type to GP3”.
6. Change to the Inputs tab, scroll all the way down to “Additional inputs”, and choose “Add input”. Enter “ parameter: ‘{{volumeId}}’ ”.
7. Open Visual Studio Code and create a new file. Import boto3 and type the script function name.
8. On line 4 type “#modify ebs volume to gp3 based on events parameter”. Amazon Q Developer will offer multiple code suggestions, so you might have to scroll through them to find the appropriate code. Alternatively, start typing the code manually to help Amazon Q Developer generate the appropriate code. The suggestions might not match exactly; choose the one most appropriate for this step.
9. Copy the code from the code editor and paste it into the Script text box of the runbook’s executeScript step.
10. Select “Create runbook”. Then go to the Config rule created in the blog post on implementing the Config rule, select Actions, and select Manage remediation. Next, select the runbook we just created, “modifyToGp3”.
11. Scroll down and select volumeId under the Resource ID parameter. Select it again even if it is already populated.
12. Select Save changes.
13. Select the non-compliant EBS volume from your AWS Config rule and select “Remediate”.
14. You should see the EBS volume updated to GP3 and its status changed to “Compliant”.
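The script that steps 7 to 9 have Amazon Q Developer generate is not reproduced in the post. The following is an added example of what that aws:executeScript handler can look like; it is not code from the post or from Amazon Q Developer. It assumes the InputPayload key entered under “Additional inputs” in step 6 is named volumeId (the key must match whatever you typed there), adds a describe-before-modify check so that re-running the remediation on an already compliant volume is a no-op, and takes an optional ec2 argument only so that the module can be exercised offline with the constructed FakeEc2Client below. Inside Systems Manager, boto3 is available and the handler is called as script_handler(events, context).

```python
"""aws:executeScript handler for the modifyToGp3 runbook (added example).

Systems Manager calls script_handler(events, context); `events` carries the
InputPayload entered under "Additional inputs" in the runbook step. This
example assumes that payload key is named volumeId (assumption: it must
match the key you typed in step 6).
"""


def _default_ec2_client():
    # Imported lazily so the module loads (and the offline demo runs) without
    # boto3 installed; inside an SSM Automation step boto3 is always present.
    import boto3

    return boto3.client("ec2")


def script_handler(events, context, ec2=None):
    """Move one EBS volume to gp3 and report what was done.

    The returned dict becomes the step's output payload in SSM.
    """
    if ec2 is None:
        ec2 = _default_ec2_client()

    volume_id = events.get("volumeId")
    if not isinstance(volume_id, str) or not volume_id.startswith("vol-"):
        # Fail the step instead of calling the API with a bad value; the id
        # comes from Config's Resource ID mapping (step 11), so this is a wiring error.
        raise ValueError("events['volumeId'] must be an EBS volume id, got %r" % (volume_id,))

    current = ec2.describe_volumes(VolumeIds=[volume_id])["Volumes"][0]
    if current["VolumeType"] == "gp3":
        # Idempotent: remediating an already compliant volume changes nothing.
        return {"volumeId": volume_id, "action": "skipped", "volumeType": "gp3"}

    resp = ec2.modify_volume(VolumeId=volume_id, VolumeType="gp3")
    mod = resp["VolumeModification"]
    return {
        "volumeId": volume_id,
        "action": "modified",
        "previousVolumeType": current["VolumeType"],
        "modificationState": mod["ModificationState"],
    }


class FakeEc2Client:
    """Constructed stand-in for boto3's EC2 client, for offline demonstration only."""

    def __init__(self, volumes):
        self.volumes = dict(volumes)  # volume id -> current volume type
        self.modify_calls = []        # records every ModifyVolume call made

    def describe_volumes(self, VolumeIds):
        return {
            "Volumes": [{"VolumeId": v, "VolumeType": self.volumes[v]} for v in VolumeIds]
        }

    def modify_volume(self, VolumeId, VolumeType):
        self.modify_calls.append((VolumeId, VolumeType))
        original = self.volumes[VolumeId]
        self.volumes[VolumeId] = VolumeType
        # Same top-level shape as the real ModifyVolume response.
        return {
            "VolumeModification": {
                "VolumeId": VolumeId,
                "ModificationState": "modifying",
                "OriginalVolumeType": original,
                "TargetVolumeType": VolumeType,
            }
        }


if __name__ == "__main__":
    # Constructed sample inventory: one gp2 volume (non-compliant), one already gp3.
    fake = FakeEc2Client({"vol-0123456789abcdef0": "gp2", "vol-0fedcba987654321f": "gp3"})
    print(script_handler({"volumeId": "vol-0123456789abcdef0"}, None, ec2=fake))
    print(script_handler({"volumeId": "vol-0fedcba987654321f"}, None, ec2=fake))
```

Because the handler reads the volume before modifying it, the IAM role selected in step 2 needs ec2:DescribeVolumes in addition to ec2:ModifyVolume, and nothing more; scoping the role to those two actions keeps the runbook at least privilege. The ModifyVolume call returns while the modification state is still “modifying”, so the Config rule will only re-evaluate the volume as compliant once EC2 finishes the change.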
Cleaning up
If you built this in a sandbox environment and want to continue the work elsewhere, delete the resources created in this demonstration to avoid incurring future charges in the sandbox: the IAM policies, IAM roles, SSM Automation runbook, and Config rule.
Conclusion
In this blog post you set up a remediation action for the desired-volume-type Config rule, which gives you a faster way to remediate EBS resources. Integrating Amazon Q Developer into the creation of AWS Systems Manager (SSM) documents offers a powerful way to streamline and automate your infrastructure management tasks. With Amazon Q Developer, you were able to create an SSM document with minimal knowledge of Python. Amazon Q Developer generates code recommendations that help you develop code efficiently, whatever your coding experience.
Please refer to these links for more information:
https://catalog.workshops.aws/getting-started-with-com/en-US/automation-runbooks