How do I troubleshoot the error "Action execution failed" with auto remediation for the AWS Config rule s3-bucket-logging-enabled?


I want to use the AWS-ConfigureS3BucketLogging runbook to remediate noncompliant resources. However, auto remediation fails with the "Action execution failed" error.

Short description

The AWS Config rule s3-bucket-logging-enabled checks if logging is turned on for a target Amazon Simple Storage Service (Amazon S3) bucket. The AWS-ConfigureS3BucketLogging AWS Systems Manager automation runbook then remediates the noncompliant resources.

The AWS-ConfigureS3BucketLogging runbook must have the following permissions:

  • An Automation service role in AWS Identity and Access Management (IAM) whose trust policy lets Systems Manager Automation assume it. The role's ARN is passed to the runbook as the AutomationAssumeRole parameter.
  • The s3:PutBucketLogging permission on the noncompliant buckets, and a target S3 bucket that's configured to store the logs.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

To resolve the Action execution failed error, run the describe-remediation-execution-status AWS CLI command and review the detailed error message in the step details. The message tells you which of the following causes applies.

For more information, see How can I troubleshoot failed remediation executions in AWS Config?

Access denied

You receive the following error message:

"Step fails when it is Execute/Cancelling action. An error occurred (AccessDenied) when calling the PutBucketLogging operation: Access Denied. Please refer to Automation Service Troubleshooting Guide for more diagnosis details."

This error occurs because the AutomationAssumeRole role doesn't have permissions to call the PutBucketLogging API on the noncompliant S3 buckets. Use the following example policy to allow the role to call the PutBucketLogging API:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:PutBucketLogging",
      "Resource": [
        "arn:aws:s3:::<BUCKET_NAME_1>",
        "arn:aws:s3:::<BUCKET_NAME_2>",
        "arn:aws:s3:::<BUCKET_NAME_3>"
      ]
    }
  ]
}

Note: If you must remediate all the S3 buckets in an AWS Region, then use the aws:RequestedRegion condition key to limit the role's permission.

Invalid execution parameters

You receive the following error message:

"Invalid execution parameters sent to Systems Automation. The defined assume role is unable to be assumed."

This error occurs because Systems Manager Automation can't assume the AutomationAssumeRole role. Use the following example policy to allow Systems Manager to assume the IAM role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ssm.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
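The following script is an added example, not part of the AWS article. It ties the Resolution steps together offline: it parses a response in the shape that describe-remediation-execution-status returns, maps each failed step's ErrorMessage to one of the two causes above (AccessDenied on PutBucketLogging, or the assume-role failure), and then checks an AutomationAssumeRole trust policy and permissions policy for the fixes the article gives, including the aws:RequestedRegion condition from the note. The API response, bucket names, Region and policies are constructed sample data; no AWS calls are made.

```python
"""Offline triage of a failed remediation for the s3-bucket-logging-enabled rule (added example)."""
import fnmatch
import json

# Constructed sample in the shape of `aws configservice describe-remediation-execution-status` output.
SAMPLE_STATUS = json.dumps({
    "RemediationExecutionStatuses": [
        {
            "ResourceKey": {"resourceType": "AWS::S3::Bucket", "resourceId": "example-bucket-1"},
            "State": "FAILED",
            "StepDetails": [{
                "Name": "ConfigureS3BucketLogging", "State": "FAILED",
                "ErrorMessage": ("Step fails when it is Execute/Cancelling action. An error occurred "
                                 "(AccessDenied) when calling the PutBucketLogging operation: Access Denied."),
            }],
        },
        {
            "ResourceKey": {"resourceType": "AWS::S3::Bucket", "resourceId": "example-bucket-2"},
            "State": "FAILED",
            "StepDetails": [{
                "Name": "ConfigureS3BucketLogging", "State": "FAILED",
                "ErrorMessage": ("Invalid execution parameters sent to Systems Automation. "
                                 "The defined assume role is unable to be assumed."),
            }],
        },
    ]
})

# Constructed trust policy, in the shape the article shows for the Automation service role.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": "ssm.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

# Constructed permissions policy: all buckets, but limited to one Region with aws:RequestedRegion.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:PutBucketLogging", "Resource": "arn:aws:s3:::*",
                   "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}}}],
}


def classify_error(message: str) -> str:
    """Map a step ErrorMessage to the cause described in the article."""
    if "AccessDenied" in message and "PutBucketLogging" in message:
        return "missing s3:PutBucketLogging permission on AutomationAssumeRole"
    if "unable to be assumed" in message:
        return "Systems Manager cannot assume AutomationAssumeRole (check the trust policy)"
    return "unknown cause; read the full ErrorMessage"


def failed_steps(status_json: str) -> list:
    """Return (resourceId, step name, cause) for every FAILED step in the response."""
    data = json.loads(status_json)
    result = []
    for execution in data.get("RemediationExecutionStatuses", []):
        resource = execution["ResourceKey"]["resourceId"]
        for step in execution.get("StepDetails", []):
            if step.get("State") == "FAILED":
                result.append((resource, step["Name"], classify_error(step.get("ErrorMessage", ""))))
    return result


def _as_list(value):
    """IAM policy elements may be a single string/object or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trust_policy_allows_ssm(policy: dict) -> bool:
    """True if an Allow statement lets ssm.amazonaws.com call sts:AssumeRole."""
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        services = _as_list(st.get("Principal", {}).get("Service", []))
        if "ssm.amazonaws.com" in services and "sts:AssumeRole" in _as_list(st.get("Action", [])):
            return True
    return False


def policy_allows_put_bucket_logging(policy: dict, bucket: str, region: str = "") -> bool:
    """True if an Allow statement covers s3:PutBucketLogging on the bucket's ARN.

    Wildcards in Action and Resource are honoured. The only condition modelled is
    StringEquals on aws:RequestedRegion (the article's note); any other condition makes the
    statement count as not matching, which is the conservative answer. Explicit Deny and
    permissions boundaries are out of scope for this checker.
    """
    arn = f"arn:aws:s3:::{bucket}"
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase("s3:PutBucketLogging", a) for a in _as_list(st.get("Action", []))):
            continue
        if not any(fnmatch.fnmatchcase(arn, r) for r in _as_list(st.get("Resource", []))):
            continue
        cond = st.get("Condition", {})
        if cond:
            if set(cond) != {"StringEquals"} or set(cond["StringEquals"]) != {"aws:RequestedRegion"}:
                continue
            if region not in _as_list(cond["StringEquals"]["aws:RequestedRegion"]):
                continue
        return True
    return False


if __name__ == "__main__":
    for resource, step, cause in failed_steps(SAMPLE_STATUS):
        print(f"{resource}: step {step} failed: {cause}")
    print("trust policy allows ssm.amazonaws.com:", trust_policy_allows_ssm(TRUST_POLICY))
    print("PutBucketLogging on example-bucket-1 in us-east-1:",
          policy_allows_put_bucket_logging(PERMISSIONS_POLICY, "example-bucket-1", "us-east-1"))
```

To use it against a real execution, pipe the command's output into failed_steps and the role's policy documents (from get-role and get-role-policy or get-policy-version) into the two checkers. A bucket that fails the permissions check while the runbook reports AccessDenied points at the first fix above; a False from trust_policy_allows_ssm points at the second.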

Related information

Remediating noncompliant resources with AWS Config rules

Amazon S3 bucket compliance using AWS Config auto remediation feature

AWS OFFICIAL, updated a day ago