-
Notifications
You must be signed in to change notification settings - Fork 57
5.2
Paul Duvall edited this page Oct 29, 2019
·
19 revisions
Review and ensure that you have setup your development environment before going through the steps below.
- Go to the AWS Config console.
- Click the Add Rule button.
- Type
eipin the textbox and select eip-attached from the managed Config Rules. - Click Save.
- Once saved, click the role and copy the Config rule ARN for later.
- Go to the Elastic IPs within the EC2 console.
- Click Allocate new address (and create a few of these).
- Choose from the Amazon pool and click Allocate.
- Go to AWS IAM.
- Click on Roles.
- Click Create role.
- Select EC2 and click Next: Permissions.
- Type
SSMand choose the checkbox next to AmazonSSMAutomationRole and click Next: Tags. - Click Next: Review.
- Type
ccoa-5-ssm-rolefor the Role name and click Create role.
- From the AWS IAM console, select Roles
- Select the ccoa-5-ssm-role IAM Role you just created.
- Click the Trust relationships tab.
- Click the Edit Trust Relationship button
- Paste the contents from below into the text area to add events and ssm as trusted entities.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ssm.amazonaws.com",
"ec2.amazonaws.com",
"events.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
- Click the Update Trust Policy button.
- Click on the Permissions tab.
- Click on the Add inline policy link.
- Click on the JSON tab and replace the text area with the contents below (replacing
ACCOUNTIDwith your AWS Account Id).
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"iam:PassRole"
],
"Resource": "arn:aws:iam::ACCOUNTID:role/ccoa-mon-role",
"Effect": "Allow"
}
]
}
- Click the Review Policy button.
- Enter the name
passAutomationRoleand click the Save changes* button. - Click on the Permissions tab again.
- Click on the Add inline policy link.
- Click on the JSON tab and replace the text area with the contents below (replacing
ACCOUNTIDwith your AWS Account Id).
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "ec2:ReleaseAddress",
"Resource": "*",
"Effect": "Allow",
"Sid": "ReleaseElasticIPPermissions"
}
]
}
- Click the Review Policy* button.
- Enter the name
ReleaseElasticIPPermissionsand click the Save changes* button. - Select the role and copy the Role ARN to use later.
- Go to Amazon CloudWatch.
- Click on Rules.
- Click the Create Rule button.
- With the Event Pattern radio button selected, click on the Edit link.
- Paste the contents below replacing the value of configRuleARN with the Config Rule ARN you saved when creating your Config Rule. If you do not recall the name, go back to AWS Config, select Rules, select the rule you created, and copy the value for Config rule ARN.
{
"detail-type": [
"Config Rules Compliance Change"
],
"source": [
"aws.config"
],
"detail": {
"configRuleARN": [
"arn:aws:config:us-east-1:ACCOUNTID:config-rule/config-rule-abcdef"
],
"newEvaluationResult": {
"complianceType": [
"NON_COMPLIANT"
]
}
}
}
- In the Targets area, choose SSM Automation.
- For the Document, choose AWS-ReleaseElasticIP.
- Choose Input Transformer and paste the following in the first text field:
{"eipalloc":"$.detail.resourceId"}
- Then, paste the following in the next text field (replacing with your
ACCOUNTID):
{"AllocationId":[<eipalloc>],"AutomationAssumeRole":["arn:aws:iam::ACCOUNTID:role/ccoa-5-ssm-role"]}
- Enter
ccoa-6-cwe-eip-rulefor your CloudWatch Event Rule and click Save
aws ssm describe-document --name "AWS-ReleaseElasticIP"
Go to Cleanup to remove any resources you created in this sublesson.