5.2
Paul Duvall edited this page Oct 26, 2019 · 19 revisions
@todo: FIX THIS
Review and ensure that you have set up your development environment before going through the steps below.
- Go to the AWS Config console.
- Click the Add Rule button.
- Type `eip` in the textbox and select eip-attached from the managed Config Rules.
- Click Save.
- Once saved, click the role and copy the Config rule ARN for later.
- Go to the Elastic IPs within the EC2 console.
- Click Allocate new address (and create a few of these).
- Choose from the Amazon pool and click Allocate.
- Go to AWS IAM.
- Click on Roles.
- Click Create role.
- Select EC2 and click Next: Permissions.
- Type `SSM` and choose the checkbox next to AmazonSSMAutomationRole and click Next: Tags.
- Click Next: Review.
- Type `ccoa-ssm-role` for the Role name and click Create role.
- Select the role and copy the Role ARN to use later.
- Add two inline policies:

ReleaseElasticIPPermissions

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "ec2:ReleaseAddress",
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "ReleaseElasticIPPermissions"
    }
  ]
}
```

passRole

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::ACCOUNTID:role/ccoa-ssm-role",
      "Effect": "Allow"
    }
  ]
}
```

- Go to Amazon CloudWatch.
- Click on Rules.
- Click on Add Rule.

```json
{
  "detail-type": [
    "Config Rules Compliance Change"
  ],
  "source": [
    "aws.config"
  ],
  "detail": {
    "configRuleARN": [
      "arn:aws:config:us-east-1:ACCOUNTID:config-rule/config-rule-abcdef"
    ],
    "newEvaluationResult": {
      "complianceType": [
        "NON_COMPLIANT"
      ]
    }
  }
}
```

- SSM Automation
- AWS-ReleaseElasticIP
- Input Transformer

```
{"eip_allocid":"$.detail.resourceId"}
{"AllocationId":[<eip_allocid>],"AutomationAssumeRole":["arn:aws:iam::ACCOUNTID:role/ccoa-ssm-role"]}
```

- Use existing role (and use the role you created).
ccoa-cwe-eip-rule
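
To check offline what this rule hands to AWS-ReleaseElasticIP, the sketch below applies the event pattern and Input Transformer from the steps above to a sample event. It is an added example, not part of the original page: the sample event and its allocation ID are constructed, and `matches` and `transform` are hypothetical helpers that approximate only exact-value pattern matching and unquoted-placeholder substitution.

```python
import json

# Event pattern, input paths and input template as given in the steps above.
RULE_ARN = "arn:aws:config:us-east-1:ACCOUNTID:config-rule/config-rule-abcdef"
EVENT_PATTERN = {
    "detail-type": ["Config Rules Compliance Change"],
    "source": ["aws.config"],
    "detail": {
        "configRuleARN": [RULE_ARN],
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
    },
}
INPUT_PATHS = {"eip_allocid": "$.detail.resourceId"}
INPUT_TEMPLATE = ('{"AllocationId":[<eip_allocid>],"AutomationAssumeRole":'
                  '["arn:aws:iam::ACCOUNTID:role/ccoa-ssm-role"]}')

# Constructed sample event (assumption); the allocation ID is made up.
SAMPLE_EVENT = {
    "detail-type": "Config Rules Compliance Change",
    "source": "aws.config",
    "detail": {
        "resourceId": "eipalloc-0123456789abcdef0",
        "configRuleARN": RULE_ARN,
        "newEvaluationResult": {"complianceType": "NON_COMPLIANT"},
    },
}

def matches(pattern, event):
    """Exact-value matching only: a leaf is a list of allowed values."""
    for key, expected in pattern.items():
        actual = event.get(key)
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True

def transform(event):
    """Fill the template; unquoted placeholders receive JSON-encoded values."""
    filled = INPUT_TEMPLATE
    for name, path in INPUT_PATHS.items():
        node = event
        for part in path[2:].split("."):  # strip the leading "$."
            node = node[part]
        filled = filled.replace("<%s>" % name, json.dumps(node))
    return json.loads(filled)

if __name__ == "__main__":
    print(matches(EVENT_PATTERN, SAMPLE_EVENT), transform(SAMPLE_EVENT))
```

Because the pattern pins `configRuleARN`, a NON_COMPLIANT result from any other Config rule does not match, so its `resourceId` is never passed to the release automation.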
Go to Cleanup to remove any resources you created in this sublesson.