AWS Config – Remediations

  • Enables automatic remediation of non-compliant resources using AWS Systems Manager (SSM) Automation Documents.

Options:

  • AWS-managed automation documents – ready-to-use for common remediation tasks.
  • Custom automation documents – invoke custom scripts or Lambda functions to meet specific requirements.

Key Features:

  • Remediation retries – configurable to reattempt the action if the resource remains non-compliant.
  • Automates corrective actions to maintain compliance without manual intervention.

Example:

  • Detects an expired IAM access key.
  • Executes the AWSConfigRemediation-RevokeUnusedIAMUserCredentials document to deactivate the key.
  • Retries remediation up to a configured limit until the resource is compliant.
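
Added example (not from the original notes or from AWS): the example above expressed as a request to the AWS Config `PutRemediationConfigurations` API, with the retry limit validated before it is sent. The rule name, role ARN and account ID are placeholders, and the runbook parameter names (`AutomationAssumeRole`, `IAMResourceId`, `MaxCredentialUsageAge`) should be checked against the document version in your account.

```python
"""Added example: request body for AWS Config PutRemediationConfigurations."""

RUNBOOK = "AWSConfigRemediation-RevokeUnusedIAMUserCredentials"  # named in the notes


def build_remediation(rule_name, role_arn, max_attempts=5, retry_seconds=60,
                      max_credential_age_days=90):
    """Return one RemediationConfiguration entry with automatic retries."""
    # Bounds enforced by the AWS Config API for the two retry settings.
    if not 1 <= max_attempts <= 25:
        raise ValueError("MaximumAutomaticAttempts must be 1-25")
    if not 1 <= retry_seconds <= 2678000:
        raise ValueError("RetryAttemptSeconds must be 1-2678000")
    # The automation role is what changes IAM on Config's behalf;
    # reject anything that is not an IAM role ARN.
    if not (role_arn.startswith("arn:aws") and ":role/" in role_arn):
        raise ValueError("AutomationAssumeRole must be an IAM role ARN")
    return {
        "ConfigRuleName": rule_name,
        "TargetType": "SSM_DOCUMENT",
        "TargetId": RUNBOOK,
        "ResourceType": "AWS::IAM::User",
        "Automatic": True,
        # Config makes up to max_attempts tries within retry_seconds.
        "MaximumAutomaticAttempts": max_attempts,
        "RetryAttemptSeconds": retry_seconds,
        "Parameters": {
            "AutomationAssumeRole": {"StaticValue": {"Values": [role_arn]}},
            # RESOURCE_ID makes Config pass the non-compliant resource's ID.
            "IAMResourceId": {"ResourceValue": {"Value": "RESOURCE_ID"}},
            "MaxCredentialUsageAge": {
                "StaticValue": {"Values": [str(max_credential_age_days)]}},
        },
    }


def apply(config):
    """Send the configuration to AWS Config (needs boto3 and credentials)."""
    import boto3  # imported lazily so build_remediation works offline
    client = boto3.client("config")
    return client.put_remediation_configurations(
        RemediationConfigurations=[config])


if __name__ == "__main__":
    import json
    print(json.dumps(build_remediation(
        "iam-user-unused-credentials-check",  # assumed rule name
        "arn:aws:iam::111122223333:role/ConfigRemediationRole",  # placeholder
    ), indent=2))
```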