Configuring Remediation
Scenarios
You can create and attach remediation actions to your Config rules to quickly remediate non-compliant resources.
Remediation actions are based on RFS private templates or FunctionGraph functions. You need to create RFS private templates or FunctionGraph functions first.
Creating an RFS Private Template
- Log in to the management console.
- Click the icon in the upper left corner of the page. In the displayed service list, under Management & Governance, select Resource Formation Service.
- In the navigation pane, choose Templates > Private Templates.
- In the upper right corner, click Create Template.
Figure 1 Creating a private template
- Select a creation mode and template source as required, and enter the content of the remediation action as prompted to complete the template file.
For example templates, see Example RFS Private Template.
- Click Create Now.
Creating a Function with FunctionGraph
- Log in to the management console.
- Click the icon in the upper left corner of the page. In the service list that is displayed, under Compute, select FunctionGraph.
- In the navigation pane on the left, choose Functions > Function List.
- In the upper right corner, click Create Function. The Create from scratch tab is displayed by default.
- Set Function Type to Event Function and configure other parameters, including the function name and IAM agency.
The required IAM agency permissions depend on the remediation action. For details, see Configuring Agency Permissions.
- Click Create Function.
- In the code box, enter the function code and click Deploy.
For example code, see Sample Function.
- Click Configurations and modify Execution Timeout (s) and Memory (MB) in the Basic Settings area as required. Then configure Concurrency.
- Click Save.
For more details, see Creating an Event Function.
Configuring Remediation

Currently, you can only add remediation actions to rules created based on built-in and custom policies. Organization rules and rules in a conformance package are not supported.
- Log in to the management console.
- Click the icon in the upper left corner of the page. Under Management & Governance, select Config.
- In the navigation pane on the left, choose Resource Conformance.
- On the Rules tab, click the name of a rule to go to its details page.
Figure 2 Entering the details page
- Click the Remediation tab.
- Click Configure Remediation in the middle or upper right corner of the page.
Figure 3 Configuring remediation
- Select a remediation method.
- Automatic: The system automatically remediates non-compliant resources.
- Manual: You need to select which resources you want to remediate. For details, see Manual Remediation.
- The automatic method modifies the configurations of non-compliant resources based on your preset parameters, which may interrupt services. The manual method is recommended because it is more secure.
- You can select the automatic method only if you are sure that the remediation will not interrupt services. When a non-compliant resource is detected, the system automatically modifies the resource configuration.
- Configure the remediation retry time window and number of retries allowed.
If a resource remains non-compliant after remediation, the automatic method will retry remediation multiple times, or you can execute the remediation again. This may cause extra expenses and interrupt service continuity.
To limit retries within a period, set Retry Time Window and Retries. Config checks how many times a resource has been remediated within the time window and marks the resources that have been remediated too frequently as exceptions. Remediation will not work for these resources.
- The retry time window is 3,600 seconds by default. You can set it to a value between 60 and 43,200.
- The number of retries allowed is 5 by default. You can set it to a value between 1 and 25.
- Select a template for remediation.
- RFS template: Select an RFS private template that defines the remediation action.
IAM Agency: When you select the automatic method and an RFS template, an IAM agency is required to grant the permissions for RFS to deploy resource stacks and modify resource configurations. The agency must have the permissions required by the RFS template to call other services. For details about how to create an agency, see Delegating Another Service for Resource Management. If the agency permissions are insufficient or incorrectly configured, remediation will fail. You can create a stack to verify the agency availability. For details, see Creating a Stack.
- FunctionGraph template: Select a FunctionGraph function as the template that defines the remediation action for non-compliant resources.
Figure 4 Configuring remediation information
- Configure resource ID parameters.
- Resource ID Parameter: Specify the variable that indicates the ID of a non-compliant resource. The variable name must be the same as that defined in the remediation template. When the remediation action is executed, Config assigns the specific ID of the target non-compliant resource to the variable and passes the ID to the remediation template. For example, if you use the resource_id=event.get("noncompliant_resource_id", {}) statement in the FGS function to obtain the non-compliant resource ID, you need to set this parameter to noncompliant_resource_id. The resource ID of each non-compliant resource will be passed to the remediation template.
- Parameter: Specify the static parameters that you want Config to pass to the remediation template. You can add up to 50 parameters. These are remediation rule parameters. For example, suppose you want to create a log trail for non-compliant VPC resources and use the log_group_id=event.get("log_group_id", {}) statement in the FGS function to obtain the log group ID. In this case, set log_group_id as the key and the actual log group ID as the value. All created log trails will be in this log group.
Figure 5 Resource ID parameter
- Click Save.
To trigger an automatic remediation, you must trigger an evaluation based on the rule to update the evaluation result.
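The following added example (not part of the original documentation or of the product's sample code) shows a FunctionGraph event handler that reads the resource ID parameter and the static log_group_id parameter described above and refuses to act when either is missing or malformed. The ID format check, the sample IDs, and the create_log_trail helper are assumptions made for illustration.

```python
import re

# Assumption: IDs are 32 hex characters, with or without UUID hyphens.
# Adjust the pattern to the ID format of the resource type being remediated.
ID_PATTERN = re.compile(
    r"[0-9a-f]{8}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{12}"
)

# Keys must match the Resource ID Parameter and the static Parameter key
# entered on the Remediation tab.
REQUIRED_KEYS = ("noncompliant_resource_id", "log_group_id")


def parse_remediation_event(event):
    """Return the validated parameters or raise ValueError."""
    if not isinstance(event, dict):
        raise ValueError("event must be a JSON object")
    params = {}
    for key in REQUIRED_KEYS:
        # event.get(key, {}) would yield {} for an absent key; such a value
        # is rejected here instead of being passed on to a service call.
        value = event.get(key)
        if not isinstance(value, str) or not ID_PATTERN.fullmatch(value):
            raise ValueError(f"missing or malformed parameter: {key}")
        params[key] = value
    return params


def create_log_trail(resource_id, log_group_id):
    """Hypothetical placeholder for the service call that applies the fix."""
    return {"resource_id": resource_id, "log_group_id": log_group_id}


def handler(event, context, remediate=create_log_trail):
    # Validation runs before any change; a ValueError fails the invocation
    # and leaves the resource untouched.
    params = parse_remediation_event(event)
    result = remediate(params["noncompliant_resource_id"], params["log_group_id"])
    return {"remediated": True, "result": result}
```

A mismatch between the key configured in Config and the key the function reads shows up as a failed invocation rather than a change applied with an empty ID.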