AWS Config can create issue entries in the Jira Service Management platform when it determines an AWS resource is noncompliant. In this blog post, I show you how to configure an AWS Config rule to create a Jira issue after the rule detects a noncompliant AWS resource. I also share Jira Service Desk configuration changes you might need to make for your Jira Service Desk project to receive Jira issues sent by an AWS Config rule remediation action.

Example remediation action scenario

Suppose an IT governance team wants to receive alerts when Amazon Elastic Container Service (Amazon ECS) task definitions specify images not registered in the governance team’s Amazon Elastic Container Registry (Amazon ECR) private registry. The container images they store in their ECR private registry have completed company-mandated security scans and contain company-mandated packages and agents. A custom AWS Config rule named ECS_ECRIMAGE_CHECK, available in the AWS Config rules repository, assesses Amazon ECS task definitions and determines if task definition images are sourced from an Amazon ECR private registry. This custom rule verifies the image location based on its path prefix. Amazon ECR private registry images start with a name prefix using this format:

<AWS_account_number>.dkr.ecs.<AWS_region>.amazonaws.com

Here is an example task definition that uses a container image stored in an Amazon ECR private registry. The image key:value pair in the JSON output shows this compliant format.

c:\>aws ecs describe-task-definition --task-definition demo-apache
{ "taskDefinition": { "taskDefinitionArn": "arn:aws:ecs:us-west-2:123456789012:task-definition/demo-apache:1", "containerDefinitions": [ { "name": "demo-apache-image", "image": "123456789012.dkr.ecr.us-west-2.amazonaws.com/demo-repository:latest",
...

Jira issue JiraURL field

The AWS Config rule remediation action named AWS-CreateJiraIssue uses an AWS Systems Manager document also named AWS-CreateJiraIssue. This document uses Jira’s RESTful API version 2, which uses this API path to create the Jira issue: /rest/api/2/issue

The AWS Lambda function included in the AWS-CreateJiraIssue Systems Manager document appends this API path to the JiraURL parameter that was used to configure the AWS-CreateJiraIssue remediation action for the AWS Config rule. The JiraURL parameter must include the protocol, subdomain, and domain name portions of the Jira URL.

Here is an example JiraURL parameter: https://aws-mg-demos.atlassian.net

Do not place a forward slash (/) at the end of the JiraURL parameter when you enter it into the remediation action parameter field.

Jira issue DueDate field

AWS Config passes the value you enter for DueDate to Jira without modification or offset. This due date does not change when AWS Config invokes a remediation action. Because this due date is fixed, you can enter the Jira issue due date in your Jira Service Management Cloud account or Jira Service Management Server instead of entering it in the AWS-CreateJiraIssue remediation action’s parameter.

Jira does not include the due date by default in the Configure Screen. It includes the fields the Jira issue will accept and display. To successfully pass an issue due date to Jira, edit the page for your Jira Service Management project. From the Select Field dropdown, add Due date, as shown in Figure 1:

On Configure Screen, the fields and their order are displayed. They include Summary, Priority, Issue Type, Due date, Description, and more.

Figure 1: Configure Screen

Set up the AWS-CreateJiraIssue remediation action

Follow these steps to assign the AWS-CreateJiraIssue remediation action to the ECS_ECRIMAGE_CHECK custom AWS Config rule.

Step 1: Configure automatic remediation

In the AWS Config console, on the Edit: Remediation action page, choose Automatic remediation. In case of failure, configure this automatic remediation action to retry. For Retries in, enter 1. For Seconds, enter 120, as shown in Figure 2.

In Select remediation method, the Automatic remediation option is selected. The Retries in and Seconds fields are completed as described in the post.

Figure 2: Select remediation method and configure retries

Step 2: Select the AWS-CreateJiraIssue remediation action

In Remediation action details, for Choose remediation action, choose AWS-CreateJiraIssue, as shown in Figure 3.

In Remediation action details, AWS-CreateJiraIssue is selected from the Choose remediation action dropdown.

Figure 3: Remediation action details

Step 3: Set concurrent action rate limits (optional)

Limit the number of simultaneous remediation action invocations for this AWS Config rule. In Rate Limits, specify a concurrent executions rate to use when this AWS Config rule detects multiple noncompliant resources. Enter a maximum failure percentage to limit failed Systems Manager document executions. In Figure 4, Concurrent Execution Rate is set to 2. Error Rate is set to 50.

In Rate Limits, the Concurrent Execution Rate and Error Rate fields are set as described in the post.

Figure 4: Rate Limits

Step 4: Pass the noncompliant resource ID to the Jira issue

Pass the noncompliant resource ID as a value to the Jira issue. In Resource ID parameter, choose IssueDescription, as shown in Figure 5:

In Resource ID parameter, IssueDescription is selected from the dropdown.

Figure 5: Resource ID parameter

Step 5: Enter the remediation action parameters

The following table lists the AWS Config rule remediation action parameter names, examples, and descriptions that correspond to the parameters in the AWS-CreateJiraIssue Systems Manager document.

Parameter keyExample valueDescription
JiraUsername[email protected]Email address of registered Jira user with create issue Jira permissions.
SSMParameterName/config-rule-jira-demo/jira-user-api-keyAWS Systems Manager Parameter Store location of your Jira API token.*
IssueSummary“Noncompliant unregistered container image”The title for your Jira issue.
IssueDescriptionRESOURCE_IDAWS Config inserts the resource ID of the noncompliant AWS resource.
IssueTypeNameTaskThe issue category recognized by Jira.
ProjectKeyDEMOITPROJThe name of your Jira project key to update. This key prefixes all Jira tasks (for example, DEMOITPROJ-1).
JiraURLhttps://aws-mg-demos.atlassian.netThe URL of your Jira instance, including the protocol, subdomain, and domain portions.
DueDate2021-05-25Required issue completion date in YYYY-MM-DD format.
AutomationAssumeRolearn:aws:iam::123456789012:role/SSM_Remediation_RoleIAM role used by this Systems Manager Automation document.**

* This Atlassian Support article explains how to create API tokens for your Atlassian Jira Cloud platform account. If you are using the Atlassian Jira Server platform instead, this article explains how to use your password instead of an API token for basic authentication.

** The AutomationAssumeRole is an AWS Identity and Access Management (IAM) role that enables AWS Systems Manager to invoke the document steps configured in the AWS-CreateJiraIssue AWS Systems Manager document.

To create a Jira issue when this AWS Config rule detects a noncompliant resource, enter the Jira Service Desk Project parameters used by the AWS Systems Manager AWS-CreateJiraIssue document. Figure 6 displays the parameter values listed in the table.

Parameters displays parameters and example values for JiraUsername, SSMParameterName, JiraURL, ProjectKey, IssueSummary, IssueTypeName, and more.

Figure 6: Parameters

Step 6: Save changes

To save this remediation action, choose Save changes.

Example noncompliant resource detection and Jira issue creation

The AWS Config rule, ECS_ECRIMAGE_CHECK, detected an Amazon ECS task definition configured to use a image located outside the Amazon ECR private registry. AWS Config marked this resource as Noncompliant, as shown in Figure 7. The AWS-CreateJiraIssue remediation action was invoked successfully. Under Resources in scope, a status of Action executed successfully is displayed.

The details page for ECS_ECRIMAGE_CHECK includes fields for description, rule ARN, target type, and last successful evaluation. Under Resources in scope, first-run-task-definition has a status of Action executed successfully and a compliance of Noncompliant.

Figure 7: ECS_ECRIMAGE_CHECK

Figure 8 shows the Jira issue created by the AWS-CreateJiraIssue remediation action for the noncompliant Amazon ECS task definition as shown in the Jira Service Desk console:

Jira Service Desk console shows the newly created Jira issue. It has a description of first-run-task-definition and a due date of 2021/05/25.

Figure 8: Noncompliant unregistered container image

The resource ID of the noncompliant AWS resource, first-run-task-definition, appears in the Description field of this Jira issue. AWS Config passed this resource ID to the AWS Systems Manager document, AWS-CreateJiraIssue, through the IssueDescription field.

Cleanup

To avoid charges to your AWS account, after you test the AWS-CreateJiraIssue rule remediation action, issue these AWS CLI commands to delete the ECS_ECRIMAGE_CHECK rule and its remediation action:

c:\>aws configservice delete-remediation-configuration --config-rule-name ECS_ECRIMAGE_CHECK c:\>aws configservice delete-config-rule --config-rule-name ECS_ECRIMAGE_CHECK

Conclusion

In this blog post, I showed you how to assign and configure the AWS-CreateJiraIssue remediation action to a custom AWS Config rule from the AWS Config rules repository. This remediation action creates a Jira issue in a Jira Service Management project using the configured remediation action parameters. It passes the noncompliant resource ID to the Jira issue using the IssueDescription remediation action parameter. Use this procedure to assign and configure the AWS-CreateJiraIssue remediation action to your AWS Config rules. You might also consider using Change Manager, an AWS Systems Manager capability, to automate the change request, request approval, and automation action to remediate a noncompliant resource.

About the author

Photo of the author -- Bill Dry

Bill Dry

Bill Dry is a Senior Technical Account Manager for AWS Enterprise Support. Over the past 11 years, he has developed software applications ranging from digital signage to video banking. Outside of work, Bill enjoys coaching youth basketball and firing up the grill for backyard barbecues.