07 ADVANCED

AWS Config + AI remediator

Config detects violations, Claude API generates intelligent fixes, Lambda executes them autonomously.

Overview

Intelligent autonomous remediation. AWS Config violations trigger a Lambda that calls the Claude API with full resource context, receives a generated remediation action, applies it via the AWS SDK, and re-evaluates the rule — closing the loop without human intervention.

Implementation

Example: unencrypted S3 bucket → Config FAIL → Lambda invoked with resource ARN and violation context → Claude generates least-privilege encryption policy JSON → Lambda applies BucketEncryption → Config re-evaluates → finding closed. Full audit trail in DynamoDB. Human-in-the-loop mode available for critical resources.
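The loop above (violation event → model proposal → apply → re-evaluate → audit record) as an added Python example, not code from the project. The control a practitioner wants to see is between "Claude generates" and "Lambda applies": the model's output is parsed as strict JSON, restricted to the one action this handler knows how to apply, pinned to the resource Config actually flagged, and checked against an allowlist (SSE algorithm, KMS key ARN shape) before any SDK call is made; resources carrying a critical tag are parked as a proposal for human approval instead of being changed. The event shape is a constructed, simplified version of an EventBridge Config compliance-change event, the Claude, S3, Config and DynamoDB clients are injected as plain callables so the code runs offline, and the `Criticality=high` tag is an assumed convention.

```python
"""Config -> model -> validate -> apply -> re-evaluate loop (added example, not the project's code).
boto3 / Anthropic clients are passed in as callables so the handler is testable offline."""
import json
import re
from dataclasses import dataclass, asdict
from typing import Any, Callable, Dict, Optional

ALLOWED_ALGORITHMS = {"AES256", "aws:kms"}
KMS_KEY_ARN = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")
CRITICAL_TAG = ("Criticality", "high")  # assumption: tag that forces human-in-the-loop

# Constructed sample event, loosely modelled on the EventBridge "Config Rules Compliance Change" event.
SAMPLE_EVENT = {
    "detail": {
        "resourceType": "AWS::S3::Bucket",
        "resourceId": "s3-prod-data",  # for S3 the Config resourceId is the bucket name
        "configRuleName": "s3-bucket-server-side-encryption",
        "awsRegion": "us-east-1",
        "awsAccountId": "123456789012",
        "newEvaluationResult": {"complianceType": "NON_COMPLIANT"},
    }
}


@dataclass
class RemediationAction:
    bucket: str
    sse_algorithm: str
    kms_key_arn: Optional[str] = None


def build_context(event: Dict[str, Any]) -> Dict[str, str]:
    """Extract the resource/rule context that is sent to the model and logged."""
    d = event["detail"]
    return {"resource_type": d["resourceType"], "resource_id": d["resourceId"],
            "rule": d["configRuleName"], "region": d["awsRegion"],
            "compliance": d["newEvaluationResult"]["complianceType"]}


def parse_remediation(model_text: str, expected_bucket: str) -> RemediationAction:
    """Accept model output only as strict JSON for the single action this handler can apply,
    aimed at the resource Config flagged, with values from a fixed allowlist."""
    try:
        data = json.loads(model_text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"model output is not JSON: {exc}")
    if not isinstance(data, dict):
        raise ValueError("model output must be a JSON object")
    extra = set(data) - {"bucket", "sse_algorithm", "kms_key_arn"}
    if extra:
        raise ValueError(f"unexpected keys in model output: {sorted(extra)}")
    if data.get("bucket") != expected_bucket:
        raise ValueError("action targets a different resource than the finding")
    alg = data.get("sse_algorithm")
    if alg not in ALLOWED_ALGORITHMS:
        raise ValueError(f"unsupported SSE algorithm: {alg!r}")
    key = data.get("kms_key_arn")
    if alg == "aws:kms" and not (isinstance(key, str) and KMS_KEY_ARN.match(key)):
        raise ValueError("aws:kms requires a well-formed KMS key ARN")
    return RemediationAction(bucket=expected_bucket, sse_algorithm=alg,
                             kms_key_arn=key if alg == "aws:kms" else None)


def encryption_config(action: RemediationAction) -> Dict[str, Any]:
    """Translate the validated action into a PutBucketEncryption ServerSideEncryptionConfiguration."""
    rule = {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": action.sse_algorithm}}
    if action.kms_key_arn:
        rule["ApplyServerSideEncryptionByDefault"]["KMSMasterKeyID"] = action.kms_key_arn
    return {"Rules": [rule]}


def remediate(event: Dict[str, Any],
              ask_model: Callable[[Dict[str, str]], str],
              apply_encryption: Callable[[str, Dict[str, Any]], Any],
              re_evaluate: Callable[[str, str], str],
              write_audit: Callable[[Dict[str, Any]], Any],
              resource_tags: Dict[str, str]) -> Dict[str, Any]:
    """One remediation cycle; returns the audit record that was written."""
    ctx = build_context(event)
    if ctx["compliance"] != "NON_COMPLIANT":
        return {"status": "skipped", **ctx}
    action = parse_remediation(ask_model(ctx), ctx["resource_id"])  # raises on anything off-schema
    record: Dict[str, Any] = {**ctx, "action": asdict(action)}
    if resource_tags.get(CRITICAL_TAG[0]) == CRITICAL_TAG[1]:
        record["status"] = "pending_approval"  # human-in-the-loop: proposal stored, nothing applied
    else:
        apply_encryption(action.bucket, encryption_config(action))
        record["status"] = re_evaluate(ctx["rule"], ctx["resource_id"])  # e.g. "COMPLIANT"
    write_audit(record)
    return record


if __name__ == "__main__":
    # Offline demo with fake clients standing in for Anthropic, S3, Config and DynamoDB.
    demo_key = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"
    fake_model = lambda ctx: json.dumps({"bucket": ctx["resource_id"], "sse_algorithm": "aws:kms",
                                         "kms_key_arn": demo_key})
    print(remediate(SAMPLE_EVENT, fake_model, lambda b, c: print("PutBucketEncryption", b, c),
                    lambda rule, rid: "COMPLIANT", lambda rec: print("audit", rec), {}))
```

In production the three callables would wrap the Anthropic client, `s3.put_bucket_encryption`, and a Config re-evaluation plus DynamoDB `put_item`; the point of keeping them injected is that the validation layer, not the model, decides what is allowed to reach the SDK.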

Terminal output
aws-config-ai-remediator.py
[Config] NON_COMPLIANT: s3-prod-data
         Rule: s3-bucket-server-side-encryption
         Control: SC-28
[Lambda] Invoking Claude API...
         Context: S3 bucket, SSE missing, prod env
         Generating remediation action...
[Claude] → Apply SSE with aws:kms (KMS CMK)
         → Key: arn:aws:kms:us-east-1:...
         → Estimated impact: none
[Lambda] Applying patch...
         ✓ BucketEncryption set
[Config] Re-evaluating... COMPLIANT ✓
         Finding closed · elapsed: 4.2s
Stack
AWS Config, Claude API, Lambda, Python, SNS
Source code

Full implementation, tests, and documentation available on GitHub.
