Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
Required IAM permissions
The AutomationAssumeRole parameter requires the following actions to successfully use the runbook.
• ssm:StartAutomationExecution
• ssm:GetAutomationExecution
• access-analyzer:CreateAnalyzer
• access-analyzer:GetAnalyzer
Document Steps
• aws:executeAwsApi - Creates an access analyzer for your account.
• aws:waitForAwsResourceProperty - Waits for the status of the access analyzer to be ACTIVE.
• aws:assertAwsResourceProperty - Confirms the status of the access analyzer is ACTIVE.
AWSSupport-GrantPermissionsToIAMUser
Description
This runbook grants the specified permissions to an IAM group (new or existing), and adds the existing IAM user to it. Policies you can choose from: Billing or Support. To enable billing access for IAM, remember to also activate IAM user and federated user access to the Billing and Cost Management pages.
Important
If you provide an existing IAM group, all current IAM users in the group receive the new permissions.
Run this Automation (console)
Document type: Automation
Owner: Amazon
Platforms: Linux, macOS, Windows
Parameters
• AutomationAssumeRole Type: String
Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
• IAMGroupName Type: String
Default: ExampleSupportAndBillingGroup
Description: (Required) Can be a new or existing group. Must comply with IAM Entity Name Limits.
• IAMUserName Type: String
Default: ExampleUser
Description: (Required) Must be an existing user.
• LambdaAssumeRole Type: String
Description: (Optional) The ARN of the role assumed by lambda.
• Permissions Type: String
Valid values: SupportFullAccess | BillingFullAccess | SupportAndBillingFullAccess
Default: SupportAndBillingFullAccess
Description: (Required) Choose one of: SupportFullAccess grants full access to the Support center. BillingFullAccess grants full access to the Billing dashboard. SupportAndBillingFullAccess grants full access to both the Support center and the Billing dashboard. More info on policies under Document details.
Required IAM permissions
The AutomationAssumeRole parameter requires the following actions to successfully use the runbook.
The permissions required depend on how AWSSupport-GrantPermissionsToIAMUser is run.
Running as the currently logged in user or role
It is recommended you have the AmazonSSMAutomationRole Amazon managed policy attached, and the following additional permissions to be able to create the Lambda function and the IAM role to pass to Lambda:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "lambda:InvokeFunction",
        "lambda:CreateFunction",
        "lambda:DeleteFunction",
        "lambda:GetFunction"
      ],
      "Resource": "arn:aws:lambda:*:ACCOUNTID:function:AWSSupport-*"
    }
  ]
}
The policy is cut off at this point in the source; note that a statement also needs an "Effect": "Allow" element to grant anything.
Using AutomationAssumeRole and LambdaAssumeRole
The user must have the ssm:StartAutomationExecution permissions on the runbook, and iam:PassRole on the IAM roles passed as AutomationAssumeRole and LambdaAssumeRole. Here are the permissions each IAM role needs:
AutomationAssumeRole
Document Steps
1. aws:createStack - Run AWS CloudFormation Template to create a Lambda function.
2. aws:invokeLambdaFunction - Run Lambda to set IAM permissions.
3. aws:deleteStack - Delete CloudFormation Template.
Outputs
configureIAM.Payload
AWSConfigRemediation-RemoveUserPolicies
Description
The AWSConfigRemediation-RemoveUserPolicies runbook deletes the AWS Identity and Access Management (IAM) inline policies and detaches any managed policies attached to the IAM user you specify.
Run this Automation (console)
Document type: Automation
Owner: Amazon
Platforms: Linux, macOS, Windows
Parameters
• AutomationAssumeRole Type: String
Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
• IAMUserID Type: String
Description: (Required) The ID of the IAM user you want to remove policies from.
• PolicyType Type: String
Valid values: All | Inline | Managed
Default: All
Description: (Required) The type of IAM policies you want to remove from the IAM user.
Required IAM permissions
The AutomationAssumeRole parameter requires the following actions to successfully use the runbook.
• ssm:StartAutomationExecution
• ssm:GetAutomationExecution
• iam:DeleteUserPolicy
• iam:DetachUserPolicy
• iam:ListAttachedUserPolicies
• iam:ListUserPolicies
• iam:ListUsers
Document Steps
• aws:executeScript - Deletes and detaches IAM policies from the IAM user you specify in the IAMUserID parameter.
AWSConfigRemediation-ReplaceIAMInlinePolicy
Description
The AWSConfigRemediation-ReplaceIAMInlinePolicy runbook replaces an inline AWS Identity and Access Management (IAM) policy with a replicated managed IAM policy. For an inline policy attached to an IAM user, group, or role, the inline policy permissions are cloned into a managed IAM policy. The managed IAM policy is added to the resource, and the inline policy is removed. AWS Config must be enabled in the AWS Region where you run this automation.
Run this Automation (console)
Document type: Automation
Owner: Amazon
Platforms: Linux, macOS, Windows
Parameters
• AutomationAssumeRole Type: String
Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
• InlinePolicyName Type: StringList
Description: (Required) The inline IAM policy you want to replace.
• ResourceId Type: String
Description: (Required) The ID of the IAM user, group, or role whose inline policy you want to replace.
Required IAM permissions
The AutomationAssumeRole parameter requires the following actions to successfully use the runbook.
• ssm:StartAutomationExecution
• ssm:GetAutomationExecution
• iam:AttachGroupPolicy
• iam:AttachRolePolicy
• iam:AttachUserPolicy
• iam:CreatePolicy
• iam:CreatePolicyVersion
• iam:DeleteGroupPolicy
• iam:DeleteRolePolicy
• iam:DeleteUserPolicy
• iam:GetGroupPolicy
• iam:GetRolePolicy
• iam:GetUserPolicy
• iam:ListGroupPolicies
• iam:ListRolePolicies
• iam:ListUserPolicies
Document Steps
• aws:executeScript - Replace the inline IAM policy with an AWS replicated policy on the resource that you specify.
AWSConfigRemediation-RevokeUnusedIAMUserCredentials
Description
The AWSConfigRemediation-RevokeUnusedIAMUserCredentials runbook revokes unused AWS Identity and Access Management (IAM) passwords and active access keys. This runbook also deactivates expired access keys, and deletes expired login profiles. AWS Config must be enabled in the AWS Region where you run this automation.
Run this Automation (console)
Document type: Automation
Owner: Amazon
Platforms: Linux, macOS, Windows
Parameters
• AutomationAssumeRole Type: String
Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
• IAMResourceId Type: String
Description: (Required) The ID of the IAM resource you want to revoke unused credentials from.
• MaxCredentialUsageAge Type: String
Default: 90
Description: (Required) The number of days within which the credential must have been used.
Required IAM permissions
The AutomationAssumeRole parameter requires the following actions to successfully use the runbook.
• ssm:StartAutomationExecution
• ssm:GetAutomationExecution
• config:ListDiscoveredResources
• iam:DeleteAccessKey
• iam:DeleteLoginProfile
• iam:GetAccessKeyLastUsed
• iam:GetLoginProfile
• iam:GetUser
• iam:ListAccessKeys
• iam:UpdateAccessKey
Document Steps
• aws:executeScript - Revokes IAM credentials for the user specified in the IAMResourceId parameter. Expired access keys are deactivated, and expired login profiles are deleted.
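As an added example (not the runbook's own script, which the page does not show), the selection logic that MaxCredentialUsageAge implies, applied to constructed sample data: an active access key or the console password counts as unused when its last-use date (or its creation date, if it was never used) is older than the threshold. Field names mirror the responses of iam:ListAccessKeys, iam:GetAccessKeyLastUsed and iam:GetUser; the HasLoginProfile flag is an assumption, and the expired-credential branch the page mentions is not modelled.

```python
from datetime import datetime, timedelta, timezone

# Added example, not the runbook's script: decide which IAM credentials of one
# user fall outside MaxCredentialUsageAge. Input dicts mirror the shapes of
# iam:ListAccessKeys (AccessKeyId, Status, CreateDate), iam:GetAccessKeyLastUsed
# (LastUsedDate) and iam:GetUser (CreateDate, PasswordLastUsed).


def is_unused(last_used, created, now, max_age_days):
    """A credential is unused if it was last used (or, if never used, created)
    more than max_age_days ago."""
    reference = last_used or created
    return now - reference > timedelta(days=max_age_days)


def plan_revocation(user, access_keys, now, max_age_days=90):
    """Return the actions the remediation would take for this user:
    - deactivate: active access keys not used within max_age_days
    - delete_login_profile: True if the console password is unused
    """
    deactivate = []
    for key in access_keys:
        if key["Status"] != "Active":
            continue  # already inactive, nothing to revoke
        if is_unused(key.get("LastUsedDate"), key["CreateDate"], now, max_age_days):
            deactivate.append(key["AccessKeyId"])
    delete_profile = False
    # HasLoginProfile is an assumed flag standing in for iam:GetLoginProfile succeeding.
    if user.get("HasLoginProfile"):
        delete_profile = is_unused(user.get("PasswordLastUsed"), user["CreateDate"],
                                   now, max_age_days)
    return {"deactivate": deactivate, "delete_login_profile": delete_profile}


# Constructed sample data (key IDs are placeholders, not real credentials).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_USER = {
    "UserName": "example-user",
    "CreateDate": NOW - timedelta(days=400),
    "PasswordLastUsed": NOW - timedelta(days=120),  # older than the 90-day default
    "HasLoginProfile": True,
}
SAMPLE_KEYS = [
    {"AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active",
     "CreateDate": NOW - timedelta(days=300), "LastUsedDate": NOW - timedelta(days=10)},
    {"AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Active",
     "CreateDate": NOW - timedelta(days=200), "LastUsedDate": None},  # never used
    {"AccessKeyId": "AKIAEXAMPLE000000003", "Status": "Inactive",
     "CreateDate": NOW - timedelta(days=500), "LastUsedDate": NOW - timedelta(days=400)},
]

if __name__ == "__main__":
    print(plan_revocation(SAMPLE_USER, SAMPLE_KEYS, NOW))
```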
AWSConfigRemediation-SetIAMPasswordPolicy
Description
The AWSConfigRemediation-SetIAMPasswordPolicy runbook sets the AWS Identity and Access Management (IAM) user password policy for your AWS account.
Run this Automation (console)
Document type: Automation
Owner: Amazon
Platforms: Linux, macOS, Windows
Parameters
• AutomationAssumeRole Type: String
Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
• AllowUsersToChangePassword Type: Boolean
Default: False
Description: (Optional) If set to True, all IAM users in your AWS account can use the AWS Management Console to change their passwords.
• HardExpiry Type: Boolean
Default: False
Description: (Optional) If set to True, IAM users are prevented from resetting their passwords after their password expires.
• MaxPasswordAge Type: Integer
Default: 0
Description: (Optional) The number of days an IAM user's password is valid.
• MinimumPasswordLength Type: Integer
Default: 6
Description: (Optional) The minimum number of characters an IAM user's password can be.
• PasswordReusePrevention Type: Integer
Default: 0
Description: (Optional) The number of previous passwords that an IAM user is prevented from reusing.
• RequireLowercaseCharacters Type: Boolean
Default: False
Description: (Optional) If set to True, an IAM user's password must contain a lowercase character from the ISO basic Latin alphabet (a to z).
• RequireNumbers Type: Boolean
Default: False
Description: (Optional) If set to True, an IAM user's password must contain a numeric character (0-9).
• RequireSymbols Type: Boolean
Default: False
Description: (Optional) If set to True, an IAM user's password must contain a non-alphanumeric character (! @ # $ % ^ * ( ) _ + - = [ ] { } | ').
• RequireUppercaseCharacters Type: Boolean
Default: False
Description: (Optional) If set to True, an IAM user's password must contain an uppercase character from the ISO basic Latin alphabet (A to Z).
Required IAM permissions
The AutomationAssumeRole parameter requires the following actions to successfully use the runbook.
• ssm:StartAutomationExecution
• ssm:GetAutomationExecution
• iam:GetAccountPasswordPolicy
• iam:UpdateAccountPasswordPolicy
Document Steps
• aws:executeScript - Sets the IAM user password policy based on the values you specify for the runbook parameters for your AWS account.
AWS KMS
AWS Systems Manager Automation provides predefined runbooks for AWS Key Management Service.
For more information about runbooks, see Working with runbooks. For information about how to view runbook content, see View runbook content (p. 2).
Topics
• AWSConfigRemediation-CancelKeyDeletion (p. 177)
• AWSConfigRemediation-EnableKeyRotation (p. 178)
AWSConfigRemediation-CancelKeyDeletion
Description
The AWSConfigRemediation-CancelKeyDeletion runbook cancels deletion of the AWS Key Management Service (AWS KMS) customer managed key that you specify.
Run this Automation (console)
Document type: Automation
Owner: Amazon
Platforms: Linux, macOS, Windows
Parameters
• AutomationAssumeRole Type: String
Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
• KeyId Type: String
Description: (Required) The ID of the customer managed key that you want to cancel deletion for.
Required IAM permissions
The AutomationAssumeRole parameter requires the following actions to successfully use the runbook.
• ssm:StartAutomationExecution
• ssm:GetAutomationExecution
• kms:CancelKeyDeletion
• kms:DescribeKey
Document Steps
• aws:executeAwsApi - Cancels deletion for the customer managed key you specify in the KeyId parameter.
• aws:assertAwsResourceProperty - Confirms key deletion is disabled on your customer managed key.
AWSConfigRemediation-EnableKeyRotation
Description
The AWSConfigRemediation-EnableKeyRotation runbook enables automatic key rotation for the symmetric AWS Key Management Service (AWS KMS) customer managed key.
Run this Automation (console)
Document type: Automation
Owner: Amazon
Platforms: Linux, macOS, Windows
Parameters
• AutomationAssumeRole Type: String
Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
• KeyId Type: String
Description: (Required) The ID of the customer managed key you want to enable automatic key rotation on.
Required IAM permissions
The AutomationAssumeRole parameter requires the following actions to successfully use the runbook.
• ssm:StartAutomationExecution
• ssm:GetAutomationExecution
• kms:EnableKeyRotation
• kms:GetKeyRotationStatus
Document Steps
• aws:executeAwsApi - Enables automatic key rotation on the customer managed key you specify in the KeyId parameter.
• aws:assertAwsResourceProperty - Confirms that automatic key rotation is enabled on your customer managed key.
Lambda
AWS Systems Manager Automation provides predefined runbooks for AWS Lambda. For more information about runbooks, see Working with runbooks. For information about how to view runbook content, see View runbook content (p. 2).
Topics
• AWSConfigRemediation-ConfigureLambdaFunctionXRayTracing (p. 179)
• AWSConfigRemediation-DeleteLambdaFunction (p. 180)
• AWSConfigRemediation-EncryptLambdaEnvironmentVariablesWithCMK (p. 181)
• AWSConfigRemediation-MoveLambdaToVPC (p. 183)
• AWSSupport-RemediateLambdaS3Event (p. 184)
• AWSSupport-TroubleshootLambdaInternetAccess (p. 186)
• AWSSupport-TroubleshootLambdaS3Event (p. 188)
AWSConfigRemediation-ConfigureLambdaFunctionXRayTracing
Description
The AWSConfigRemediation-ConfigureLambdaFunctionXRayTracing runbook enables AWS X-Ray live tracing on the AWS Lambda function you specify in the FunctionName parameter.
Run this Automation (console)
Document type: Automation
Owner: Amazon
Platforms: Linux, macOS, Windows
Parameters
• AutomationAssumeRole Type: String
Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
• FunctionName Type: String
Description: (Required) The name or ARN of the Lambda function to enable tracing on.
Required IAM permissions
The AutomationAssumeRole parameter requires the following actions to successfully use the runbook.
• lambda:UpdateFunctionConfiguration
• ssm:StartAutomationExecution
• ssm:GetAutomationExecution
Document Steps
• aws:executeAwsApi - Enables X-Ray tracing on the Lambda function you specify in the FunctionName parameter.
• aws:assertAwsResourceProperty - Verifies that X-Ray tracing has been enabled on the Lambda function.
Outputs
UpdateLambdaConfig.UpdateFunctionConfigurationResponse - Response from the UpdateFunctionConfiguration API call.
AWSConfigRemediation-DeleteLambdaFunction
Description
The AWSConfigRemediation-DeleteLambdaFunction runbook deletes the AWS Lambda function you specify.
Run this Automation (console)
Document type: Automation
Owner: Amazon
Platforms: Linux, macOS, Windows
Parameters
• AutomationAssumeRole Type: String
Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
• LambdaFunctionName Type: String
Description: (Required) The name of the Lambda function that you want to delete.
Required IAM permissions
The AutomationAssumeRole parameter requires the following actions to successfully use the runbook.
• ssm:StartAutomationExecution
• ssm:GetAutomationExecution
• lambda:DeleteFunction
• lambda:GetFunction
Document Steps
• aws:executeAwsApi - Deletes the Lambda function specified in the LambdaFunctionName parameter.
• aws:executeScript - Verifies the Lambda function has been deleted.
AWSConfigRemediation-EncryptLambdaEnvironmentVariablesWithCMK
Description
The AWSConfigRemediation-EncryptLambdaEnvironmentVariablesWithCMK runbook encrypts the environment variables of the AWS Lambda (Lambda) function you specify using an AWS Key Management Service (AWS KMS) customer managed key. This runbook should only be used as a baseline to ensure that your Lambda function's environment variables are encrypted according to minimum recommended security best practices. We recommend encrypting multiple functions with different customer managed keys.
Run this Automation (console)
Document type: Automation
Owner: Amazon
Platforms: Linux, macOS, Windows
Parameters
• AutomationAssumeRole Type: String
Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
• FunctionName Type: String
Description: (Required) The name or ARN of the Lambda function whose environment variables you want to encrypt.
• KMSKeyArn Type: String
Description: (Required) The ARN of the AWS KMS customer managed key you want to use to encrypt your Lambda function's environment variables.
Required IAM permissions
The AutomationAssumeRole parameter requires the following actions to successfully use the runbook.
• ssm:StartAutomationExecution
• ssm:GetAutomationExecution
• lambda:GetFunctionConfiguration
• lambda:UpdateFunctionConfiguration
Document Steps
• aws:waitForAwsResourceProperty - Waits for the LastUpdateStatus property to be Successful.
• aws:executeAwsApi - Encrypts the environment variables for the Lambda function you specify in the FunctionName parameter using the AWS KMS customer managed key you specify in the KMSKeyArn parameter.
• aws:assertAwsResourceProperty - Confirms encryption is enabled on the environment variables for your Lambda function.
AWSConfigRemediation-MoveLambdaToVPC
Description
The AWSConfigRemediation-MoveLambdaToVPC runbook moves an AWS Lambda (Lambda) function to an Amazon Virtual Private Cloud (Amazon VPC).
Run this Automation (console)
Document type: Automation
Owner: Amazon
Platforms: Linux, macOS, Windows
Parameters
• AutomationAssumeRole Type: String
Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
• FunctionName Type: String
Description: (Required) The name of the Lambda function to move to an Amazon VPC.
• SecurityGroupIds Type: String
Description: (Required) The security group IDs you want to assign to the elastic network interfaces (ENIs) associated with your Lambda function.
• SubnetIds Type: String
Description: (Required) The IDs of the subnets in which you want to create the elastic network interfaces (ENIs) associated with your Lambda function.
Required IAM permissions
The AutomationAssumeRole parameter requires the following actions to successfully use the runbook.
• ssm:StartAutomationExecution