Description
The AWSSupport-ModifyEBSSnapshotPermission runbook helps you to modify permissions for multiple Amazon Elastic Block Store (Amazon EBS) snapshots. Using this runbook, you can make snapshots Public or Private and share them with other AWS accounts. Snapshots encrypted with a default KMS key can't be shared with other accounts using this runbook.
Run this Automation (console)
Document type: Automation
Owner: Amazon
Platforms: Linux, macOS, Windows
Parameters
• AutomationAssumeRole
  Type: String
  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
• AccountIds
  Type: StringList
  Default: none
  Description: (Optional) The IDs of the accounts you want to share snapshots with. This parameter is required if you enter No for the value of the Private parameter.
• AccountPermissionOperation
  Type: String
  Valid values: add | remove
  Default: none
  Description: (Optional) The type of operation to perform.
• Private
  Type: String
  Valid values: Yes | No
  Description: (Required) Enter No for the value if you want to share snapshots with specific accounts.
• SnapshotIds
  Type: StringList
  Description: (Required) The IDs of Amazon EBS snapshots whose permission you want to modify.
Required IAM permissions
The AutomationAssumeRole parameter requires the following actions to successfully use the runbook.
• ssm:StartAutomationExecution
• ssm:GetAutomationExecution
• ec2:DescribeSnapshots
• ec2:ModifySnapshotAttribute
Document Steps
1. aws:executeScript - Verifies the IDs of the snapshots provided in the SnapshotIds parameter.
After verifying the IDs, the script checks for encrypted snapshots and outputs a list if any are found.
2. aws:branch - Branches the automation based on the value you enter for the Private parameter.
3. aws:executeScript - Modifies permissions of the specified snapshots to share them with the specified accounts.
4. aws:executeScript - Modifies permissions of the snapshots to change them from Public to Private.
Outputs
• ValidateSnapshots.EncryptedSnapshots
• SharewithOtherAccounts.Result
• MakePrivate.Result
• MakePrivate.Commands
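As an added example (not part of the AWS documentation or the runbook's own code), the sketch below audits snapshot sharing and builds parameter sets for this runbook that follow the rules above: Private must be Yes or No, and AccountIds is required when Private is No. The helper names `runbook_parameters` and `plan_remediation`, the approved-account list, and every snapshot and account ID are assumptions constructed for illustration; the input is shaped like EC2 DescribeSnapshotAttribute responses for the createVolumePermission attribute.

```python
RUNBOOK = "AWSSupport-ModifyEBSSnapshotPermission"

def runbook_parameters(snapshot_ids, private, account_ids=(), operation=None):
    """Validate inputs against the documented parameter rules and return them
    in the {name: [values]} shape used for Automation parameters."""
    if private not in ("Yes", "No"):
        raise ValueError("Private must be Yes or No")
    if not snapshot_ids:
        raise ValueError("SnapshotIds is required")
    params = {"SnapshotIds": sorted(set(snapshot_ids)), "Private": [private]}
    if private == "No":
        if not account_ids:
            raise ValueError("AccountIds is required when Private is No")
        if operation is not None and operation not in ("add", "remove"):
            raise ValueError("AccountPermissionOperation must be add or remove")
        params["AccountIds"] = sorted(set(account_ids))
        if operation:
            params["AccountPermissionOperation"] = [operation]
    return params

def plan_remediation(attributes, approved_accounts):
    """attributes: EC2 DescribeSnapshotAttribute (createVolumePermission)
    responses. Returns one parameter set per runbook execution needed."""
    public, unapproved = [], {}
    for attr in attributes:
        for perm in attr.get("CreateVolumePermissions", []):
            if perm.get("Group") == "all":  # shared with every account
                public.append(attr["SnapshotId"])
            elif "UserId" in perm and perm["UserId"] not in approved_accounts:
                unapproved.setdefault(perm["UserId"], []).append(attr["SnapshotId"])
    plans = [runbook_parameters(public, "Yes")] if public else []
    for account, snaps in sorted(unapproved.items()):
        plans.append(runbook_parameters(snaps, "No", [account], "remove"))
    return plans

# Constructed sample responses; all snapshot and account IDs are placeholders.
SAMPLE = [
    {"SnapshotId": "snap-0aaaaaaaaaaaaaaa1",
     "CreateVolumePermissions": [{"Group": "all"}]},
    {"SnapshotId": "snap-0bbbbbbbbbbbbbbb2",
     "CreateVolumePermissions": [{"UserId": "111111111111"},
                                 {"UserId": "999999999999"}]},
    {"SnapshotId": "snap-0ccccccccccccccc3", "CreateVolumePermissions": []},
]
APPROVED = {"111111111111"}  # assumed allow-list of accounts

if __name__ == "__main__":
    for params in plan_remediation(SAMPLE, APPROVED):
        print(RUNBOOK, params)
```

Each returned dictionary can be passed as the `Parameters` argument of the Systems Manager `StartAutomationExecution` API with `DocumentName` set to the runbook name.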
AWSConfigRemediation-ModifyEBSVolumeType
Description
The AWSConfigRemediation-ModifyEBSVolumeType runbook modifies the volume type of an Amazon Elastic Block Store (Amazon EBS) volume. After the volume type is modified, the volume enters an optimizing state. For information about monitoring the progress of volume modifications, see Monitor the progress of volume modifications in the Amazon EC2 User Guide for Linux Instances.
Run this Automation (console)
Document type: Automation
Owner: Amazon
Platforms: Linux, macOS, Windows
Parameters
• AutomationAssumeRole
  Type: String
  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
• EbsVolumeId
  Type: String
  Description: (Required) The ID of the Amazon EBS volume that you want to modify.
• EbsVolumeType
  Type: String
  Valid values: standard | io1 | io2 | gp2 | sc1 | st1
  Description: The volume type you want to change the Amazon EBS volume to. For information about Amazon EBS volume types, see Amazon EBS volume types in the Amazon EC2 User Guide for Linux Instances.
Required IAM permissions
The AutomationAssumeRole parameter requires the following actions to successfully use the runbook.
• ssm:StartAutomationExecution
• ssm:GetAutomationExecution
• ec2:DescribeVolumes
• ec2:ModifyVolume
Document Steps
• aws:waitForAwsResourceProperty - Verifies the state of the volume is available or in-use.
• aws:executeAwsApi - Modifies the Amazon EBS volume you specify in the EbsVolumeId parameter.
• aws:waitForAwsResourceProperty - Verifies the type of the volume has been changed to the value you specified in the EbsVolumeType parameter.
Amazon EC2
AWS Systems Manager Automation provides predefined runbooks for Amazon Elastic Compute Cloud.
Runbooks for Amazon Elastic Block Store are located in the Amazon EBS section of the runbook reference. For more information about runbooks, see Working with runbooks. For information about how to view runbook content, see View runbook content.
Topics
• AWSSupport-ActivateWindowsWithAmazonLicense
• AWS-ASGEnterStandby
• AWS-ASGExitStandby
• AWSSupport-CheckXenToNitroMigrationRequirements
• AWSEC2-CloneInstanceAndUpgradeWindows
• AWSEC2-CloneInstanceAndUpgradeSQLServer
• AWSSupport-ConfigureEC2Metadata
• AWSEC2-ConfigureSTIG
• AWSSupport-CopyEC2Instance
• AWS-CreateImage
• AWS-DeleteImage
• AWSConfigRemediation-EnableAutoScalingGroupELBHealthCheck
• AWSConfigRemediation-EnforceEC2InstanceIMDSv2
• AWSSupport-ExecuteEC2Rescue
• AWSSupport-ListEC2Resources
• AWSSupport-ManageRDPSettings
• AWSSupport-ManageWindowsService
• AWSSupport-MigrateEC2ClassicToVPC
• AWS-PatchAsgInstance
• AWS-PatchInstanceWithRollback
• AWSSupport-ResetAccess
• AWS-ResizeInstance
• AWS-RestartEC2Instance
• AWSSupport-RestoreEC2InstanceFromSnapshot
• AWSSupport-SendLogBundleToS3Bucket
• AWSEC2-SQLServerDBRestore
• AWS-StartEC2Instance
• AWSSupport-StartEC2RescueWorkflow
• AWS-TerminateEC2Instance
• AWSPremiumSupport-TroubleshootEC2DiskUsage
• AWSSupport-TroubleshootRDP
• AWSSupport-TroubleshootSSH
• AWSSupport-TroubleshootSUSERegistration
• AWS-UpdateLinuxAmi
• AWS-UpdateWindowsAmi
• AWSSupport-UpgradeWindowsAWSDrivers
AWSSupport-ActivateWindowsWithAmazonLicense
Description
The AWSSupport-ActivateWindowsWithAmazonLicense runbook activates an Amazon Elastic Compute Cloud (Amazon EC2) instance for Windows Server with a license provided by Amazon. The automation verifies and configures required key management service operating system settings and attempts activation. This includes operating system routes to Amazon's key management servers and key management service operating system settings. Setting the AllowOffline parameter to True allows the automation to successfully target instances that are not managed by AWS Systems Manager, but requires a stop and start of the instance.
Note
This runbook cannot be used on Bring Your Own License (BYOL) model Windows Server instances. For information about using your own license, see Microsoft Licensing on AWS.
Run this Automation (console)
Document type: Automation
Owner: Amazon
Platforms: Windows
Parameters
• AllowOffline
  Type: String
  Valid values: True | False
  Default: False
  Description: (Optional) Set it to True if you allow an offline Windows activation remediation in case the online troubleshooting fails, or if the provided instance is not a managed instance.
  Important
  The offline method requires that the provided EC2 instance be stopped and then started. Data stored in instance store volumes will be lost. The public IP address will change if you are not using an Elastic IP.
• AutomationAssumeRole
  Type: String
  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
• ForceActivation
  Type: String
  Valid values: True | False
  Default: False
  Description: (Optional) Set it to True if you want to proceed even if Windows is already activated.
• InstanceId
  Type: String
  Description: (Required) ID of your managed EC2 instance for Windows Server.
• SubnetId
  Type: String
  Default: CreateNewVPC
  Description: (Optional) Offline only - The subnet ID for the EC2Rescue instance used to perform the offline troubleshooting. Use SelectedInstanceSubnet to use the same subnet as your instance, or use CreateNewVPC to create a new VPC. IMPORTANT: The subnet must be in the same Availability Zone as InstanceId, and it must allow access to the SSM endpoints.
Required IAM permissions
The AutomationAssumeRole parameter requires the following actions to successfully use the runbook.
We recommend that the EC2 instance receiving the command has an IAM role with the AmazonSSMManagedInstanceCore Amazon managed policy attached. You must have at least
ssm:StartAutomationExecution and ssm:SendCommand to run the automation and send the command to the instance, plus ssm:GetAutomationExecution to be able to read the automation output. For the