• lambda:GetFunction
• lambda:GetFunctionConfiguration
• lambda:UpdateFunctionConfiguration
Document Steps
• aws:executeAwsApi - Updates the Amazon VPC configuration for the Lambda function you specify in the FunctionName parameter.
• aws:waitForAwsResourceProperty - Waits for the Lambda function LastUpdateStatus to be successful.
• aws:executeScript - Verifies the Lambda function Amazon VPC configuration has been successfully updated.
AWSSupport-RemediateLambdaS3Event
Description
The AWSSupport-TroubleshootLambdaS3Event runbook provides an automated solution for the procedures outlined in the AWS Knowledge Center articles Why doesn't my Amazon S3 event notification trigger my Lambda function? and Why do I get the error "Unable to validate the following destination configurations" when creating an Amazon S3 event notification to trigger my Lambda function? This runbook helps you identify and remediate why an Amazon Simple Storage Service (Amazon S3) event notification failed to trigger the AWS Lambda function you specified. If the runbook output suggests validating and configuring your Lambda function concurrency, see Asynchronous invocation and AWS Lambda Function scaling.
Note: "Unable to validate the following destination configurations" errors can also occur due to incorrect Amazon Simple Notification Service (Amazon SNS) and Amazon Simple Queue Service (Amazon SQS) Amazon S3 event configurations. This runbook only checks Lambda function configurations. If after using the runbook, you are still receiving the "Unable to validate the following destination configurations" error, please review any existing Amazon SNS and Amazon SQS Amazon S3 event configurations.
Run this Automation (console)
Document type: Automation
Owner: Amazon
Platforms: Linux, macOS, Windows
Parameters
• AutomationAssumeRole Type: String
Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
• LambdaFunctionArn Type: String
Description: (Required) The ARN of the Lambda function.
• S3BucketName Type: String
Description: (Required) The name of the Amazon S3 bucket whose event notifications trigger the Lambda function.
• Action Type: String
Valid values: Troubleshoot | Remediate
Description: (Required) The action you want the runbook to perform. The Troubleshoot option helps identify any issues, but does not perform any mutating actions to resolve the issue. The Remediate option helps identify and attempts to resolve issues for you.
Required IAM permissions
The AutomationAssumeRole parameter requires the following actions to successfully use the runbook.
• ssm:StartAutomationExecution
• ssm:GetDocument
• ssm:ListDocuments
• ssm:DescribeAutomationExecutions
• ssm:DescribeAutomationStepExecutions
• ssm:GetAutomationExecution
• lambda:GetPolicy
• lambda:AddPermission
• s3:GetBucketNotification
Document Steps
• aws:branch - Branches based on the input specified for the Action parameter.
If the value specified is Troubleshoot:
• aws:executeAutomation - Runs the AWSSupport-TroubleshootLambdaS3Event runbook.
• aws:executeAwsApi - Checks the output of the AWSSupport-TroubleshootLambdaS3Event runbook that ran in the previous step.
If the value specified is Remediate:
• aws:executeScript - Runs a script to remediate the issues outlined in the Why doesn't my Amazon S3 event notification trigger my Lambda function? and Why do I get the error "Unable to validate the following destination configurations" when creating an Amazon S3 event notification to trigger my Lambda function? Knowledge Center articles.
Outputs
checkoutput.Output
remediatelambdas3event.Output
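The Troubleshoot and Remediate branches above come down to two questions that the listed permissions (lambda:GetPolicy, s3:GetBucketNotification, lambda:AddPermission) let the runbook answer: does the function's resource policy allow the S3 service principal to invoke it for this bucket, and does the bucket's notification configuration actually point at the function? The following Python is an added example, not the runbook's own script. It evaluates those two checks offline against constructed sample documents (the function ARN, account ID and bucket names are placeholders) and, when the policy is the problem, builds the parameter set an AddPermission call would need without making any API call.

```python
"""Offline model of the S3-to-Lambda invocation checks described above.
Added example, not the runbook's code. Sample policy / notification documents
are constructed to mirror lambda:GetPolicy and s3:GetBucketNotification output."""
import fnmatch
import json

S3_PRINCIPAL = "s3.amazonaws.com"
INVOKE_ACTION = "lambda:InvokeFunction"

# Placeholder identifiers (constructed, not real resources).
ACCOUNT_ID = "123456789012"
FUNCTION_ARN = f"arn:aws:lambda:us-east-1:{ACCOUNT_ID}:function:example-fn"


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def s3_may_invoke(policy_document, function_arn, bucket_name, account_id):
    """True if an Allow statement grants lambda:InvokeFunction to the S3 service
    principal for this function, and any AWS:SourceArn / AWS:SourceAccount
    condition matches the bucket and account (an unscoped statement also counts)."""
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if S3_PRINCIPAL not in services and principal != "*":
            continue
        actions = _as_list(stmt.get("Action"))
        if INVOKE_ACTION not in actions and "lambda:*" not in actions:
            continue
        if function_arn not in _as_list(stmt.get("Resource")):
            continue
        cond = stmt.get("Condition", {})
        source_arn = (cond.get("ArnLike", {}).get("AWS:SourceArn")
                      or cond.get("ArnEquals", {}).get("AWS:SourceArn"))
        source_account = cond.get("StringEquals", {}).get("AWS:SourceAccount")
        if source_arn and not fnmatch.fnmatch(bucket_arn, source_arn):
            continue  # scoped to a different bucket
        if source_account and source_account != account_id:
            continue  # scoped to a different account
        return True
    return False


def bucket_events_for_function(notification_config, function_arn):
    """Return the S3 events the bucket notification configuration wires to this function."""
    events = []
    for cfg in notification_config.get("LambdaFunctionConfigurations", []):
        if cfg.get("LambdaFunctionArn") == function_arn:
            events.extend(cfg.get("Events", []))
    return events


def diagnose(policy_document, notification_config, function_arn, bucket_name, account_id):
    """Findings in the spirit of the Troubleshoot branch; when the resource policy is the
    gap, include the lambda.add_permission parameters the Remediate branch would need."""
    findings = {
        "policy_allows_s3": s3_may_invoke(policy_document, function_arn, bucket_name, account_id),
        "bucket_events": bucket_events_for_function(notification_config, function_arn),
    }
    if not findings["policy_allows_s3"]:
        findings["add_permission_params"] = {
            "FunctionName": function_arn,
            "StatementId": f"s3-invoke-{bucket_name}",  # constructed statement id
            "Action": INVOKE_ACTION,
            "Principal": S3_PRINCIPAL,
            "SourceArn": f"arn:aws:s3:::{bucket_name}",
            "SourceAccount": account_id,
        }
    if not findings["bucket_events"]:
        findings["note"] = "bucket notification configuration does not reference this function"
    return findings


# Constructed sample: the policy is scoped to a different bucket than the one being checked.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "default",
    "Statement": [{
        "Sid": "s3-invoke-other-bucket",
        "Effect": "Allow",
        "Principal": {"Service": S3_PRINCIPAL},
        "Action": INVOKE_ACTION,
        "Resource": FUNCTION_ARN,
        "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:s3:::other-bucket"},
                      "StringEquals": {"AWS:SourceAccount": ACCOUNT_ID}},
    }],
})
SAMPLE_NOTIFICATION = {"LambdaFunctionConfigurations": [
    {"Id": "on-upload", "LambdaFunctionArn": FUNCTION_ARN, "Events": ["s3:ObjectCreated:*"]}]}

if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE_POLICY, SAMPLE_NOTIFICATION, FUNCTION_ARN, "my-bucket", ACCOUNT_ID), indent=2))
```

In the sample the bucket notification is correct but the policy condition names another bucket, which is exactly the "Unable to validate the following destination configurations" situation the runbook targets; the findings point at the policy rather than the notification. Keeping the SourceArn and SourceAccount conditions in the proposed AddPermission parameters matters: without them any bucket in any account could invoke the function.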
AWSSupport-TroubleshootLambdaInternetAccess
Description
The AWSSupport-TroubleshootLambdaInternetAccess runbook helps you troubleshoot internet access issues for an AWS Lambda function that was launched into Amazon Virtual Private Cloud (Amazon VPC). Resources such as subnet routes, security group rules, and network access control list (ACL) rules are reviewed to confirm outbound internet access is allowed.
Run this Automation (console)
Document type: Automation
Owner: Amazon
Platforms: Linux, macOS, Windows
Parameters
• AutomationAssumeRole Type: String
Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
• FunctionName Type: String
Description: (Required) The name of the Lambda function you want to troubleshoot internet access for.
• destinationIp Type: String
Description: (Required) The destination IP address you want to establish an outbound connection to.
• destinationPort Type: String Default: 443
Description: (Optional) The destination port you want to establish an outbound connection on.
Required IAM permissions
The AutomationAssumeRole parameter requires the following actions to successfully use the runbook.
• lambda:GetFunction
Document Steps
• aws:executeScript - Verifies the configuration of various resources in your VPC where the Lambda function was launched.
• aws:branch - Branches based on whether the Lambda function specified is in a VPC or not.
• aws:executeScript - Reviews the route table routes for the subnet where the Lambda function was launched, verifies that routes to a network address translation (NAT) gateway and an internet gateway are present, and confirms the Lambda function is not in a public subnet.
• aws:executeScript - Verifies the security group associated with the Lambda function allows outbound internet access based on the values specified for the destinationIp and destinationPort parameters.
• aws:executeScript - Verifies the ACL rules associated with the subnets of the Lambda function and the NAT gateway allow outbound internet access based on the values specified for the destinationIp and destinationPort parameters.
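The three aws:executeScript checks above each answer a yes/no question about one VPC resource: does the subnet's default route go through a NAT gateway rather than straight to an internet gateway, does a security group egress rule cover destinationIp/destinationPort, and do the network ACL rules allow the flow out and the return traffic back in. The Python below is an added example, not the runbook's script, that models those checks offline. The route table, security group and NACL dicts are constructed to mirror the shape of EC2 describe_* responses with placeholder IDs; the ephemeral port range used for the return-traffic check and the wording of the analysis strings are this example's own assumptions.

```python
"""Offline model of the outbound-connectivity checks described in the runbook steps
(route table, security group egress, network ACL). Added example, not the runbook's code.
Resource dicts below are constructed samples shaped like EC2 API responses."""
import ipaddress

# Return traffic to the Lambda ENI arrives on an ephemeral port; the range is an assumption.
EPHEMERAL_PORTS = (1024, 65535)


def classify_default_route(route_table):
    """Return ("nat"|"igw"|"none", target) for the 0.0.0.0/0 route. A NAT gateway route is
    what a Lambda subnet needs; an internet gateway route means a public subnet, where the
    Lambda ENI (which has no public IP) cannot reach the internet."""
    for route in route_table["Routes"]:
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("NatGatewayId"):
            return "nat", route["NatGatewayId"]
        if route.get("GatewayId", "").startswith("igw-"):
            return "igw", route["GatewayId"]
    return "none", None


def _port_in_range(port, low, high):
    return low <= port <= high


def sg_allows_egress(security_group, dest_ip, dest_port, protocol="tcp"):
    """Security group egress rules are allow-only and stateful: any matching rule permits the flow."""
    ip = ipaddress.ip_address(dest_ip)
    for perm in security_group["IpPermissionsEgress"]:
        proto = perm["IpProtocol"]
        if proto not in ("-1", protocol):
            continue
        if proto != "-1" and not _port_in_range(dest_port, perm["FromPort"], perm["ToPort"]):
            continue
        if any(ip in ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", [])):
            return True
    return False


def nacl_verdict(nacl, egress, remote_ip, port, protocol="6"):
    """Evaluate one direction of a network ACL the way the VPC does: ascending RuleNumber,
    first match wins, and the trailing * rule (32767) denies everything that is left.
    Returns the strings used in the runbook's checkNACL.NACL output."""
    ip = ipaddress.ip_address(remote_ip)
    entries = sorted((e for e in nacl["Entries"] if e["Egress"] == egress),
                     key=lambda e: e["RuleNumber"])
    for entry in entries:
        if ip not in ipaddress.ip_network(entry["CidrBlock"]):
            continue
        if entry["Protocol"] not in ("-1", protocol):
            continue
        if entry["Protocol"] != "-1":
            port_range = entry.get("PortRange", {"From": 0, "To": 65535})
            if not _port_in_range(port, port_range["From"], port_range["To"]):
                continue
        return "Allowed" if entry["RuleAction"] == "allow" else "notAllowed"
    return "notAllowed"


def analyse_subnet_nacl(subnet_id, nacl, dest_ip, dest_port):
    """One entry in the shape of the checkNACL.NACL output for the Lambda subnet. NACLs are
    stateless, so the ingress side is checked for the return traffic; probing both ends of
    the ephemeral range is this example's approximation, not the runbook's exact logic."""
    egress = nacl_verdict(nacl, True, dest_ip, dest_port)
    ingress_ok = all(nacl_verdict(nacl, False, dest_ip, p) == "Allowed" for p in EPHEMERAL_PORTS)
    ingress = "Allowed" if ingress_ok else "notAllowed"
    if egress == "Allowed" and ingress == "Allowed":
        analysis = "NACL allows the destination IP in both directions"
    elif egress == "Allowed":
        analysis = ("This NACL has an allow rule for Egress traffic but there is no Ingress rule. "
                    "Allow the destination IP on the ephemeral port range in an Ingress rule")
    else:
        analysis = "This NACL does not allow Egress traffic to the destination IP / destination port"
    return {subnet_id: {"NACL": nacl["NetworkAclId"], "destinationIp_Egress": egress,
                        "destinationIp_Ingress": ingress, "Analysis": analysis}}


# Constructed sample resources (placeholder IDs, shaped like describe_* responses).
ROUTE_TABLE = {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                          {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]}
SECURITY_GROUP = {"GroupId": "sg-0example", "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
LAMBDA_NACL = {"NetworkAclId": "acl-0example", "Entries": [
    {"RuleNumber": 100, "Egress": True, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 32767, "Egress": True, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
]}

if __name__ == "__main__":
    print(classify_default_route(ROUTE_TABLE))
    print(sg_allows_egress(SECURITY_GROUP, "203.0.113.10", 443))
    print(analyse_subnet_nacl("subnet-0example", LAMBDA_NACL, "203.0.113.10", 443))
```

The sample NACL reproduces the case shown in the checkNACL.NACL output below: an egress allow rule exists for the destination, but the only ingress entry is the default deny, so the TCP handshake's reply never reaches the function. The security group check passes for the same destination because security groups track state and need no matching ingress rule.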
Outputs
checkVpc.vpc - The ID of the VPC where your Lambda function was launched.
checkVpc.subnet - The IDs of the subnets where your Lambda function was launched.
checkVpc.securityGroups - Security groups associated with the Lambda function.
checkNACL.NACL - Analysis message with resource names. LambdaIp refers to the private IP address of the elastic network interface for your Lambda function. The LambdaIpRules object is only generated for subnets that have a route to a NAT gateway. The following content is an example of the output.
{
  "subnet-1234567890": {
    "NACL": "acl-1234567890",
    "destinationIp_Egress": "Allowed",
    "destinationIp_Ingress": "notAllowed",
    "Analysis": "This NACL has an allow rule for Egress traffic but there is no Ingress rule. Please allow the destination IP / destionation port in Ingress rule",
    "LambdaIpRules": {
      "{LambdaIp}": {
        "Egress": "notAllowed",
        "Ingress": "notAllowed",
        "Analysis": "This is a NAT subnet NACL. It does not have ingress or egress rule allowed in it for Lambda's corresponding private ip {LambdaIp} Please allow this IP in your egress and ingress NACL rules"
      }
    }
  },
  "subnet-0987654321": {
    "NACL": "acl-0987654321",
    "destinationIp_Egress": "Allowed",
    "destinationIp_Ingress": "notAllowed",
    "Analysis": "This NACL has an allow rule for Egress traffic but there is no Ingress