
AWSSupport-TroubleshootSSH

aws:executeAutomation - Calls AWSSupport-ManageWindowsService to start the RDP service.

aws:executeAutomation - Calls AWSSupport-ManageRDPSettings to enable remote connections and disable NLA.

d. (Online management) If the Action = Custom, then:

aws:runPowerShellScript - Runs the PowerShell script to manage the Windows Firewall profiles.

aws:executeAutomation - Calls AWSSupport-ManageWindowsService to manage the RDP service.

aws:executeAutomation - Calls AWSSupport-ManageRDPSettings to manage the RDP settings.

4. (Offline remediation) If the instance is not a managed instance then:

a. aws:assertAwsResourceProperty - Assert AllowOffline = True

b. aws:assertAwsResourceProperty - Assert Action = FixAll

c. aws:assertAwsResourceProperty - Assert the value of SubnetId

d. (Use the provided instance's subnet) If SubnetId is SELECTED_INSTANCE_SUBNET

aws:executeAwsApi - Retrieve the current instance's subnet.

aws:executeAutomation - Run AWSSupport-ExecuteEC2Rescue with the provided instance's subnet.

e. (Use the provided custom subnet) If SubnetId is not SELECTED_INSTANCE_SUBNET

aws:executeAutomation - Run AWSSupport-ExecuteEC2Rescue with the provided SubnetId value.

Outputs

manageFirewallProfiles.Output

manageRDPServiceSettings.Output

manageRDPSettings.Output

checkFirewallProfiles.Output

checkRDPServiceSettings.Output

checkRDPSettings.Output

disableFirewallProfiles.Output

restoreDefaultRDPServiceSettings.Output

restoreDefaultRDPSettings.Output

troubleshootRDPOffline.Output

troubleshootRDPOfflineWithSubnetId.Output

AWSSupport-TroubleshootSSH

Description


The AWSSupport-TroubleshootSSH runbook installs the Amazon EC2Rescue tool for Linux and then uses it to check, or attempt to fix, common issues that prevent a remote connection to the Linux machine over SSH. Optionally, changes can be applied offline by stopping and starting the instance, but only if the user explicitly allows offline remediation. By default, the runbook operates in read-only mode (Action = CheckAll).

Run this Automation (console)

For information about working with the AWSSupport-TroubleshootSSH runbook, see this AWSSupport-TroubleshootSSH troubleshooting topic from AWS Premium Support.

Document type: Automation

Owner: Amazon

Platforms: Linux

Parameters

• Action

Type: String

Valid values: CheckAll | FixAll

Default: CheckAll

Description: (Required) Specify whether to check for issues without fixing them (CheckAll) or to check and automatically fix any discovered issues (FixAll).

• AllowOffline

Type: String

Valid values: True | False

Default: False

Description: (Optional) Fix only - Set to True to allow offline SSH remediation when the online troubleshooting fails or the provided instance is not a managed instance. Note: For offline remediation, SSM Automation stops the instance and creates an AMI before attempting any operations.

• AutomationAssumeRole

Type: String

Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.

• InstanceId

Type: String


• S3BucketName

Type: String

Description: (Optional) Offline only - S3 bucket name in your account where you want to upload the troubleshooting logs. Make sure the bucket policy does not grant unnecessary read/write permissions to parties that do not need access to the collected logs.

• SubnetId

Type: String

Default: SelectedInstanceSubnet

Description: (Optional) Offline only - The subnet ID for the EC2Rescue instance used to perform the offline troubleshooting. If no subnet ID is specified, AWS Systems Manager Automation will create a new VPC.

Important

The subnet must be in the same Availability Zone as InstanceId, and it must allow access to the SSM endpoints.

Required IAM permissions

The AutomationAssumeRole parameter requires the following actions to successfully use the runbook.

It is recommended that the EC2 instance receiving the command has an IAM role with the AmazonSSMManagedInstanceCore Amazon managed policy attached.

For the online remediation, the user must have at least ssm:DescribeInstanceInformation, ssm:StartAutomationExecution and ssm:SendCommand to run the automation and send the command to the instance, plus ssm:GetAutomationExecution to be able to read the automation output.

For the offline remediation, the user must have at least ssm:DescribeInstanceInformation, ssm:StartAutomationExecution and ec2:DescribeInstances, plus ssm:GetAutomationExecution to be able to read the automation output.

AWSSupport-TroubleshootSSH calls AWSSupport-ExecuteEC2Rescue to perform the offline remediation. Review the permissions for AWSSupport-ExecuteEC2Rescue to ensure you can run the automation successfully.

Document Steps

1. aws:assertAwsResourceProperty - Check if the instance is a managed instance

a. (Online remediation) If the instance is a managed instance, then:

i. aws:configurePackage - Install EC2Rescue for Linux via AWS-ConfigureAWSPackage.

ii. aws:runCommand - Run the bash script to run EC2Rescue for Linux.

b. (Offline remediation) If the instance is not a managed instance then:

i. aws:assertAwsResourceProperty - Assert AllowOffline = True

ii. aws:assertAwsResourceProperty - Assert Action = FixAll

iii. aws:assertAwsResourceProperty - Assert the value of SubnetId

iv. (Use the provided instance's subnet) If SubnetId is SelectedInstanceSubnet, use aws:executeAutomation to run AWSSupport-ExecuteEC2Rescue with the provided instance's subnet.

v. (Use the provided custom subnet) If SubnetId is not SelectedInstanceSubnet, use aws:executeAutomation to run AWSSupport-ExecuteEC2Rescue with the provided SubnetId value.

Outputs

troubleshootSSH.Output

troubleshootSSHOffline.Output

troubleshootSSHOfflineWithSubnetId.Output
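As an added worked example (not AWS code and not part of the runbook), the following Python models the Document Steps above together with the caller permissions listed under Required IAM permissions: it reports which branch an execution takes for a given Action, AllowOffline and SubnetId, which output key to read afterwards, and which of the listed actions a caller's Allow patterns do not cover. The step and output names, parameter values and action lists are taken from this page; the wildcard matching assumes IAM's case-insensitive `*`/`?` matching of the Action element; the sample caller policy at the bottom is constructed; the additional permissions of AWSSupport-ExecuteEC2Rescue are not modelled because this page does not list them.

```python
import fnmatch

SELECTED_INSTANCE_SUBNET = "SelectedInstanceSubnet"   # the SubnetId default

# Minimum caller actions from "Required IAM permissions" above. The extra
# permissions of AWSSupport-ExecuteEC2Rescue (invoked on the offline path)
# are not listed on this page and so are deliberately not modelled here.
ONLINE_ACTIONS = frozenset({
    "ssm:DescribeInstanceInformation",
    "ssm:StartAutomationExecution",
    "ssm:SendCommand",
    "ssm:GetAutomationExecution",
})
OFFLINE_ACTIONS = frozenset({
    "ssm:DescribeInstanceInformation",
    "ssm:StartAutomationExecution",
    "ec2:DescribeInstances",
    "ssm:GetAutomationExecution",
})


def plan_branch(managed, action="CheckAll", allow_offline="False",
                subnet_id=SELECTED_INSTANCE_SUBNET):
    """Mirror the runbook's Document Steps: return (mode, output step name),
    or raise ValueError where one of its aws:assertAwsResourceProperty steps
    would fail and the execution would end without touching the instance."""
    if action not in ("CheckAll", "FixAll"):
        raise ValueError("Action must be CheckAll or FixAll")
    if allow_offline not in ("True", "False"):
        raise ValueError("AllowOffline must be True or False")
    if managed:
        # Step 1.a: install EC2Rescue for Linux via AWS-ConfigureAWSPackage
        # and run it in place; CheckAll keeps this read-only.
        return ("online", "troubleshootSSH")
    # Step 1.b: the offline path stops the instance and creates an AMI, so
    # the runbook demands an explicit opt-in and a FixAll intent first.
    if allow_offline != "True":
        raise ValueError("instance is not managed and AllowOffline is not True")
    if action != "FixAll":
        raise ValueError("offline remediation requires Action=FixAll")
    if subnet_id == SELECTED_INSTANCE_SUBNET:
        return ("offline", "troubleshootSSHOffline")
    return ("offline", "troubleshootSSHOfflineWithSubnetId")


def missing_actions(allowed_patterns, required):
    """Return the required actions not matched by any Allow pattern.

    Assumption: IAM matches the Action element case-insensitively and honours
    '*' and '?' wildcards (e.g. "ssm:Describe*"). Explicit Deny statements,
    resource ARNs and condition keys are out of scope for this check."""
    patterns = [p.lower() for p in allowed_patterns]
    return {
        a for a in required
        if not any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)
    }


def preflight(managed, allowed_patterns, **params):
    """Combine both checks: which branch runs, where its output lands, and
    which caller permissions are still missing for that branch."""
    mode, step = plan_branch(managed, **params)
    required = ONLINE_ACTIONS if mode == "online" else OFFLINE_ACTIONS
    return {
        "mode": mode,
        "output": f"{step}.Output",
        "missing": sorted(missing_actions(allowed_patterns, required)),
    }


if __name__ == "__main__":
    # Constructed sample: a caller policy that allows only Describe* plus the
    # automation start/read calls, used against an unmanaged instance.
    caller = ["ssm:Describe*", "ssm:StartAutomationExecution",
              "ssm:GetAutomationExecution"]
    print(preflight(False, caller, action="FixAll", allow_offline="True"))
```

Run it before starting an execution with AllowOffline=True: a ValueError reproduces the assert that would end the execution without changes, and a non-empty `missing` list means the automation would start but fail at the call the caller cannot make. Because AutomationAssumeRole is optional, the patterns you feed in should be those of the role if one is given, otherwise those of the user starting the runbook.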

AWSSupport-TroubleshootSUSERegistration

Description

The AWSSupport-TroubleshootSUSERegistration runbook helps you to identify why registering an Amazon Elastic Compute Cloud (Amazon EC2) SUSE Linux Enterprise Server instance with SUSE Update Infrastructure failed. The automation output provides steps to resolve, or helps you troubleshoot, the issue. If the instance passes all checks during the automation, the instance is registered with SUSE Update Infrastructure.

Run this Automation (console)

Document type: Automation

Owner: Amazon

Platforms: Linux

Parameters

• AutomationAssumeRole

Type: String

Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.

• InstanceId

Type: String

Description: (Required) The ID of the Amazon EC2 instance you want to troubleshoot.

Required IAM permissions

The AutomationAssumeRole parameter requires the following actions to successfully use the runbook.

• ssm:StartAutomationExecution

• ssm:DescribeInstanceProperties

• ssm:DescribeInstanceInformation

• ssm:ListCommandInvocations

• ssm:SendCommand

• ssm:ListCommands