
AWS Systems Manager

Automation runbook reference

User Guide


AWS Systems Manager Automation runbook reference: User Guide

Copyright © Amazon Web Services, Inc. and/or its affiliates. All rights reserved.

Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.


Table of Contents

Automation runbook reference ... 1

View runbook content ... 2

API Gateway ... 2

AWSConfigRemediation-DeleteAPIGatewayStage ... 3

AWSConfigRemediation-EnableAPIGatewayTracing ... 4

AWSConfigRemediation-UpdateAPIGatewayMethodCaching ... 5

AWS CloudFormation ... 6

AWS-DeleteCloudFormationStack ... 6

AWS-RunCfnLint ... 6

AWS-UpdateCloudFormationStack ... 8

CloudFront ... 9

AWSConfigRemediation-EnableCloudFrontDefaultRootObject ... 9

AWSConfigRemediation-EnableCloudFrontAccessLogs ... 10

AWSConfigRemediation-EnableCloudFrontOriginAccessIdentity ... 12

AWSConfigRemediation-EnableCloudFrontOriginFailover ... 13

AWSConfigRemediation-EnableCloudFrontViewerPolicyHTTPS ... 14

CloudTrail ... 15

AWSConfigRemediation-CreateCloudTrailMultiRegionTrail ... 15

AWS-EnableCloudTrail ... 16

AWSConfigRemediation-EnableCloudTrailEncryptionWithKMS ... 17

AWSConfigRemediation-EnableCloudTrailLogFileValidation ... 18

CloudWatch ... 19

AWS-ConfigureCloudWatchOnEC2Instance ... 19

CodeBuild ... 20

AWSConfigRemediation-ConfigureCodeBuildProjectWithKMSCMK ... 21

AWSConfigRemediation-DeleteAccessKeysFromCodeBuildProject ... 22

AWS CodeDeploy ... 23

AWSSupport-TroubleshootCodeDeploy ... 23

AWS Config ... 24

AWSSupport-SetupConfig ... 25

AWS Directory Service ... 26

AWS-CreateDSManagementInstance ... 27

AWSSupport-TroubleshootDirectoryTrust ... 30

DynamoDB ... 32

AWS-CreateDynamoDBBackup ... 32

AWS-DeleteDynamoDbBackup ... 33

AWSConfigRemediation-DeleteDynamoDbTable ... 34

AWS-DeleteDynamoDbTableBackups ... 35

AWSConfigRemediation-EnableEncryptionOnDynamoDBTable ... 36

AWSConfigRemediation-EnablePITRForDynamoDbTable ... 37

Amazon EBS ... 38

AWS-AttachEBSVolume ... 38

AWSSupport-CalculateEBSPerformanceMetrics ... 39

AWS-CopySnapshot ... 40

AWS-CreateSnapshot ... 41

AWS-DeleteEbsVolumeSnapshots ... 42

AWS-DeleteSnapshot ... 43

AWSConfigRemediation-DeleteUnusedEBSVolume ... 44

AWS-DetachEBSVolume ... 45

AWSConfigRemediation-EnableEbsEncryptionByDefault ... 46

AWSSupport-ModifyEBSSnapshotPermission ... 46

AWSConfigRemediation-ModifyEBSVolumeType ... 48

Amazon EC2 ... 49

AWSSupport-ActivateWindowsWithAmazonLicense ... 50


AWS-ASGEnterStandby ... 52

AWS-ASGExitStandby ... 53

AWSSupport-CheckXenToNitroMigrationRequirements ... 53

AWSEC2-CloneInstanceAndUpgradeWindows ... 55

AWSEC2-CloneInstanceAndUpgradeSQLServer ... 58

AWSSupport-ConfigureEC2Metadata ... 60

AWSEC2-ConfigureSTIG ... 63

AWSSupport-CopyEC2Instance ... 70

AWS-CreateImage ... 74

AWS-DeleteImage ... 75

AWSConfigRemediation-EnableAutoScalingGroupELBHealthCheck ... 76

AWSConfigRemediation-EnforceEC2InstanceIMDSv2 ... 77

AWSSupport-ExecuteEC2Rescue ... 78

AWSSupport-ListEC2Resources ... 79

AWSSupport-ManageRDPSettings ... 81

AWSSupport-ManageWindowsService ... 83

AWSSupport-MigrateEC2ClassicToVPC ... 84

AWS-PatchAsgInstance ... 88

AWS-PatchInstanceWithRollback ... 89

AWSSupport-ResetAccess ... 91

AWS-ResizeInstance ... 93

AWS-RestartEC2Instance ... 93

AWSSupport-RestoreEC2InstanceFromSnapshot ... 94

AWSSupport-SendLogBundleToS3Bucket ... 97

AWSEC2-SQLServerDBRestore ... 98

AWS-StartEC2Instance ... 102

AWSSupport-StartEC2RescueWorkflow ... 102

AWS-TerminateEC2Instance ... 109

AWSPremiumSupport-TroubleshootEC2DiskUsage ... 109

AWSSupport-TroubleshootRDP ... 113

AWSSupport-TroubleshootSSH ... 116

AWSSupport-TroubleshootSUSERegistration ... 119

AWS-UpdateLinuxAmi ... 120

AWS-UpdateWindowsAmi ... 122

AWSSupport-UpgradeWindowsAWSDrivers ... 124

Amazon ECS ... 126

AWS-InstallECSContainerAgent ... 127

AWS-UpdateECSContainerAgent ... 128

Amazon EFS ... 129

AWSSupport-CheckAndMountEFS ... 129

Amazon EKS ... 131

AWSSupport-CollectEKSInstanceLogs ... 132

AWS-DeleteEKSCluster ... 133

AWSPremiumSupport-TroubleshootEKSCluster ... 135

AWS-UpdateEKSManagedNodegroupVersion ... 137

Elastic Beanstalk ... 139

AWSSupport-CollectElasticBeanstalkLogs ... 139

AWSConfigRemediation-EnableElasticBeanstalkEnvironmentLogStreaming ... 141

AWSConfigRemediation-EnableBeanstalkEnvironmentNotifications ... 142

Elastic Load Balancing ... 143

AWSConfigRemediation-DropInvalidHeadersForALB ... 144

AWSConfigRemediation-EnableCLBCrossZoneLoadBalancing ... 145

AWSConfigRemediation-EnableELBDeletionProtection ... 146

AWSConfigRemediation-EnableLoggingForALBAndCLB ... 147

AWSConfigRemediation-EnableNLBCrossZoneLoadBalancing ... 148

Amazon EMR ... 149

AWSSupport-AnalyzeEMRLogs ... 149


OpenSearch Service ... 153

AWSConfigRemediation-DeleteElasticsearchDomain ... 153

AWSConfigRemediation-EnforceHTTPSOnESDomain ... 154

AWSConfigRemediation-UpdateElasticsearchDomainSecurityGroups ... 155

EventBridge ... 156

AWS-AddOpsItemDedupStringToEventBridgeRule ... 156

AWS-DisableEventBridgeRule ... 157

GuardDuty ... 158

AWSConfigRemediation-CreateGuardDutyDetector ... 158

IAM ... 159

AWS-AttachIAMToInstance ... 160

AWSConfigRemediation-DeleteIAMRole ... 161

AWSConfigRemediation-DeleteIAMUser ... 162

AWSConfigRemediation-DeleteUnusedIAMGroup ... 164

AWSConfigRemediation-DeleteUnusedIAMPolicy ... 165

AWSConfigRemediation-DetachIAMPolicy ... 166

AWSConfigRemediation-EnableAccountAccessAnalyzer ... 167

AWSSupport-GrantPermissionsToIAMUser ... 168

AWSConfigRemediation-RemoveUserPolicies ... 171

AWSConfigRemediation-ReplaceIAMInlinePolicy ... 173

AWSConfigRemediation-RevokeUnusedIAMUserCredentials ... 174

AWSConfigRemediation-SetIAMPasswordPolicy ... 175

AWS KMS ... 177

AWSConfigRemediation-CancelKeyDeletion ... 177

AWSConfigRemediation-EnableKeyRotation ... 178

Lambda ... 179

AWSConfigRemediation-ConfigureLambdaFunctionXRayTracing ... 179

AWSConfigRemediation-DeleteLambdaFunction ... 180

AWSConfigRemediation-EncryptLambdaEnvironmentVariablesWithCMK ... 181

AWSConfigRemediation-MoveLambdaToVPC ... 183

AWSSupport-RemediateLambdaS3Event ... 184

AWSSupport-TroubleshootLambdaInternetAccess ... 186

AWSSupport-TroubleshootLambdaS3Event ... 188

Amazon RDS ... 189

AWS-CreateRdsSnapshot ... 190

AWSConfigRemediation-DeleteRDSCluster ... 191

AWSConfigRemediation-DeleteRDSClusterSnapshot ... 192

AWSConfigRemediation-DeleteRDSInstance ... 193

AWSConfigRemediation-DeleteRDSInstanceSnapshot ... 194

AWSConfigRemediation-DisablePublicAccessToRDSInstance ... 195

AWSConfigRemediation-EnableCopyTagsToSnapshotOnRDSCluster ... 196

AWSConfigRemediation-EnableCopyTagsToSnapshotOnRDSDBInstance ... 197

AWSConfigRemediation-EnableEnhancedMonitoringOnRDSInstance ... 199

AWSConfigRemediation-EnableMinorVersionUpgradeOnRDS ... 200

AWSConfigRemediation-EnableMultiAZOnRDSInstance ... 201

AWSConfigRemediation-EnablePerformanceInsightsOnRDSInstance ... 202

AWSConfigRemediation-EnableRDSClusterDeletionProtection ... 204

AWSConfigRemediation-EnableRDSInstanceBackup ... 205

AWSConfigRemediation-EnableRDSInstanceDeletionProtection ... 206

AWSConfigRemediation-ModifyRDSInstancePortNumber ... 207

AWSSupport-ModifyRDSSnapshotPermission ... 208

AWS-RebootRdsInstance ... 210

AWSSupport-ShareRDSSnapshot ... 211

AWS-StartRdsInstance ... 213

AWSSupport-TroubleshootConnectivityToRDS ... 214

Amazon Redshift ... 215

AWSConfigRemediation-DeleteRedshiftCluster ... 216


AWSConfigRemediation-DisablePublicAccessToRedshiftCluster ... 217

AWSConfigRemediation-EnableRedshiftClusterAuditLogging ... 218

AWSConfigRemediation-EnableRedshiftClusterAutomatedSnapshot ... 219

AWSConfigRemediation-EnableRedshiftClusterEncryption ... 220

AWSConfigRemediation-EnableRedshiftClusterEnhancedVPCRouting ... 221

AWSConfigRemediation-EnforceSSLOnlyConnectionsToRedshiftCluster ... 222

AWSConfigRemediation-ModifyRedshiftClusterMaintenanceSettings ... 223

AWSConfigRemediation-ModifyRedshiftClusterNodeType ... 225

Amazon S3 ... 226

AWS-ConfigureS3BucketLogging ... 226

AWS-ConfigureS3BucketVersioning ... 228

AWSConfigRemediation-ConfigureS3BucketPublicAccessBlock ... 229

AWSConfigRemediation-ConfigureS3PublicAccessBlock ... 230

AWS-DisableS3BucketPublicReadWrite ... 232

AWS-EnableS3BucketEncryption ... 232

AWSConfigRemediation-RemovePrincipalStarFromS3BucketPolicy ... 233

AWSConfigRemediation-RestrictBucketSSLRequestsOnly ... 234

AWSSupport-TroubleshootS3PublicRead ... 235

Secrets Manager ... 239

AWSConfigRemediation-DeleteSecret ... 239

AWSConfigRemediation-RotateSecret ... 240

Security Hub ... 241

AWSConfigRemediation-EnableSecurityHub ... 241

Amazon SNS ... 242

AWSConfigRemediation-EncryptSNSTopic ... 243

AWS-PublishSNSNotification ... 244

Systems Manager ... 244

AWS-BulkEditOpsItems ... 245

AWS-BulkResolveOpsItems ... 247

AWS-CreateManagedLinuxInstance ... 249

AWS-CreateManagedWindowsInstance ... 250

AWSConfigRemediation-EnableCWLoggingForSessionManager ... 252

AWS-ExportOpsDataToS3 ... 253

AWS-ExportPatchReportToS3 ... 254

AWS-SetupInventory ... 255

AWS-SetupManagedInstance ... 258

AWS-SetupManagedRoleOnEC2Instance ... 259

AWSSupport-TroubleshootManagedInstance ... 260

Third-party ... 262

AWS-CreateJiraIssue ... 262

AWS-CreateServiceNowIncident ... 263

AWS-RunPacker ... 265

Amazon VPC ... 266

AWSSupport-ConfigureDNSQueryLogging ... 267

AWSSupport-ConnectivityTroubleshooter ... 269

AWSConfigRemediation-DeleteEgressOnlyInternetGateway ... 271

AWSConfigRemediation-DeleteUnusedENI ... 272

AWSConfigRemediation-DeleteUnusedSecurityGroup ... 273

AWSConfigRemediation-DeleteUnusedVPCNetworkACL ... 274

AWSConfigRemediation-DeleteVPCFlowLog ... 275

AWSConfigRemediation-DetachAndDeleteInternetGateway ... 276

AWSConfigRemediation-DetachAndDeleteVirtualPrivateGateway ... 277

AWS-DisablePublicAccessForSecurityGroup ... 279

AWSConfigRemediation-DisableSubnetAutoAssignPublicIP ... 280

AWSSupport-EnableVPCFlowLogs ... 281

AWSConfigRemediation-EnableVPCFlowLogsToCloudWatch ... 283

AWSConfigRemediation-EnableVPCFlowLogsToS3Bucket ... 285


AWS-ReleaseElasticIP ... 286

AWSConfigRemediation-RemoveUnrestrictedSourceIngressRules ... 287

AWSConfigRemediation-RemoveVPCDefaultSecurityGroupRules ... 288

AWSSupport-SetupIPMonitoringFromVPC ... 289

AWSSupport-TerminateIPMonitoringFromVPC ... 296

AWS WAF ... 298

AWSConfigRemediation-EnableWAFClassicLogging ... 298

AWSConfigRemediation-EnableWAFClassicRegionalLogging ... 299

AWSConfigRemediation-EnableWAFV2Logging ... 301

Amazon WorkSpaces ... 302

AWSSupport-RecoverWorkSpace ... 302

X-Ray ... 304

AWSConfigRemediation-UpdateXRayKMSKey ... 305


Systems Manager Automation runbook reference

To help you get started quickly, AWS Systems Manager provides predefined runbooks. These runbooks are maintained by Amazon Web Services, AWS Support, and AWS Config. The runbook reference describes each of the predefined runbooks provided by Systems Manager, AWS Support, and AWS Config.

Important

If you run an automation workflow that invokes other services by using an AWS Identity and Access Management (IAM) service role, be aware that the service role must be configured with permission to invoke those services. This requirement applies to all AWS Automation runbooks (AWS-* runbooks), such as the AWS-ConfigureS3BucketLogging, AWS-CreateDynamoDBBackup, and AWS-RestartEC2Instance runbooks, to name a few.

This requirement also applies to any custom Automation runbooks you create that invoke other AWS services by using actions that call other services. For example, if you use the aws:executeAwsApi, aws:createStack, or aws:copyImage actions, then you must configure the service role with permission to invoke those services. You can enable permissions to other AWS services by adding an IAM inline policy to the role. For more information, see Add an Automation inline policy to invoke other AWS services.
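The permission requirement above is easy to get wrong in practice: a role that can start the automation but lacks one service action fails partway through, after earlier steps have already run. The following Python is an added example, not code from AWS or from any runbook, that checks a candidate role policy against a runbook's "Required IAM permissions" list before the automation is started, and builds a minimal inline policy from that list. The action list is copied from the AWSConfigRemediation-DeleteAPIGatewayStage entry on this page; the sample policy is constructed for the example, and the function names and the use of `*` as the resource are this example's own assumptions.

```python
import fnmatch

# Required actions copied from the AWSConfigRemediation-DeleteAPIGatewayStage
# entry on this page; any runbook's "Required IAM permissions" list fits here.
DELETE_API_GATEWAY_STAGE_ACTIONS = [
    "ssm:StartAutomationExecution",
    "ssm:GetAutomationExecution",
    "config:GetResourceConfigHistory",
    "apigateway:GET",
    "apigateway:DELETE",
]

# Constructed sample: a role policy that looks reasonable but only grants
# read access to API Gateway, so the delete step of the runbook would fail.
SAMPLE_READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ssm:StartAutomationExecution", "ssm:GetAutomationExecution"],
            "Resource": "*",
        },
        {
            "Effect": "Allow",
            "Action": ["config:GetResourceConfigHistory", "apigateway:GET"],
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    """IAM policy elements (Statement, Action) may be a single item or a list."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def allowed_actions(policy_document):
    """Every action pattern granted by an Allow statement.

    Deny statements are ignored here, so a real IAM evaluation can only be
    more restrictive than what this check reports, never more permissive.
    """
    granted = set()
    for statement in _as_list(policy_document.get("Statement")):
        if statement.get("Effect") == "Allow":
            granted.update(_as_list(statement.get("Action")))
    return granted


def missing_actions(policy_document, required_actions):
    """Required actions that no Allow statement covers.

    IAM matches actions case-insensitively and honours '*' and '?' wildcards,
    so 'apigateway:*' covers 'apigateway:DELETE'; fnmatch applies the same rules.
    """
    patterns = [pattern.lower() for pattern in allowed_actions(policy_document)]
    return [
        action
        for action in required_actions
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)
    ]


def build_inline_policy(required_actions, resource="*"):
    """Inline policy granting exactly the listed actions and nothing broader.

    Resource scoping is the caller's choice: the ssm: actions and
    config:GetResourceConfigHistory are not tied to the target's ARN, so '*'
    is the default here (an assumption of this example, not something the
    runbook reference specifies).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": sorted(required_actions), "Resource": resource}
        ],
    }


if __name__ == "__main__":
    print("missing:", missing_actions(SAMPLE_READ_ONLY_POLICY, DELETE_API_GATEWAY_STAGE_ACTIONS))
```

Run the check against the role's inline and attached policies before starting the automation; for the sample policy it reports `apigateway:DELETE` as missing, which is exactly the action the runbook's delete step needs.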

This reference includes topics that describe each of the Systems Manager runbooks that are owned by AWS, AWS Support, and AWS Config. Runbooks are organized by the relevant AWS service. Each page provides an explanation of the required and optional parameters you can specify when using the runbook. Each page also lists the steps in the runbook and the output of the automation, if any.

This section does not include a separate page for runbooks that require approval, such as the AWS-CreateManagedLinuxInstanceWithApproval or AWS-StopEC2InstanceWithApproval runbook.

Any runbook whose name includes WithApproval contains the aws:approve action. This action temporarily pauses an automation until designated principals either approve or reject the action. After the required number of approvals is reached, the automation resumes.

For information about running automations, see Running a simple automation. For information about running automations on multiple targets, see Running automations that use targets and rate controls.

Topics

• View runbook content (p. 2)

• API Gateway (p. 2)

• AWS CloudFormation (p. 6)

• CloudFront (p. 9)

• CloudTrail (p. 15)

• CloudWatch (p. 19)

• CodeBuild (p. 20)

• AWS CodeDeploy (p. 23)

• AWS Config (p. 24)

• AWS Directory Service (p. 26)

• DynamoDB (p. 32)

• Amazon EBS (p. 38)

• Amazon EC2 (p. 49)


• Amazon ECS (p. 126)

• Amazon EFS (p. 129)

• Amazon EKS (p. 131)

• Elastic Beanstalk (p. 139)

• Elastic Load Balancing (p. 143)

• Amazon EMR (p. 149)

• OpenSearch Service (p. 153)

• EventBridge (p. 156)

• GuardDuty (p. 158)

• IAM (p. 159)

• AWS KMS (p. 177)

• Lambda (p. 179)

• Amazon RDS (p. 189)

• Amazon Redshift (p. 215)

• Amazon S3 (p. 226)

• Secrets Manager (p. 239)

• Security Hub (p. 241)

• Amazon SNS (p. 242)

• Systems Manager (p. 244)

• Third-party (p. 262)

• Amazon VPC (p. 266)

• AWS WAF (p. 298)

• Amazon WorkSpaces (p. 302)

• X-Ray (p. 304)

View runbook content

You can view the content for runbooks in the Systems Manager console.

To view runbook content

1. Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/.

2. In the navigation pane, choose Documents.

-or-

If the AWS Systems Manager home page opens first, choose the menu icon to open the navigation pane, and then choose Documents in the navigation pane.

3. Choose a runbook, and then choose View details.

4. Choose the Content tab.

API Gateway

AWS Systems Manager Automation provides predefined runbooks for Amazon API Gateway. For more information about runbooks, see Working with runbooks. For information about how to view runbook content, see View runbook content (p. 2).

Topics

• AWSConfigRemediation-DeleteAPIGatewayStage (p. 3)

• AWSConfigRemediation-EnableAPIGatewayTracing (p. 4)

• AWSConfigRemediation-UpdateAPIGatewayMethodCaching (p. 5)

AWSConfigRemediation-DeleteAPIGatewayStage

Description

The AWSConfigRemediation-DeleteAPIGatewayStage runbook deletes an Amazon API Gateway (API Gateway) stage. AWS Config must be enabled in the AWS Region where you run this automation.

Run this Automation (console)

Document type: Automation

Owner: Amazon

Platforms: Linux, macOS, Windows

Parameters

• AutomationAssumeRole Type: String

Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.

• StageArn Type: String

Description: (Required) The Amazon Resource Name (ARN) of the API Gateway stage you want to delete.

Required IAM permissions

The AutomationAssumeRole parameter requires the following actions to successfully use the runbook.

• ssm:StartAutomationExecution

• ssm:GetAutomationExecution

• config:GetResourceConfigHistory

• apigateway:GET

• apigateway:DELETE

Document Steps


• aws:executeScript - Deletes the API Gateway stage specified in the StageArn parameter.

AWSConfigRemediation-EnableAPIGatewayTracing

Description

The AWSConfigRemediation-EnableAPIGatewayTracing runbook enables tracing on an Amazon API Gateway (API Gateway) stage. AWS Config must be enabled in the AWS Region where you run this automation.

Run this Automation (console)

Document type: Automation

Owner: Amazon

Platforms: Linux, macOS, Windows

Parameters

• AutomationAssumeRole Type: String

Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.

• StageArn Type: String

Description: (Required) The Amazon Resource Name (ARN) of the API Gateway stage you want to enable tracing on.

Required IAM permissions

The AutomationAssumeRole parameter requires the following actions to successfully use the runbook.

• ssm:GetAutomationExecution

• ssm:StartAutomationExecution

• config:GetResourceConfigHistory

• apigateway:GET

• apigateway:PATCH

Document Steps

• aws:executeScript - Enables tracing on the API Gateway stage specified in the StageArn parameter.

AWSConfigRemediation-UpdateAPIGatewayMethodCaching

Description

The AWSConfigRemediation-UpdateAPIGatewayMethodCaching runbook updates the cache method setting for an Amazon API Gateway stage resource.

Run this Automation (console)

Document type: Automation

Owner: Amazon

Platforms: Linux, macOS, Windows

Parameters

• AutomationAssumeRole Type: String

Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.

• CachingAuthorizedMethods Type: StringList

Description: (Required) The methods authorized to have caching enabled. The list must be some combination of DELETE, GET, HEAD, OPTIONS, PATCH, POST, and PUT. Caching is enabled for selected methods and disabled for non-selected methods. Caching is enabled for all methods if ANY is selected and is disabled for all methods if NONE is selected.

• StageArn Type: String

Description: (Required) The API Gateway stage ARN for the REST API.

Required IAM permissions

The AutomationAssumeRole parameter requires the following actions to successfully use the runbook.

• ssm:StartAutomationExecution

• ssm:GetAutomationExecution

• apigateway:PATCH

• apigateway:GET

Document Steps

• aws:executeScript - Accepts the stage resource ID as input, updates the cache method setting for an API Gateway stage using the UpdateStage API action, and verifies the update.
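The three API Gateway runbooks above all start from a StageArn and end in an API Gateway call on the REST API ID and stage name inside it, and the caching runbook has to turn the CachingAuthorizedMethods list (including the ANY and NONE special values) into per-method settings. The following Python is an added example, not the runbooks' own script, of that input handling done defensively: it rejects anything that is not a stage ARN before any API call is built, and it produces the UpdateStage patch operations offline. It assumes the stage ARN layout `arn:{partition}:apigateway:{region}::/restapis/{id}/stages/{name}` and the patch path form `/{resourcePath}/{httpMethod}/caching/enabled` with `*` as the wildcard; the function names and the sample ARN are this example's own.

```python
import re

# Stage ARN layout for API Gateway REST APIs (assumed for this example):
# arn:{partition}:apigateway:{region}::/restapis/{rest-api-id}/stages/{stage-name}
STAGE_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws(?:-[a-z]+)*):apigateway:(?P<region>[a-z0-9-]+)::"
    r"/restapis/(?P<rest_api_id>[a-z0-9]+)/stages/(?P<stage_name>[^/]+)$"
)

# The methods the CachingAuthorizedMethods parameter accepts; ANY and NONE are
# the two special values described in the parameter description.
HTTP_METHODS = ("DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT")


def parse_stage_arn(stage_arn):
    """Split a stage ARN into the fields UpdateStage and DeleteStage need.

    Raises ValueError for anything that is not a REST API stage ARN, so a
    mistyped or unrelated resource ARN never reaches the API call.
    """
    match = STAGE_ARN_RE.match(stage_arn)
    if match is None:
        raise ValueError(f"not an API Gateway stage ARN: {stage_arn!r}")
    return match.groupdict()


def is_stage_arn(value):
    return STAGE_ARN_RE.match(value) is not None


def caching_patch_operations(caching_authorized_methods):
    """Translate CachingAuthorizedMethods into UpdateStage patch operations.

    Patch paths follow /{resourcePath}/{httpMethod}/caching/enabled with '*'
    as the wildcard for all resources or all methods (an assumption about the
    API's path syntax, not copied from the runbook).
    """
    methods = {m.strip().upper() for m in caching_authorized_methods}
    if methods == {"ANY"}:
        return [{"op": "replace", "path": "/*/*/caching/enabled", "value": "true"}]
    if methods == {"NONE"}:
        return [{"op": "replace", "path": "/*/*/caching/enabled", "value": "false"}]
    unknown = methods - set(HTTP_METHODS)
    if unknown:
        raise ValueError(f"unsupported methods (ANY/NONE cannot be mixed): {sorted(unknown)}")
    # Caching is enabled for the selected methods and explicitly disabled for
    # the rest, matching the semantics given in the parameter description.
    return [
        {
            "op": "replace",
            "path": f"/*/{method}/caching/enabled",
            "value": "true" if method in methods else "false",
        }
        for method in HTTP_METHODS
    ]


def update_stage_request(stage_arn, caching_authorized_methods):
    """Keyword arguments for boto3's apigateway.update_stage(); the call itself
    is left out so this example runs without AWS credentials."""
    parts = parse_stage_arn(stage_arn)
    return {
        "restApiId": parts["rest_api_id"],
        "stageName": parts["stage_name"],
        "patchOperations": caching_patch_operations(caching_authorized_methods),
    }


if __name__ == "__main__":
    # Constructed sample ARN; the REST API ID and stage name are made up.
    request = update_stage_request(
        "arn:aws:apigateway:us-east-1::/restapis/a1b2c3d4e5/stages/prod", ["GET", "HEAD"]
    )
    print(request["restApiId"], request["stageName"], len(request["patchOperations"]))
```

Validating the ARN up front matters because the AutomationAssumeRole for these runbooks holds apigateway:DELETE or apigateway:PATCH; a parse step that refuses anything but a stage ARN keeps a bad parameter value from turning into an API call against the wrong resource.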

AWS CloudFormation

AWS Systems Manager Automation provides predefined runbooks for AWS CloudFormation. For more information about runbooks, see Working with runbooks. For information about how to view runbook content, see View runbook content (p. 2).

Topics

• AWS-DeleteCloudFormationStack (p. 6)

• AWS-RunCfnLint (p. 6)

• AWS-UpdateCloudFormationStack (p. 8)

AWS-DeleteCloudFormationStack

Description

Delete an AWS CloudFormation stack.

Run this Automation (console)

Document type: Automation

Owner: Amazon

Platforms: Linux, macOS, Windows

Parameters

• AutomationAssumeRole Type: String

Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.

• StackNameOrId Type: String

Description: (Required) Name or unique ID of the CloudFormation stack to be deleted.

AWS-RunCfnLint

Description


This runbook uses an AWS CloudFormation Linter (cfn-python-lint) to validate YAML and JSON templates against the AWS CloudFormation resource specification. The AWS-RunCfnLint runbook performs additional checks, such as ensuring that valid values have been entered for resource properties.

If validation is not successful, the RunCfnLintAgainstTemplate step fails and the linter tool's output is provided in an error message. This runbook uses cfn-lint v0.24.4.

Run this Automation (console)

Document type: Automation

Owner: Amazon

Platforms: Linux, macOS, Windows

Parameters

• AutomationAssumeRole Type: String

Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.

• ConfigureRuleFlag Type: String

Description: (Optional) Configuration options for a rule to pass to the --configure-rule parameter.

Example: E2001:strict=false,E3012:strict=false.

• FormatFlag Type: String

Description: (Optional) Value to pass to the --format parameter to specify the output format.

Valid values: Default | quiet | parseable | json

Default: Default

• IgnoreChecksFlag Type: String

Description: (Optional) IDs of rules to pass to the --ignore-checks parameter. These rules are not checked.

Example: E1001,E1003,W7001

• IncludeChecksFlag Type: String

Description: (Optional) IDs of rules to pass to the --include-checks parameter. These rules are

Example: E1001,E1003,W7001

• InfoFlag Type: String

Description: (Optional) Option for the --info parameter. Include the option to enable additional logging information about the template processing.

Default: False

• TemplateFileName Type: String

Description: The name, or key, of the template file in the S3 bucket.

• TemplateS3BucketName Type: String

Description: The name of the S3 bucket containing the packer template.

• RegionsFlag Type: String

Description: (Optional) Values to pass to the --regions parameter to test the template against the specified AWS Regions.

Example: us-east-1,us-west-1

Document Steps

RunCfnLintAgainstTemplate – Runs the cfn-python-lint tool against the specified AWS CloudFormation template.

Outputs

RunCfnLintAgainstTemplate.output – The stdout from the cfn-python-lint tool.

AWS-UpdateCloudFormationStack

Description

Update an AWS CloudFormation stack by using an AWS CloudFormation template stored in an Amazon S3 bucket.

Run this Automation (console)

Document type: Automation

Owner: Amazon

Platforms: Linux, macOS, Windows

Parameters

• AutomationAssumeRole Type: String

Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.

• LambdaAssumeRole Type: String

Description: (Required) The ARN of the role assumed by Lambda.

• StackNameOrId Type: String

Description: (Required) Name or unique ID of the AWS CloudFormation stack to be updated.

• TemplateUrl Type: String

Description: (Required) S3 bucket location that contains the updated CloudFormation template (e.g. https://s3.amazonaws.com/doc-example-bucket/updated.template).

CloudFront

AWS Systems Manager Automation provides predefined runbooks for Amazon CloudFront. For more information about runbooks, see Working with runbooks. For information about how to view runbook content, see View runbook content (p. 2).

Topics

• AWSConfigRemediation-EnableCloudFrontDefaultRootObject (p. 9)

• AWSConfigRemediation-EnableCloudFrontAccessLogs (p. 10)

• AWSConfigRemediation-EnableCloudFrontOriginAccessIdentity (p. 12)

• AWSConfigRemediation-EnableCloudFrontOriginFailover (p. 13)

• AWSConfigRemediation-EnableCloudFrontViewerPolicyHTTPS (p. 14)

AWSConfigRemediation-EnableCloudFrontDefaultRootObject

Description

The AWSConfigRemediation-EnableCloudFrontDefaultRootObject runbook configures the default root object for the Amazon CloudFront (CloudFront) distribution that you specify.

Run this Automation (console)

Document type: Automation

Owner: Amazon

Platforms: Linux, macOS, Windows

Parameters

• AutomationAssumeRole Type: String

Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.

• CloudFrontDistributionId Type: String

Description: (Required) The ID of the CloudFront distribution that you want to configure the default root object for.

• DefaultRootObject Type: String

Description: (Required) The object that you want CloudFront to return when a viewer request points to your root URL.

Required IAM permissions

The AutomationAssumeRole parameter requires the following actions to successfully use the runbook.

• ssm:StartAutomationExecution

• ssm:GetAutomationExecution

• cloudfront:GetDistributionConfig

• cloudfront:UpdateDistribution

Document Steps

• aws:executeScript - Configures the default root object for the CloudFront distribution that you specify in the CloudFrontDistributionId parameter.

AWSConfigRemediation-EnableCloudFrontAccessLogs

Description

The AWSConfigRemediation-EnableCloudFrontAccessLogs runbook enables access logging for the Amazon CloudFront (CloudFront) distribution you specify.

Run this Automation (console)

Document type: Automation

Owner: Amazon

Platforms: Linux, macOS, Windows

Parameters

• AutomationAssumeRole Type: String

Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.

• BucketName Type: String

Description: (Required) The name of the Amazon Simple Storage Service (Amazon S3) bucket you want to store access logs in. Buckets in the af-south-1, ap-east-1, eu-south-1, and me-south-1 AWS Regions are not supported.

• CloudFrontId Type: String

Description: (Required) The ID of the CloudFront distribution you want to enable access logging on.

• IncludeCookies Type: Boolean

Valid values: True | False

Description: (Optional) Set this parameter to True if you want cookies to be included in the access logs.

• Prefix Type: String

Description: (Optional) An optional string that you want CloudFront to prefix to the access log filenames for your distribution, for example, myprefix/.

Required IAM permissions

The AutomationAssumeRole parameter requires the following actions to successfully use the runbook.

• ssm:StartAutomationExecution

• ssm:GetAutomationExecution

• cloudfront:GetDistributionConfig

• cloudfront:UpdateDistribution

Document Steps

• aws:executeScript - Enables access logging for the CloudFront distribution you specify in the

AWSConfigRemediation-EnableCloudFrontOriginAccessIdentity

Description

The AWSConfigRemediation-EnableCloudFrontOriginAccessIdentity runbook enables origin access identity for the Amazon CloudFront (CloudFront) distribution you specify. This automation assigns the same CloudFront Origin Access Identity for all Origins of the Amazon Simple Storage Service (Amazon S3) Origin type without origin access identity for the CloudFront distribution you specify. This automation does not grant read permission to the origin access identity for CloudFront to access objects in your Amazon S3 bucket. You must update your Amazon S3 bucket permissions to allow access.

Run this Automation (console)

Document type: Automation

Owner: Amazon

Platforms: Linux, macOS, Windows

Parameters

• AutomationAssumeRole Type: String

Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.

• CloudFrontDistributionId Type: String

Description: (Required) The ID of the CloudFront distribution you want to enable origin failover on.

• OriginAccessIdentityId Type: String

Description: (Required) The ID of the CloudFront origin access identity to associate with the origin.

Required IAM permissions

The AutomationAssumeRole parameter requires the following actions to successfully use the runbook.

• ssm:StartAutomationExecution

• ssm:GetAutomationExecution

• cloudfront:GetDistributionConfig

• cloudfront:UpdateDistribution

Document Steps

• aws:executeScript - Enables origin access identity for the CloudFront distribution you specify in the CloudFrontDistributionId parameter, and verifies the origin access identity was assigned.

AWSConfigRemediation-EnableCloudFrontOriginFailover

Description

The AWSConfigRemediation-EnableCloudFrontOriginFailover runbook enables origin failover for the Amazon CloudFront (CloudFront) distribution you specify.

Run this Automation (console)

Document type: Automation

Owner: Amazon

Platforms: Linux, macOS, Windows

Parameters

• AutomationAssumeRole Type: String

Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.

• CloudFrontDistributionId Type: String

Description: (Required) The ID of the CloudFront distribution you want to enable origin failover on.

• OriginGroupId Type: String

Description: (Required) The ID of the origin group.

• PrimaryOriginId Type: String

Description: (Required) The ID of the primary origin in the origin group.

• SecondaryOriginId Type: String

Description: (Required) The ID of the secondary origin in the origin group.

Required IAM permissions

The AutomationAssumeRole parameter requires the following actions to successfully use the runbook.

• ssm:StartAutomationExecution

• ssm:GetAutomationExecution

• cloudfront:GetDistributionConfig

• cloudfront:UpdateDistribution

Document Steps

• aws:executeScript - Enables origin failover for the CloudFront distribution you specify in the CloudFrontDistributionId parameter, and verifies that failover has been enabled.

AWSConfigRemediation-EnableCloudFrontViewerPolicyHTTPS

Description

The AWSConfigRemediation-EnableCloudFrontViewerPolicyHTTPS runbook enables the viewer protocol policy for the Amazon CloudFront (CloudFront) distribution you specify.

Run this Automation (console)

Document type: Automation

Owner: Amazon

Platforms: Linux, macOS, Windows

Parameters

• AutomationAssumeRole Type: String

Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.

• CloudFrontDistributionId Type: String

Description: (Required) The ID of the CloudFront distribution you want to enable the viewer protocol policy on.

• ViewerProtocolPolicy Type: String

Valid values: https-only, redirect-to-https

Description: (Required) The protocol that viewers can use to access the files in the origin.

Required IAM permissions

The AutomationAssumeRole parameter requires the following actions to successfully use the runbook.

• ssm:StartAutomationExecution

• ssm:GetAutomationExecution

• cloudfront:GetDistributionConfig

• cloudfront:UpdateDistribution

Document Steps

• aws:executeScript - Enables the viewer protocol policy for the CloudFront distribution you specify in the CloudFrontDistributionId parameter, and verifies the policy was assigned.
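The CloudFront runbooks in this section each fetch the distribution config (cloudfront:GetDistributionConfig), change one setting, and write it back (cloudfront:UpdateDistribution). The following Python is an added example, not code from AWS or from these runbooks, that evaluates a distribution config against four of those remediations at once and produces the corrected copy the way the runbooks would, so the same logic can be used to audit before remediating or to verify afterwards. The DistributionConfig sample is constructed for the example, the `origin-access-identity/cloudfront/{ID}` reference format for an OAI is an assumption, and all function names are this example's own.

```python
import copy

# Constructed sample shaped like the DistributionConfig that
# cloudfront:GetDistributionConfig returns; every value is made up.
NONCOMPLIANT_CONFIG = {
    "DefaultRootObject": "",
    "Logging": {"Enabled": False, "Bucket": "", "Prefix": "", "IncludeCookies": False},
    "DefaultCacheBehavior": {
        "TargetOriginId": "assets-s3",
        "ViewerProtocolPolicy": "allow-all",
    },
    "CacheBehaviors": {
        "Quantity": 1,
        "Items": [
            {
                "PathPattern": "/api/*",
                "TargetOriginId": "api-custom",
                "ViewerProtocolPolicy": "redirect-to-https",
            }
        ],
    },
    "Origins": {
        "Quantity": 2,
        "Items": [
            {
                "Id": "assets-s3",
                "DomainName": "example-assets.s3.amazonaws.com",
                "S3OriginConfig": {"OriginAccessIdentity": ""},
            },
            {
                "Id": "api-custom",
                "DomainName": "api.example.com",
                "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"},
            },
        ],
    },
}

# The two values the ViewerProtocolPolicy parameter accepts on this page.
HTTPS_VIEWER_POLICIES = {"https-only", "redirect-to-https"}


def cache_behaviors(config):
    """Default behavior plus every path-specific behavior, as one list."""
    return [config["DefaultCacheBehavior"]] + list(config.get("CacheBehaviors", {}).get("Items", []))


def s3_origins_without_oai(config):
    """IDs of S3 origins that have no origin access identity attached."""
    return [
        origin["Id"]
        for origin in config.get("Origins", {}).get("Items", [])
        if "S3OriginConfig" in origin and not origin["S3OriginConfig"].get("OriginAccessIdentity")
    ]


def audit_distribution_config(config):
    """Names of the CloudFront remediation runbooks from this section that
    would apply to the given config, sorted so the output is stable."""
    findings = []
    if not config.get("DefaultRootObject"):
        findings.append("AWSConfigRemediation-EnableCloudFrontDefaultRootObject")
    if not config.get("Logging", {}).get("Enabled"):
        findings.append("AWSConfigRemediation-EnableCloudFrontAccessLogs")
    if s3_origins_without_oai(config):
        findings.append("AWSConfigRemediation-EnableCloudFrontOriginAccessIdentity")
    if any(b.get("ViewerProtocolPolicy") not in HTTPS_VIEWER_POLICIES for b in cache_behaviors(config)):
        findings.append("AWSConfigRemediation-EnableCloudFrontViewerPolicyHTTPS")
    return sorted(findings)


def remediated_config(config, default_root_object, log_bucket, oai_id, viewer_policy="redirect-to-https"):
    """Copy of the config with the same changes the four runbooks make; the
    caller would pass it to cloudfront:UpdateDistribution together with the
    ETag from GetDistributionConfig. The original dict is left untouched."""
    if viewer_policy not in HTTPS_VIEWER_POLICIES:
        raise ValueError(f"viewer_policy must be one of {sorted(HTTPS_VIEWER_POLICIES)}")
    fixed = copy.deepcopy(config)
    fixed["DefaultRootObject"] = default_root_object
    fixed["Logging"].update({"Enabled": True, "Bucket": log_bucket})
    for origin in fixed["Origins"]["Items"]:
        if "S3OriginConfig" in origin and not origin["S3OriginConfig"].get("OriginAccessIdentity"):
            # Reference format CloudFront uses for an OAI in S3OriginConfig (assumed).
            # As the runbook description notes, this does not grant the OAI read
            # access to the bucket; the bucket policy must be updated separately.
            origin["S3OriginConfig"]["OriginAccessIdentity"] = f"origin-access-identity/cloudfront/{oai_id}"
    for behavior in cache_behaviors(fixed):
        if behavior.get("ViewerProtocolPolicy") not in HTTPS_VIEWER_POLICIES:
            behavior["ViewerProtocolPolicy"] = viewer_policy
    return fixed


if __name__ == "__main__":
    print(audit_distribution_config(NONCOMPLIANT_CONFIG))
```

The audit checks every cache behavior, not only the default one, because a single path-specific behavior left at allow-all re-exposes the HTTP path the viewer policy runbook is meant to close; running the audit again on the remediated copy should return an empty list.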

CloudTrail

AWS Systems Manager Automation provides predefined runbooks for AWS CloudTrail. For more information about runbooks, see Working with runbooks. For information about how to view runbook content, see View runbook content (p. 2).

Topics

• AWSConfigRemediation-CreateCloudTrailMultiRegionTrail (p. 15)

• AWS-EnableCloudTrail (p. 16)

• AWSConfigRemediation-EnableCloudTrailEncryptionWithKMS (p. 17)

• AWSConfigRemediation-EnableCloudTrailLogFileValidation (p. 18)

AWSConfigRemediation-CreateCloudTrailMultiRegionTrail

Description

The AWSConfigRemediation-CreateCloudTrailMultiRegionTrail runbook creates an AWS CloudTrail (CloudTrail) trail that delivers log files from multiple AWS Regions to the Amazon Simple Storage Service (Amazon S3) bucket of your choice.

Run this Automation (console)

Document type: Automation

Owner: Amazon

Platforms: Linux, macOS, Windows

Parameters

• AutomationAssumeRole Type: String

Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.

• BucketName Type: String

Description: (Required) The name of the Amazon S3 bucket you want to upload logs to.

• KeyPrefix Type: String

Description: (Optional) The Amazon S3 key prefix that comes after the name of the bucket you designated for log file delivery.

• TrailName Type: String

Description: (Required) The name of the CloudTrail trail to be created.

Required IAM permissions

The AutomationAssumeRole parameter requires the following actions to successfully use the runbook.

• ssm:StartAutomationExecution

• ssm:GetAutomationExecution

• cloudtrail:CreateTrail

• cloudtrail:StartLogging

• cloudtrail:GetTrail

• s3:PutObject

• s3:GetBucketAcl

• s3:PutBucketLogging

• s3:ListBucket

Document Steps

• aws:executeAwsApi - Accepts the trail name and the Amazon S3 bucket name as input and creates a CloudTrail trail.

• aws:executeAwsApi - Enables logging on the created trail and starts log delivery to the Amazon S3 bucket you specified.

• aws:assertAwsResourceProperty - Verifies that the CloudTrail trail has been created.

AWS-EnableCloudTrail

Description

Create an AWS CloudTrail trail and configure logging to an S3 bucket.

Run this Automation (console)

Document type: Automation

Owner: Amazon

Platforms: Linux, macOS, Windows

Parameters

• AutomationAssumeRole Type: String

Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.

• S3BucketName Type: String

Description: (Required) Name of the S3 bucket designated for publishing log files.

Note: The S3 bucket must exist and the bucket policy must grant CloudTrail permission to write to it. For information, see Amazon S3 Bucket Policy for CloudTrail.

• TrailName Type: String

Description: (Required) The name of the new trail.

AWSConfigRemediation-EnableCloudTrailEncryptionWithKMS

Description

The AWSConfigRemediation-EnableCloudTrailEncryptionWithKMS runbook encrypts an AWS CloudTrail (CloudTrail) trail using the AWS Key Management Service (AWS KMS) customer managed key you specify. This runbook should only be used as a baseline to ensure that your CloudTrail trails are encrypted according to minimum recommended security best practices. We recommend encrypting multiple trails with different KMS keys. CloudTrail digest files are not encrypted. If you have previously set the EnableLogFileValidation parameter to true for the trail, see the "Use server-side encryption with AWS KMS managed keys" section of the CloudTrail Preventative Security Best Practices topic in the AWS CloudTrail User Guide for more information.

Run this Automation (console)

Document type: Automation

Owner: Amazon

Platforms: Linux, macOS, Windows

Parameters

• AutomationAssumeRole Type: String

Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.

• KMSKeyId Type: String

Description: (Required) The ARN, key ID, or key alias of the customer managed key you want to use to encrypt the trail you specify in the TrailName parameter.

• TrailName Type: String

Description: (Required) The ARN or name of the trail you want to update to be encrypted.

Required IAM permissions

The AutomationAssumeRole parameter requires the following actions to successfully use the runbook.

• ssm:StartAutomationExecution

• ssm:GetAutomationExecution

• cloudtrail:GetTrail

• cloudtrail:UpdateTrail

Document Steps

• aws:executeAwsApi - Enables encryption on the trail you specify in the TrailName parameter.

• aws:executeAwsApi - Gathers the ARN for the customer managed key you specify in the KMSKeyId parameter.

• aws:assertAwsResourceProperty - Verifies that encryption has been enabled on the CloudTrail trail.

AWSConfigRemediation-EnableCloudTrailLogFileValidation

Description

The AWSConfigRemediation-EnableCloudTrailLogFileValidation runbook enables log file validation for your AWS CloudTrail trail.

Run this Automation (console)

Document type: Automation

Owner: Amazon

Platforms: Linux, macOS, Windows

Parameters

• AutomationAssumeRole Type: String

Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.

• TrailName Type: String

Description: (Required) The name or Amazon Resource Name (ARN) of the trail you want to enable log validation for.

Required IAM permissions

The AutomationAssumeRole parameter requires the following actions to successfully use the runbook.

• ssm:StartAutomationExecution

• ssm:GetAutomationExecution

• cloudtrail:DescribeTrails

• cloudtrail:UpdateTrail

Document Steps

• aws:executeAwsApi - Enables log validation for the AWS CloudTrail trail you specify in the TrailName parameter.

• aws:assertAwsResourceProperty - Verifies log validation is enabled for your trail.
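
The three CloudTrail remediation runbooks above each fix one trail setting: multi-Region coverage, KMS encryption, and log file validation. The following is an added example, not code from the runbooks, that evaluates trail descriptions in the shape cloudtrail:DescribeTrails returns against those three settings and names the runbook that would remediate each gap; the sample trails, account ID and key ARN are constructed, and the function names are this example's own.

```python
"""Added example (not from the AWS runbooks): evaluate CloudTrail trail
descriptions against the three settings the CloudTrail remediation runbooks
enforce, and report which runbook would fix each finding.

The trail dicts use the field names returned by cloudtrail:DescribeTrails
(IsMultiRegionTrail, KmsKeyId, LogFileValidationEnabled, S3BucketName); the
sample trails and ARNs below are constructed for this example.
"""

# (setting name, predicate that passes when the setting is compliant, remediating runbook)
CHECKS = (
    ("IsMultiRegionTrail", lambda t: t.get("IsMultiRegionTrail") is True,
     "AWSConfigRemediation-CreateCloudTrailMultiRegionTrail"),
    ("KmsKeyId", lambda t: bool(t.get("KmsKeyId")),
     "AWSConfigRemediation-EnableCloudTrailEncryptionWithKMS"),
    ("LogFileValidationEnabled", lambda t: t.get("LogFileValidationEnabled") is True,
     "AWSConfigRemediation-EnableCloudTrailLogFileValidation"),
)

# Constructed sample output of DescribeTrails: one compliant trail, one with gaps.
SAMPLE_TRAILS = [
    {
        "Name": "org-trail",
        "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail",
        "S3BucketName": "example-cloudtrail-logs",
        "IsMultiRegionTrail": True,
        "LogFileValidationEnabled": True,
        "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
    },
    {
        "Name": "legacy-trail",
        "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/legacy-trail",
        "S3BucketName": "example-legacy-logs",
        "IsMultiRegionTrail": False,
        "LogFileValidationEnabled": False,
        # No KmsKeyId: log files rely on the bucket's default encryption only.
    },
]


def evaluate_trail(trail):
    """Return a list of (setting, remediating runbook) for every failed check."""
    return [(name, runbook) for name, ok, runbook in CHECKS if not ok(trail)]


def evaluate_trails(trails):
    """Map each trail name to its findings; compliant trails map to an empty list."""
    return {t["Name"]: evaluate_trail(t) for t in trails}


def account_has_multi_region_trail(trails):
    """CreateCloudTrailMultiRegionTrail is only needed when no trail covers all Regions."""
    return any(t.get("IsMultiRegionTrail") for t in trails)


def update_trail_request(trail, kms_key_id=None, enable_validation=False):
    """Build the parameters a cloudtrail:UpdateTrail call would need to close the findings.

    Only the fields a runbook would touch are set. KmsKeyId accepts an ARN,
    key ID or alias, matching the KMSKeyId runbook parameter.
    """
    params = {"Name": trail["TrailARN"]}
    if kms_key_id and not trail.get("KmsKeyId"):
        params["KmsKeyId"] = kms_key_id
    if enable_validation and not trail.get("LogFileValidationEnabled"):
        params["EnableLogFileValidation"] = True
    return params


if __name__ == "__main__":
    for name, findings in evaluate_trails(SAMPLE_TRAILS).items():
        status = "compliant" if not findings else ", ".join(f"{s} -> {r}" for s, r in findings)
        print(f"{name}: {status}")
```

A single-Region trail is not a finding on its own if another trail in the account already records all Regions, which is why the multi-Region question is also asked at account level. The update request is built only from fields that are actually missing, so running the check twice is idempotent.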

CloudWatch

AWS Systems Manager Automation provides predefined runbooks for Amazon CloudWatch. For more information about runbooks, see Working with runbooks. For information about how to view runbook content, see View runbook content (p. 2).

Topics

• AWS-ConfigureCloudWatchOnEC2Instance (p. 19)

AWS-ConfigureCloudWatchOnEC2Instance

Description

Enable or disable Amazon CloudWatch detailed monitoring on managed instances.

Run this Automation (console)

Document type: Automation

Owner: Amazon

Platforms: Linux, macOS, Windows

Parameters

• AutomationAssumeRole Type: String

Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.

• InstanceId Type: String

Description: (Required) The ID of the Amazon EC2 instance on which you want to enable CloudWatch monitoring.

• properties Type: String

Description: (Optional) This parameter is not supported. It is listed here for backwards compatibility.

• status

Valid values: Enabled | Disabled

Description: (Optional) Specifies whether to enable or disable CloudWatch.

Default: Enabled

Document Steps

• configureCloudWatch - Configures CloudWatch on the Amazon EC2 instance with the given status.

Outputs

This automation has no output.

CodeBuild

AWS Systems Manager Automation provides predefined runbooks for AWS CodeBuild. For more information about runbooks, see Working with runbooks. For information about how to view runbook content, see View runbook content (p. 2).

Topics

• AWSConfigRemediation-ConfigureCodeBuildProjectWithKMSCMK (p. 21)

• AWSConfigRemediation-DeleteAccessKeysFromCodeBuildProject (p. 22)

AWSConfigRemediation-ConfigureCodeBuildProjectWithKMSCMK

Description

The AWSConfigRemediation-ConfigureCodeBuildProjectWithKMSCMK runbook encrypts an AWS CodeBuild (CodeBuild) project's build artifacts using the AWS Key Management Service (AWS KMS) customer managed key you specify. AWS Config must be enabled in the AWS Region where you run this automation.

Run this Automation (console)

Document type: Automation

Owner: Amazon

Platforms: Linux, macOS, Windows

Parameters

• AutomationAssumeRole Type: String

Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.

• KMSKeyId Type: String

Description: (Required) The Amazon Resource Name (ARN) of the AWS KMS customer managed key you want to use to encrypt the CodeBuild project you specify in the ProjectId parameter.

• ProjectId Type: String

Description: (Required) The ID of the CodeBuild project whose build artifacts you want to encrypt.

Required IAM permissions

The AutomationAssumeRole parameter requires the following actions to successfully use the runbook.

• ssm:StartAutomationExecution

• ssm:GetAutomationExecution

• codebuild:BatchGetProjects

• codebuild:UpdateProject

• config:GetResourceConfigHistory

Document Steps

• aws:executeAwsApi - Gathers the CodeBuild project name from the project ID.

• aws:executeAwsApi - Enables encryption on the CodeBuild project you specify in the ProjectId parameter.

• aws:assertAwsResourceProperty - Verifies that encryption has been enabled on the CodeBuild project.

Outputs

UpdateLambdaConfig.UpdateFunctionConfigurationResponse - Response from the UpdateFunctionConfiguration API call.

AWSConfigRemediation-DeleteAccessKeysFromCodeBuildProject

Description

The AWSConfigRemediation-DeleteAccessKeysFromCodeBuildProject runbook deletes the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables from the AWS CodeBuild (CodeBuild) project you specify. AWS Config must be enabled in the AWS Region where you run this automation.

Run this Automation (console)

Document type: Automation

Owner: Amazon

Platforms: Linux, macOS, Windows

Parameters

• AutomationAssumeRole Type: String

Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.

• ResourceId Type: String

Description: (Required) The ID of the CodeBuild project whose access key environment variables you want to delete.

Required IAM permissions

The AutomationAssumeRole parameter requires the following actions to successfully use the runbook.

• ssm:StartAutomationExecution

• ssm:GetAutomationExecution

• config:GetResourceConfigHistory

• codebuild:BatchGetProjects

• codebuild:UpdateProject

Document Steps

• aws:executeScript - Deletes the access key environment variables for the CodeBuild project specified in the ResourceId parameter.
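
The step above removes two specific environment variable names from the project. The following is an added example, not the runbook's own code, that performs the same removal over the `environment` structure codebuild:BatchGetProjects returns and also lists any other plaintext variables whose names suggest a secret, so the reviewer sees the whole picture before codebuild:UpdateProject is called; the sample project, image tag and variable values are constructed, and the helper names are this example's own.

```python
"""Added example (not from the AWS runbook): strip static AWS credentials from a
CodeBuild project's environment variables and report any other plaintext
secret-looking names, the way a reviewer would before calling UpdateProject.

The `environment` dict follows the shape codebuild:BatchGetProjects returns
(environment.environmentVariables[] with name/value/type); the sample project
is constructed for this example.
"""
import copy

# The two names the runbook deletes.
ACCESS_KEY_VARS = frozenset({"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"})
# Variable types whose value is a reference, not the secret itself.
INDIRECT_TYPES = frozenset({"PARAMETER_STORE", "SECRETS_MANAGER"})
SECRET_HINTS = ("SECRET", "TOKEN", "PASSWORD", "KEY")

# Constructed sample project: static credentials in plaintext, one secret
# correctly referenced from Secrets Manager, one more plaintext token.
SAMPLE_PROJECT = {
    "name": "example-build",
    "environment": {
        "type": "LINUX_CONTAINER",
        "image": "aws/codebuild/standard:5.0",
        "computeType": "BUILD_GENERAL1_SMALL",
        "environmentVariables": [
            {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAEXAMPLEEXAMPLE", "type": "PLAINTEXT"},
            {"name": "AWS_SECRET_ACCESS_KEY", "value": "example-secret-value", "type": "PLAINTEXT"},
            {"name": "ARTIFACT_BUCKET", "value": "example-artifacts", "type": "PLAINTEXT"},
            {"name": "DOCKERHUB_TOKEN", "value": "/build/dockerhub", "type": "SECRETS_MANAGER"},
            {"name": "API_TOKEN", "value": "example-token-value", "type": "PLAINTEXT"},
        ],
    },
}


def find_access_key_vars(project):
    """Names of the static-credential variables present on the project."""
    return sorted(
        v["name"] for v in project["environment"]["environmentVariables"]
        if v["name"] in ACCESS_KEY_VARS
    )


def find_plaintext_secrets(project):
    """Other PLAINTEXT variables whose names suggest a secret (a review hint, not a verdict)."""
    return [
        v["name"] for v in project["environment"]["environmentVariables"]
        if v["name"] not in ACCESS_KEY_VARS
        and v.get("type", "PLAINTEXT") not in INDIRECT_TYPES
        and any(h in v["name"].upper() for h in SECRET_HINTS)
    ]


def remove_access_key_vars(project):
    """Return the `environment` argument for codebuild:UpdateProject with the keys removed.

    UpdateProject takes the whole environment block, so every other variable
    and the image/compute settings are carried over unchanged; the input
    project is not mutated.
    """
    env = copy.deepcopy(project["environment"])
    env["environmentVariables"] = [
        v for v in env["environmentVariables"] if v["name"] not in ACCESS_KEY_VARS
    ]
    return env


if __name__ == "__main__":
    print("static credentials:", find_access_key_vars(SAMPLE_PROJECT))
    print("other plaintext secrets to review:", find_plaintext_secrets(SAMPLE_PROJECT))
    remaining = remove_access_key_vars(SAMPLE_PROJECT)["environmentVariables"]
    print("remaining variables:", [v["name"] for v in remaining])
```

After the keys are removed, builds that depended on them should obtain AWS credentials from the project's service role instead; the remediation itself does not change that role, so expect a failing build if the role lacks the permissions the keys provided.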

AWS CodeDeploy

AWS Systems Manager Automation provides predefined runbooks for AWS CodeDeploy. For more information about runbooks, see Working with runbooks. For information about how to view runbook content, see View runbook content (p. 2).

Topics

• AWSSupport-TroubleshootCodeDeploy (p. 23)

AWSSupport-TroubleshootCodeDeploy

Description

The AWSSupport-TroubleshootCodeDeploy runbook helps diagnose why an AWS CodeDeploy deployment failed on an Amazon Elastic Compute Cloud (Amazon EC2) instance. The runbook outputs steps to help you resolve the issue or troubleshoot further. Best practices for CodeDeploy are also provided to help you avoid similar issues in the future.

This runbook can help you to resolve the following issues:

• The CodeDeploy agent is not installed or not running on the Amazon EC2 instance

• The Amazon EC2 instance does not have an AWS Identity and Access Management (IAM) instance profile attached

• The IAM instance profile attached to the Amazon EC2 instance does not have the required Amazon Simple Storage Service (Amazon S3) permissions

• A revision stored in Amazon S3 is missing, or the Amazon S3 bucket used is in an AWS Region that is different than the Amazon EC2 instance

• Application specification (AppSpec) file issues

• "File already exists at location" errors

• Failed CodeDeploy managed lifecycle event hooks

• Failed customer managed lifecycle event hooks

• Scale-in events during the deployment

Run this Automation (console)

Document type: Automation

Owner: Amazon

Platforms: Linux, macOS, Windows

Parameters

• AutomationAssumeRole Type: String

Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.

• DeploymentId Type: String

Description: (Required) The ID of the deployment which failed.

• InstanceId Type: String

Description: (Required) The ID of the Amazon EC2 instance where the deployment failed.

Required IAM permissions

The AutomationAssumeRole parameter requires the following actions to successfully use the runbook.

• codedeploy:GetDeployment

• codedeploy:GetDeploymentTarget

• ec2:DescribeInstances

Document Steps

• aws:executeAwsApi - Verifies the values provided for the DeploymentId and InstanceId parameters.

• aws:executeScript - Collects information from the Amazon EC2 instance such as the state of the instance and IAM instance profile details.

• aws:executeScript - Reviews the specified deployment, and returns an analysis regarding why the deployment failed.

AWS Config

AWS Systems Manager Automation provides predefined runbooks for AWS Config. For more information about runbooks, see Working with runbooks. For information about how to view runbook content, see View runbook content (p. 2).

Topics

• AWSSupport-SetupConfig (p. 25)

AWSSupport-SetupConfig

Description

The AWSSupport-SetupConfig runbook creates an AWS Identity and Access Management (IAM) service-linked role, a configuration recorder powered by AWS Config, and a delivery channel with an Amazon Simple Storage Service (Amazon S3) bucket where AWS Config sends configuration snapshots and configuration history files. If you specify values for the AggregatorAccountId and AggregatorAccountRegion parameters, the runbook also creates authorizations for data aggregation to collect AWS Config configuration and compliance data from multiple AWS accounts and multiple AWS Regions. To learn more about aggregating data from multiple accounts and Regions, see Multi-Account Multi-Region Data Aggregation in the AWS Config Developer Guide.

Run this Automation (console)

Document type: Automation

Owner: Amazon

Platforms: Linux, macOS, Windows

Parameters

• AutomationAssumeRole Type: String

Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.

• AggregatorAccountId Type: String

Description: (Optional) The ID of the AWS account where an aggregator will be added to aggregate AWS Config configuration and compliance data from multiple accounts and AWS Regions. This account is also used by the aggregator to authorize the source accounts.

• AggregatorAccountRegion Type: String

Description: (Optional) The Region where an aggregator will be added to aggregate AWS Config configuration and compliance data from multiple accounts and Regions.

• IncludeGlobalResourcesRegion Type: String

Default: us-east-1

Description: (Required) To avoid recording global resource data in each Region, specify one Region to record global resource data from.

• Partition Type: String

Default: aws

Description: (Required) The partition you want to collect AWS Config configuration and compliance data from.

• S3BucketName Type: String

Default: aws-config-delivery-channel

Description: (Optional) The name you want to apply to the Amazon S3 bucket created for the delivery channel. The account ID is appended to the end of the name.

Required IAM permissions

The AutomationAssumeRole parameter requires the following actions to successfully use the runbook.

• ssm:StartAutomationExecution

• ssm:GetAutomationExecution

• config:DescribeConfigurationRecorders

• config:DescribeDeliveryChannels

• config:PutAggregationAuthorization

• config:PutConfigurationRecorder

• config:PutDeliveryChannel

• config:StartConfigurationRecorder

• iam:CreateServiceLinkedRole

• iam:PassRole

• s3:CreateBucket

• s3:ListAllMyBuckets

• s3:PutBucketPolicy

Document Steps

• aws:executeScript - Creates a service-linked IAM role for AWS Config if one does not already exist.

• aws:executeScript - Creates a configuration recorder if one does not already exist.

• aws:executeScript - Creates an Amazon S3 bucket to be used by the delivery channel if one does not already exist.

• aws:executeScript - Creates a delivery channel using the resources created by the runbook.

• aws:executeAwsApi - Starts the configuration recorder.

• aws:executeScript - If you specified values for the AggregatorAccountId and AggregatorAccountRegion parameters, authorizations for multi-account and multi-Region data aggregation are configured.

AWS Directory Service

AWS Systems Manager Automation provides predefined runbooks for AWS Directory Service. For more information about runbooks, see Working with runbooks. For information about how to view runbook content, see View runbook content (p. 2).

Topics

• AWS-CreateDSManagementInstance (p. 27)

• AWSSupport-TroubleshootDirectoryTrust (p. 30)

AWS-CreateDSManagementInstance

Description

The AWS-CreateDSManagementInstance runbook creates an Amazon Elastic Compute Cloud (Amazon EC2) Windows instance that you can use to manage your AWS Directory Service directory. The management instance can't be used to manage AD Connector directories.

Run this Automation (console)

Document type: Automation

Owner: Amazon

Platforms: Windows

Parameters

• AutomationAssumeRole Type: String

Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.

• AmiID Type: String

Default: {{ ssm:/aws/service/ami-windows-latest/Windows_Server-2019-English-Full-Base }}

Description: (Required) The ID of the Amazon Machine Image (AMI) you want to use to launch the management instance.

• DirectoryId Type: String

Description: (Required) The ID of the AWS Directory Service directory you want to manage. The instance is joined to the directory you specify.

• IamInstanceProfileName Type: String

Description: (Required) The name you specify is applied to the IAM instance profile that is created by

• InstanceType Type: String

Default: t3.medium

Allowed values:

• t2.nano

• t2.micro

• t2.small

• t2.medium

• t2.large

• t2.xlarge

• t2.2xlarge

• t3.nano

• t3.micro

• t3.small

• t3.medium

• t3.large

• t3.xlarge

• t3.2xlarge

Description: (Required) The type of instance you want to launch.

• KeyPairName Type: String

Description: (Optional) The key pair to use when creating the instance. If you do not specify a value, no key pair is associated with the instance.

• RemoteAccessCidr Type: String

Description: (Required) The CIDR block you want to allow RDP traffic (port 3389) from. The CIDR block you specify is applied to an inbound rule that's added to the security group created by the automation.

• SecurityGroupName Type: String

Description: (Required) The name you specify is applied to the security group that is created by the automation and associated with the management instance.

• Tags Type: MapList

Description: (Optional) A key-value pair you want to apply to the resources created by the automation.

Required IAM permissions

The AutomationAssumeRole parameter requires the following actions to successfully use the runbook.

• ds:DescribeDirectories

• ec2:AuthorizeSecurityGroupIngress

• ec2:CreateSecurityGroup

• ec2:CreateTags

• ec2:DeleteSecurityGroup

• ec2:DescribeInstances

• ec2:DescribeInstanceStatus

• ec2:DescribeKeyPairs

• ec2:DescribeSecurityGroups

• ec2:DescribeVpcs

• ec2:RunInstances

• ec2:TerminateInstances

• iam:AddRoleToInstanceProfile

• iam:AttachRolePolicy

• iam:CreateInstanceProfile

• iam:CreateRole

• iam:DeleteInstanceProfile

• iam:DeleteRole

• iam:DetachRolePolicy

• iam:GetInstanceProfile

• iam:GetRole

• iam:ListAttachedRolePolicies

• iam:ListInstanceProfiles

• iam:ListInstanceProfilesForRole

• iam:PassRole

• iam:RemoveRoleFromInstanceProfile

• iam:TagInstanceProfile

• iam:TagRole

• ssm:CreateDocument

• ssm:DeleteDocument

• ssm:DescribeInstanceInformation

• ssm:GetAutomationExecution

• ssm:GetParameters

• ssm:ListCommandInvocations

• ssm:ListCommands

• ssm:ListDocuments

• ssm:SendCommand

• ssm:StartAutomationExecution

Document Steps

• aws:executeAwsApi - Gathers details about the directory you specify in the DirectoryId parameter.

• aws:executeAwsApi - Gets the CIDR block of the virtual private cloud (VPC) where the directory was launched.

• aws:executeAwsApi - Creates a security group using the value you specify in the SecurityGroupName parameter.

• aws:executeAwsApi - Creates an inbound rule for the newly created security group that allows RDP traffic from the CIDR you specify in the RemoteAccessCidr parameter.

• aws:executeAwsApi - Creates an IAM role and instance profile using the value you specify in the IamInstanceProfileName parameter.

• aws:executeAwsApi - Launches an Amazon EC2 instance based on the values you specify in the runbook parameters.

• aws:executeAwsApi - Creates an AWS Systems Manager document to join the newly launched instance to your directory.

• aws:runCommand - Joins the new instance to your directory.

• aws:runCommand - Installs remote server administration tools on the new instance.

AWSSupport-TroubleshootDirectoryTrust

Description

The AWSSupport-TroubleshootDirectoryTrust runbook diagnoses trust creation issues between an AWS Managed Microsoft AD and a Microsoft Active Directory. The automation ensures the directory type supports trusts, and then checks the associated security group rules, network access control lists (network ACLs), and route tables for potential connectivity issues.

Run this Automation (console)

Document type: Automation

Owner: Amazon

Platforms: Linux, macOS, Windows

Parameters

• AutomationAssumeRole Type: String

Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.

• DirectoryId Type: String

Allowed pattern: ^d-[a-z0-9]{10}$

Description: (Required) The ID of the AWS Managed Microsoft AD to troubleshoot.

• RemoteDomainCidrs Type: StringList

Allowed pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[1-9]))$

Description: (Required) The CIDR(s) of the remote domain you are attempting to establish a trust relationship with. You can add multiple CIDRs using comma-separated values. For example, 172.31.48.0/20, 192.168.1.10/32.

• RemoteDomainName Type: String

Description: (Required) The fully qualified domain name of the remote domain you are establishing a trust relationship with.

• RequiredTrafficACL Type: String

Description: (Required) The default port requirements for AWS Managed Microsoft AD. In most cases, you should not modify the default value.

Default: {"inbound":{"tcp":[[53,53],[88,88],[135,135],[389,389],[445,445],[464,464],[636,636],[1024,65535]],"udp":[[53,53],[88,88],[123,123],[138,138],[389,389],[445,445],[464,464]],"icmp":[[-1,-1]]},"outbound":{"-1":[[0,65535]]}}

• RequiredTrafficSG Type: String

Description: (Required) The default port requirements for AWS Managed Microsoft AD. In most cases, you should not modify the default value.

Default: {"inbound":{"tcp":[[53,53],[88,88],[135,135],[389,389],[445,445],[464,464],[636,636],[1024,65535]],"udp":[[53,53],[88,88],[123,123],[138,138],[389,389],[445,445],[464,464]],"icmp":[[-1,-1]]},"outbound":{"-1":[[0,65535]]}}

• TrustId Type: String

Description: (Optional) The ID of the trust relationship to troubleshoot.

Required IAM permissions

The AutomationAssumeRole parameter requires the following actions to successfully use the runbook.

• ds:DescribeConditionalForwarders

• ds:DescribeDirectories

• ds:DescribeTrusts

• ds:ListIpRoutes

• ec2:DescribeNetworkAcls

• ec2:DescribeSecurityGroups

• ec2:DescribeSubnets

Document Steps

• aws:assertAwsResourceProperty - Confirms the directory type is AWS Managed Microsoft AD.

• aws:executeAwsApi - Gets information about the AWS Managed Microsoft AD.

• aws:branch - Branches automation if a value is provided for the TrustId input parameter.

• aws:executeAwsApi - Gets information about the trust relationship.

• aws:executeAwsApi - Gets the conditional forwarder DNS IP addresses for the RemoteDomainName.

• aws:executeAwsApi - Gets information about IP routes that have been added to the AWS Managed Microsoft AD.

• aws:executeAwsApi - Gets the CIDRs of the AWS Managed Microsoft AD subnets.

• aws:executeAwsApi - Gets information about the security groups associated with the AWS Managed Microsoft AD.

• aws:executeAwsApi - Gets information about the network ACLs associated with the AWS Managed Microsoft AD.

• aws:executeScript - Confirms the RemoteDomainCidrs are valid values. Confirms that the AWS Managed Microsoft AD has conditional forwarders for the RemoteDomainCidrs, and that the requisite IP routes have been added to the AWS Managed Microsoft AD if the RemoteDomainCidrs are non-RFC 1918 IP addresses.

• aws:executeScript - Evaluates security group rules.

• aws:executeScript - Evaluates network ACLs.

Outputs

evalDirectorySecurityGroup.output - Results from evaluating whether the security group rules associated with the AWS Managed Microsoft AD allow the requisite traffic for trust creation.

evalAclEntries.output - Results from evaluating whether the network ACLs associated with the AWS Managed Microsoft AD allow the requisite traffic for trust creation.

evaluateRemoteDomainCidr.output - Results from evaluating whether the RemoteDomainCidrs are valid values. Confirms that the AWS Managed Microsoft AD has conditional forwarders for the RemoteDomainCidrs, and that the requisite IP routes have been added to the AWS Managed Microsoft AD if the RemoteDomainCidrs are non-RFC 1918 IP addresses.
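
The last two script steps above evaluate security group rules and network ACLs against the RequiredTrafficSG and RequiredTrafficACL JSON. The following is an added example, not the runbook's own code, that implements that evaluation over rule dicts in the shape ec2:DescribeSecurityGroups (IpPermissions) and ec2:DescribeNetworkAcls (Entries) return, using the default required-traffic JSON from this section with the UDP NTP entry written as [123,123]; the sample rules, ACL entries and remote CIDRs are constructed, and the function names are this example's own. It models the two failure modes that differ between the mechanisms: a security group that simply lacks an allow rule, and a network ACL whose lower-numbered deny entry wins over a later allow.

```python
"""Added example (not from the AWS runbook): evaluate security group rules and
network ACL entries against the RequiredTrafficSG / RequiredTrafficACL JSON,
reporting which required inbound ranges a remote domain CIDR cannot reach.

Rule shapes follow ec2:DescribeSecurityGroups (IpPermissions) and
ec2:DescribeNetworkAcls (Entries); the sample rules and CIDRs below are
constructed for this example. Coverage is conservative: a required range
must fit inside a single allow rule.
"""
import ipaddress
import json

REQUIRED_TRAFFIC = json.loads(
    '{"inbound":{"tcp":[[53,53],[88,88],[135,135],[389,389],[445,445],[464,464],[636,636],'
    '[1024,65535]],"udp":[[53,53],[88,88],[123,123],[138,138],[389,389],[445,445],[464,464]],'
    '"icmp":[[-1,-1]]},"outbound":{"-1":[[0,65535]]}}'
)
PROTO_NUMBERS = {"tcp": "6", "udp": "17", "icmp": "1"}  # NACL entries use IANA numbers


def _proto_matches(rule_proto, wanted):
    return rule_proto in ("-1", wanted, PROTO_NUMBERS[wanted])


def _range_covers(rule_from, rule_to, lo, hi):
    # A rule without ports (-1 / absent) applies to every port or ICMP type.
    if rule_from in (None, -1) and rule_to in (None, -1):
        return True
    return rule_from <= lo and rule_to >= hi


def _cidr_covers(rule_cidr, remote):
    return ipaddress.ip_network(remote).subnet_of(ipaddress.ip_network(rule_cidr))


def missing_sg_ranges(ip_permissions, remote_cidr, required=REQUIRED_TRAFFIC):
    """Required inbound (proto, from, to) ranges no security group rule allows from remote_cidr."""
    missing = []
    for proto, ranges in required["inbound"].items():
        for lo, hi in ranges:
            allowed = any(
                _proto_matches(p["IpProtocol"], proto)
                and _range_covers(p.get("FromPort"), p.get("ToPort"), lo, hi)
                and any(_cidr_covers(r["CidrIp"], remote_cidr) for r in p.get("IpRanges", []))
                for p in ip_permissions
            )
            if not allowed:
                missing.append((proto, lo, hi))
    return missing


def missing_acl_ranges(entries, remote_cidr, required=REQUIRED_TRAFFIC):
    """Required inbound ranges a network ACL blocks from remote_cidr.

    NACLs are ordered and stateless: the lowest-numbered matching entry wins,
    so an explicit deny ahead of a broad allow blocks the traffic.
    """
    ordered = sorted((e for e in entries if not e["Egress"]), key=lambda e: e["RuleNumber"])
    missing = []
    for proto, ranges in required["inbound"].items():
        for lo, hi in ranges:
            verdict = "deny"  # implicit deny when no entry matches
            for e in ordered:
                pr = e.get("PortRange", {})
                icmp_type = e.get("IcmpTypeCode", {}).get("Type", -1)
                if (_proto_matches(e["Protocol"], proto)
                        and _range_covers(pr.get("From"), pr.get("To"), lo, hi)
                        and (proto != "icmp" or icmp_type == -1)
                        and _cidr_covers(e["CidrBlock"], remote_cidr)):
                    verdict = e["RuleAction"]
                    break
            if verdict != "allow":
                missing.append((proto, lo, hi))
    return missing


# Constructed sample: the SG forgets UDP and the TCP ephemeral range; the NACL
# denies TCP 445 from the remote domain ahead of a broad allow.
SAMPLE_SG_RULES = [
    {"IpProtocol": "tcp", "FromPort": 53, "ToPort": 636, "IpRanges": [{"CidrIp": "172.31.48.0/20"}]},
    {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1, "IpRanges": [{"CidrIp": "172.31.0.0/16"}]},
]
SAMPLE_ACL_ENTRIES = [
    {"RuleNumber": 50, "Egress": False, "Protocol": "6", "RuleAction": "deny",
     "CidrBlock": "172.31.48.0/20", "PortRange": {"From": 445, "To": 445}},
    {"RuleNumber": 100, "Egress": False, "Protocol": "-1", "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Egress": True, "Protocol": "-1", "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"},
]

if __name__ == "__main__":
    print("SG gaps:", missing_sg_ranges(SAMPLE_SG_RULES, "172.31.48.0/20"))
    print("NACL gaps:", missing_acl_ranges(SAMPLE_ACL_ENTRIES, "172.31.48.0/20"))
```

Run this for each CIDR in RemoteDomainCidrs; an empty list from both functions for a CIDR means the rules examined allow the required trust traffic from it. The single-rule coverage rule is deliberately strict: two adjacent allow rules that together span 1024-65535 would be reported as a gap, which is the safer direction for a troubleshooting aid.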

DynamoDB

AWS Systems Manager Automation provides predefined runbooks for Amazon DynamoDB. For more information about runbooks, see Working with runbooks. For information about how to view runbook content, see View runbook content (p. 2).

Topics

• AWS-CreateDynamoDBBackup (p. 32)

• AWS-DeleteDynamoDbBackup (p. 33)

• AWSConfigRemediation-DeleteDynamoDbTable (p. 34)

• AWS-DeleteDynamoDbTableBackups (p. 35)

• AWSConfigRemediation-EnableEncryptionOnDynamoDBTable (p. 36)

• AWSConfigRemediation-EnablePITRForDynamoDbTable (p. 37)

AWS-CreateDynamoDBBackup

Description

Create a backup of an Amazon DynamoDB table.

Run this Automation (console)

Document type: Automation

Owner: Amazon

Platforms: Databases

Parameters

• AutomationAssumeRole Type: String

Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.

• BackupName Type: String

Description: (Required) Name of the backup to create.

• LambdaAssumeRole Type: String

Description: (Optional) The ARN of the role that allows the Lambda function created by Automation to perform the actions on your behalf. If not specified, a transient role is created to run the Lambda function.

• TableName Type: String

Description: (Required) Name of the DynamoDB table.

AWS-DeleteDynamoDbBackup

Description

Delete the backup of an Amazon DynamoDB table.

Run this Automation (console)

Document type: Automation

Owner: Amazon

Platforms: Databases

Parameters

• AutomationAssumeRole Type: String

Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.

• BackupArn Type: String

Description: (Required) ARN of the DynamoDB table backup to delete.

AWSConfigRemediation-DeleteDynamoDbTable

Description

The AWSConfigRemediation-DeleteDynamoDbTable runbook deletes the Amazon DynamoDB (DynamoDB) table you specify.

Run this Automation (console)

Document type: Automation

Owner: Amazon

Platforms: Databases

Parameters

• AutomationAssumeRole Type: String

Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.

• TableName Type: String

Description: (Required) The name of the DynamoDB table you want to delete.

Required IAM permissions

The AutomationAssumeRole parameter requires the following actions to successfully use the runbook.

• ssm:StartAutomationExecution

• ssm:GetAutomationExecution

• dynamodb:DeleteTable

• dynamodb:DescribeTable

Document Steps

• aws:executeScript - Deletes the DynamoDB table specified in the TableName parameter.

• aws:executeScript - Verifies the DynamoDB table has been deleted.

AWS-DeleteDynamoDbTableBackups

Description

Delete DynamoDB table backups based on retention days or count.

Run this Automation (console)

Document type: Automation

Owner: Amazon

Platforms: Databases

Parameters

• AutomationAssumeRole Type: String

Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.

• LambdaAssumeRole Type: String

Description: (Optional) The ARN of the role that allows the Lambda function created by Automation to perform the actions on your behalf. If not specified, a transient role is created to run the Lambda function.

• RetentionCount Type: String

Default: 10

Description: (Optional) The number of backups to retain for the table. If more than the specified number of backups exist, the oldest backups beyond that number are deleted. Either RetentionCount or RetentionDays can be used, not both.

• RetentionDays Type: String

Description: (Optional) The number of days to retain backups for the table. Backups older than the specified number of days are deleted. Either RetentionCount or RetentionDays can be used, not both.

• TableName Type: String

Description: (Required) Name of the DynamoDB table.
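
The RetentionCount and RetentionDays parameters above describe two mutually exclusive selection rules. The following is an added example, not the runbook's own code, that applies either rule to backup summaries in the shape dynamodb:ListBackups returns and returns the ARNs that would be passed to DeleteBackup; the sample backups, account ID and reference time are constructed, and the choice to skip backups that are not yet AVAILABLE is this example's own.

```python
"""Added example (not from the AWS runbook): select the DynamoDB table backups
that a RetentionCount or RetentionDays policy would delete, enforcing the
rule that only one of the two may be given.

Backup summaries use the field names dynamodb:ListBackups returns
(BackupArn, BackupCreationDateTime, BackupStatus); the sample backups and the
reference "now" are constructed for this example.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2022, 6, 1, tzinfo=timezone.utc)  # constructed reference time


def _backup(n, days_ago, status="AVAILABLE"):
    return {
        "TableName": "example-table",
        "BackupArn": f"arn:aws:dynamodb:us-east-1:111122223333:table/example-table/backup/0{n}",
        "BackupCreationDateTime": NOW - timedelta(days=days_ago),
        "BackupStatus": status,
    }


# Constructed sample: twelve backups taken every 3 days, plus one still being created.
SAMPLE_BACKUPS = [_backup(n, 3 * n) for n in range(12)] + [_backup(99, 0, status="CREATING")]


def select_backups_to_delete(backups, retention_count=None, retention_days=None, now=NOW):
    """Return the BackupArns to delete, oldest first.

    Exactly one of retention_count / retention_days must be set, mirroring the
    runbook's "either RetentionCount or RetentionDays, not both". Both are
    accepted as strings because the runbook parameters are of type String.
    Backups that are not AVAILABLE are never selected (this example's choice),
    since DeleteBackup cannot act on them.
    """
    if (retention_count is None) == (retention_days is None):
        raise ValueError("specify exactly one of retention_count or retention_days")
    available = sorted(
        (b for b in backups if b["BackupStatus"] == "AVAILABLE"),
        key=lambda b: b["BackupCreationDateTime"],
    )
    if retention_count is not None:
        count = int(retention_count)
        if count < 0:
            raise ValueError("retention_count must be >= 0")
        surplus = max(len(available) - count, 0)
        doomed = available[:surplus]
    else:
        cutoff = now - timedelta(days=int(retention_days))
        doomed = [b for b in available if b["BackupCreationDateTime"] < cutoff]
    return [b["BackupArn"] for b in doomed]


if __name__ == "__main__":
    print("by count (keep 10):", select_backups_to_delete(SAMPLE_BACKUPS, retention_count="10"))
    print("by age (keep 14 days):", select_backups_to_delete(SAMPLE_BACKUPS, retention_days="14"))
```

Selecting before deleting keeps the destructive step reviewable: the returned list can be logged or checked against a minimum-backups safeguard before any DeleteBackup call is made, and a count of 0 deliberately deletes every available backup, which is worth guarding against in real use.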
