AWS Systems Manager Automation Runbook Reference - User Guide


AWS Systems Manager Automation runbook reference: User Guide

Copyright Amazon Web Services, Inc. and/or its affiliates. All rights reserved.

Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.

Table of Contents

Automation runbook reference (p. 1)
View runbook content (p. 2)
API Gateway (p. 2)
    AWSConfigRemediation-DeleteAPIGatewayStage (p. 3)
    AWSConfigRemediation-EnableAPIGatewayTracing
    …g (p. 5)
AWS CloudFormation (p. 6)
    AWS-DeleteCloudFormationStack (p. 6)
    AWS-RunCfnLint (p. 7)
    AWS-UpdateCloudFormationStack (p. 8)
CloudFront
    …bject (p. 9)
    AWSConfigRemediation-EnableCloudFrontAccessLogs
    …sIdentity
    …ver
    …yHTTPS (p. 14)
CloudTrail
    …Trail (p. 15)
    AWS-EnableCloudTrail
    …ithKMS
    …dation (p. 19)
CloudWatch (p. 20)
    AWS-ConfigureCloudWatchOnEC2Instance (p. 20)
CodeBuild
    …thKMSCMK
    …ldProject (p. 22)
AWS CodeDeploy (p. 23)
    AWSSupport-TroubleshootCodeDeploy (p. 24)
AWS Config (p. 25)
    AWSSupport-SetupConfig (p. 25)
AWS Directory Service (p. 27)
    AWS-CreateDSManagementInstance (p. 27)
    AWSSupport-TroubleshootDirectoryTrust (p. 30)
DynamoDB (p. 33)
    AWS-CreateDynamoDBBackup (p. 33)
    AWS-DeleteDynamoDbBackup (p. 34)
    AWSConfigRemediation-DeleteDynamoDbTable (p. 34)
    AWS-DeleteDynamoDbTableBackups
    …able (p. 36)
    AWSConfigRemediation-EnablePITRForDynamoDbTable (p. 37)
Amazon EBS (p. 38)
    AWS-AttachEBSVolume (p. 39)
    AWSSupport-CalculateEBSPerformanceMetrics (p. 40)
    AWS-CopySnapshot (p. 41)
    AWS-CreateSnapshot (p. 42)
    AWS-DeleteEbsVolumeSnapshots (p. 43)
    AWS-DeleteSnapshot (p. 44)
    AWSConfigRemediation-DeleteUnusedEBSVolume (p. 45)
    AWS-DetachEBSVolume
    …t (p. 47)
    AWSSupport-ModifyEBSSnapshotPermission (p. 48)
    AWSConfigRemediation-ModifyEBSVolumeType (p. 49)
Amazon EC2 (p. 50)
    AWS-ASGEnterStandby (p. 51)
    AWS-ASGExitStandby (p. 52)
    AWS-CreateImage (p. 53)
    AWS-DeleteImage (p. 54)
    AWS-PatchAsgInstance (p. 55)
    AWS-PatchInstanceWithRollback (p. 56)
    AWS-ResizeInstance (p. 57)
    AWS-RestartEC2Instance (p. 58)
    AWS-StartEC2Instance (p. 59)
    AWS-StopEC2Instance (p. 59)
    AWS-TerminateEC2Instance (p. 60)
    AWS-UpdateLinuxAmi (p. 61)
    AWS-UpdateWindowsAmi
    …althCheck (p. 65)
    AWSConfigRemediation-EnforceEC2InstanceIMDSv2 (p. 66)
    AWSEC2-CloneInstanceAndUpgradeSQLServer (p. 67)
    AWSEC2-CloneInstanceAndUpgradeWindows (p. 69)
    AWSEC2-ConfigureSTIG (p. 72)
    AWSEC2-PatchLoadBalancerInstance (p. 79)
    AWSEC2-SQLServerDBRestore (p. 80)
    AWSSupport-ActivateWindowsWithAmazonLicense (p. 83)
    AWSSupport-CheckXenToNitroMigrationRequirements (p. 85)
    AWSSupport-ConfigureEC2Metadata (p. 87)
    AWSSupport-CopyEC2Instance (p. 89)
    AWSSupport-ExecuteEC2Rescue (p. 93)
    AWSSupport-ListEC2Resources (p. 95)
    AWSSupport-ManageRDPSettings (p. 96)
    AWSSupport-ManageWindowsService (p. 98)
    AWSSupport-MigrateEC2ClassicToVPC (p. 99)
    AWSSupport-ResetAccess (p. 104)
    AWSSupport-RestoreEC2InstanceFromSnapshot (p. 105)
    AWSSupport-SendLogBundleToS3Bucket (p. 108)
    AWSSupport-StartEC2RescueWorkflow (p. 110)
    AWSSupport-TroubleshootRDP (p. 116)
    AWSSupport-TroubleshootSSH (p. 120)
    AWSSupport-TroubleshootSUSERegistration (p. 122)
    AWSSupport-UpgradeWindowsAWSDrivers (p. 124)
    AWSPremiumSupport-TroubleshootEC2DiskUsage (p. 126)
    AWSPremiumSupport-ChangeInstanceTypeIntelToAMD (p. 129)
Amazon ECS (p. 133)
    AWSSupport-CollectECSInstanceLogs (p. 133)
    AWS-InstallECSContainerAgent (p. 135)
    AWSSupport-TroubleshootECSContainerInstance (p. 136)
    AWS-UpdateECSContainerAgent (p. 137)
Amazon EFS (p. 139)
    AWSSupport-CheckAndMountEFS (p. 139)
Amazon EKS (p. 141)
    AWSSupport-CollectEKSInstanceLogs (p. 141)
    AWS-DeleteEKSCluster (p. 143)
    AWSPremiumSupport-TroubleshootEKSCluster (p. 144)
    AWSSupport-TroubleshootEKSWorkerNode (p. 147)
    AWS-UpdateEKSManagedNodegroupVersion (p. 149)
Elastic Beanstalk (p. 150)
    AWSSupport-CollectElasticBeanstalkLogs
    …ronmentLogStreaming
    …Notifications (p. 153)
Elastic Load Balancing (p. 154)
    AWSConfigRemediation-DropInvalidHeadersForALB (p. 155)
    …lancing
    AWSConfigRemediation-EnableELBDeletionProtection
    AWSConfigRemediation-EnableLoggingForALBAndCLB
    …ing
Amazon EMR
    AWSSupport-AnalyzeEMRLogs
Amazon OpenSearch Service
    AWSConfigRemediation-DeleteOpenSearchDomain
    …tyGroups
EventBridge
    AWS-AddOpsItemDedupStringToEventBridgeRule
    AWS-DisableEventBridgeRule
GuardDuty
    AWSConfigRemediation-CreateGuardDutyDetector
IAM
    AWS-AttachIAMToInstance
    AWSConfigRemediation-DeleteIAMRole
    AWSConfigRemediation-DeleteIAMUser
    AWSConfigRemediation-DeleteUnusedIAMGroup
    AWSConfigRemediation-DeleteUnusedIAMPolicy
    AWSConfigRemediation-DetachIAMPolicy
    AWSConfigRemediation-EnableAccountAccessAnalyzer
    AWSSupport-GrantPermissionsToIAMUser
    AWSConfigRemediation-RemoveUserPolicies
    AWSConfigRemediation-ReplaceIAMInlinePolicy
    …ls
    AWSConfigRemediation-SetIAMPasswordPolicy
AWS KMS
    AWSConfigRemediation-CancelKeyDeletion
    AWSConfigRemediation-EnableKeyRotation
Lambda
    …racing
    AWSConfigRemediation-DeleteLambdaFunction
    …ablesWithCMK
    AWSConfigRemediation-MoveLambdaToVPC
    AWSSupport-RemediateLambdaS3Event
    AWSSupport-TroubleshootLambdaInternetAccess
    AWSSupport-TroubleshootLambdaS3Event
Amazon RDS
    AWS-CreateRdsSnapshot
    AWSConfigRemediation-DeleteRDSCluster
    AWSConfigRemediation-DeleteRDSClusterSnapshot
    AWSConfigRemediation-DeleteRDSInstance
    AWSConfigRemediation-DeleteRDSInstanceSnapshot
    …ance
    …SCluster
    …SDBInstance
    …SInstance
    …DS
    AWSConfigRemediation-EnableMultiAZOnRDSInstance
    …DSInstance
    …ection
    AWSConfigRemediation-EnableRDSInstanceBackup
    …tection
    AWSConfigRemediation-ModifyRDSInstancePortNumber
    AWSSupport-ModifyRDSSnapshotPermission
    AWS-RebootRdsInstance
    AWSSupport-ShareRDSSnapshot
    AWS-StartRdsInstance
    AWSSupport-TroubleshootConnectivityToRDS
Amazon Redshift
    AWSConfigRemediation-DeleteRedshiftCluster
    …tCluster
    …gging
    …edSnapshot
    …ion
    …dVPCRouting
    …edshiftCluster
    …anceSettings
    …e
Amazon S3
    AWS-ConfigureS3BucketLogging
    AWS-ConfigureS3BucketVersioning
    …sBlock
    AWSConfigRemediation-ConfigureS3PublicAccessBlock
    AWS-DisableS3BucketPublicReadWrite
    AWS-EnableS3BucketEncryption
    …ketPolicy
    …y
    AWSSupport-TroubleshootS3PublicRead
Secrets Manager
    AWSConfigRemediation-DeleteSecret
    AWSConfigRemediation-RotateSecret
Security Hub
    AWSConfigRemediation-EnableSecurityHub
Amazon SNS
    AWSConfigRemediation-EncryptSNSTopic
    AWS-PublishSNSNotification
Systems Manager
    AWS-BulkEditOpsItems
    AWS-BulkResolveOpsItems
    AWS-CreateManagedLinuxInstance
    AWS-CreateManagedWindowsInstance
    …ager
    AWS-ExportOpsDataToS3
    AWS-ExportPatchReportToS3
    AWS-SetupInventory
    AWS-SetupManagedInstance
    AWS-SetupManagedRoleOnEC2Instance
    AWSSupport-TroubleshootManagedInstance
Third-party
    AWS-CreateJiraIssue
    AWS-CreateServiceNowIncident
    AWS-RunPacker
Amazon VPC
    AWSSupport-ConfigureDNSQueryLogging
    AWSSupport-ConnectivityTroubleshooter
    …way
    AWSConfigRemediation-DeleteUnusedENI
    AWSConfigRemediation-DeleteUnusedSecurityGroup
    AWSConfigRemediation-DeleteUnusedVPCNetworkACL
    AWSConfigRemediation-DeleteVPCFlowLog
    …ay
    …ivateGateway
    AWS-DisablePublicAccessForSecurityGroup
    …cIP
    AWSSupport-EnableVPCFlowLogs
    …h
    AWSConfigRemediation-EnableVPCFlowLogsToS3Bucket
    AWS-ReleaseElasticIP
    …essRules
    …pRules
    AWSSupport-SetupIPMonitoringFromVPC
    AWSSupport-TerminateIPMonitoringFromVPC
AWS WAF
    AWSConfigRemediation-EnableWAFClassicLogging
    …ing
    AWSConfigRemediation-EnableWAFV2Logging
Amazon WorkSpaces
    AWSSupport-RecoverWorkSpace
X-Ray
    AWSConfigRemediation-UpdateXRayKMSKey

Systems Manager Automation runbook reference

To help you get started quickly, AWS Systems Manager provides predefined runbooks. These runbooks are maintained by Amazon Web Services, AWS Support, and AWS Config. The runbook reference describes each of the predefined runbooks provided by Systems Manager, AWS Support, and AWS Config.

Important

If you run an automation workflow that invokes other services by using an AWS Identity and Access Management (IAM) service role, be aware that the service role must be configured with permission to invoke those services. This requirement applies to all AWS Automation runbooks (AWS-* runbooks) such as the AWS-ConfigureS3BucketLogging, AWS-CreateDynamoDBBackup, and AWS-RestartEC2Instance runbooks, to name a few. This requirement also applies to any custom Automation runbooks you create that invoke other AWS services by using actions that call other services. For example, if you use the aws:executeAwsApi, aws:createStack, or aws:copyImage actions, then you must configure the service role with permission to invoke those services. You can enable permissions to other AWS services by adding an IAM inline policy to the role. For more information, see Add an Automation inline policy to invoke other AWS services.

This reference includes topics that describe each of the Systems Manager runbooks that are owned by AWS, AWS Support, and AWS Config. Runbooks are organized by the relevant AWS service. Each page provides an explanation of the required and optional parameters you can specify when using the runbook. Each page also lists the steps in the runbook and the output of the automation, if any.

This section does not include a separate page for runbooks that require approval such as the AWS-CreateManagedLinuxInstanceWithApproval or AWS-StopEC2InstanceWithApproval runbook. Any runbook name that includes WithApproval means the runbook includes the aws:approve action. This action temporarily pauses an automation until designated principals either approve or reject the action. After the required number of approvals is reached, the automation resumes. For informa
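The Important note above says the Automation service role must be granted permission for every service that aws:executeAwsApi (and similar) steps call, and that the usual way to do so is an IAM inline policy on the role. The Python below is an added example, not AWS code and not part of this guide: it walks a runbook document, derives the IAM actions its aws:executeAwsApi steps require, builds an inline policy scoped to explicit resource ARNs, and flags wildcard grants in an existing policy so an over-broad role can be caught before the runbook is run. The sample runbook, the bucket ARN and the IAM_PREFIX_OVERRIDES table are constructed for illustration.

```python
"""Least-privilege helper for an Automation service role (added example, not AWS code).

Derives the IAM actions needed by the aws:executeAwsApi steps of a runbook,
emits a scoped inline policy, and flags wildcard Allow statements.
"""
import json

# aws:executeAwsApi takes a boto3 service name; IAM action prefixes usually match
# it, but a few differ. Assumed override table for illustration; extend as needed.
IAM_PREFIX_OVERRIDES = {
    "stepfunctions": "states",
    "elbv2": "elasticloadbalancing",
    "elb": "elasticloadbalancing",
    "opensearch": "es",
}

# Constructed sample runbook (not an AWS-published document). It follows the
# schema the guide describes: aws:executeAwsApi steps that call another service
# on behalf of the service role named in AutomationAssumeRole.
SAMPLE_RUNBOOK = {
    "schemaVersion": "0.3",
    "description": "Constructed example: enable server access logging on a bucket.",
    "assumeRole": "{{ AutomationAssumeRole }}",
    "parameters": {
        "BucketName": {"type": "String"},
        "TargetBucket": {"type": "String"},
        "AutomationAssumeRole": {"type": "String"},
    },
    "mainSteps": [
        {
            "name": "EnableLogging",
            "action": "aws:executeAwsApi",
            "inputs": {
                "Service": "s3",
                "Api": "PutBucketLogging",
                "Bucket": "{{ BucketName }}",
                "BucketLoggingStatus": {
                    "LoggingEnabled": {"TargetBucket": "{{ TargetBucket }}",
                                       "TargetPrefix": "access/"}
                },
            },
        },
        {
            "name": "VerifyLogging",
            "action": "aws:executeAwsApi",
            "inputs": {"Service": "s3", "Api": "GetBucketLogging",
                       "Bucket": "{{ BucketName }}"},
        },
        # A step that calls no AWS API needs no permission and must be skipped.
        {"name": "Pause", "action": "aws:sleep", "inputs": {"Duration": "PT5S"}},
    ],
}


def required_actions(runbook):
    """IAM actions the service role needs for every aws:executeAwsApi step."""
    actions = set()
    for step in runbook.get("mainSteps", []):
        if step.get("action") != "aws:executeAwsApi":
            continue  # aws:sleep, aws:branch, aws:approve ... call no external API
        inputs = step["inputs"]
        service = inputs["Service"].lower()
        prefix = IAM_PREFIX_OVERRIDES.get(service, service)
        actions.add(f"{prefix}:{inputs['Api']}")
    return sorted(actions)


def build_inline_policy(runbook, resource_arns):
    """Inline policy granting exactly the derived actions on the given ARNs."""
    if not resource_arns:
        raise ValueError("scope the policy to explicit resource ARNs; refuse a blanket '*'")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AutomationRunbookCalls",
            "Effect": "Allow",
            "Action": required_actions(runbook),
            "Resource": list(resource_arns),
        }],
    }


def find_wildcards(policy):
    """Return findings for Allow statements that grant '*' or 'service:*'."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {a!r}")
        if "*" in resources:
            findings.append(f"statement {i}: wildcard resource '*'")
    return findings


if __name__ == "__main__":
    arns = ["arn:aws:s3:::example-bucket"]  # constructed placeholder ARN
    print(json.dumps(build_inline_policy(SAMPLE_RUNBOOK, arns), indent=2))
    broad = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
    for finding in find_wildcards(broad):
        print("finding:", finding)
```

The one-to-one mapping from Api name to IAM action is a starting point, not the whole story: some calls need additional permissions (passing a role to another service requires iam:PassRole, for example), so validate the generated policy with a dry run of the runbook and compare against the calls recorded in CloudTrail before relying on it.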

API Gateway

AWS Systems Manager Automation provides predefined runbooks for Amazon API Gateway. For more information about runbooks, see Working with runbooks. For information about how to view runbook content, see View runbook content (p. 2).

Topics
    AWSConfigRemediation-DeleteAPIGatewayStage (p. 3)