# `AWSPremiumSupport-TroubleshootEKSCluster`
<a name="automation-awspremiumsupport-troubleshootekscluster"></a>

 **Description** 

The `AWSPremiumSupport-TroubleshootEKSCluster` runbook diagnoses common issues with an Amazon Elastic Kubernetes Service (Amazon EKS) cluster and its underlying infrastructure, and provides recommended remediation steps.

**Important**  
Access to `AWSPremiumSupport-*` runbooks requires a Business Support, Enterprise Support or Unified Operations Subscription. For more information, see [Compare AWS Support Plans](https://aws.amazon.com/premiumsupport/plans/).

If you specify a value for the `S3BucketName` parameter, the automation evaluates the policy status of the Amazon Simple Storage Service (Amazon S3) bucket you specify. To help protect the logs gathered from your EC2 instance, the logs are not uploaded if the policy status `isPublic` is `true`, or if the access control list (ACL) grants `READ|WRITE` permissions to the `All Users` Amazon S3 predefined group. For more information about Amazon S3 predefined groups, see [Amazon S3 predefined groups](https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#specifying-grantee-predefined-groups) in the *Amazon Simple Storage Service User Guide*.
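The following is an added example, not the runbook's own code, of the two-signal bucket check described above: it refuses an upload when the bucket policy status reports `IsPublic`, or when the ACL grants `READ` or `WRITE` to the `AllUsers` predefined group (it also treats `FULL_CONTROL` as blocking, since that implies both). The input dicts follow the response shape of boto3's `get_bucket_policy_status` and `get_bucket_acl`; the sample responses are constructed, and a missing bucket policy is modelled as `None`.

```python
"""Decide whether the runbook report may be uploaded to an S3 bucket.
Example code, not the runbook's implementation. Input dicts mirror the
shape of boto3 get_bucket_policy_status / get_bucket_acl responses."""
from typing import List, Optional, Tuple

ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"
# READ|WRITE are the permissions the runbook names; FULL_CONTROL implies both.
BLOCKING_PERMISSIONS = {"READ", "WRITE", "FULL_CONTROL"}


def public_acl_grants(acl: dict) -> List[str]:
    """Return the blocking permissions the ACL grants to the AllUsers group."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") == ALL_USERS_URI:
            if grant.get("Permission") in BLOCKING_PERMISSIONS:
                found.append(grant["Permission"])
    return found


def upload_allowed(policy_status: Optional[dict], acl: dict) -> Tuple[bool, str]:
    """Return (allowed, reason). policy_status is None when the bucket has no
    policy at all (GetBucketPolicyStatus fails with NoSuchBucketPolicy then),
    which is not by itself a reason to block the upload."""
    if policy_status and policy_status.get("PolicyStatus", {}).get("IsPublic"):
        return False, "bucket policy status IsPublic is true"
    grants = public_acl_grants(acl)
    if grants:
        return False, f"ACL grants {'|'.join(sorted(grants))} to AllUsers"
    return True, "bucket is private"


# Constructed sample responses (not taken from a real account).
PRIVATE_ACL = {"Owner": {"ID": "owner-id"},
               "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
                           "Permission": "FULL_CONTROL"}]}
PUBLIC_READ_ACL = {"Owner": {"ID": "owner-id"},
                   "Grants": PRIVATE_ACL["Grants"] + [
                       {"Grantee": {"Type": "Group", "URI": ALL_USERS_URI},
                        "Permission": "READ"}]}
PUBLIC_POLICY = {"PolicyStatus": {"IsPublic": True}}
PRIVATE_POLICY = {"PolicyStatus": {"IsPublic": False}}

if __name__ == "__main__":
    for name, status, acl in [("private", PRIVATE_POLICY, PRIVATE_ACL),
                              ("no-policy", None, PRIVATE_ACL),
                              ("public-policy", PUBLIC_POLICY, PRIVATE_ACL),
                              ("public-acl", PRIVATE_POLICY, PUBLIC_READ_ACL)]:
        print(name, upload_allowed(status, acl))
```

Only the `public-acl` and `public-policy` cases are refused; the owner's own `FULL_CONTROL` grant is a `CanonicalUser` grantee, not the predefined group, and does not trigger the check.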

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSPremiumSupport-TroubleshootEKSCluster) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ ClusterName

  Type: String

  Description: (Required) The name of the Amazon EKS cluster that you want to troubleshoot.
+ S3BucketName

  Type: String

  Description: (Required) The name of the private Amazon S3 bucket where the report generated by the runbook should be uploaded.

**Required IAM permissions**

The role specified in the `AutomationAssumeRole` parameter must be allowed the following actions for the runbook to run successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `ec2:DescribeInstances` 
+  `ec2:DescribeInstanceTypes` 
+  `ec2:DescribeSubnets` 
+  `ec2:DescribeSecurityGroups` 
+  `ec2:DescribeRouteTables` 
+  `ec2:DescribeNatGateways` 
+  `ec2:DescribeVpcs` 
+  `ec2:DescribeNetworkAcls` 
+  `iam:GetInstanceProfile` 
+  `iam:ListInstanceProfiles` 
+  `iam:ListAttachedRolePolicies` 
+  `eks:DescribeCluster` 
+  `eks:ListNodegroups` 
+  `eks:DescribeNodegroup` 
+  `autoscaling:DescribeAutoScalingGroups` 

In addition, the AWS Identity and Access Management (IAM) policy attached to the user or role that starts the automation must allow the `ssm:GetParameter` operation on the following public AWS Systems Manager parameters, which the runbook reads to determine the latest recommended Amazon EKS Amazon Machine Image (AMI) for the worker nodes.
+  `arn:aws:ssm:::parameter/aws/service/eks/optimized-ami/*/amazon-linux-2/recommended/image_id` 
+  `arn:aws:ssm:::parameter/aws/service/ami-windows-latest/Windows_Server-2019-English-Core-EKS_Optimized-*/image_id` 
+  `arn:aws:ssm:::parameter/aws/service/ami-windows-latest/Windows_Server-2019-English-Full-EKS_Optimized-*/image_id` 
+  `arn:aws:ssm:::parameter/aws/service/ami-windows-latest/Windows_Server-1909-English-Core-EKS_Optimized-*/image_id` 
+  `arn:aws:ssm:::parameter/aws/service/eks/optimized-ami/*/amazon-linux-2-gpu/recommended/image_id` 

To upload the report generated by the runbook to an Amazon S3 bucket, the following permissions are required on the bucket you specify.
+  `s3:GetBucketPolicyStatus` 
+  `s3:GetBucketAcl` 
+  `s3:PutObject` 

 **Document Steps** 
+  `aws:executeAwsApi` - Gathers details for the specified Amazon EKS cluster. 
+  `aws:executeScript` - Gathers details of the Amazon Elastic Compute Cloud (Amazon EC2) instances, Auto Scaling groups, AMIs, and Amazon EC2 GPU graphic instance types. 
+  `aws:executeScript` - Gathers details of the virtual private cloud (VPC), subnets, network address translation (NAT) gateways, subnet routes, security groups and network access control lists (ACLs) of the Amazon EKS cluster. 
+  `aws:executeScript` - Gathers details of attached IAM instance profiles and role policies. 
+  `aws:executeScript` - Gathers details of the Amazon S3 bucket you specify in the `S3BucketName` parameter. 
+  `aws:executeScript` - Classifies the Amazon VPC subnets as public or private. 
+  `aws:executeScript` - Checks the Amazon VPC subnets for tags that are required as part of an Amazon EKS cluster. 
+  `aws:executeScript` - Checks the Amazon VPC subnets for the tags that are required for Elastic Load Balancing subnets. 
+  `aws:executeScript` - Checks if the worker node Amazon EC2 instances use the latest Amazon EKS optimized AMIs. 
+  `aws:executeScript` - Checks if the Amazon VPC security groups attached to worker nodes have the required tags. 
+  `aws:executeScript` - Checks the Amazon EKS cluster and worker node Amazon VPC security group rules for the recommended ingress rules to the Amazon EKS cluster. 
+  `aws:executeScript` - Checks the Amazon EKS cluster and worker node Amazon VPC security group rules for the recommended egress rules from the Amazon EKS cluster. 
+  `aws:executeScript` - Checks the network ACL configuration of the Amazon VPC subnets. 
+  `aws:executeScript` - Checks if the worker node Amazon EC2 instances have the required managed policies. 
+  `aws:executeScript` - Checks if the Auto Scaling groups have the necessary tags for cluster autoscaling. 
+  `aws:executeScript` - Checks if the worker node Amazon EC2 instances are connected to the internet. 
+  `aws:executeScript` - Generates a report based on the outputs from the previous steps. If a value is specified for the `S3BucketName` parameter, the generated report is uploaded to the Amazon S3 bucket. 