

# Elastic Load Balancing


 AWS Systems Manager Automation provides predefined runbooks for Elastic Load Balancing. For more information about runbooks, see [Working with runbooks](https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-documents.html). For information about how to view runbook content, see [View runbook content](automation-runbook-reference.md#view-automation-json). 

**Topics**
+ [`AWSConfigRemediation-DropInvalidHeadersForALB`](automation-aws-drop-alb-headers.md)
+ [`AWS-EnableCLBAccessLogs`](enable-clb-access-logs.md)
+ [`AWS-EnableCLBConnectionDraining`](AWS-EnableCLBConnectionDraining.md)
+ [`AWSConfigRemediation-EnableCLBCrossZoneLoadBalancing`](automation-aws-enable-clb-crosszone.md)
+ [`AWSConfigRemediation-EnableELBDeletionProtection`](automation-aws-enable-elb-protection.md)
+ [`AWSConfigRemediation-EnableLoggingForALBAndCLB`](automation-aws-enable-logging-alb-clb.md)
+ [`AWSSupport-TroubleshootCLBConnectivity`](automation-aws-troubleshootclbconnectivity.md)
+ [`AWSConfigRemediation-EnableNLBCrossZoneLoadBalancing`](automation-aws-enable-nlb-crosszone.md)
+ [`AWS-UpdateALBDesyncMitigationMode`](AWS-UpdateALBDesyncMitigationMode.md)
+ [`AWS-UpdateCLBDesyncMitigationMode`](AWS-UpdateCLBDesyncMitigationMode.md)
+ [`AWSSupport-TroubleshootELBHealthChecks`](automation-aws-troubleshootelbhealthchecks.md)

# `AWSConfigRemediation-DropInvalidHeadersForALB`


 **Description** 

 The `AWSConfigRemediation-DropInvalidHeadersForALB` runbook configures the Application Load Balancer you specify to drop HTTP header fields that are not valid. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-DropInvalidHeadersForALB) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ LoadBalancerArn

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the load balancer on which you want to drop invalid headers.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `elasticloadbalancing:DescribeLoadBalancerAttributes` 
+  `elasticloadbalancing:ModifyLoadBalancerAttributes` 

 **Document Steps** 
+  `aws:executeAwsApi` - Enables the drop invalid headers setting for the load balancer you specify in the `LoadBalancerArn` parameter. 
+  `aws:executeScript` - Verifies the drop invalid headers setting has been enabled on the load balancer you specify in the `LoadBalancerArn` parameter. 

# `AWS-EnableCLBAccessLogs`


**Description**

The `AWS-EnableCLBAccessLogs` runbook enables access logs for a Classic Load Balancer.

[Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWS-EnableCLBAccessLogs)

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ EmitInterval

  Type: Integer

  Valid values: 5 | 60

  Default: 60

  Description: (Optional) The interval for publishing the access logs in minutes.
+ LoadBalancerNames

  Type: String

  Description: (Required) A comma separated list of Classic Load Balancers you want to enable access logs for.
+ S3BucketName

  Type: String

  Description: (Required) The name of the Amazon Simple Storage Service (Amazon S3) bucket where the access logs are stored.
+ S3BucketPrefix

  Type: String

  Description: (Optional) The logical hierarchy you created for your Amazon S3 bucket, for example `my-bucket-prefix/prod`. If the prefix is not provided, the log is placed at the root level of the bucket.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+ `elasticloadbalancing:ModifyLoadBalancerAttributes`

**Document Steps**
+ `aws:executeAwsApi` - Enables access logs for the Classic Load Balancers you specify in the `LoadBalancerNames` parameter.

**Outputs**

EnableCLBAccessLogs.SuccessesLoadBalancers - List of load balancer names where access logs were successfully enabled.

EnableCLBAccessLogs.FailedLoadBalancers - MapList of load balancer names where enabling access logs failed and the reason for the failure.

# `AWS-EnableCLBConnectionDraining`


 **Description** 

The `AWS-EnableCLBConnectionDraining` runbook enables connection draining on a Classic Load Balancer (CLB) with the timeout value you specify. Connection draining lets the CLB complete in-flight requests to instances that are deregistering or unhealthy; the timeout is how long the CLB keeps existing connections open before it reports the instance as deregistered. For more information about connection draining on CLBs, see [Configure connection draining for your Classic Load Balancer](url-elb-cg;config-conn-drain.html) in the *User Guide for Classic Load Balancers*.

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWS-EnableCLBConnectionDraining) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ LoadBalancerName

  Type: String

  Description: (Required) The name of the load balancer you want to enable connection draining on.
+ ConnectionTimeout

  Type: Integer

  Valid values: 1-3600

  Default: 300

  Description: (Required) The connection timeout value for the load balancer. The timeout value can be set between 1 and 3600 seconds.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+ `ssm:StartAutomationExecution`
+ `ssm:GetAutomationExecution`
+ `elasticloadbalancing:DescribeLoadBalancerAttributes`
+ `elasticloadbalancing:ModifyLoadBalancerAttributes`

 **Document Steps** 
+ ModifyLoadBalancerConnectionDraining (aws:executeAwsApi): Enables connection draining and sets the specified timeout value for the load balancer you specify.
+ VerifyLoadBalancerConnectionDrainingEnabled (aws:assertAwsResourceProperty): Verifies that connection draining is enabled for the load balancer.
+ VerifyLoadBalancerConnectionDrainingTimeout (aws:assertAwsResourceProperty): Verifies that the connection timeout value for the load balancer matches the value you specified.

# `AWSConfigRemediation-EnableCLBCrossZoneLoadBalancing`


 **Description** 

 The `AWSConfigRemediation-EnableCLBCrossZoneLoadBalancing` runbook enables cross-zone load balancing for the Classic Load Balancer (CLB) you specify. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-EnableCLBCrossZoneLoadBalancing) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ LoadBalancerName

  Type: String

  Description: (Required) The name of the CLB that you want to enable cross-zone load balancing on.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `elb:DescribeLoadBalancerAttributes` 
+  `elb:ModifyLoadBalancerAttributes` 

 **Document Steps** 
+  `aws:executeAwsApi` - Enables cross-zone load balancing for the CLB you specify in the `LoadBalancerName` parameter. 
+  `aws:assertAwsResourceProperty` - Verifies cross-zone load balancing has been enabled on the CLB. 

# `AWSConfigRemediation-EnableELBDeletionProtection`


 **Description** 

 The `AWSConfigRemediation-EnableELBDeletionProtection` runbook enables deletion protection for the elastic load balancer (ELB) you specify. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-EnableELBDeletionProtection) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ LoadBalancerArn

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the ELB that you want to enable deletion protection on.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `elasticloadbalancing:DescribeLoadBalancerAttributes` 
+  `elasticloadbalancing:DescribeLoadBalancers` 
+  `elasticloadbalancing:ModifyLoadBalancerAttributes` 

 **Document Steps** 
+  `aws:executeScript` - Enables deletion protection on the ELB you specify in the `LoadBalancerArn` parameter. 

# `AWSConfigRemediation-EnableLoggingForALBAndCLB`


 **Description** 

 The `AWSConfigRemediation-EnableLoggingForALBAndCLB` runbook enables logging for the specified AWS Application Load Balancer or a Classic Load Balancer (CLB). 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-EnableLoggingForALBAndCLB) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ LoadBalancerId

  Type: String

  Description: (Required) The Classic Load Balancer name or the Application Load Balancer ARN.
+ S3BucketName

  Type: String

  Description: (Required) The Amazon S3 bucket name.
+ S3BucketPrefix

  Type: String

   Description: (Optional) The logical hierarchy you created for your Amazon Simple Storage Service (Amazon S3) bucket, for example `my-bucket-prefix/prod` . If the prefix is not provided, the log is placed at the root level of the bucket. 

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `elasticloadbalancing:DescribeLoadBalancerAttributes` 
+  `elasticloadbalancing:ModifyLoadBalancerAttributes` 

 **Document Steps** 
+  `aws:executeScript` - Enables and verifies the logging for the Classic Load Balancer or the Application Load Balancer. 

# `AWSSupport-TroubleshootCLBConnectivity`


 **Description** 

 The `AWSSupport-TroubleshootCLBConnectivity` runbook helps you troubleshoot connectivity issues between a Classic Load Balancer (CLB) and Amazon Elastic Compute Cloud (Amazon EC2) instances. It also reviews connectivity between a client and the CLB. This runbook also reviews health checks for the CLB, verifies that best practices are being followed, and creates a troubleshooting dashboard for you. Optionally, you can upload the automation output to an Amazon Simple Storage Service (Amazon S3) bucket. However, this runbook does not support uploading output to S3 buckets that are publicly accessible. We recommend creating a temporary S3 bucket for this automation.

**Important**  
Using this runbook might incur charges for the dashboard that is created. For more information, see [Amazon CloudWatch Pricing](https://aws.amazon.com/cloudwatch/pricing/) 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSSupport-TroubleshootCLBConnectivity) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ InvestigationType

  Type: String

  Valid values: Best Practices | Connectivity Issues | Troubleshooting Dashboard

  Description: (Required) The operations you want the runbook to perform. 
+ LoadBalancerName

  Type: String

  Description: (Required) The name of the CLB.
+ S3Location

  Type: String

  Description: (Optional) The name of the S3 bucket you want to send the automation results to. Publicly accessible buckets are not supported. If your S3 bucket uses server-side encryption, the user or role running this automation must have `kms:GenerateDataKey` permissions for the AWS KMS key.
+ S3LocationPrefix

  Type: String

  Description: (Optional) The Amazon S3 key prefix (subfolder) you want to upload the automation output to. The output is stored in the following format: amzn-s3-demo-bucket/*S3LocationPrefix*/{{*InvestigationType*}}_{{automation:*EXECUTION_ID*}}.txt.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ec2:DescribeInstances` 
+  `ec2:DescribeNetworkAcls` 
+  `ec2:DescribeNetworkInterfaces` 
+  `ec2:DescribeRouteTables` 
+  `ec2:DescribeSecurityGroups` 
+  `ec2:DescribeVpcAttribute` 
+  `ec2:DescribeVpcs` 
+  `ec2:DescribeSubnets` 
+  `elasticloadbalancing:DescribeLoadBalancers` 
+  `elasticloadbalancing:DescribeLoadBalancerPolicies` 
+  `elasticloadbalancing:DescribeInstanceHealth` 
+  `elasticloadbalancing:DescribeLoadBalancerAttributes` 
+  `iam:ListRoles` 
+  `cloudwatch:PutDashboard` 
+  `ssm:GetAutomationExecution` 
+  `ssm:StartAutomationExecution` 
+  `ssm:DescribeAutomationExecutions` 
+  `ssm:DescribeAutomationStepExecutions` 
+  `ssm:DescribeInstanceInformation` 
+  `ssm:DescribeInstanceProperties` 
+  `ssm:GetDocument` 
+  `ssm:ListCommands` 
+  `ssm:ListCommandInvocations` 
+  `ssm:ListDocuments` 
+  `ssm:SendCommand` 
+  `s3:GetBucketAcl` 
+  `s3:GetBucketPolicyStatus` 
+  `s3:GetPublicAccessBlock` 
+  `s3:PutObject` 

 **Document Steps** 
+  `aws:executeScript` - Verifies that the CLB you specify in the `LoadBalancerName` parameter exists. 
+  `aws:branch` - Branches based on the value specified for the `InvestigationType` parameter. 
+  `aws:executeScript` - Performs connectivity checks to the CLB. 
+  `aws:executeScript` - Verifies that the CLB configuration adheres to Elastic Load Balancing best practices. 
+  `aws:executeScript` - Creates an Amazon CloudWatch dashboard for your CLB. 
+  `aws:executeScript` - Creates a text file with the results of the automation and uploads it to the Amazon S3 bucket you specify in the `S3Location` parameter. 

 **Outputs** 

RunBestPractices.Summary

RunConnectivityChecks.Summary

CreateTroubleshootingDashboard.Output

UploadOutputToS3.Output

# `AWSConfigRemediation-EnableNLBCrossZoneLoadBalancing`


 **Description** 

 The `AWSConfigRemediation-EnableNLBCrossZoneLoadBalancing` runbook enables cross zone load balancing for the network load balancer (NLB) you specify. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-EnableNLBCrossZoneLoadBalancing) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ LoadBalancerArn

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the NLB that you want to enable cross zone load balancing on.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `elasticloadbalancing:DescribeLoadBalancerAttributes` 
+  `elasticloadbalancing:ModifyLoadBalancerAttributes` 

 **Document Steps** 
+  `aws:executeAwsApi` - Enables cross zone load balancing for the NLB you specify in the `LoadBalancerArn` parameter. 
+  `aws:executeScript` - Verifies cross zone load balancing has been enabled on the NLB. 

# `AWS-UpdateALBDesyncMitigationMode`


 **Description** 

The `AWS-UpdateALBDesyncMitigationMode` runbook updates the desync mitigation mode on an Application Load Balancer (ALB) to the mitigation mode you specify. The desync mitigation mode determines how the load balancer handles requests that might pose a security risk to your application.

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWS-UpdateALBDesyncMitigationMode) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ LoadBalancerArn

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the ALB that you want to modify the desync mitigation mode of.
+ DesyncMitigationMode

  Type: String

  Valid values: monitor | defensive | strictest

  Description: (Required) The mitigation mode that you want the ALB to use. For information about desync mitigation modes, see [Desync mitigation mode](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html#desync-mitigation-mode) in the *User Guide for Application Load Balancers*.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+ `ssm:StartAutomationExecution`
+ `ssm:GetAutomationExecution`
+ `elasticloadbalancing:DescribeLoadBalancers`
+ `elasticloadbalancing:DescribeLoadBalancerAttributes`
+ `elasticloadbalancing:ModifyLoadBalancerAttributes`

 **Document Steps** 
+ VerifyLoadBalancerType (aws:assertAwsResourceProperty) - Verifies that the value specified for the `LoadBalancerArn` input parameter is for an application load balancer before proceeding to the next step.
+ ModifyLoadBalancerDesyncMode (aws:executeAwsApi) - Updates the ALB to use the specified `DesyncMitigationMode`.
+ VerifyLoadBalancerDesyncMitigationMode (aws:executeScript) - Verifies that the desync mitigation mode was updated for the target ALB.

 **Outputs** 

 VerifyLoadBalancerDesyncMitigationMode.ModificationResult - Message payload of the script verifying the modification to your ALB.
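The following is an added example, not code from this page or from the runbooks themselves. It audits the attribute list that `elasticloadbalancing:DescribeLoadBalancerAttributes` returns for an Application Load Balancer against the four ALB controls the runbooks on this page enforce (`AWSConfigRemediation-DropInvalidHeadersForALB`, `AWSConfigRemediation-EnableELBDeletionProtection`, `AWSConfigRemediation-EnableLoggingForALBAndCLB` and `AWS-UpdateALBDesyncMitigationMode`) and names the runbook that remediates each gap. The ELBv2 attribute keys are the real ones; the sample attribute list and the `elbv2_client` parameter (assumed to be a boto3 `elbv2` client) are constructed for the example.

```python
"""Audit Application Load Balancer attributes against the controls that the
ELB remediation runbooks enforce, using the [{"Key": ..., "Value": ...}] shape
returned by ELBv2 DescribeLoadBalancerAttributes."""
from typing import Any, Callable, Dict, List, Tuple

# Real ELBv2 attribute keys as returned by DescribeLoadBalancerAttributes.
DROP_INVALID_HEADERS = "routing.http.drop_invalid_header_fields.enabled"
DELETION_PROTECTION = "deletion_protection.enabled"
ACCESS_LOGS = "access_logs.s3.enabled"
DESYNC_MODE = "routing.http.desync_mitigation_mode"

# (attribute key, compliance predicate, runbook that remediates a failure)
CONTROLS: List[Tuple[str, Callable[[str], bool], str]] = [
    (DROP_INVALID_HEADERS, lambda v: v == "true",
     "AWSConfigRemediation-DropInvalidHeadersForALB"),
    (DELETION_PROTECTION, lambda v: v == "true",
     "AWSConfigRemediation-EnableELBDeletionProtection"),
    (ACCESS_LOGS, lambda v: v == "true",
     "AWSConfigRemediation-EnableLoggingForALBAndCLB"),
    # "monitor" only records ambiguous requests; "defensive" and "strictest"
    # are the modes that actually reject them, so "monitor" is a finding.
    (DESYNC_MODE, lambda v: v in ("defensive", "strictest"),
     "AWS-UpdateALBDesyncMitigationMode"),
]


def attributes_to_dict(attributes: List[Dict[str, str]]) -> Dict[str, str]:
    """Flatten the API's list of {"Key", "Value"} items into a plain dict."""
    return {item["Key"]: item["Value"] for item in attributes}


def audit_alb_attributes(attributes: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per non-compliant control: attribute key, observed
    value ("<missing>" if the API did not return the key) and the runbook."""
    attrs = attributes_to_dict(attributes)
    findings = []
    for key, is_compliant, runbook in CONTROLS:
        value = attrs.get(key)
        if value is None or not is_compliant(value):
            findings.append({
                "attribute": key,
                "observed": value if value is not None else "<missing>",
                "remediation_runbook": runbook,
            })
    return findings


def audit_load_balancer(elbv2_client: Any, load_balancer_arn: str) -> List[Dict[str, str]]:
    """Fetch live attributes and audit them. elbv2_client is assumed to be a
    boto3 'elbv2' client; describe_load_balancer_attributes is its real method
    and returns {"Attributes": [...]}, the same data the runbooks' verify steps read."""
    resp = elbv2_client.describe_load_balancer_attributes(LoadBalancerArn=load_balancer_arn)
    return audit_alb_attributes(resp["Attributes"])


# Constructed sample: attributes of an ALB that none of the runbooks has touched yet.
SAMPLE_ATTRIBUTES = [
    {"Key": "access_logs.s3.enabled", "Value": "false"},
    {"Key": "deletion_protection.enabled", "Value": "false"},
    {"Key": "routing.http.desync_mitigation_mode", "Value": "monitor"},
    {"Key": "routing.http.drop_invalid_header_fields.enabled", "Value": "false"},
    {"Key": "idle_timeout.timeout_seconds", "Value": "60"},
]

if __name__ == "__main__":
    for f in audit_alb_attributes(SAMPLE_ATTRIBUTES):
        print(f"{f['attribute']} = {f['observed']} -> run {f['remediation_runbook']}")
```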

# `AWS-UpdateCLBDesyncMitigationMode`


 **Description** 

The `AWS-UpdateCLBDesyncMitigationMode` runbook updates the desync mitigation mode on a Classic Load Balancer (CLB) to the mitigation mode you specify. The desync mitigation mode determines how the load balancer handles requests that might pose a security risk to your application.

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWS-UpdateCLBDesyncMitigationMode) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ LoadBalancerName

  Type: String

  Description: (Required) The name of the CLB that you want to modify the desync mitigation mode of.
+ DesyncMitigationMode

  Type: String

  Valid values: monitor | defensive | strictest

  Description: (Required) The mitigation mode that you want the CLB to use. For information about desync mitigation modes, see [Desync mitigation mode](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html#desync-mitigation-mode) in the *User Guide for Application Load Balancers*.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+ `ssm:StartAutomationExecution`
+ `ssm:GetAutomationExecution`
+ `elasticloadbalancing:DescribeLoadBalancerAttributes`
+ `elasticloadbalancing:ModifyLoadBalancerAttributes`

 **Document Steps** 
+ ModifyLoadBalancerDesyncMode (aws:executeAwsApi) - Updates the CLB to use the specified `DesyncMitigationMode`.
+ VerifyLoadBalancerDesyncMitigationMode (aws:executeScript) - Verifies that the desync mitigation mode was updated for the target CLB.

 **Outputs** 

 VerifyLoadBalancerDesyncMitigationMode.ModificationResult - Message payload of the script verifying the modification to your CLB.

# `AWSSupport-TroubleshootELBHealthChecks`


 **Description** 

The **AWSSupport-TroubleshootELBHealthChecks** runbook helps you troubleshoot Elastic Load Balancing health check issues by analyzing the related Amazon CloudWatch (CloudWatch) metrics, verifying network connectivity, and running diagnostic commands on the target instances.

This runbook addresses the following use cases:
+ There are unhealthy instances among the target instances of a load balancer or a target group.
+ There are no unhealthy instances, but CloudWatch metrics show data points for `UnHealthyHostCounts`.

**Important**  
Important considerations:
+ The automation focuses on troubleshooting instance type targets.
+ The maximum number of instances allowed for troubleshooting is 50.
+ The target instances must be managed by Systems Manager to enable the execution of diagnostic commands at the instance level.
+ The `S3BucketName` parameter is optional, but certain diagnostic results are uploaded directly to the specified Amazon S3 bucket and are not displayed in the automation output.
+ IPv6 network connectivity troubleshooting is not supported.

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSSupport-TroubleshootELBHealthChecks) 

**Document type**

Automation

**Owner**

Amazon


**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+ `elasticloadbalancing:DescribeLoadBalancers`
+ `elasticloadbalancing:DescribeTargetGroups`
+ `elasticloadbalancing:DescribeTargetHealth`
+ `elasticloadbalancing:DescribeInstanceHealth`
+ `ec2:DescribeInstances`
+ `ec2:DescribeNetworkInterfaces`
+ `ec2:DescribeSecurityGroups`
+ `ec2:DescribeSubnets`
+ `cloudwatch:GetMetricStatistics`
+ `ssm:SendCommand`
+ `ssm:GetCommandInvocation`
+ `ssm:DescribeInstanceInformation`
+ `s3:GetBucketLocation`
+ `s3:GetBucketAcl`
+ `s3:PutObject`

Example Policy:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeTargetHealth",
                "elasticloadbalancing:DescribeInstanceHealth",
                "ec2:DescribeInstances",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "cloudwatch:GetMetricStatistics",
                "ssm:SendCommand",
                "ssm:GetCommandInvocation",
                "ssm:DescribeInstanceInformation",
                "s3:GetBucketLocation",
                "s3:GetBucketAcl",
                "s3:PutObject"
            ],
            "Resource": "*"
        }
    ]
}
```

 **Instructions** 

Follow these steps to configure the automation:

1. Navigate to [https://console.aws.amazon.com/systems-manager/documents/AWSSupport-TroubleshootELBHealthChecks/description](https://console.aws.amazon.com/systems-manager/documents/AWSSupport-TroubleshootELBHealthChecks/description) in Systems Manager under Documents.

1. Select **Execute automation**.

1. For the input parameters, enter the following:
   + **AutomationAssumeRole (Optional):**
     + Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows SSM Automation to perform the actions on your behalf. If no role is specified, SSM Automation uses the permissions of the user who starts this runbook.
     + Type: `AWS::IAM::Role::Arn`
   + **LoadBalancerOrTargetGroupName (Required):**
     + Description: (Required) The name of a Classic Load Balancer, or the name of the target group associated with an Application Load Balancer or Network Load Balancer.
     + Type: `String`
     + Allowed Pattern: `^[a-zA-Z0-9-]+$`
   + **ExecutionMode (Required):**
     + Description: (Required) Controls the automation execution mode. `Complete` runs all steps including runCommands on Amazon EC2 instances. `SkipRunCommands` executes all steps except running commands on instances.
     + Type: `String`
     + Allowed Values: `[Complete, SkipRunCommands]`
   + **S3BucketName (Optional):**
     + Description: (Optional) The name of the Amazon S3 bucket in your account where you want to upload the troubleshooting logs.
     + Type: `String`
     + Default: `""`

1. Select **Execute**.

1. The automation initiates.

1. The document performs the following steps:
   + **getBucketPublicStatus**:

     Checks if the target Amazon S3 bucket potentially grants read or write public access to its objects.
   + **getLoadBalancerDetails**:

     Identifies the load balancer type and returns a unified load balancer details object.
   + **checkLoadBalancerType**:

     Checks if the load balancer exists.
   + **getTargets**:

     Based on the different types of load balancers, queries describe APIs to return a map of healthy and unhealthy targets details.
   + **checkCloudWatchMetrics**:

     Checks the CloudWatch metrics `HealthyHostCounts` and `UnHealthyHostCounts` and generates the CloudWatch links.
   + **checkUnhealthyReasons**:

     Checks for unhealthy reasons and filters targets.
   + **checkConnectivity**:

     Checks the connectivity between the load balancer and its instances.
   + **runCommands**:

     Runs troubleshooting commands on instances and uploads the output if the bucket name is provided.
   + **generateReport**:

     Generates the final report based on the output of the previous steps and uploads the report to the Amazon S3 bucket if specified.

1. After the automation completes, review the **Outputs** section for the detailed results of the execution.

 **Diagnostic Commands** 

The runbook executes the following diagnostic commands on instances:
+ **Linux Shell:** top, free, ss, curl, iptables, tcpdump
+ **Windows PowerShell:** Get-CimInstance, Get-NetFirewallProfile, Get-NetFirewallRule, Invoke-WebRequest, netstat, netsh, pktmon

**References**

Systems Manager Automation
+ [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/documents/AWSSupport-TroubleshootELBHealthChecks/description)
+ [Run an automation](https://docs.aws.amazon.com//systems-manager/latest/userguide/automation-working-executing.html)
+ [Setting up an Automation](https://docs.aws.amazon.com//systems-manager/latest/userguide/automation-setup.html)
+ [Support Automation Workflows](https://aws.amazon.com/premiumsupport/technology/saw/)