

# Lambda
<a name="automation-ref-lam"></a>

 AWS Systems Manager Automation provides predefined runbooks for AWS Lambda. For more information about runbooks, see [Working with runbooks](https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-documents.html). For information about how to view runbook content, see [View runbook content](automation-runbook-reference.md#view-automation-json). 

**Topics**
+ [`AWSConfigRemediation-ConfigureLambdaFunctionXRayTracing`](automation-aws-config-lambda-xray.md)
+ [`AWSConfigRemediation-DeleteLambdaFunction`](automation-aws-delete-lambda.md)
+ [`AWSConfigRemediation-EncryptLambdaEnvironmentVariablesWithCMK`](automation-aws-encrypt-lambda-variables.md)
+ [`AWSConfigRemediation-MoveLambdaToVPC`](automation-aws-lambda-to-vpc.md)
+ [`AWSSupport-RemediateLambdaS3Event`](automation-awssupport-remediatelambdas3event.md)
+ [`AWSSupport-TroubleshootLambdaInternetAccess`](AWSSupport-TroubleshootLambdaInternetAccess.md)
+ [`AWSSupport-TroubleshootLambdaS3Event`](automation-aws-troubleshootlambdas3event.md)

# `AWSConfigRemediation-ConfigureLambdaFunctionXRayTracing`
<a name="automation-aws-config-lambda-xray"></a>

 **Description** 

 The `AWSConfigRemediation-ConfigureLambdaFunctionXRayTracing` runbook enables AWS X-Ray live tracing on the AWS Lambda function you specify in the `FunctionName` parameter. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-ConfigureLambdaFunctionXRayTracing) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ FunctionName

  Type: String

  Description: (Required) The name or ARN of the Lambda function to enable tracing on.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `lambda:UpdateFunctionConfiguration` 
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 

 **Document Steps** 
+  `aws:executeAwsApi` - Enables X-Ray tracing on the Lambda function you specify in the `FunctionName` parameter. 
+  `aws:assertAwsResourceProperty` - Verifies that X-Ray tracing has been enabled on the Lambda function. 

 **Outputs** 

 UpdateLambdaConfig.UpdateFunctionConfigurationResponse - Response from the `UpdateFunctionConfiguration` API call. 

# `AWSConfigRemediation-DeleteLambdaFunction`
<a name="automation-aws-delete-lambda"></a>

 **Description** 

 The `AWSConfigRemediation-DeleteLambdaFunction` runbook deletes the AWS Lambda function you specify. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-DeleteLambdaFunction) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ LambdaFunctionName

  Type: String

  Description: (Required) The name of the Lambda function that you want to delete.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `lambda:DeleteFunction` 
+  `lambda:GetFunction` 

 **Document Steps** 
+  `aws:executeAwsApi` - Deletes the Lambda function specified in the `LambdaFunctionName` parameter. 
+  `aws:executeScript` - Verifies the Lambda function has been deleted. 

# `AWSConfigRemediation-EncryptLambdaEnvironmentVariablesWithCMK`
<a name="automation-aws-encrypt-lambda-variables"></a>

 **Description** 

 The `AWSConfigRemediation-EncryptLambdaEnvironmentVariablesWithCMK` runbook encrypts, at rest, the environment variables for the AWS Lambda (Lambda) function you specify using an AWS Key Management Service (AWS KMS) customer managed key. This runbook should only be used as a baseline to ensure that your Lambda function's environment variables are encrypted according to minimum recommended security best practices. We recommend encrypting multiple functions with different customer managed keys. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-EncryptLambdaEnvironmentVariablesWithCMK) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ FunctionName

  Type: String

  Description: (Required) The name or ARN of the Lambda function whose environment variables you want to encrypt.
+ KMSKeyArn

  Type: String

  Description: (Required) The ARN of the AWS KMS customer managed key you want to use to encrypt your Lambda function's environment variables.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `lambda:GetFunctionConfiguration` 
+  `lambda:UpdateFunctionConfiguration` 

 **Document Steps** 
+  `aws:waitForAwsResourceProperty` - Waits for the `LastUpdateStatus` property to be `Successful`. 
+  `aws:executeAwsApi` - Encrypts the environment variables for the Lambda function you specify in the `FunctionName` parameter using the AWS KMS customer managed key you specify in the `KMSKeyArn` parameter. 
+  `aws:assertAwsResourceProperty` - Confirms encryption is enabled on the environment variables for your Lambda function. 

# `AWSConfigRemediation-MoveLambdaToVPC`
<a name="automation-aws-lambda-to-vpc"></a>

 **Description** 

 The `AWSConfigRemediation-MoveLambdaToVPC` runbook moves an AWS Lambda (Lambda) function to an Amazon Virtual Private Cloud (Amazon VPC). 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-MoveLambdaToVPC) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ FunctionName

  Type: String

  Description: (Required) The name of the Lambda function to move to an Amazon VPC.
+ SecurityGroupIds

  Type: String

  Description: (Required) The security group IDs you want to assign to the elastic network interfaces (ENIs) associated with your Lambda function.
+ SubnetIds

  Type: String

  Description: (Required) The subnet IDs you want to create the elastic network interfaces (ENIs) associated with your Lambda function.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `lambda:GetFunction` 
+  `lambda:GetFunctionConfiguration` 
+  `lambda:UpdateFunctionConfiguration` 

 **Document Steps** 
+  `aws:executeAwsApi` - Updates the Amazon VPC configuration for the Lambda function you specify in the `FunctionName` parameter. 
+  `aws:waitForAwsResourceProperty` - Waits for the Lambda function `LastUpdateStatus` to be `Successful`. 
+  `aws:executeScript` - Verifies the Lambda function Amazon VPC configuration has been successfully updated. 

# `AWSSupport-RemediateLambdaS3Event`
<a name="automation-awssupport-remediatelambdas3event"></a>

 **Description** 

 The `AWSSupport-RemediateLambdaS3Event` runbook provides an automated solution for the procedures outlined in the AWS Knowledge Center articles [Why doesn't my Amazon S3 event notification trigger my Lambda function?](https://aws.amazon.com/premiumsupport/knowledge-center/lambda-configure-s3-event-notification/) and [Why do I get the error "Unable to validate the following destination configurations" when creating an Amazon S3 event notification to trigger my Lambda function?](https://aws.amazon.com/premiumsupport/knowledge-center/lambda-invoke-error-s3-bucket-permission/). This runbook helps you identify and remediate why an Amazon Simple Storage Service (Amazon S3) event notification failed to trigger the AWS Lambda function you specified. If the runbook output suggests validating and configuring your Lambda function concurrency, see [Asynchronous invocation](https://docs.aws.amazon.com/lambda/latest/dg/invocation-async.html) and [AWS Lambda Function scaling](https://docs.aws.amazon.com/lambda/latest/dg/scaling.html). 

**Note**  
"Unable to validate the following destination configurations" errors can also occur due to incorrect Amazon Simple Notification Service (Amazon SNS) and Amazon Simple Queue Service (Amazon SQS) Amazon S3 event configurations. This runbook only checks Lambda function configurations. If after using the runbook, you are still receiving the "Unable to validate the following destination configurations" error, please review any existing Amazon SNS and Amazon SQS Amazon S3 event configurations. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSSupport-RemediateLambdaS3Event) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ LambdaFunctionArn

  Type: String

  Description: (Required) The ARN of the Lambda function.
+ S3BucketName

  Type: String

  Description: (Required) The name of the Amazon S3 bucket whose event notifications trigger the Lambda function.
+ Action

  Type: String

  Valid values: Troubleshoot | Remediate

  Description: (Required) The action you want the runbook to perform. The `Troubleshoot` option helps identify any issues, but does not perform any mutating actions to resolve the issue. The `Remediate` option helps identify and attempts to resolve issues for you.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetDocument` 
+  `ssm:ListDocuments` 
+  `ssm:DescribeAutomationExecutions` 
+  `ssm:DescribeAutomationStepExecutions` 
+  `ssm:GetAutomationExecution` 
+  `lambda:GetPolicy` 
+  `lambda:AddPermission` 
+  `s3:GetBucketNotification` 

 **Document Steps** 
+  `aws:branch` - Branches based on the input specified for the `Action` parameter. 

   If the value specified is `Troubleshoot` : 
  +  `aws:executeAutomation` - Runs the `AWSSupport-TroubleshootLambdaS3Event` runbook. 
  +  `aws:executeAwsApi` - Checks the output of the `AWSSupport-TroubleshootLambdaS3Event` runbook that ran in the previous step. 

   If the value specified is `Remediate` : 
  +  `aws:executeScript` - Runs a script to remediate the issues outlined in the [Why doesn't my Amazon S3 event notification trigger my Lambda function?](https://aws.amazon.com/premiumsupport/knowledge-center/lambda-configure-s3-event-notification/) and [Why do I get the error "Unable to validate the following destination configurations" when creating an Amazon S3 event notification to trigger my Lambda function?](https://aws.amazon.com/premiumsupport/knowledge-center/lambda-invoke-error-s3-bucket-permission/) Knowledge Center articles. 

 **Outputs** 

checkoutput.Output

remediatelambdas3event.Output

# `AWSSupport-TroubleshootLambdaInternetAccess`
<a name="AWSSupport-TroubleshootLambdaInternetAccess"></a>

 **Description** 

 The `AWSSupport-TroubleshootLambdaInternetAccess` runbook helps you troubleshoot internet access issues for an AWS Lambda function that was launched into an Amazon Virtual Private Cloud (Amazon VPC). Resources such as subnet routes, security group rules, and network access control list (ACL) rules are reviewed to confirm that outbound internet access is allowed. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSSupport-TroubleshootLambdaInternetAccess) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ FunctionName

  Type: String

  Description: (Required) The name of the Lambda function you want to troubleshoot internet access for.
+ destinationIp

  Type: String

  Description: (Required) The destination IP address you want to establish an outbound connection to.
+ destinationPort

  Type: String

  Default: 443

  Description: (Optional) The destination port you want to establish an outbound connection on.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `lambda:GetFunction` 
+  `ec2:DescribeRouteTables` 
+  `ec2:DescribeNatGateways` 
+  `ec2:DescribeSecurityGroups` 
+  `ec2:DescribeNetworkAcls` 

 **Document Steps** 
+  `aws:executeScript` - Verifies the configuration of various resources in your VPC where the Lambda function was launched. 
+  `aws:branch` - Branches based on whether the Lambda function specified is in a VPC or not. 
+  `aws:executeScript` - Reviews the route table routes for the subnet where the Lambda function was launched, and verifies that routes to a network address translation (NAT) gateway and an internet gateway are present. Confirms the Lambda function is not in a public subnet. 
+  `aws:executeScript` - Verifies the security group associated with the Lambda function allows outbound internet access based on the values specified for the `destinationIp` and `destinationPort` parameters. 
+  `aws:executeScript` - Verifies the ACL rules associated with the subnets of the Lambda function and the NAT gateway allow outbound internet access based on the values specified for the `destinationIp` and `destinationPort` parameters. 

 **Outputs** 

checkVpc.vpc - The ID of the VPC where your Lambda function was launched.

checkVpc.subnet - The IDs of the subnets where your Lambda function was launched.

checkVpc.securityGroups - Security groups associated with the Lambda function.

 checkNACL.NACL - Analysis message with resource names. `LambdaIp` refers to the private IP address of the elastic network interface for your Lambda function. The `LambdaIpRules` object is only generated for subnets that have a route to a NAT gateway. The following content is an example of the output. 

```
{
   "subnet-1234567890":{
      "NACL":"acl-1234567890",
      "destinationIp_Egress":"Allowed",
      "destinationIp_Ingress":"notAllowed",
      "Analysis":"This NACL has an allow rule for Egress traffic but there is no Ingress rule. Please allow the destination IP / destionation port in Ingress rule",
      "LambdaIpRules":{
         "{LambdaIp}":{
            "Egress":"notAllowed",
            "Ingress":"notAllowed",
            "Analysis":"This is a NAT subnet NACL. It does not have ingress or egress rule allowed in it for Lambda's corresponding private ip {LambdaIp} Please allow this IP in your egress and ingress NACL rules"
         }
      }
   },
   "subnet-0987654321":{
      "NACL":"acl-0987654321",
      "destinationIp_Egress":"Allowed",
      "destinationIp_Ingress":"notAllowed",
      "Analysis":"This NACL has an allow rule for Egress traffic but there is no Ingress rule. Please allow the destination IP / destionation port in Ingress rule"
   }
}
```

checkSecurityGroups.secgrps - Analysis for the security group associated with your Lambda function. The following content is an example of the output.

```
{
   "sg-123456789":{
      "Status":"Allowed",
      "Analysis":"This security group has allowed destintion IP and port in its outbuond rule."
   }
}
```

checkSubnet.subnets - Analysis for the subnets in your VPC associated with your Lambda function. The following content is an example of the output.

```
{
   "subnet-0c4ee6cdexample15":{
      "Route":{
         "DestinationCidrBlock":"8.8.8.0/26",
         "NatGatewayId":"nat-00f0example69fdec",
         "Origin":"CreateRoute",
         "State":"active"
      },
      "Analysis":"This Route Table has an active NAT gateway path. Also, The NAT gateway is launched in public subnet",
      "RouteTable":"rtb-0b1fexample16961b"
   }
}
```
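Network ACLs are stateless and evaluated first-match by rule number, which is why the `checkNACL.NACL` output above so often reports egress as allowed while ingress for the reply traffic is not. The following Python is an added example (not the runbook's own script) that reproduces that evaluation over a constructed `DescribeNetworkAcls`-style entry list and emits a finding in the shape of the `checkNACL.NACL` output; the ephemeral-port bounds check and the analysis strings are assumptions.

```python
import ipaddress

# Constructed sample in the shape of the "Entries" list returned by
# ec2:DescribeNetworkAcls (not taken from the page). Egress rule 100 allows
# everything; ingress rule 100 only allows TCP replies from 203.0.113.0/24 on
# ephemeral ports; the 32767 entries are the implicit "*" deny rules.
SAMPLE_ENTRIES = [
    {"RuleNumber": 100, "Egress": True, "Protocol": "-1", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Egress": True, "Protocol": "-1", "RuleAction": "deny",
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Egress": False, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "203.0.113.0/24", "PortRange": {"From": 1024, "To": 65535}},
    {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "RuleAction": "deny",
     "CidrBlock": "0.0.0.0/0"},
]

def nacl_allows(entries, ip, port, egress, protocol="6"):
    """Stateless first-match evaluation: rules are tried in ascending RuleNumber
    order and the first one whose direction, protocol, CIDR and port range match
    decides. No match means deny, like the implicit "*" rule."""
    addr = ipaddress.ip_address(ip)
    for e in sorted(entries, key=lambda e: e["RuleNumber"]):
        if e["Egress"] != egress or "CidrBlock" not in e:
            continue  # other direction, or an IPv6-only entry
        if e["Protocol"] not in ("-1", protocol):
            continue
        if addr not in ipaddress.ip_network(e["CidrBlock"], strict=False):
            continue
        pr = e.get("PortRange")  # absent means all ports
        if pr and not (pr["From"] <= port <= pr["To"]):
            continue
        return e["RuleAction"] == "allow"
    return False

def analyze_nacl(acl_id, entries, destination_ip, destination_port):
    """Return one subnet entry in the shape of the checkNACL.NACL output."""
    egress_ok = nacl_allows(entries, destination_ip, destination_port, True)
    # NACLs are stateless, so the reply from destination_ip arrives on an
    # ephemeral port. Assumption: probing both ends of 1024-65535 is enough.
    ingress_ok = all(nacl_allows(entries, destination_ip, p, False)
                     for p in (1024, 65535))
    if egress_ok and ingress_ok:
        msg = "This NACL allows egress to the destination and ingress for the reply."
    elif egress_ok:
        msg = ("This NACL has an allow rule for Egress traffic but there is no "
               "Ingress rule for the reply traffic on ephemeral ports.")
    else:
        msg = "This NACL does not allow Egress traffic to the destination IP / port."
    return {"NACL": acl_id,
            "destinationIp_Egress": "Allowed" if egress_ok else "notAllowed",
            "destinationIp_Ingress": "Allowed" if ingress_ok else "notAllowed",
            "Analysis": msg}

if __name__ == "__main__":
    print(analyze_nacl("acl-1234567890", SAMPLE_ENTRIES, "203.0.113.10", 443))
    print(analyze_nacl("acl-1234567890", SAMPLE_ENTRIES, "198.51.100.5", 443))
```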

# `AWSSupport-TroubleshootLambdaS3Event`
<a name="automation-aws-troubleshootlambdas3event"></a>

 **Description** 

 The `AWSSupport-TroubleshootLambdaS3Event` runbook provides an automated solution for the procedures outlined in the AWS Knowledge Center articles [Why doesn't my Amazon S3 event notification trigger my Lambda function?](https://aws.amazon.com/premiumsupport/knowledge-center/lambda-configure-s3-event-notification/) and [Why do I get the error "Unable to validate the following destination configurations" when creating an Amazon S3 event notification to trigger my Lambda function?](https://aws.amazon.com/premiumsupport/knowledge-center/lambda-invoke-error-s3-bucket-permission/). This runbook helps you identify why an Amazon Simple Storage Service (Amazon S3) event notification failed to trigger the AWS Lambda function you specified. If the runbook output suggests validating and configuring your Lambda function concurrency, see [Asynchronous invocation](https://docs.aws.amazon.com/lambda/latest/dg/invocation-async.html) and [AWS Lambda Function scaling](https://docs.aws.amazon.com/lambda/latest/dg/scaling.html). 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSSupport-TroubleshootLambdaS3Event) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ LambdaFunctionArn

  Type: String

  Description: (Required) The ARN of the Lambda function that the Amazon S3 event notification triggers.
+ S3BucketName

  Type: String

  Description: (Required) The name of the Amazon S3 bucket whose event notifications trigger the Lambda function.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `lambda:GetPolicy` 
+  `s3:GetBucketNotification` 

 **Document Steps** 
+  `aws:executeScript` - Runs the script to validate configuration settings for the Amazon S3 event notification. Validates the resource-based IAM policy for your Lambda function, and generates an AWS Command Line Interface (AWS CLI) command to add the needed permissions if the required permissions are missing from the policy. Also validates the resource policies of other Lambda functions that are part of event notifications for the same S3 bucket, and generates an AWS CLI command as output if the required permissions are missing. 

 **Outputs** 

lambdaS3Event.output 
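The validation the `aws:executeScript` step performs comes down to one question: does the function's resource-based policy let `s3.amazonaws.com` invoke it for events from this bucket, and if not, what `aws lambda add-permission` call fixes it. The following Python is an added example (not the runbook's own script) that answers that question over a constructed `lambda:GetPolicy` document and a constructed bucket notification configuration; the ARNs, bucket name, statement ID and the condition operators handled are assumptions.

```python
import json
from fnmatch import fnmatchcase
# Constructed sample of a Lambda resource-based policy, i.e. the JSON string
# in the "Policy" field of lambda:GetPolicy (not taken from the page).
FUNCTION_ARN = "arn:aws:lambda:us-east-1:111122223333:function:ProcessUpload"
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "s3-invoke", "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": FUNCTION_ARN,
        "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:s3:::upload-bucket"}},
    }],
})

def _as_list(v):
    return v if isinstance(v, list) else [v]

def s3_can_invoke(policy_json, function_arn, bucket_name):
    """True if an Allow statement lets s3.amazonaws.com invoke function_arn for
    events from bucket_name (no SourceArn condition, or one matching the bucket)."""
    if not policy_json:  # lambda:GetPolicy raises ResourceNotFoundException
        return False     # when no policy exists; the caller passes None
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    for st in _as_list(json.loads(policy_json).get("Statement", [])):
        principal = st.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if st.get("Effect") != "Allow" or not (principal == "*" or "s3.amazonaws.com" in services):
            continue
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        if not any(fnmatchcase("lambda:invokefunction", a) for a in actions):
            continue
        if not any(fnmatchcase(function_arn, r) for r in _as_list(st.get("Resource", []))):
            continue
        # Condition keys are case-insensitive; only SourceArn restrictions matter here.
        src = None
        for op in ("ArnLike", "ArnEquals", "StringLike", "StringEquals"):
            lowered = {k.lower(): v for k, v in st.get("Condition", {}).get(op, {}).items()}
            src = src or lowered.get("aws:sourcearn")
        if src is None or any(fnmatchcase(bucket_arn, s) for s in _as_list(src)):
            return True
    return False

def add_permission_command(function_arn, bucket_name, statement_id="AllowS3Invoke"):
    """The add-permission call that grants the missing permission (the kind of command the runbook prints)."""
    return (f"aws lambda add-permission --function-name {function_arn} "
            f"--statement-id {statement_id} --action lambda:InvokeFunction "
            f"--principal s3.amazonaws.com --source-arn arn:aws:s3:::{bucket_name}")

def check_bucket_notifications(notification_config, policies_by_arn, bucket_name):
    """Walk LambdaFunctionConfigurations from s3:GetBucketNotificationConfiguration; return a fix per blocked function."""
    fixes = []
    for cfg in notification_config.get("LambdaFunctionConfigurations", []):
        arn = cfg["LambdaFunctionArn"]
        if not s3_can_invoke(policies_by_arn.get(arn), arn, bucket_name):
            fixes.append(add_permission_command(arn, bucket_name))
    return fixes
```

Run `check_bucket_notifications` with the `Policy` strings you fetched for each function ARN; functions with no policy at all are passed as `None`.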