

# Amazon RDS
<a name="automation-ref-rds"></a>

 AWS Systems Manager Automation provides predefined runbooks for Amazon Relational Database Service. For more information about runbooks, see [Working with runbooks](https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-documents.html). For information about how to view runbook content, see [View runbook content](automation-runbook-reference.md#view-automation-json). 

**Topics**
+ [`AWS-CreateEncryptedRdsSnapshot`](create-encrypted-rds-snapshot.md)
+ [`AWS-CreateRdsSnapshot`](automation-aws-createrdssnapshot.md)
+ [`AWSConfigRemediation-DeleteRDSCluster`](automation-aws-delete-rds-cluster.md)
+ [`AWSConfigRemediation-DeleteRDSClusterSnapshot`](automation-aws-delete-rds-cluster-snap.md)
+ [`AWSConfigRemediation-DeleteRDSInstance`](automation-aws-delete-rds-instance.md)
+ [`AWSConfigRemediation-DeleteRDSInstanceSnapshot`](automation-aws-delete-rds-snapshot.md)
+ [`AWSConfigRemediation-DisablePublicAccessToRDSInstance`](automation-aws-disable-rds-instance-public-access.md)
+ [`AWSConfigRemediation-EnableCopyTagsToSnapshotOnRDSCluster`](automation-aws-enable-tags-snapshot-rds-cluster.md)
+ [`AWSConfigRemediation-EnableCopyTagsToSnapshotOnRDSDBInstance`](automation-aws-enable-tags-snapshot-rds-instance.md)
+ [`AWSConfigRemediation-EnableEnhancedMonitoringOnRDSInstance`](automation-aws-enable-rds-monitoring.md)
+ [`AWSConfigRemediation-EnableMinorVersionUpgradeOnRDSDBInstance`](automation-aws-enable-rds-minor-version.md)
+ [`AWSConfigRemediation-EnableMultiAZOnRDSInstance`](automation-aws-multi-az-rds.md)
+ [`AWSConfigRemediation-EnablePerformanceInsightsOnRDSInstance`](automation-aws-enable-performance-insights-rds.md)
+ [`AWSConfigRemediation-EnableRDSClusterDeletionProtection`](automation-aws-enable-rds-cluster-deletion-protection.md)
+ [`AWSConfigRemediation-EnableRDSInstanceBackup`](automation-aws-enable-rds-instance-backup.md)
+ [`AWSConfigRemediation-EnableRDSInstanceDeletionProtection`](automation-aws-enable-rds-instance-deletion-protection.md)
+ [`AWSConfigRemediation-ModifyRDSInstancePortNumber`](automation-aws-modify-rds-port.md)
+ [`AWSSupport-ModifyRDSSnapshotPermission`](automation-awssupport-modifyrdssnapshotpermission.md)
+ [`AWSPremiumSupport-PostgreSQLWorkloadReview`](automation-aws-postgresqlworkloadreview.md)
+ [`AWS-RebootRdsInstance`](automation-aws-rebootrdsinstance.md)
+ [`AWSSupport-ShareRDSSnapshot`](automation-aws-sharerdssnapshot.md)
+ [`AWS-StartRdsInstance`](automation-aws-startrdsinstance.md)
+ [`AWS-StartStopAuroraCluster`](start-stop-aurora-cluster.md)
+ [`AWS-StopRdsInstance`](automation-aws-stoprdsinstance.md)
+ [`AWSSupport-TroubleshootConnectivityToRDS`](automation-awssupport-troubleshootconnectivitytords.md)
+ [`AWSSupport-TroubleshootRDSIAMAuthentication`](automation-aws-troubleshoot-rds-iam-authentication.md)
+ [`AWSSupport-ValidateRdsNetworkConfiguration`](automation-aws-validate-rds-network-configuration.md)

# `AWS-CreateEncryptedRdsSnapshot`
<a name="create-encrypted-rds-snapshot"></a>

**Description**

The `AWS-CreateEncryptedRdsSnapshot` runbook creates an encrypted snapshot from an unencrypted Amazon Relational Database Service (Amazon RDS) instance.

[Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWS-CreateEncryptedRdsSnapshot)

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Databases

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ DBInstanceIdentifier

  Type: String

  Description: (Required) The ID of the Amazon RDS instance you want to create a snapshot of.
+ DBSnapshotIdentifier

  Type: String

  Description: (Optional) The name template for the Amazon RDS snapshot. The default name template is *DBInstanceIdentifier-yyyymmddhhmmss*.
+ EncryptedDBSnapshotIdentifier

  Type: String

  Description: (Optional) The name for the encrypted snapshot. The default name is the value you specify for the `DBSnapshotIdentifier` parameter appended with `-encrypted`.
+ InstanceTags

  Type: String

  Description: (Optional) Tags to add to the DB instance. (Example: `Key=tagKey1,Value=tagValue1;Key=tagKey2,Value=tagValue2`)
+ KmsKeyId

  Type: String

  Default: `alias/aws/rds`

  Description: (Optional) The ARN, key ID, or key alias of the customer managed key you want to use to encrypt the snapshot.
+ SnapshotTags

  Type: String

  Description: (Optional) Tags to add to the snapshot. (Example: `Key=tagKey1,Value=tagValue1;Key=tagKey2,Value=tagValue2`)

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+ `rds:AddTagsToResource`
+ `rds:CopyDBSnapshot`
+ `rds:CreateDBSnapshot`
+ `rds:DeleteDBSnapshot`
+ `rds:DescribeDBSnapshots`

**Document Steps**
+ `aws:executeScript` - Creates a snapshot of the DB instance you specify in the `DBInstanceIdentifier` parameter.
+ `aws:executeScript` - Verifies the snapshot created in the previous step exists and is `available`.
+ `aws:executeScript` - Copies the previously created snapshot to an encrypted snapshot.
+ `aws:executeScript` - Verifies the encrypted snapshot created in the previous step exists.

**Outputs**

CopyRdsSnapshotToEncryptedRdsSnapshot.EncryptedSnapshotId - The ID of the encrypted Amazon RDS snapshot.
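The four document steps above, reproduced with boto3 as an added example (this is not the runbook's own code). It also implements the runbook's `Key=...,Value=...;` tag format and the default name templates. `FakeRds` is a constructed offline stand-in for the RDS client; a live run with `boto3.client("rds")` needs the `rds:` permissions listed above.

```python
"""Added example: the AWS-CreateEncryptedRdsSnapshot flow with boto3.

Not the runbook's code. `rds` is any object exposing the boto3 RDS client
methods used below; FakeRds is a constructed in-memory stand-in for offline use.
"""
from datetime import datetime, timezone


def parse_tags(spec):
    """Parse 'Key=k1,Value=v1;Key=k2,Value=v2' into the Tags list the RDS API takes."""
    tags = []
    for entry in (spec or "").split(";"):
        entry = entry.strip()
        if not entry:
            continue
        fields = {}
        for kv in entry.split(","):
            name, sep, value = kv.partition("=")
            if not sep:
                raise ValueError(f"malformed tag field {kv!r} in {entry!r}")
            fields[name.strip()] = value.strip()
        if not fields.get("Key"):
            raise ValueError(f"tag entry without a Key: {entry!r}")
        tags.append({"Key": fields["Key"], "Value": fields.get("Value", "")})
    return tags


def default_snapshot_id(db_instance_id, now=None):
    """Runbook default name template: DBInstanceIdentifier-yyyymmddhhmmss (UTC)."""
    now = now or datetime.now(timezone.utc)
    return f"{db_instance_id}-{now:%Y%m%d%H%M%S}"


def create_encrypted_snapshot(rds, db_instance_id, kms_key_id="alias/aws/rds",
                              snapshot_id=None, encrypted_snapshot_id=None,
                              snapshot_tags=""):
    """Create, verify, copy with a KMS key, verify: returns the encrypted snapshot ID."""
    snapshot_id = snapshot_id or default_snapshot_id(db_instance_id)
    encrypted_id = encrypted_snapshot_id or f"{snapshot_id}-encrypted"
    # Step 1: snapshot the unencrypted instance.
    rds.create_db_snapshot(DBInstanceIdentifier=db_instance_id,
                           DBSnapshotIdentifier=snapshot_id,
                           Tags=parse_tags(snapshot_tags))
    # Step 2: block until that snapshot is 'available'.
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=snapshot_id)
    # Step 3: copying with KmsKeyId set is what produces the encrypted snapshot.
    rds.copy_db_snapshot(SourceDBSnapshotIdentifier=snapshot_id,
                         TargetDBSnapshotIdentifier=encrypted_id,
                         KmsKeyId=kms_key_id, CopyTags=True)
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=encrypted_id)
    # Step 4: verify the copy exists and really is encrypted before relying on it.
    snap = rds.describe_db_snapshots(DBSnapshotIdentifier=encrypted_id)["DBSnapshots"][0]
    if not snap.get("Encrypted"):
        raise RuntimeError(f"{encrypted_id} exists but is not encrypted")
    return encrypted_id


class FakeRds:
    """Constructed stand-in for the boto3 RDS client (offline use only)."""

    def __init__(self):
        self.snapshots = {}

    def create_db_snapshot(self, DBInstanceIdentifier, DBSnapshotIdentifier, Tags=None):
        self.snapshots[DBSnapshotIdentifier] = {
            "DBSnapshotIdentifier": DBSnapshotIdentifier, "Status": "available",
            "Encrypted": False, "Tags": list(Tags or [])}
        return {"DBSnapshot": self.snapshots[DBSnapshotIdentifier]}

    def copy_db_snapshot(self, SourceDBSnapshotIdentifier, TargetDBSnapshotIdentifier,
                         KmsKeyId=None, CopyTags=False):
        src = self.snapshots[SourceDBSnapshotIdentifier]
        self.snapshots[TargetDBSnapshotIdentifier] = {
            "DBSnapshotIdentifier": TargetDBSnapshotIdentifier, "Status": "available",
            "Encrypted": KmsKeyId is not None, "KmsKeyId": KmsKeyId,
            "Tags": list(src["Tags"]) if CopyTags else []}
        return {"DBSnapshot": self.snapshots[TargetDBSnapshotIdentifier]}

    def describe_db_snapshots(self, DBSnapshotIdentifier):
        return {"DBSnapshots": [self.snapshots[DBSnapshotIdentifier]]}

    def get_waiter(self, name):
        return self  # the fake never has to wait

    def wait(self, **kwargs):
        pass


if __name__ == "__main__":
    import boto3  # live run: needs credentials with the runbook's rds: permissions
    print(create_encrypted_snapshot(boto3.client("rds"), "my-db-instance"))
```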

# `AWS-CreateRdsSnapshot`
<a name="automation-aws-createrdssnapshot"></a>

 **Description** 

Create an Amazon Relational Database Service (Amazon RDS) snapshot for an Amazon RDS instance.

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWS-CreateRdsSnapshot) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Databases

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ DBInstanceIdentifier

  Type: String

  Description: (Required) The identifier of the Amazon RDS instance to create the snapshot from.
+ DBSnapshotIdentifier

  Type: String

  Description: (Optional) The identifier for the Amazon RDS snapshot to create.
+ InstanceTags

  Type: String

  Description: (Optional) Tags to add to the DB instance.
+ SnapshotTags

  Type: String

  Description: (Optional) Tags to add to the snapshot.

 **Document Steps** 

createRDSSnapshot – Creates the RDS snapshot and returns the snapshot ID.

verifyRDSSnapshot – Checks that the snapshot created in the previous step exists.

 **Outputs** 

createRDSSnapshot.SnapshotId – The ID of the created snapshot.

# `AWSConfigRemediation-DeleteRDSCluster`
<a name="automation-aws-delete-rds-cluster"></a>

 **Description** 

 The `AWSConfigRemediation-DeleteRDSCluster` runbook deletes the Amazon Relational Database Service (Amazon RDS) cluster you specify. AWS Config must be enabled in the AWS Region where you run this automation. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-DeleteRDSCluster) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Databases

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ DBClusterId

  Type: String

  Description: (Required) The resource identifier for the DB cluster you want to delete.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `config:GetResourceConfigHistory` 
+  `rds:DeleteDBCluster` 
+  `rds:DeleteDBInstance` 
+  `rds:DescribeDBClusters` 

 **Document Steps** 
+  `aws:executeScript` - Deletes the DB cluster you specify in the `DBClusterId` parameter. 

# `AWSConfigRemediation-DeleteRDSClusterSnapshot`
<a name="automation-aws-delete-rds-cluster-snap"></a>

 **Description** 

 The `AWSConfigRemediation-DeleteRDSClusterSnapshot` runbook deletes the given Amazon Relational Database Service (Amazon RDS) cluster snapshot. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-DeleteRDSClusterSnapshot) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ DBClusterSnapshotId

  Type: String

  Description: (Required) The Amazon RDS cluster snapshot identifier to be deleted.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `rds:DeleteDBClusterSnapshot` 
+  `rds:DescribeDBClusterSnapshots` 

 **Document Steps** 
+  `aws:branch` - Checks if the cluster snapshot is in the `available` state. If it is not available, the flow ends. 
+  `aws:executeAwsApi` - Deletes the given Amazon RDS cluster snapshot using the database (DB) cluster snapshot identifier. 
+  `aws:executeScript` - Verifies that the given Amazon RDS cluster snapshot was deleted. 

# `AWSConfigRemediation-DeleteRDSInstance`
<a name="automation-aws-delete-rds-instance"></a>

 **Description** 

The `AWSConfigRemediation-DeleteRDSInstance` runbook deletes the Amazon Relational Database Service (Amazon RDS) instance you specify. When you delete a database (DB) instance, all automated backups for that instance are deleted and can't be recovered. Manual DB snapshots are not deleted. If the DB instance you want to delete is in the `failed`, `incompatible-network`, or `incompatible-restore` state, you must set the `SkipFinalSnapshot` parameter to `true`.

**Note**  
If the DB instance you want to delete is in an Amazon Aurora DB cluster, the runbook will not delete the DB instance if it is a read replica and the only instance in the DB cluster.

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-DeleteRDSInstance) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Databases

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ DbiResourceId

  Type: String

  Description: (Required) The resource identifier for the DB instance you want to delete.
+ SkipFinalSnapshot

  Type: Boolean

  Default: false

  Description: (Optional) If set to `true`, a final snapshot is not created before the DB instance is deleted.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `rds:DeleteDBInstance` 
+  `rds:DescribeDBInstances` 

 **Document Steps** 
+  `aws:executeAwsApi` - Gathers the DB instance name from the value you specify in the `DbiResourceId` parameter. 
+  `aws:branch` - Branches based on the value you specify in the `SkipFinalSnapshot` parameter. 
+  `aws:executeAwsApi` - Deletes the DB instance you specify in the `DbiResourceId` parameter. 
+  `aws:executeAwsApi` - Deletes the DB instance you specify in the `DbiResourceId` parameter after the final snapshot is created. 
+  `aws:assertAwsResourceProperty` - Verifies the DB instance was deleted. 

# `AWSConfigRemediation-DeleteRDSInstanceSnapshot`
<a name="automation-aws-delete-rds-snapshot"></a>

 **Description** 

 The `AWSConfigRemediation-DeleteRDSInstanceSnapshot` runbook deletes the Amazon Relational Database Service (Amazon RDS) instance snapshot you specify. Only snapshots in the `available` state are deleted. This runbook does not support deleting snapshots from Amazon Aurora database instances. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-DeleteRDSInstanceSnapshot) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Databases

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ DbSnapshotId

  Type: String

  Description: (Required) The ID of the snapshot you want to delete.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `rds:DeleteDBSnapshot` 
+  `rds:DescribeDBSnapshots` 

 **Document Steps** 
+  `aws:executeAwsApi` - Gathers the state of the snapshot specified in the `DbSnapshotId` parameter. 
+ `aws:assertAwsResourceProperty` - Confirms the state of the snapshot is `available`.
+  `aws:executeAwsApi` - Deletes the snapshot specified in the `DbSnapshotId` parameter. 
+  `aws:executeScript` - Verifies the snapshot has been deleted. 

# `AWSConfigRemediation-DisablePublicAccessToRDSInstance`
<a name="automation-aws-disable-rds-instance-public-access"></a>

 **Description** 

 The `AWSConfigRemediation-DisablePublicAccessToRDSInstance` runbook disables public accessibility for the Amazon Relational Database Service (Amazon RDS) database (DB) instance that you specify. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-DisablePublicAccessToRDSInstance) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Databases

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ DbiResourceId

  Type: String

  Description: (Required) The resource identifier for the DB instance that you want to disable public accessibility for.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `rds:DescribeDBInstances` 
+  `rds:ModifyDBInstance` 

 **Document Steps** 
+  `aws:executeAwsApi` - Gathers the DB instance identifier from the DB instance resource identifier. 
+ `aws:assertAwsResourceProperty` - Verifies the DB instance is in an `AVAILABLE` state.
+  `aws:executeAwsApi` - Disables public accessibility on your DB instance. 
+  `aws:waitForAwsResourceProperty` - Waits for the DB instance to change to a `MODIFYING` state. 
+  `aws:waitForAwsResourceProperty` - Waits for the DB instance to change to an `AVAILABLE` state. 
+  `aws:assertAwsResourceProperty` - Confirms public accessibility is disabled on the DB instance. 
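Each `AWSConfigRemediation-*` instance runbook on this page fixes one weak setting, and each first asserts the instance is `available`. The added example below (not code from the page or from AWS) audits `describe_db_instances` records and maps every weak setting to the runbook listed here that remediates it, so you can see what a remediation run would change before you start it. It assumes the boto3 field names of that response; `SAMPLE_INSTANCES` is constructed test data.

```python
"""Added example: map weak RDS instance settings to the runbooks on this page.

Not from the page or AWS. Assumes the boto3 describe_db_instances field names;
SAMPLE_INSTANCES is constructed, not real account output.
"""

# (finding, runbook that remediates it, predicate that is True when the setting is weak)
RULES = [
    ("publicly accessible",
     "AWSConfigRemediation-DisablePublicAccessToRDSInstance",
     lambda i: i.get("PubliclyAccessible") is True),
    ("storage not encrypted (take an encrypted snapshot first)",
     "AWS-CreateEncryptedRdsSnapshot",
     lambda i: i.get("StorageEncrypted") is not True),
    ("deletion protection disabled",
     "AWSConfigRemediation-EnableRDSInstanceDeletionProtection",
     lambda i: i.get("DeletionProtection") is not True),
    ("automated backups disabled",
     "AWSConfigRemediation-EnableRDSInstanceBackup",
     lambda i: i.get("BackupRetentionPeriod", 0) == 0),
    ("tags not copied to snapshots",
     "AWSConfigRemediation-EnableCopyTagsToSnapshotOnRDSDBInstance",
     lambda i: i.get("CopyTagsToSnapshot") is not True),
    ("automatic minor version upgrades disabled",
     "AWSConfigRemediation-EnableMinorVersionUpgradeOnRDSDBInstance",
     lambda i: i.get("AutoMinorVersionUpgrade") is not True),
    ("Enhanced Monitoring disabled",
     "AWSConfigRemediation-EnableEnhancedMonitoringOnRDSInstance",
     lambda i: i.get("MonitoringInterval", 0) == 0),
    ("Performance Insights disabled",
     "AWSConfigRemediation-EnablePerformanceInsightsOnRDSInstance",
     lambda i: i.get("PerformanceInsightsEnabled") is not True),
    ("single-AZ deployment",
     "AWSConfigRemediation-EnableMultiAZOnRDSInstance",
     lambda i: i.get("MultiAZ") is not True),
]

# The page states this runbook does not support Aurora instances.
NOT_FOR_AURORA = {"AWSConfigRemediation-EnableRDSInstanceBackup"}


def audit_instance(inst):
    """Return one finding dict per weak setting on a single DBInstance record."""
    findings = []
    is_aurora = inst.get("Engine", "").startswith("aurora")
    for finding, runbook, is_weak in RULES:
        if is_aurora and runbook in NOT_FOR_AURORA:
            continue
        if is_weak(inst):
            findings.append({
                "DbiResourceId": inst["DbiResourceId"],
                "DBInstanceIdentifier": inst["DBInstanceIdentifier"],
                "finding": finding,
                "runbook": runbook,
                # The remediation runbooks assert the instance is available before modifying it.
                "runnable_now": inst.get("DBInstanceStatus") == "available",
            })
    return findings


def audit(instances):
    """Audit a list of DBInstance records and return the flat list of findings."""
    return [f for inst in instances for f in audit_instance(inst)]


# Constructed sample records in the shape of describe_db_instances()["DBInstances"].
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "orders-prod", "DbiResourceId": "db-EXAMPLE1", "Engine": "postgres",
     "DBInstanceStatus": "available", "PubliclyAccessible": False, "StorageEncrypted": True,
     "DeletionProtection": True, "BackupRetentionPeriod": 7, "CopyTagsToSnapshot": True,
     "AutoMinorVersionUpgrade": True, "MonitoringInterval": 60,
     "PerformanceInsightsEnabled": True, "MultiAZ": True},
    {"DBInstanceIdentifier": "legacy-reports", "DbiResourceId": "db-EXAMPLE2", "Engine": "mysql",
     "DBInstanceStatus": "modifying", "PubliclyAccessible": True, "StorageEncrypted": False,
     "DeletionProtection": False, "BackupRetentionPeriod": 0, "CopyTagsToSnapshot": True,
     "AutoMinorVersionUpgrade": True, "MonitoringInterval": 60,
     "PerformanceInsightsEnabled": True, "MultiAZ": True},
    {"DBInstanceIdentifier": "aurora-writer-1", "DbiResourceId": "db-EXAMPLE3",
     "Engine": "aurora-postgresql", "DBInstanceStatus": "available", "PubliclyAccessible": False,
     "StorageEncrypted": True, "DeletionProtection": True, "BackupRetentionPeriod": 0,
     "CopyTagsToSnapshot": True, "AutoMinorVersionUpgrade": True, "MonitoringInterval": 60,
     "PerformanceInsightsEnabled": True, "MultiAZ": True},
]


if __name__ == "__main__":
    import boto3  # live run: needs rds:DescribeDBInstances
    pages = boto3.client("rds").get_paginator("describe_db_instances").paginate()
    for f in audit([i for page in pages for i in page["DBInstances"]]):
        print(f'{f["DBInstanceIdentifier"]:<20} {f["finding"]:<55} -> {f["runbook"]}')
```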

# `AWSConfigRemediation-EnableCopyTagsToSnapshotOnRDSCluster`
<a name="automation-aws-enable-tags-snapshot-rds-cluster"></a>

 **Description** 

 The `AWSConfigRemediation-EnableCopyTagsToSnapshotOnRDSCluster` runbook enables the `CopyTagsToSnapshot` setting on the Amazon Relational Database Service (Amazon RDS) cluster you specify. Enabling this setting copies all tags from the DB cluster to snapshots of the DB cluster. The default is not to copy them. AWS Config must be enabled in the AWS Region where you run this automation. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-EnableCopyTagsToSnapshotOnRDSCluster) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Databases

**Parameters**
+ ApplyImmediately

  Type: Boolean

  Default: false

   Description: (Optional) If you specify `true` for this parameter, the modifications in this request and any pending modifications are asynchronously applied as soon as possible, regardless of the `PreferredMaintenanceWindow` setting for the DB cluster. 
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ DbClusterResourceId

  Type: String

   Description: (Required) The resource identifier for the DB cluster you want to enable the `CopyTagsToSnapshot` setting on. 

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `config:GetResourceConfigHistory` 
+  `rds:DescribeDBClusters` 
+  `rds:ModifyDBCluster` 

 **Document Steps** 
+  `aws:executeAwsApi` - Gathers the DB cluster identifier from the DB cluster resource identifier. 
+  `aws:assertAwsResourceProperty` - Confirms the DB cluster is in an `AVAILABLE` state. 
+  `aws:executeAwsApi` - Enables the `CopyTagsToSnapshot` setting on your DB cluster. 
+  `aws:assertAwsResourceProperty` - Confirms the `CopyTagsToSnapshot` setting is enabled on your DB cluster. 

# `AWSConfigRemediation-EnableCopyTagsToSnapshotOnRDSDBInstance`
<a name="automation-aws-enable-tags-snapshot-rds-instance"></a>

 **Description** 

 The `AWSConfigRemediation-EnableCopyTagsToSnapshotOnRDSDBInstance` runbook enables the `CopyTagsToSnapshot` setting on the Amazon Relational Database Service (Amazon RDS) instance you specify. Enabling this setting copies all tags from the DB instance to snapshots of the DB instance. The default is not to copy them. AWS Config must be enabled in the AWS Region where you run this automation. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-EnableCopyTagsToSnapshotOnRDSDBInstance) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Databases

**Parameters**
+ ApplyImmediately

  Type: Boolean

  Default: false

   Description: (Optional) If you specify `true` for this parameter, the modifications in this request and any pending modifications are asynchronously applied as soon as possible, regardless of the `PreferredMaintenanceWindow` setting for the DB instance. 
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ DbiResourceId

  Type: String

   Description: (Required) The resource identifier for the DB instance you want to enable the `CopyTagsToSnapshot` setting on. 

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `config:GetResourceConfigHistory` 
+  `rds:DescribeDBInstances` 
+  `rds:ModifyDBInstance` 

 **Document Steps** 
+  `aws:executeAwsApi` - Gathers the DB instance identifier from the DB instance resource identifier. 
+  `aws:assertAwsResourceProperty` - Confirms the DB instance is in an `AVAILABLE` state. 
+  `aws:executeAwsApi` - Enables the `CopyTagsToSnapshot` setting on your DB instance. 
+  `aws:assertAwsResourceProperty` - Confirms the `CopyTagsToSnapshot` setting is enabled on your DB instance. 

# `AWSConfigRemediation-EnableEnhancedMonitoringOnRDSInstance`
<a name="automation-aws-enable-rds-monitoring"></a>

 **Description** 

The `AWSConfigRemediation-EnableEnhancedMonitoringOnRDSInstance` runbook enables Enhanced Monitoring on the Amazon RDS database instance you specify. For information on Enhanced Monitoring, see [Enhanced Monitoring](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Monitoring.OS.html) in the *Amazon RDS User Guide*.

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-EnableEnhancedMonitoringOnRDSInstance) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Databases

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ MonitoringInterval

  Type: Integer

  Valid values: 1, 5, 10, 15, 30, 60

  Description: (Required) The interval in seconds when Enhanced Monitoring metrics are collected from the DB instance.
+ MonitoringRoleArn

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the IAM role that allows Amazon RDS to send Enhanced Monitoring metrics to Amazon CloudWatch Logs.
+ ResourceId

  Type: String

  Description: (Required) The resource identifier for the DB instance you want to enable Enhanced Monitoring on.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `rds:DescribeDBInstances` 
+  `rds:ModifyDBInstance` 

 **Document Steps** 
+  `aws:executeAwsApi` - Gathers the DB instance identifier from the DB instance resource identifier. 
+  `aws:assertAwsResourceProperty` - Confirms the DB Instance is in an `AVAILABLE` state. 
+  `aws:executeAwsApi` - Enables Enhanced Monitoring on your DB instance. 
+  `aws:executeScript` - Confirms that Enhanced Monitoring is enabled on your DB instance. 

# `AWSConfigRemediation-EnableMinorVersionUpgradeOnRDSDBInstance`
<a name="automation-aws-enable-rds-minor-version"></a>

 **Description** 

The `AWSConfigRemediation-EnableMinorVersionUpgradeOnRDSDBInstance` runbook enables the `AutoMinorVersionUpgrade` setting on the Amazon RDS database instance you specify. Enabling this setting means that minor version upgrades are applied automatically to the DB instance during the maintenance window.

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-EnableMinorVersionUpgradeOnRDS) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Databases

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ DbiResourceId

  Type: String

  Description: (Required) The resource identifier for the DB instance you want to enable the `AutoMinorVersionUpgrade` setting on.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `rds:DescribeDBInstances` 
+  `rds:ModifyDBInstance` 

 **Document Steps** 
+  `aws:executeAwsApi` - Gathers the DB instance identifier from the DB instance resource identifier. 
+  `aws:assertAwsResourceProperty` - Confirms the DB Instance is in an `AVAILABLE` state. 
+  `aws:executeAwsApi` - Enables the `AutoMinorVersionUpgrade` setting on your DB instance. 
+  `aws:executeScript` - Confirms that the `AutoMinorVersionUpgrade` setting is enabled on your DB instance. 

# `AWSConfigRemediation-EnableMultiAZOnRDSInstance`
<a name="automation-aws-multi-az-rds"></a>

 **Description** 

The `AWSConfigRemediation-EnableMultiAZOnRDSInstance` runbook changes your Amazon Relational Database Service (Amazon RDS) database (DB) instance to a Multi-AZ deployment. Changing this setting doesn't result in an outage. The change is applied during the next maintenance window unless you set the `ApplyImmediately` parameter to `true`.

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-EnableMultiAZOnRDSInstance) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ ApplyImmediately

  Type: Boolean

  Default: false

   Description: (Optional) If you specify `true` for this parameter, the modifications in this request and any pending modifications are asynchronously applied as soon as possible, regardless of the `PreferredMaintenanceWindow` setting for the DB instance. 
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ DbiResourceId

  Type: String

  Description: (Required) The AWS Region-unique, immutable identifier for the DB instance you want to enable the `MultiAZ` setting on.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `rds:DescribeDBInstances` 
+  `rds:ModifyDBInstance` 
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 

 **Document Steps** 
+ `aws:executeAwsApi` - Retrieves the DB instance name using the value provided in the `DbiResourceId` parameter.
+ `aws:executeAwsApi` - Verifies the `DBInstanceStatus` is `available`.
+  `aws:branch` - Checks whether the `MultiAZ` is already set to `true` on the DB instance you specify in the `DbiResourceId` parameter. 
+  `aws:executeAwsApi` - Changes the `MultiAZ` setting to `true` on the DB instance you specify in the `DbiResourceId` parameter. 
+  `aws:assertAwsResourceProperty` - Verifies the `MultiAZ` is set to `true` on the DB instance you specify in the `DbiResourceId` parameter. 

# `AWSConfigRemediation-EnablePerformanceInsightsOnRDSInstance`
<a name="automation-aws-enable-performance-insights-rds"></a>

 **Description** 

 The `AWSConfigRemediation-EnablePerformanceInsightsOnRDSInstance` runbook enables Performance Insights on the Amazon RDS DB instance you specify. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-EnablePerformanceInsightsOnRDSInstance) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Databases

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ DbiResourceId

  Type: String

  Description: (Required) The resource identifier for the DB instance you want to enable Performance Insights on.
+ PerformanceInsightsKMSKeyId

  Type: String

   Default: `alias/aws/rds` 

  Description: (Optional) The Amazon Resource Name (ARN), key ID, or the key alias of the AWS Key Management Service (AWS KMS) customer managed key you want Performance Insights to use to encrypt all potentially sensitive data. If you enter the key alias for this parameter, prefix the value with **alias/**. If you do not specify a value for this parameter, the AWS managed key is used.
+ PerformanceInsightsRetentionPeriod

  Type: Integer

  Valid values: 7, 731

  Default: 7

  Description: (Optional) The number of days you want to retain Performance Insights data.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `kms:CreateGrant` 
+  `kms:DescribeKey` 
+  `rds:DescribeDBInstances` 
+  `rds:ModifyDBInstance` 

 **Document Steps** 
+  `aws:executeAwsApi` - Gathers the DB instance identifier from the DB instance resource identifier. 
+ `aws:assertAwsResourceProperty` - Confirms the DB instance status is `available`.
+  `aws:executeAwsApi` - Gathers the ARN of the AWS KMS customer managed key specified in the `PerformanceInsightsKMSKeyId` parameter. 
+  `aws:branch` - Checks whether a value is already assigned to the `PerformanceInsightsKMSKeyId` property of the DB instance. 
+  `aws:executeAwsApi` - Enables Performance Insights on the DB instance you specify in the `DbiResourceId` parameter. 
+  `aws:assertAwsResourceProperty` - Confirms the value specified for the `PerformanceInsightsKMSKeyId` parameter was used to enable encryption for Performance Insights on the DB instance. 
+  `aws:assertAwsResourceProperty` - Confirms Performance Insights is enabled on the DB instance. 

# `AWSConfigRemediation-EnableRDSClusterDeletionProtection`
<a name="automation-aws-enable-rds-cluster-deletion-protection"></a>

 **Description** 

 The `AWSConfigRemediation-EnableRDSClusterDeletionProtection` runbook enables deletion protection on the Amazon Relational Database Service (Amazon RDS) cluster you specify. AWS Config must be enabled in the AWS Region where you run this automation. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-EnableRDSClusterDeletionProtection) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Databases

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ ClusterId

  Type: String

  Description: (Required) The resource identifier for the DB cluster you want to enable deletion protection on.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `config:GetResourceConfigHistory` 
+  `rds:DescribeDBClusters` 
+  `rds:ModifyDBCluster` 

 **Document Steps** 
+  `aws:executeAwsApi` - Gathers the DB cluster name from the DB cluster resource identifier. 
+ `aws:assertAwsResourceProperty` - Verifies the DB cluster status is `available`.
+  `aws:executeAwsApi` - Enables deletion protection on the DB cluster you specify in the `ClusterId` parameter. 
+  `aws:assertAwsResourceProperty` - Verifies deletion protection has been enabled on the DB cluster. 

# `AWSConfigRemediation-EnableRDSInstanceBackup`
<a name="automation-aws-enable-rds-instance-backup"></a>

 **Description** 

 The `AWSConfigRemediation-EnableRDSInstanceBackup` runbook enables backups for the Amazon Relational Database Service (Amazon RDS) database instance you specify. This runbook does not support enabling backups for Amazon Aurora database instances. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-EnableRDSInstanceBackup) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Databases

**Parameters**
+ ApplyImmediately

  Type: Boolean

  Default: false

   Description: (Optional) If you specify `true` for this parameter, the modifications in this request and any pending modifications are asynchronously applied as soon as possible, regardless of the `PreferredMaintenanceWindow` setting for the DB instance. 
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ BackupRetentionPeriod

  Type: Integer

  Valid values: 1-35

  Description: (Required) The number of days that backups are retained.
+ DbiResourceId

  Type: String

  Description: (Required) The resource identifier for the DB instance you want to enable backups for.
+ PreferredBackupWindow

  Type: String

  Description: (Optional) The daily time range (in UTC) during which backups are created.

  Constraints:
  +  Must be in the format `hh24:mi-hh24:mi` 
  + Must be in Coordinated Universal Time (UTC)
  + Must not conflict with the preferred maintenance window
  + Must be at least 30 minutes
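The window constraints above are easy to get wrong when the backup window wraps midnight or the instance already has a weekly `PreferredMaintenanceWindow`. The following Python is an added pre-flight check, not part of the runbook, that validates `BackupRetentionPeriod` and `PreferredBackupWindow` against these constraints and reports a clash with a maintenance window before you start the automation. It assumes the maintenance window in the `ddd:hh24:mi-ddd:hh24:mi` format that `rds:DescribeDBInstances` returns; the function names and the sample windows in `__main__` are constructed for this example.

```python
"""Pre-flight validation for EnableRDSInstanceBackup inputs (added example, not runbook code)."""
import re
from typing import List, Optional, Tuple

Span = Tuple[int, int]  # half-open [start, end) in minutes

DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]
MINUTES_PER_DAY = 24 * 60
MINUTES_PER_WEEK = 7 * MINUTES_PER_DAY
MIN_WINDOW_MINUTES = 30          # RDS minimum length for a backup window
RETENTION_RANGE = (1, 35)        # BackupRetentionPeriod valid values

_HHMM = r"([01]\d|2[0-3]):([0-5]\d)"
_DAY = r"(mon|tue|wed|thu|fri|sat|sun)"
BACKUP_RE = re.compile(rf"^{_HHMM}-{_HHMM}$")
MAINT_RE = re.compile(rf"^{_DAY}:{_HHMM}-{_DAY}:{_HHMM}$", re.IGNORECASE)


def _spans(start: int, end: int, period: int) -> List[Span]:
    """Return [start, end) inside a period, split in two if the window wraps past the period end."""
    if start == end:
        raise ValueError("window start and end are equal")
    if end > start:
        return [(start, end)]
    return [(start, period), (0, end)]


def parse_backup_window(window: str) -> List[Span]:
    """'hh24:mi-hh24:mi' (UTC) -> minutes-of-day spans."""
    m = BACKUP_RE.match(window)
    if not m:
        raise ValueError(f"backup window {window!r} is not in hh24:mi-hh24:mi format")
    h1, m1, h2, m2 = (int(g) for g in m.groups())
    return _spans(h1 * 60 + m1, h2 * 60 + m2, MINUTES_PER_DAY)


def parse_maintenance_window(window: str) -> List[Span]:
    """'ddd:hh24:mi-ddd:hh24:mi' (UTC) -> minutes-of-week spans."""
    m = MAINT_RE.match(window)
    if not m:
        raise ValueError(f"maintenance window {window!r} is not in ddd:hh24:mi-ddd:hh24:mi format")
    d1, h1, m1, d2, h2, m2 = m.groups()
    start = DAYS.index(d1.lower()) * MINUTES_PER_DAY + int(h1) * 60 + int(m1)
    end = DAYS.index(d2.lower()) * MINUTES_PER_DAY + int(h2) * 60 + int(m2)
    return _spans(start, end, MINUTES_PER_WEEK)


def window_length(spans: List[Span]) -> int:
    return sum(end - start for start, end in spans)


def backup_window_conflicts(backup_window: str, maintenance_window: str) -> bool:
    """True if the daily backup window overlaps the weekly maintenance window on any day."""
    daily = parse_backup_window(backup_window)
    weekly = parse_maintenance_window(maintenance_window)
    for day in range(7):
        for start, end in daily:
            b_start, b_end = start + day * MINUTES_PER_DAY, end + day * MINUTES_PER_DAY
            for m_start, m_end in weekly:
                if b_start < m_end and m_start < b_end:   # half-open interval overlap
                    return True
    return False


def validate_backup_params(
    retention_days: int,
    backup_window: Optional[str] = None,
    maintenance_window: Optional[str] = None,
) -> List[str]:
    """Return a list of problems; an empty list means the parameters are safe to submit."""
    problems: List[str] = []
    lo, hi = RETENTION_RANGE
    if not lo <= retention_days <= hi:
        problems.append(f"BackupRetentionPeriod {retention_days} is outside {lo}-{hi}")
    if backup_window is None:
        return problems                      # RDS assigns a window when none is given
    try:
        spans = parse_backup_window(backup_window)
    except ValueError as exc:
        problems.append(str(exc))
        return problems
    if window_length(spans) < MIN_WINDOW_MINUTES:
        problems.append(f"PreferredBackupWindow {backup_window} is shorter than {MIN_WINDOW_MINUTES} minutes")
    if maintenance_window and backup_window_conflicts(backup_window, maintenance_window):
        problems.append(f"PreferredBackupWindow {backup_window} overlaps PreferredMaintenanceWindow {maintenance_window}")
    return problems


if __name__ == "__main__":
    # Constructed values: a backup window that wraps midnight and a Sunday maintenance window.
    for issue in validate_backup_params(7, "23:45-00:15", "sun:23:30-mon:00:00"):
        print("reject:", issue)
```

Run the check with the instance's current `PreferredMaintenanceWindow` (from `describe-db-instances`) before calling `StartAutomationExecution`; the runbook itself only reports the `ModifyDBInstance` error after it has already started.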

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `rds:DescribeDBInstances` 
+  `rds:ModifyDBInstance` 

 **Document Steps** 
+  `aws:executeScript` - Gathers the DB instance identifier from the DB instance resource identifier. Enables backups for your DB instance. Confirms backups are enabled on the DB instance. 

# `AWSConfigRemediation-EnableRDSInstanceDeletionProtection`
<a name="automation-aws-enable-rds-instance-deletion-protection"></a>

 **Description** 

 The `AWSConfigRemediation-EnableRDSInstanceDeletionProtection` runbook enables deletion protection on the Amazon RDS database instance you specify. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-EnableRDSInstanceDeletionProtection) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Databases

**Parameters**
+ ApplyImmediately

  Type: Boolean

  Default: false

   Description: (Optional) If you specify `true` for this parameter, the modifications in this request and any pending modifications are asynchronously applied as soon as possible, regardless of the `PreferredMaintenanceWindow` setting for the DB instance. 
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ DbInstanceResourceId

  Type: String

  Description: (Required) The resource identifier for the DB instance you want to enable deletion protection on.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `rds:DescribeDBInstances` 
+  `rds:ModifyDBInstance` 

 **Document Steps** 
+  `aws:executeAwsApi` - Gathers the DB instance identifier from the DB instance resource identifier. 
+  `aws:executeAwsApi` - Enables deletion protection on your DB instance. 
+  `aws:assertAwsResourceProperty` - Confirms deletion protection is enabled on the DB instance. 

# `AWSConfigRemediation-ModifyRDSInstancePortNumber`
<a name="automation-aws-modify-rds-port"></a>

 **Description** 

 The `AWSConfigRemediation-ModifyRDSInstancePortNumber` runbook modifies the port number on which the Amazon Relational Database Service (Amazon RDS) instance accepts connections. Running this automation restarts the database. The runbook only changes the port on the DB instance; security group ingress rules and client connection strings that reference the old port must be updated separately. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-ModifyRDSInstancePortNumber) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Databases

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ PortNumber

  Type: String

  Description: (Optional) The port number you want the DB instance to accept connections on.
+ RDSDBInstanceResourceId

  Type: String

  Description: (Required) The resource identifier for the DB instance whose inbound port number you want to modify.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `rds:DescribeDBInstances` 
+  `rds:ModifyDBInstance` 

 **Document Steps** 
+  `aws:executeAwsApi` - Gathers the DB instance identifier from the DB instance resource identifier. 
+  `aws:assertAwsResourceProperty` - Confirms the DB instance is in the `available` state. 
+  `aws:executeAwsApi` - Modifies the port on which your DB instance accepts connections. 
+  `aws:waitForAwsResourceProperty` - Waits for the DB instance to enter the `modifying` state. 
+  `aws:waitForAwsResourceProperty` - Waits for the DB instance to return to the `available` state. 

# `AWSSupport-ModifyRDSSnapshotPermission`
<a name="automation-awssupport-modifyrdssnapshotpermission"></a>

 **Description** 

 The `AWSSupport-ModifyRDSSnapshotPermission` runbook helps you modify permissions for multiple Amazon Relational Database Service (Amazon RDS) snapshots. Using this runbook, you can make snapshots `Public` or `Private` and share them with specific AWS accounts. A `Public` snapshot can be copied or restored by any AWS account, so use that setting only for data you intend to publish. Encrypted snapshots can't be made public, and snapshots encrypted with the default AWS managed KMS key can't be shared with other accounts using this runbook; see `AWSSupport-ShareRDSSnapshot` for the copy-and-share procedure. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSSupport-ModifyRDSSnapshotPermission) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ AccountIds

  Type: StringList

  Default: none

   Description: (Optional) The IDs of the accounts you want to share snapshots with. This parameter is required if you enter `No` for the value of the `Private` parameter. 
+ AccountPermissionOperation

  Type: String

  Valid values: add | remove

  Default: none

  Description: (Optional) The type of operation to perform.
+ Private

  Type: String

  Valid values: Yes | No

   Description: (Required) Enter `No` for the value if you want to share snapshots with specific accounts. 
+ SnapshotIdentifiers

  Type: StringList

  Description: (Required) The names of the Amazon RDS snapshots whose permission you want to modify.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `rds:DescribeDBSnapshots` 
+  `rds:ModifyDBSnapshotAttribute` 

 **Document Steps** 

1.  `aws:executeScript` - Verifies the IDs of the snapshots provided in the `SnapshotIdentifiers` parameter. After verifying the IDs, the script checks for encrypted snapshots and outputs a list if any are found. 

1.  `aws:branch` - Branches the automation based on the value you enter for the `Private` parameter. 

1.  `aws:executeScript` - Modifies permissions of the specified snapshots to share them with the specified accounts. 

1.  `aws:executeScript` - Modifies permissions of the snapshots to change them from `Public` to `Private` . 
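The runbook's scripts are not shown on this page, so the following Python is an added example of the `rds:ModifyDBSnapshotAttribute` change that sharing and un-sharing come down to: the snapshot attribute named `restore` holds the account IDs allowed to copy or restore the snapshot, and the value `all` makes it public. The example mirrors the runbook's `Private`, `AccountIds` and `AccountPermissionOperation` parameters, adds the two guards the description implies (no public encrypted snapshots, no sharing of snapshots encrypted with the AWS managed key), and classifies the current sharing state from a `DescribeDBSnapshotAttributes` response. The `kms_key_manager` input, meaning the `KeyManager` field that `kms:DescribeKey` reports for the snapshot's key, is this example's way of detecting the AWS managed key; the function names and the sample API responses are constructed.

```python
"""Plan and sanity-check rds:ModifyDBSnapshotAttribute calls for snapshot sharing (added example)."""
import re
from typing import Dict, List, Optional, Tuple

RESTORE_ATTRIBUTE = "restore"   # snapshot attribute that carries share permissions
PUBLIC_VALUE = "all"            # 'all' in the restore attribute makes the snapshot public
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def current_sharing(describe_attributes_response: Dict) -> Tuple[str, List[str]]:
    """Classify a DescribeDBSnapshotAttributes response as public, shared or private."""
    attrs = describe_attributes_response["DBSnapshotAttributesResult"]["DBSnapshotAttributes"]
    values: List[str] = []
    for attr in attrs:
        if attr["AttributeName"] == RESTORE_ATTRIBUTE:
            values = list(attr.get("AttributeValues", []))
    if PUBLIC_VALUE in values:
        return "public", [v for v in values if v != PUBLIC_VALUE]
    return ("shared" if values else "private"), values


def plan_permission_change(
    snapshot: Dict,                          # one DBSnapshots element from rds:DescribeDBSnapshots
    private: str,                            # "Yes" or "No", like the runbook's Private parameter
    account_ids: Optional[List[str]] = None,
    operation: Optional[str] = None,         # "add" or "remove"
    kms_key_manager: Optional[str] = None,   # KeyManager from kms:DescribeKey on snapshot["KmsKeyId"]
) -> Dict:
    """Return kwargs for rds.modify_db_snapshot_attribute, or raise if the change is unsafe."""
    snapshot_id = snapshot["DBSnapshotIdentifier"]
    if private == "Yes":
        # Making a snapshot private means withdrawing the public grant.
        return {"DBSnapshotIdentifier": snapshot_id, "AttributeName": RESTORE_ATTRIBUTE,
                "ValuesToRemove": [PUBLIC_VALUE]}
    if private != "No":
        raise ValueError("private must be 'Yes' or 'No'")
    if operation not in ("add", "remove"):
        raise ValueError("operation must be 'add' or 'remove' when private is 'No'")
    if not account_ids:
        raise ValueError("account_ids is required when private is 'No'")
    bad = [a for a in account_ids if a != PUBLIC_VALUE and not ACCOUNT_ID_RE.match(a)]
    if bad:
        raise ValueError(f"not 12-digit account IDs: {bad}")
    if snapshot.get("Encrypted") and operation == "add":
        if PUBLIC_VALUE in account_ids:
            raise ValueError("encrypted snapshots cannot be made public")
        if kms_key_manager == "AWS":
            raise ValueError("snapshot is encrypted with the AWS managed key; copy it with a "
                             "customer managed key first (see AWSSupport-ShareRDSSnapshot)")
    key = "ValuesToAdd" if operation == "add" else "ValuesToRemove"
    return {"DBSnapshotIdentifier": snapshot_id, "AttributeName": RESTORE_ATTRIBUTE, key: list(account_ids)}


if __name__ == "__main__":
    # Constructed API shapes; in practice they come from boto3 rds.describe_db_snapshots() and
    # rds.describe_db_snapshot_attributes(), and the plan feeds rds.modify_db_snapshot_attribute(**plan).
    snap = {"DBSnapshotIdentifier": "prod-2024-01-01", "Encrypted": True}
    print(plan_permission_change(snap, "No", ["111122223333"], "add", kms_key_manager="CUSTOMER"))
```

Because `ValuesToAdd=["all"]` is a single API call away from publishing a database, keep the guard for encrypted snapshots and treat any `public` result from `current_sharing` on a production snapshot as a finding to act on.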

   

 **Outputs** 

ValidateSnapshots.EncryptedSnapshots

SharewithOtherAccounts.Result

MakePrivate.Result

MakePrivate.Commands

# `AWSPremiumSupport-PostgreSQLWorkloadReview`
<a name="automation-aws-postgresqlworkloadreview"></a>

 **Description** 

 The `AWSPremiumSupport-PostgreSQLWorkloadReview` runbook captures multiple snapshots of your Amazon Relational Database Service (Amazon RDS) PostgreSQL database usage statistics. The statistics captured are required for a Support [Proactive Services](https://aws.amazon.com/premiumsupport/technology-and-programs/proactive-services/) expert to perform an operational review. The statistics are collected using a set of custom SQL and shell scripts. These scripts are downloaded to a temporary Amazon Elastic Compute Cloud (Amazon EC2) instance in your AWS account that is created by this runbook. The runbook requires you to provide credentials using an AWS Secrets Manager secret containing a username and password key-value pair. The username must have permissions to query the standard PostgreSQL statistics views and functions. 

 This runbook automatically creates the following AWS resources in your AWS account using an AWS CloudFormation stack. You can monitor the stack creation using the CloudFormation console. 
+ A virtual private cloud (VPC) and an Amazon EC2 instance launched in a private subnet of the VPC with optional connectivity to the internet using a NAT gateway.
+ An AWS Identity and Access Management (IAM) role that is attached to the temporary Amazon EC2 instance with permissions to retrieve the Secrets Manager secret value. The role also provides permissions to upload files to an Amazon Simple Storage Service (Amazon S3) bucket of your choice, and optionally to a Support case.
+ A VPC peering connection to allow connectivity between your DB instance and the temporary Amazon EC2 instance.
+ Systems Manager, Secrets Manager, and Amazon S3 VPC endpoints that are attached to the temporary VPC.
+ A maintenance window with registered tasks that periodically start and stop the temporary Amazon EC2 instance, run data collection scripts, and upload files to an Amazon S3 bucket. An IAM role is also created for the maintenance window that provides permissions to perform the registered tasks.

 When the runbook completes, the CloudFormation stack that created the temporary AWS resources is deleted, and the report is uploaded to the Amazon S3 bucket of your choice and, optionally, to a Support case.

**Note**  
By default, the root Amazon EBS volume of the temporary Amazon EC2 instance is preserved. You can override this option by setting the `EbsVolumeDeleteOnTermination` parameter to `true`.

 **Prerequisites** 
+  **Enterprise Support subscription** This runbook and the Proactive Services Workload Diagnostics and Reviews require an Enterprise Support Subscription. Before using this runbook, contact your Technical Account Manager (TAM) or Specialist TAM (STAM) for instructions. For more information, see [Support Proactive Services](https://aws.amazon.com/premiumsupport/technology-and-programs/proactive-services/).
+  **Account and AWS Region quotas** Be sure you have not reached the maximum number of Amazon EC2 instances or VPCs that you can create in your account and Region where you use this runbook. If you need to request a limit increase, see the [Service limit increase form](https://console.aws.amazon.com/support/home#/case/create?issueType=service-limit-increase/).
+  **Database configuration** 

  1. The database you specify in the `DatabaseName` parameter should have the `pg_stat_statements` extension configured. If you have not configured `pg_stat_statements` in `shared_preload_libraries`, then you must edit the value in the DB Parameter Group and apply the changes. Changes to the `shared_preload_libraries` parameter require you to reboot your DB instance. For more information, see [Working with parameter groups](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithParamGroups.html). Adding `pg_stat_statements` to `shared_preload_libraries` adds some performance overhead, but it is useful for tracking the performance of individual statements. For more information about the `pg_stat_statements` extension, see the [PostgreSQL documentation](https://www.postgresql.org/docs/10/pgstatstatements.html). If you don't configure the `pg_stat_statements` extension, or if the extension is not present in the database being used for statistics collection, the statement-level analysis will not be presented in the operational review.

  1. Make sure that `track_counts` and `track_activities` parameters are not turned off. If these parameters are turned off in the DB Parameter Group, no meaningful statistics will be available. Changing these parameters will require you to reboot your DB instance. For more information, see [Working with parameters on your Amazon RDS for PostgreSQL DB instance](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Appendix.PostgreSQL.CommonDBATasks.Parameters.html).

  1. If the `track_io_timing` parameter is turned off, the I/O level statistics will not be included in the operational review. Changing `track_io_timing` will require you to reboot your DB instance and will incur additional performance overhead depending on the DB instance workload. Despite the performance overhead for critical workloads, this parameter provides useful information related to I/O time per query.

 **Billing and charges** Your AWS account will be charged for the costs associated with the temporary Amazon EC2 instance, associated Amazon EBS volume, the NAT gateway, and the data transferred while this automation is running. By default, this runbook creates a `t3.micro` Amazon Linux 2 instance to collect the statistics. The runbook starts and stops the instance between steps to reduce costs.

 **Data security and governance** This runbook collects statistics by querying the [PostgreSQL statistics views and functions](https://www.postgresql.org/docs/current/monitoring-stats.html). Make sure the credentials provided in the `SecretId` parameter only allow read-only permissions to the statistics views and functions. As part of the automation, the collection scripts are uploaded to your Amazon S3 bucket and can be located in `s3://amzn-s3-demo-bucket/automation execution id/queries/`.

These scripts collect data that is used by an AWS Specialist to review key performance indicators at object level. The script collects information such as table name, schema name, and index name. If any of this information contains sensitive information like revenue indicators, username, email address, or any other personally identifiable information, then we recommend that you discontinue with this workload review. Contact your AWS TAM to discuss an alternative approach for the workload review.

Make sure you have the necessary approval and clearance to share the statistics and metadata collected by this automation with AWS.

 **Security considerations** If you set the `UpdateRdsSecurityGroup` parameter to `true`, the runbook updates the security group associated with your DB instance to allow inbound traffic from the temporary Amazon EC2 instance's private IP address.

If you set the `UpdateRdsRouteTable` parameter to `true`, the runbook updates the route table associated with the subnet your DB instance is running in to allow traffic to the temporary Amazon EC2 instance through the VPC peering connection. Both changes widen the DB instance's network exposure for the life of the stack; if you leave them at `false`, you must make the equivalent changes yourself before the collector can connect.

 **User creation** To allow the collection script to connect to your Amazon RDS database, you must set up a user with permissions to read the statistic views. Then you must store the credentials in Secrets Manager. We recommend creating a new dedicated user for this automation. Creating a separate user allows you to audit and track activities performed by this automation. 

1. Create a new user.

   `psql -h <database_connection_endpoint> -p <database_port> -U <admin_user> -c "CREATE USER <user_name> PASSWORD '<password>';"`

1. Ensure that this user's sessions default to read-only transactions. This is a guardrail rather than an access control: `default_transaction_read_only` is a session setting that the user can override (for example, with `SET default_transaction_read_only = off`), so the user must also not be granted any write privileges. The `pg_monitor` grant below confers none.

   `psql -h <database_connection_endpoint> -p <database_port> -U <admin_user> -c "ALTER USER <user_name> SET default_transaction_read_only=true;"`

1. Set user level limits.

   `psql -h <database_connection_endpoint> -p <database_port> -U <admin_user> -c "ALTER USER <user_name> SET work_mem=4096;"`

   `psql -h <database_connection_endpoint> -p <database_port> -U <admin_user> -c "ALTER USER <user_name> SET statement_timeout=10000;"`

   `psql -h <database_connection_endpoint> -p <database_port> -U <admin_user> -c "ALTER USER <user_name> SET idle_in_transaction_session_timeout=60000;"`

1. Grant `pg_monitor` permissions to the new user so it can access the DB statistics. (The `pg_monitor` role is a member of `pg_read_all_settings`, `pg_read_all_stats`, and `pg_stat_scan_tables`.)

   `psql -h <database_connection_endpoint> -p <database_port> -U <admin_user> -c "GRANT pg_monitor to <user_name>;"`

 **Permissions added to the temporary Amazon EC2 instance profile by this Systems Manager Automation** The following permissions are added to the IAM role associated with the temporary Amazon EC2 instance. The `AmazonSSMManagedInstanceCore` managed policy is also associated with the IAM role to allow the Amazon EC2 instance to be managed by Systems Manager.

------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:DescribeTags"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket",
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/automation-execution-id/*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:secret-id",
            "Effect": "Allow"
        },
        {
            "Action": [
                "support:AddAttachmentsToSet",
                "support:AddCommunicationToCase",
                "support:DescribeCases"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
```

------

 **Permissions added to the temporary maintenance window by this Systems Manager Automation** The following permissions are automatically added to the IAM role associated with the maintenance window tasks. The maintenance window tasks start, stop, and send commands to the temporary Amazon EC2 instance.

------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ssm:GetAutomationExecution",
                "ssm:ListCommands",
                "ssm:ListCommandInvocations",
                "ssm:GetCommandInvocation",
                "ssm:GetCalendarState",
                "ssm:CancelCommand",
                "ec2:DescribeInstanceStatus"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ssm:SendCommand",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ssm:StartAutomationExecution"
            ],
            "Resource": [
                "arn:aws:ec2:us-east-1:111122223333:instance/temporary-instance-id",
                "arn:aws:ssm:*:*:document/AWS-RunShellScript",
                "arn:aws:ssm:*:*:document/AWS-StopEC2Instance",
                "arn:aws:ssm:*:*:document/AWS-StartEC2Instance",
                "arn:aws:ssm:*:111122223333:automation-execution/*"
            ],
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "ssm.amazonaws.com"
                },
                "ArnLike": {
                    "iam:AssociatedResourceARN": "arn:aws:ssm:*:*:document/AWS-*"
                }
            },
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::111122223333:role/SSM-*",
            "Effect": "Allow"
        }
    ]
}
```

------

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSPremiumSupport-PostgreSQLWorkloadReview) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Databases

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ DBInstanceIdentifier

  Type: String

  Description: (Required) The ID of your DB instance.
+ DatabaseName

  Type: String

  Description: (Required) The database name hosted on your DB instance.
+ SecretId

  Type: String

  Description: (Required) The ARN of your Secrets Manager secret containing the username and password key value pair. The CloudFormation stack creates an IAM policy with permissions for the `GetSecretValue` operation to this ARN. The credentials are used to allow the temporary instance to collect the database statistics. Contact your TAM or STAM to discuss the minimum required permissions.
+ Acknowledge

  Type: String

  Description: (Required) Enter **yes** if you acknowledge that this runbook will create temporary resources in your account to collect statistics from your DB instance. We recommend contacting your TAM or STAM before running this automation.
+ SupportCase

  Type: String

  Description: (Optional) The Support case number provided by your TAM or STAM. If provided, the runbook updates the case and attaches the data collected. This option requires the temporary Amazon EC2 instance to have internet connectivity to access the Support API endpoint. You must set the `AllowVpcInternetAccess` parameter to `true`. The case subject must contain the phrase `AWSPremiumSupport-PostgreSQLWorkloadReview`.
+ S3BucketName

  Type: String

  Description: (Required) The Amazon S3 bucket name in your account where you want to upload the data collected by the automation. Verify the bucket policy does not grant any unnecessary read or write permissions to principals that do not need access to the contents of the bucket. We recommend creating a new temporary Amazon S3 bucket for the purpose of this automation. The runbook provides permissions to the `s3:PutObject` API operation to the IAM role attached to the temporary Amazon EC2 instance. The uploaded files will be located in `s3://bucket name/automation execution id/`.
+ InstanceType

  Type: String

  Description: (Optional) The type of the temporary Amazon EC2 instance that will run the custom SQL and shell scripts.

  Valid values: t2.micro | t2.small | t2.medium | t2.large | t3.micro | t3.small | t3.medium | t3.large

  Default: t3.micro
+ VpcCidr

  Type: String

  Description: (Optional) The IP address range in CIDR notation for the new VPC (for example, `172.31.0.0/16`). Make sure you select a CIDR that does not overlap or match any existing VPC with connectivity to your DB instance. The smallest VPC you can create uses a /28 subnet mask, and the largest VPC uses a /16 subnet mask.

  Default: 172.31.0.0/16
+ StackResourcesNamePrefix

  Type: String

  Description: (Optional) The CloudFormation stack resources name prefix and tag. The runbook creates the CloudFormation stack resources using this prefix as part of the name and tag applied to the resources. The structure for the tag key-value pair is `StackResourcesNamePrefix:{{automation:EXECUTION_ID}}`.

  Default: AWSPostgreSQLWorkloadReview
+ Schedule

  Type: String

  Description: (Optional) The maintenance window schedule. Specifies how often the maintenance window runs the tasks. The default value is every `1 hour`.

  Valid values: 15 minutes | 30 minutes | 1 hour | 2 hours | 4 hours | 6 hours | 12 hours | 1 day | 2 days | 4 days

  Default: 1 hour
+ Duration

  Type: Integer

  Description: (Optional) The maximum duration, in minutes, you want to allow the automation to run. The maximum duration supported is 8,640 minutes (6 days). The default value is 4,320 minutes (3 days).

  Valid values: 30-8640

  Default: 4320
+ UpdateRdsRouteTable

  Type: String

  Description: (Optional) If set to `true`, the runbook updates the route table associated with the subnet your DB instance runs in. An IPv4 route is added to route traffic to the temporary Amazon EC2 instance's private IPv4 address through the newly created VPC peering connection.

  Valid values: true | false

  Default: false
+ AllowVpcInternetAccess

  Type: String

  Description: (Optional) If set to `true`, the runbook creates a NAT gateway to provide internet connectivity to the temporary Amazon EC2 instance to communicate with the Support API endpoint. You can leave this parameter as `false` if you only want the runbook to upload the output to your Amazon S3 bucket.

  Valid values: true | false

  Default: false
+ UpdateRdsSecurityGroup

  Type: String

  Description: (Optional) If set to `true`, the runbook updates the security group associated with your DB instance to allow traffic from the temporary instance's private IP address.

  Valid values: false | true

  Default: false
+ EbsVolumeDeleteOnTermination

  Type: String

  Description: (Optional) If set to `true`, the temporary Amazon EC2 instance's root volume is deleted after the runbook completes and deletes the CloudFormation stack.

  Valid values: false | true

  Default: false

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+ `cloudformation:CreateStack`
+ `cloudformation:DeleteStack`
+ `cloudformation:DescribeStackEvents`
+ `cloudformation:DescribeStackResource`
+ `cloudformation:DescribeStacks`
+ `cloudformation:UpdateStack`
+ `ec2:AcceptVpcPeeringConnection`
+ `ec2:AllocateAddress`
+ `ec2:AssociateRouteTable`
+ `ec2:AssociateVpcCidrBlock`
+ `ec2:AttachInternetGateway`
+ `ec2:AuthorizeSecurityGroupEgress`
+ `ec2:AuthorizeSecurityGroupIngress`
+ `ec2:CreateEgressOnlyInternetGateway`
+ `ec2:CreateInternetGateway`
+ `ec2:CreateNatGateway`
+ `ec2:CreateRoute`
+ `ec2:CreateRouteTable`
+ `ec2:CreateSecurityGroup`
+ `ec2:CreateSubnet`
+ `ec2:CreateTags`
+ `ec2:CreateVpc`
+ `ec2:CreateVpcEndpoint`
+ `ec2:CreateVpcPeeringConnection`
+ `ec2:DeleteEgressOnlyInternetGateway`
+ `ec2:DeleteInternetGateway`
+ `ec2:DeleteNatGateway`
+ `ec2:DeleteRoute`
+ `ec2:DeleteRouteTable`
+ `ec2:DeleteSecurityGroup`
+ `ec2:DeleteSubnet`
+ `ec2:DeleteTags`
+ `ec2:DeleteVpc`
+ `ec2:DeleteVpcEndpoints`
+ `ec2:DescribeAddresses`
+ `ec2:DescribeEgressOnlyInternetGateways`
+ `ec2:DescribeImages`
+ `ec2:DescribeInstances`
+ `ec2:DescribeInstanceStatus`
+ `ec2:DescribeInternetGateways`
+ `ec2:DescribeNatGateways`
+ `ec2:DescribeRouteTables`
+ `ec2:DescribeSecurityGroups`
+ `ec2:DescribeSubnets`
+ `ec2:DescribeVpcEndpoints`
+ `ec2:DescribeVpcPeeringConnections`
+ `ec2:DescribeVpcs`
+ `ec2:DetachInternetGateway`
+ `ec2:DisassociateRouteTable`
+ `ec2:DisassociateVpcCidrBlock`
+ `ec2:ModifySubnetAttribute`
+ `ec2:ModifyVpcAttribute`
+ `ec2:RebootInstances`
+ `ec2:ReleaseAddress`
+ `ec2:RevokeSecurityGroupEgress`
+ `ec2:RevokeSecurityGroupIngress`
+ `ec2:StartInstances`
+ `ec2:StopInstances`
+ `ec2:RunInstances`
+ `ec2:TerminateInstances`
+ `iam:AddRoleToInstanceProfile`
+ `iam:AttachRolePolicy`
+ `iam:CreateInstanceProfile`
+ `iam:CreateRole`
+ `iam:DeleteInstanceProfile`
+ `iam:DeleteRole`
+ `iam:DeleteRolePolicy`
+ `iam:DetachRolePolicy`
+ `iam:GetInstanceProfile`
+ `iam:GetRole`
+ `iam:GetRolePolicy`
+ `iam:PassRole`
+ `iam:PutRolePolicy`
+ `iam:RemoveRoleFromInstanceProfile`
+ `iam:TagPolicy`
+ `iam:TagRole`
+ `rds:DescribeDBInstances`
+ `s3:GetAccountPublicAccessBlock`
+ `s3:GetBucketAcl`
+ `s3:GetBucketPolicyStatus`
+ `s3:GetBucketPublicAccessBlock`
+ `s3:ListBucket`
+ `ssm:AddTagsToResource`
+ `ssm:CancelMaintenanceWindowExecution`
+ `ssm:CreateDocument`
+ `ssm:CreateMaintenanceWindow`
+ `ssm:DeleteDocument`
+ `ssm:DeleteMaintenanceWindow`
+ `ssm:DeregisterTaskFromMaintenanceWindow`
+ `ssm:DescribeAutomationExecutions`
+ `ssm:DescribeDocument`
+ `ssm:DescribeInstanceInformation`
+ `ssm:DescribeMaintenanceWindowExecutions`
+ `ssm:GetCalendarState`
+ `ssm:GetDocument`
+ `ssm:GetMaintenanceWindowExecution`
+ `ssm:GetParameters`
+ `ssm:ListCommandInvocations`
+ `ssm:ListCommands`
+ `ssm:ListTagsForResource`
+ `ssm:RegisterTaskWithMaintenanceWindow`
+ `ssm:RemoveTagsFromResource`
+ `ssm:SendCommand`
+ `support:AddAttachmentsToSet`
+ `support:AddCommunicationToCase`
+ `support:DescribeCases`

 **Document Steps** 

1. `aws:assertAwsResourceProperty` - Confirms the DB instance is in the `available` state.

1. `aws:executeAwsApi` - Gathers details about the DB instance.

1. `aws:executeScript` - Checks whether the Amazon S3 bucket specified in the `S3BucketName` parameter allows anonymous (public) read or write access.

1. `aws:executeScript` - Gets the CloudFormation template content from the Automation runbook attachment that is used to create the temporary AWS resources in your AWS account.

1. `aws:createStack` - Creates the CloudFormation stack resources.

1. `aws:waitForAwsResourceProperty` - Waits until the Amazon EC2 instance created by the CloudFormation template is running.

1. `aws:executeAwsApi` - Gets the IDs for the temporary Amazon EC2 instance and VPC peering connection created by CloudFormation.

1. `aws:executeAwsApi` - Gets the IP address for the temporary Amazon EC2 instance to configure connectivity with your DB instance.

1. `aws:executeAwsApi` - Tags the Amazon EBS volume attached to the temporary Amazon EC2 instance.

1. `aws:waitForAwsResourceProperty` - Waits until the temporary Amazon EC2 instance passes status checks.

1. `aws:waitForAwsResourceProperty` - Waits until the temporary Amazon EC2 instance is managed by Systems Manager. If this step times out or fails, then the runbook reboots the instance.

   1. `aws:executeAwsApi` - Reboots the temporary Amazon EC2 instance if the previous step failed or timed out.

   1. `aws:waitForAwsResourceProperty` - Waits until the temporary Amazon EC2 instance is managed by Systems Manager after reboot.

1. `aws:runCommand` - Installs the metadata collector application requirements on the temporary Amazon EC2 instance.

1. `aws:runCommand` - Configures access to your DB instance by creating a configuration file on the temporary Amazon EC2 instance.

1. `aws:executeAwsApi` - Creates a maintenance window to periodically run the metadata collector application using Run Command. The maintenance window starts and stops the instance between commands.

1. `aws:waitForAwsResourceProperty` - Waits until the maintenance window created by the CloudFormation template is ready.

1. `aws:executeAwsApi` - Gets the IDs for the maintenance window and change calendar created by CloudFormation.

1. `aws:sleep` - Waits until the end date of the maintenance window.

1. `aws:executeAwsApi` - Turns off the maintenance window.

1. `aws:executeScript` - Gets the results of the tasks run during the maintenance window.

1. `aws:waitForAwsResourceProperty` - Waits for the maintenance window to finish the last task before continuing.

1. `aws:branch` - Branches the workflow based on whether you provided a value for the `SupportCase` parameter.

   1. `aws:changeInstanceState` - Starts the temporary Amazon EC2 instance and waits for status checks to pass before uploading the report.

   1. `aws:waitForAwsResourceProperty` - Waits until the temporary Amazon EC2 instance is managed by Systems Manager. If this step times out or fails, the runbook reboots the instance.

      1. `aws:executeAwsApi` - Reboots the temporary Amazon EC2 instance if the previous step failed or timed out.

      1. `aws:waitForAwsResourceProperty` - Waits until the temporary Amazon EC2 instance is managed by Systems Manager after reboot.

   1. `aws:runCommand` - Attaches the metadata report to the Support case if you provided a value for the `SupportCase` parameter. The script compresses and splits the report into 5 MB files. The maximum number of files the script attaches to a Support case is 12.

1. `aws:changeInstanceState` - Stops the temporary Amazon EC2 instance in case the CloudFormation stack fails to delete.

1. `aws:executeAwsApi` - Describes the CloudFormation stack events if the runbook fails to create or update the CloudFormation stack.

1. `aws:waitForAwsResourceProperty` - Waits until the CloudFormation stack is in a terminal status before deleting.

1. `aws:executeAwsApi` - Deletes the CloudFormation stack excluding the maintenance window. The root Amazon EBS volume associated with the temporary Amazon EC2 instance is preserved if the `EbsVolumeDeleteOnTermination` parameter value was set to `false`.

# `AWS-RebootRdsInstance`
<a name="automation-aws-rebootrdsinstance"></a>

 **Description** 

 The `AWS-RebootRdsInstance` runbook reboots an Amazon Relational Database Service (Amazon RDS) DB instance if it isn't already rebooting. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWS-RebootRdsInstance) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Databases

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ InstanceId

  Type: String

  Description: (Required) The ID of the Amazon RDS DB instance that you want to reboot.

 **Document Steps** 

RebootInstance - Reboots the DB instance if it is not already rebooting.

WaitForAvailableState - Waits for the DB instance to complete the reboot process.

 **Outputs** 

This automation has no outputs.

# `AWSSupport-ShareRDSSnapshot`
<a name="automation-aws-sharerdssnapshot"></a>

 **Description** 

 The `AWSSupport-ShareRDSSnapshot` runbook provides an automated solution for the procedure outlined in the Knowledge Center article [How can I share an encrypted Amazon RDS DB snapshot with another account?](https://aws.amazon.com/premiumsupport/knowledge-center/share-encrypted-rds-snapshot-kms-key/) If your Amazon Relational Database Service (Amazon RDS) snapshot was encrypted using the default AWS managed key, you cannot share the snapshot. In this case, you must copy the snapshot using a customer managed key, and then share the snapshot with the target account. This automation performs these steps using the value you specify in the `SnapshotName` parameter, or the latest snapshot found for the selected Amazon RDS DB instance or cluster. 

**Note**  
 If you do not specify a value for the `KMSKey` parameter, the automation creates a new AWS KMS customer managed key in your account that is used to encrypt the snapshot. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSSupport-ShareRDSSnapshot) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Databases

**Parameters**
+ AccountIds

  Type: StringList

  Description: (Required) Comma-separated list of account IDs to share the snapshot with.
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ Database

  Type: String

   Description: (Required) The name of the Amazon RDS DB instance or cluster whose snapshot you want to share. This parameter is optional if you specify a value for the `SnapshotName` parameter. 
+ KMSKey

  Type: String

  Description: (Optional) The full Amazon Resource Name (ARN) of the AWS KMS customer managed key used to encrypt the snapshot.
+ SnapshotName

  Type: String

  Description: (Optional) The ID of the DB cluster or instance snapshot that you want to use.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `rds:DescribeDBInstances` 
+  `rds:DescribeDBSnapshots` 
+  `rds:CopyDBSnapshot` 
+  `rds:ModifyDBSnapshotAttribute` 

 The `AutomationAssumeRole` requires the following actions to successfully start the runbook for a DB cluster. 
+  `ssm:StartAutomationExecution` 
+  `rds:DescribeDBClusters` 
+  `rds:DescribeDBClusterSnapshots` 
+  `rds:CopyDBClusterSnapshot` 
+  `rds:ModifyDBClusterSnapshotAttribute` 

 The IAM role used to run the automation must be added as a key user of the KMS key specified in the `KMSKey` parameter. For information about adding key users to a KMS key, see [Changing a key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying.html) in the *AWS Key Management Service Developer Guide*. 

 The `AutomationAssumeRole` requires the following additional actions to successfully start the runbook if you do not specify a value for the `KMSKey` parameter. 
+  `kms:CreateKey` 
+  `kms:ScheduleKeyDeletion` 
+  `kms:CreateGrant` 
+  `kms:DescribeKey` 

 **Document Steps** 

1.  `aws:executeScript` - Checks whether a value was provided for the `KMSKey` parameter, and creates an AWS KMS customer managed key if no value is found. 

1.  `aws:branch` - Checks whether a value was provided for the `SnapshotName` parameter, and branches accordingly. 

1.  `aws:executeAwsApi` - Checks whether the snapshot provided is from a DB instance. 

1.  `aws:executeScript` - Formats the `SnapshotName` parameter by replacing colons with hyphens. 

1.  `aws:executeAwsApi` - Copies the snapshot using the specified `KMSKey` . 

1.  `aws:waitForAwsResourceProperty` - Waits for the copy snapshot operation to complete. 

1.  `aws:executeAwsApi` - Shares the new snapshot with the `AccountIds` specified. 

1.  `aws:executeAwsApi` - Checks whether the snapshot provided is from a DB cluster. 

1.  `aws:executeScript` - Formats the `SnapshotName` parameter by replacing colons with hyphens. 

1.  `aws:executeAwsApi` - Copies the snapshot using the specified `KMSKey` . 

1.  `aws:waitForAwsResourceProperty` - Waits for the copy snapshot operation to complete. 

1.  `aws:executeAwsApi` - Shares the new snapshot with the `AccountIds` specified. 

1.  `aws:executeAwsApi` - Checks whether the value provided for the `Database` parameter is a DB instance. 

1.  `aws:executeAwsApi` - Checks whether the value provided for the `Database` parameter is a DB cluster. 

1.  `aws:executeAwsApi` - Retrieves a list of snapshots for the specified `Database` . 

1.  `aws:executeScript` - Determines the latest snapshot available from the list assembled in the previous step. 

1.  `aws:executeAwsApi` - Copies the DB instance snapshot using the specified `KMSKey` . 

1.  `aws:waitForAwsResourceProperty` - Waits for the copy snapshot operation to complete. 

1.  `aws:executeAwsApi` - Shares the new snapshot with the `AccountIds` specified. 

1.  `aws:executeAwsApi` - Retrieves a list of snapshots for the specified `Database` . 

1.  `aws:executeScript` - Determines the latest snapshot available from the list assembled in the previous step. 

1.  `aws:executeAwsApi` - Copies the DB instance snapshot using the specified `KMSKey` . 

1.  `aws:waitForAwsResourceProperty` - Waits for the copy snapshot operation to complete. 

1.  `aws:executeAwsApi` - Shares the new snapshot with the `AccountIds` specified. 

1.  `aws:executeScript` - Deletes the AWS KMS customer managed key created by the automation if you did not specify a value for the `KMSKey` parameter and the automation fails. 
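The copy-then-share sequence described in the steps above, written out as an added example (not the runbook's own code). `FakeRds` is a constructed in-memory stand-in for boto3's RDS client so the example runs offline; its method names and response shapes follow the RDS API, so a real `boto3.client("rds")` can be passed in its place. The key ARN and account IDs are placeholders.

```python
from datetime import datetime, timezone


def format_snapshot_name(snapshot_name: str) -> str:
    """Automated snapshots are named like 'rds:mydb-2024-03-01-03-05', but a
    copy target identifier may not contain colons, so replace them with
    hyphens (what the runbook's formatting step does)."""
    return snapshot_name.replace(":", "-")


def latest_snapshot(snapshots: list) -> dict:
    """Return the most recent completed snapshot; a snapshot still being
    created has no SnapshotCreateTime and cannot be copied yet."""
    completed = [s for s in snapshots if s.get("Status") == "available"]
    if not completed:
        raise ValueError("no completed snapshot found for this database")
    return max(completed, key=lambda s: s["SnapshotCreateTime"])


def share_snapshot(rds, snapshot_id: str, kms_key_arn: str, account_ids: list) -> str:
    """Copy `snapshot_id` re-encrypted under the customer managed key
    `kms_key_arn`, wait for the copy, then grant the `restore` attribute to
    `account_ids`. Returns the identifier of the shared copy."""
    if "alias/aws/" in kms_key_arn:
        # Simple heuristic: a snapshot under an AWS managed key cannot be shared
        # across accounts, which is the whole reason the runbook makes a copy.
        raise ValueError("kms_key_arn must be a customer managed key")
    target = format_snapshot_name(snapshot_id) + "-shared"
    rds.copy_db_snapshot(
        SourceDBSnapshotIdentifier=snapshot_id,
        TargetDBSnapshotIdentifier=target,
        KmsKeyId=kms_key_arn,
        CopyTags=True,
    )
    # Equivalent of the runbook's aws:waitForAwsResourceProperty step.
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=target)
    rds.modify_db_snapshot_attribute(
        DBSnapshotIdentifier=target, AttributeName="restore", ValuesToAdd=account_ids
    )
    return target


def share_latest_snapshot(rds, database: str, kms_key_arn: str, account_ids: list) -> str:
    """Path taken when only `Database` is given: share its newest snapshot."""
    snaps = rds.describe_db_snapshots(DBInstanceIdentifier=database)["DBSnapshots"]
    chosen = latest_snapshot(snaps)["DBSnapshotIdentifier"]
    return share_snapshot(rds, chosen, kms_key_arn, account_ids)


class FakeRds:
    """Constructed stand-in for boto3's RDS client: same method names and
    response shapes, state kept in memory, no network calls."""

    def __init__(self, snapshots):
        self.snapshots = {s["DBSnapshotIdentifier"]: dict(s) for s in snapshots}
        self.shared_with = {}

    def describe_db_snapshots(self, DBInstanceIdentifier):
        return {"DBSnapshots": [s for s in self.snapshots.values()
                                if s["DBInstanceIdentifier"] == DBInstanceIdentifier]}

    def copy_db_snapshot(self, SourceDBSnapshotIdentifier, TargetDBSnapshotIdentifier,
                         KmsKeyId, CopyTags=False):
        src = self.snapshots[SourceDBSnapshotIdentifier]
        self.snapshots[TargetDBSnapshotIdentifier] = {
            **src, "DBSnapshotIdentifier": TargetDBSnapshotIdentifier,
            "KmsKeyId": KmsKeyId, "Encrypted": True, "Status": "available",
            "SnapshotCreateTime": datetime.now(timezone.utc)}
        return {"DBSnapshot": self.snapshots[TargetDBSnapshotIdentifier]}

    def get_waiter(self, name):
        class _Waiter:
            def wait(self, **kwargs):
                pass  # the fake copy completes immediately
        return _Waiter()

    def modify_db_snapshot_attribute(self, DBSnapshotIdentifier, AttributeName, ValuesToAdd):
        self.shared_with.setdefault(DBSnapshotIdentifier, set()).update(ValuesToAdd)
        return {}


# Constructed sample data: two completed snapshots of "mydb" and one in progress.
SAMPLE_SNAPSHOTS = [
    {"DBSnapshotIdentifier": "mydb-manual", "DBInstanceIdentifier": "mydb",
     "Status": "available", "Encrypted": True, "KmsKeyId": "alias/aws/rds",
     "SnapshotCreateTime": datetime(2024, 2, 1, tzinfo=timezone.utc)},
    {"DBSnapshotIdentifier": "rds:mydb-2024-03-01-03-05", "DBInstanceIdentifier": "mydb",
     "Status": "available", "Encrypted": True, "KmsKeyId": "alias/aws/rds",
     "SnapshotCreateTime": datetime(2024, 3, 1, 3, 5, tzinfo=timezone.utc)},
    {"DBSnapshotIdentifier": "rds:mydb-2024-03-02-03-05", "DBInstanceIdentifier": "mydb",
     "Status": "creating", "Encrypted": True, "KmsKeyId": "alias/aws/rds"},
]
# Placeholder customer managed key ARN, not a real key.
CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"

if __name__ == "__main__":
    rds = FakeRds(SAMPLE_SNAPSHOTS)
    print(share_latest_snapshot(rds, "mydb", CMK_ARN, ["444455556666"]))
```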

# `AWS-StartRdsInstance`
<a name="automation-aws-startrdsinstance"></a>

 **Description** 

Start an Amazon Relational Database Service (Amazon RDS) instance.

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWS-StartRdsInstance) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Databases

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ InstanceId

  Type: String

  Description: (Required) ID of the Amazon RDS instance to start.

# `AWS-StartStopAuroraCluster`
<a name="start-stop-aurora-cluster"></a>

**Description**

This runbook starts or stops an Amazon Aurora cluster.

**Note**  
To start a cluster it must be in a `stopped` status. To stop a cluster it must be in an `available` status. This runbook can't be used to start or stop a cluster that is an Aurora Serverless v1 cluster, an Aurora multi-master cluster, part of an Aurora global database, or a cluster that uses Aurora parallel query. The runbook can be used to stop and start an Aurora Serverless v2 cluster.

[Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWS-StartStopAuroraCluster)

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Databases

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ ClusterName

  Type: String

  Description: (Required) The name of the Aurora cluster you want to stop or start.
+ Action

  Type: String

  Valid values: Start | Stop

  Default: Start

  Description: (Required) Whether to start or stop the Aurora cluster.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+ `rds:DescribeDBClusters`
+ `rds:StartDBCluster`
+ `rds:StopDBCluster`

**Document Steps**
+ `aws:executeScript` - Starts or stops the cluster based on the values you specify for the `ClusterName` and `Action` parameters.

**Outputs**

StartStopAuroraCluster.ClusterName - The name of the Aurora cluster

StartStopAuroraCluster.CurrentStatus - The current status of the Aurora cluster

StartStopAuroraCluster.Message - Details of the automation

# `AWS-StopRdsInstance`
<a name="automation-aws-stoprdsinstance"></a>

 **Description** 

Stop an Amazon Relational Database Service (Amazon RDS) instance.

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWS-StopRdsInstance) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Databases

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ InstanceId

  Type: String

  Description: (Required) ID of the Amazon RDS instance to stop.

# `AWSSupport-TroubleshootConnectivityToRDS`
<a name="automation-awssupport-troubleshootconnectivitytords"></a>

 **Description** 

 The `AWSSupport-TroubleshootConnectivityToRDS` runbook diagnoses connectivity issues between an EC2 instance and an Amazon Relational Database Service instance. The automation ensures the DB instance is available, and then checks the associated security group rules, network access control lists (network ACLs), and route tables for potential connectivity issues. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSSupport-TroubleshootConnectivityToRDS) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ DBInstanceIdentifier

  Type: String

  Description: (Required) The DB instance ID to test connectivity to.
+ SourceInstance

  Type: String

  Allowed pattern: `^i-[a-z0-9]{8,17}$`

  Description: (Required) The ID of the EC2 instance to test connectivity from.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ec2:DescribeInstances` 
+  `ec2:DescribeNetworkAcls` 
+  `ec2:DescribeRouteTables` 
+  `ec2:DescribeSecurityGroups` 
+  `ec2:DescribeSubnets` 
+  `rds:DescribeDBInstances` 

 **Document Steps** 
+  `aws:assertAwsResourceProperty` - Confirms the DB instance status is `available` . 
+  `aws:executeAwsApi` - Gets information about the DB instance. 
+  `aws:executeAwsApi` - Gets information about the DB instance network ACLs. 
+  `aws:executeAwsApi` - Gets the DB instance subnet CIDR. 
+  `aws:executeAwsApi` - Gets information about the EC2 instance. 
+  `aws:executeAwsApi` - Gets information about the EC2 instance network ACLs. 
+  `aws:executeAwsApi` - Gets information about the security groups associated with the EC2 instance. 
+  `aws:executeAwsApi` - Gets information about the security groups associated with the DB instance. 
+  `aws:executeAwsApi` - Gets information about the route tables associated with the EC2 instance. 
+  `aws:executeAwsApi` - Gets information about the main route table associated with the Amazon VPC for the EC2 instance. 
+  `aws:executeAwsApi` - Gets information about the route tables associated with the DB instance. 
+  `aws:executeAwsApi` - Gets information about the main route table associated with the Amazon VPC for the DB instance. 
+  `aws:executeScript` - Evaluates security group rules. 
+  `aws:executeScript` - Evaluates network ACLs. 
+  `aws:executeScript` - Evaluates route tables. 
+  `aws:sleep` - Ends the automation. 

 **Outputs** 

getRDSInstanceProperties.DBInstanceIdentifier - The DB instance used in the automation.

getRDSInstanceProperties.DBInstanceStatus - The current status of the DBInstance.

 evalSecurityGroupRules.SecurityGroupEvaluation - Results from comparing the `SourceInstance` security group rules to the DB instance security group rules. 

 evalNetworkAclRules.NetworkAclEvaluation - Results from comparing the `SourceInstance` network ACLs to the DB instance network ACLs. 

 evalRouteTableEntries.RouteTableEvaluation - Results from comparing the `SourceInstance` route table to the DB instance routes. 
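An added example of the kind of comparison the `evalSecurityGroupRules` step performs (this is not the runbook's code): given `DescribeSecurityGroups` results for the DB instance and the source instance, it checks that some DB ingress rule admits the source on the DB port, that some source egress rule permits the DB, and flags a DB port reachable from `0.0.0.0/0`. The security group IDs, addresses and port are constructed sample values.

```python
import ipaddress


def _port_matches(perm: dict, port: int) -> bool:
    """IpProtocol "-1" means all traffic; otherwise require TCP and a
    FromPort..ToPort range that covers the DB port."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm["FromPort"] <= port <= perm["ToPort"]


def _peer_matches(perm: dict, peer_ip: str, peer_sg_ids: set) -> bool:
    """A rule matches the peer if one of its CIDRs contains the peer's private
    IP or it references one of the peer's security groups."""
    ip = ipaddress.ip_address(peer_ip)
    for rng in perm.get("IpRanges", []):
        if ip in ipaddress.ip_network(rng["CidrIp"], strict=False):
            return True
    return any(pair["GroupId"] in peer_sg_ids
               for pair in perm.get("UserIdGroupPairs", []))


def evaluate_security_groups(db_sgs, source_sgs, source_ip, db_ip, db_port):
    """Return which DB ingress rules admit the source and which source egress
    rules permit the DB, plus a flag for a DB port open to the internet."""
    source_ids = {sg["GroupId"] for sg in source_sgs}
    db_ids = {sg["GroupId"] for sg in db_sgs}
    ingress = [(sg["GroupId"], perm) for sg in db_sgs for perm in sg["IpPermissions"]
               if _port_matches(perm, db_port) and _peer_matches(perm, source_ip, source_ids)]
    egress = [(sg["GroupId"], perm) for sg in source_sgs for perm in sg["IpPermissionsEgress"]
              if _port_matches(perm, db_port) and _peer_matches(perm, db_ip, db_ids)]
    open_to_world = any(rng["CidrIp"] == "0.0.0.0/0"
                        for sg in db_sgs for perm in sg["IpPermissions"]
                        if _port_matches(perm, db_port)
                        for rng in perm.get("IpRanges", []))
    return {"inbound_ok": bool(ingress), "outbound_ok": bool(egress),
            "db_port_open_to_internet": open_to_world,
            "matching_ingress": ingress, "matching_egress": egress}


# Constructed sample groups in the DescribeSecurityGroups shape.
APP_SG = {"GroupId": "sg-0app", "IpPermissions": [],
          "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
# Good: PostgreSQL port allowed only from the application security group.
DB_SG_GOOD = {"GroupId": "sg-0db", "IpPermissionsEgress": [], "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0app"}]}]}
# Broken: allows a CIDR that does not contain the source instance.
DB_SG_WRONG_CIDR = {"GroupId": "sg-0db", "IpPermissionsEgress": [], "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "10.0.0.0/24"}], "UserIdGroupPairs": []}]}
# Reachable but risky: DB port open to the whole internet.
DB_SG_OPEN = {"GroupId": "sg-0db", "IpPermissionsEgress": [], "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]}

if __name__ == "__main__":
    for db_sg in (DB_SG_GOOD, DB_SG_WRONG_CIDR, DB_SG_OPEN):
        r = evaluate_security_groups([db_sg], [APP_SG], "10.0.1.5", "10.0.2.10", 5432)
        print(r["inbound_ok"], r["outbound_ok"], r["db_port_open_to_internet"])
```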

# `AWSSupport-TroubleshootRDSIAMAuthentication`
<a name="automation-aws-troubleshoot-rds-iam-authentication"></a>

 **Description** 

 The `AWSSupport-TroubleshootRDSIAMAuthentication` runbook helps troubleshoot AWS Identity and Access Management (IAM) authentication for Amazon RDS for PostgreSQL, Amazon RDS for MySQL, Amazon RDS for MariaDB, Amazon Aurora PostgreSQL, and Amazon Aurora MySQL instances. Use this runbook to verify the configuration required for IAM authentication with an Amazon RDS instance or Aurora cluster. It also provides steps to rectify connectivity issues to the Amazon RDS instance or Aurora cluster. 

**Important**  
 This runbook does not support Amazon RDS for Oracle or Amazon RDS for Microsoft SQL Server. 

**Important**  
 If a source Amazon EC2 Instance is provided and the target Database is Amazon RDS, a child automation `AWSSupport-TroubleshootConnectivityToRDS` is invoked to troubleshoot TCP connectivity. The output also provides commands you can run on your Amazon EC2 instance or source machine to connect to the Amazon RDS instances using IAM authentication. 

 **How does it work?** 

This runbook consists of six steps:
+ **Step 1: validateInputs:** Validates the inputs to the automation.
+ **Step 2: branchOnSourceEC2Provided:** Verifies whether a source Amazon EC2 instance ID is provided in the input parameters.
+ **Step 3: validateRDSConnectivity:** Validates Amazon RDS connectivity from the source Amazon EC2 instance, if provided.
+ **Step 4: validateRDSIAMAuthentication:** Validates whether the IAM authentication feature is enabled.
+ **Step 5: validateIAMPolicies:** Verifies whether the required IAM permissions are present in the IAM user/role provided.
+ **Step 6: generateReport:** Generates a report of the results of the previously executed steps.

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSSupport-TroubleshootRDSIAMAuthentication) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ RDSType

  Type: String

  Description: (Required) Select the type of relational database to which you are trying to connect and authenticate.

  Allowed Values: `Amazon RDS` or `Amazon Aurora Cluster`. 
+ DBInstanceIdentifier

  Type: String

  Description: (Required) The identifier of the target Amazon RDS Database Instance or Aurora Database Cluster.

  Allowed Pattern: `^[A-Za-z0-9]+(-[A-Za-z0-9]+)*$` 

  Max Characters: 63
+ SourceEc2InstanceIdentifier

  Type: `AWS::EC2::Instance::Id`

  Description: (Optional) The Amazon EC2 Instance ID if you are connecting to the Amazon RDS Database Instance from an Amazon EC2 Instance running in the same account and region. Do not specify this parameter if the source is not an Amazon EC2 instance or if the target Amazon RDS type is an Aurora Database Cluster.

  Default: `""` 
+ DBIAMRoleName

  Type: String

  Description: (Optional) The IAM role name being used for IAM-based authentication. Provide only if the parameter `DBIAMUserName` is not provided, otherwise leave it empty. Either `DBIAMRoleName` or `DBIAMUserName` must be provided.

  Allowed Pattern: `^[a-zA-Z0-9+=,.@_-]{1,64}$|^$` 

  Max Characters: 64

  Default: `""` 
+ DBIAMUserName

  Type: String

  Description: (Optional) The IAM user name used for IAM-based authentication. Provide only if the `DBIAMRoleName` parameter is not provided, otherwise leave it empty. Either `DBIAMRoleName` or `DBIAMUserName` must be provided.

  Allowed Pattern: `^[a-zA-Z0-9+=,.@_-]{1,64}$|^$` 

  Max Characters: 64

  Default: `""` 
+ DBUserName

  Type: String

  Description: (Optional) The database user name mapped to an IAM role/user for IAM-based authentication within the database. The default option `*` evaluates if the `rds-db:connect` permission is allowed for all users in the Database.

  Allowed Pattern: `^[a-zA-Z0-9+=,.@*_-]{1,64}$` 

  Max Characters: 64

  Default: `*` 

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+ `ec2:DescribeInstances`
+ `ec2:DescribeNetworkAcls`
+ `ec2:DescribeRouteTables`
+ `ec2:DescribeSecurityGroups`
+ `ec2:DescribeSubnets`
+ `iam:GetPolicy`
+ `iam:GetRole`
+ `iam:GetUser`
+ `iam:ListAttachedRolePolicies`
+ `iam:ListAttachedUserPolicies`
+ `iam:ListRolePolicies`
+ `iam:ListUserPolicies`
+ `iam:SimulatePrincipalPolicy`
+ `rds:DescribeDBClusters`
+ `rds:DescribeDBInstances`
+ `ssm:DescribeAutomationStepExecutions`
+ `ssm:GetAutomationExecution`
+ `ssm:StartAutomationExecution`

 **Instructions** 

1. Navigate to the [AWSSupport-TroubleshootRDSIAMAuthentication](https://console.aws.amazon.com/systems-manager/automation/execute/AWSSupport-TroubleshootRDSIAMAuthentication) runbook in the AWS Systems Manager console.

1. Select **Execute Automation**.

1. For input parameters, enter the following:
   + **AutomationAssumeRole (Optional):**

     The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
   + **RDSType (Required):**

     Select the type of Amazon RDS to which you are trying to connect and authenticate. Choose from the two allowed values: `Amazon RDS` or `Amazon Aurora Cluster`.
   + **DBInstanceIdentifier (Required):**

     Enter the identifier of the target Amazon RDS Database Instance or the Aurora Cluster to which you are trying to connect and use IAM credentials for authentication.
   + **SourceEc2InstanceIdentifier (Optional):**

     Provide the Amazon EC2 Instance ID if you are connecting to the Amazon RDS Database Instance from an Amazon EC2 Instance present in the same account and region. Leave blank if the source is not Amazon EC2 or if the target Amazon RDS type is an Aurora Cluster.
   + **DBIAMRoleName (Optional):**

     Enter the IAM Role name used for IAM-Based authentication. Provide only if `DBIAMUserName` is not provided; otherwise, leave blank. Either `DBIAMRoleName` or `DBIAMUserName` must be provided.
   + **DBIAMUserName (Optional):**

      Enter the IAM User used for IAM-Based authentication. Provide only if `DBIAMRoleName` is not provided, otherwise, leave blank. Either `DBIAMRoleName` or `DBIAMUserName` must be provided.
   + **DBUserName (Optional):**

     Enter the database user mapped to an IAM role/user for IAM-based authentication within the database. If you leave this field empty, the default option `*` is used for the evaluation.  
![Input parameters form for AWS Systems Manager with fields for EC2 instance and database configuration.](http://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/images/awssupport-troubleshoot-rds-iam-authentication_input_parameters.png)

1. Select **Execute**.

1. Notice that the automation initiates.

1. The document performs the following steps:
   + **Step 1: validateInputs:**

     Validates the inputs to the automation - `SourceEC2InstanceIdentifier` (optional), `DBInstanceIdentifier` or `ClusterID`, and `DBIAMRoleName` or `DBIAMUserName`. It verifies if the input parameters entered are present in your account and region. It also verifies if the user entered one of the IAM parameters (for example, `DBIAMRoleName` or `DBIAMUserName`). Additionally, it performs other verifications, such as if the Database mentioned is in Available status.
   + **Step 2: branchOnSourceEC2Provided:**

     Verifies if Source Amazon EC2 is provided in the input parameters and the Database is Amazon RDS. If yes, it proceeds to step 3. If not, it skips step 3, which is Amazon EC2-Amazon RDS Connectivity validation and proceeds to step 4.
   + **Step 3: validateRDSConnectivity:**

     If the Source Amazon EC2 is provided in the input parameters and the Database is Amazon RDS, step 2 initiates step 3. In this step, the child automation `AWSSupport-TroubleshootConnectivityToRDS` is invoked to validate Amazon RDS connectivity from source Amazon EC2. The child automation runbook `AWSSupport-TroubleshootConnectivityToRDS` verifies if the required network configurations (Amazon Virtual Private Cloud [Amazon VPC], Security Groups, Network Access Control List [NACL], Amazon RDS availability) are in place so that you can connect from the Amazon EC2 instance to the Amazon RDS instance.
   + **Step 4: validateRDSIAMAuthentication:**

     Validates if the IAM Authentication feature is enabled on the Amazon RDS instance or Aurora Cluster.
   + **Step 5: validateIAMPolicies:**

     Verifies if the required IAM permissions are present in the IAM user/role passed to enable the IAM credentials to authenticate into the Amazon RDS instance for the specified Database User (if any).
   + **Step 6: generateReport:**

     Obtains all the information from the previous steps and prints the result or the output of each step. It also lists the steps to refer to and perform, to connect to the Amazon RDS instance using the IAM credentials.

1. When the automation is complete, review the **Outputs** section for the detailed results:
   + **Checking the IAM User/Role permission to connect to Database:**

     Verifies if the required IAM permissions are present in the IAM user/role passed to enable the IAM credentials to authenticate into the Amazon RDS Instance for the specified Database User (if any).
   + **Checking IAM-Based Authentication Attribute for the Database:**

     Verifies if the feature of the IAM authentication is enabled for the specified Amazon RDS Database/Aurora Cluster.
   + **Checking Connectivity from Amazon EC2 Instance to Amazon RDS Instance:**

     Verifies if the required network configurations (Amazon VPC, Security Groups, NACL, Amazon RDS availability) are in place so that you can connect from the Amazon EC2 instance to the Amazon RDS Instance.
   + **Next Steps:**

     Lists the commands and steps to refer to and perform, to connect to the Amazon RDS Instance using the IAM credentials.  
![Troubleshooting results for IAM permissions and authentication for an Aurora MySQL database.](http://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/images/awssupport-troubleshoot-rds-iam-authentication_outputs.png)

 **References** 

Systems Manager Automation
+ [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSSupport-TroubleshootRDSIAMAuthentication)
+ [Run an automation](https://docs.aws.amazon.com//systems-manager/latest/userguide/automation-working-executing.html)
+ [Setting up an Automation](https://docs.aws.amazon.com//systems-manager/latest/userguide/automation-setup.html)
+ [Support Automation Workflows landing page](https://aws.amazon.com/premiumsupport/technology/saw/)

# `AWSSupport-ValidateRdsNetworkConfiguration`
<a name="automation-aws-validate-rds-network-configuration"></a>

 **Description** 

 The `AWSSupport-ValidateRdsNetworkConfiguration` automation helps you avoid the incompatible-network state for your existing Amazon Relational Database Service (Amazon RDS), Amazon Aurora, or Amazon DocumentDB instance before you perform a `ModifyDBInstance` or `StartDBInstance` operation. If the instance is already in the incompatible-network state, the runbook provides the reason. 

 **How does it work?** 

This runbook determines whether your Amazon RDS database instance will go into the incompatible-network state or, if it already has, determines the reason it is in that state.

The runbook performs the following checks against your Amazon RDS database instance:
+ Amazon Elastic Network Interface (ENI) quota per region.
+ All subnets in the database Subnet Group exist.
+ There are sufficient free IP addresses available for the subnet(s).
+ (For publicly accessible Amazon RDS instances) Settings of VPC attributes (`enableDnsSupport` and `enableDnsHostnames`).

**Important**  
When using this document against Amazon Aurora / Amazon DocumentDB clusters, ensure that you use `DBInstanceIdentifier` instead of `ClusterIdentifier`. Otherwise, the document will fail in the first step.
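The four checks listed above, as an added example that is not the runbook's code: it takes the relevant fields of `DescribeDBInstances`, `DescribeSubnets` and `DescribeVpcAttribute` responses (constructed inline here) plus the ENI usage and quota numbers, and returns one finding per failed check, named after the runbook step that covers it. The rule that a Multi-AZ instance needs two free ENIs is an assumption of this example.

```python
def validate_rds_network(instance, subnets_by_id, vpc_attributes, enis_in_use, eni_quota):
    """Return a list of (step, detail) findings; an empty list means none of the
    checks that lead to incompatible-network failed."""
    findings = []

    # assertRdsState: the runbook only works on these three statuses.
    status = instance.get("DBInstanceStatus")
    if status not in ("available", "stopped", "incompatible-network"):
        findings.append(("assertRdsState", f"unsupported status {status!r}"))

    # checkEniQuota: the instance needs a free ENI slot in the region.
    needed = 2 if instance.get("MultiAZ") else 1  # assumption: standby needs its own ENI
    if eni_quota - enis_in_use < needed:
        findings.append(("checkEniQuota",
                         f"{enis_in_use}/{eni_quota} ENIs in use, need {needed} free"))

    # validateVpcAttributes: only matters for a publicly accessible instance,
    # whose endpoint must resolve through VPC DNS.
    if instance.get("PubliclyAccessible"):
        for attr in ("enableDnsSupport", "enableDnsHostnames"):
            if not vpc_attributes.get(attr):
                findings.append(("validateVpcAttributes", f"{attr} is false"))

    # validateSubnetAttributes: every subnet in the DB subnet group must still
    # exist and have at least one free address.
    for member in instance["DBSubnetGroup"]["Subnets"]:
        sid = member["SubnetIdentifier"]
        subnet = subnets_by_id.get(sid)
        if subnet is None:
            findings.append(("validateSubnetAttributes", f"{sid} no longer exists"))
        elif subnet["AvailableIpAddressCount"] < 1:
            findings.append(("validateSubnetAttributes", f"{sid} has no free IP addresses"))
    return findings


def subnets_by_id(describe_subnets_response):
    """Index a DescribeSubnets response by SubnetId for the validator."""
    return {s["SubnetId"]: s for s in describe_subnets_response["Subnets"]}


# Constructed sample inputs (identifiers are placeholders, not real resources).
INSTANCE = {
    "DBInstanceIdentifier": "mydb", "DBInstanceStatus": "available",
    "PubliclyAccessible": True, "MultiAZ": False,
    "DBSubnetGroup": {"VpcId": "vpc-0example", "Subnets": [
        {"SubnetIdentifier": "subnet-0a"}, {"SubnetIdentifier": "subnet-0b"}]},
}
SUBNETS_OK = subnets_by_id({"Subnets": [
    {"SubnetId": "subnet-0a", "AvailableIpAddressCount": 250},
    {"SubnetId": "subnet-0b", "AvailableIpAddressCount": 251}]})
# Broken environment: subnet-0a exhausted, subnet-0b deleted.
SUBNETS_BAD = subnets_by_id({"Subnets": [
    {"SubnetId": "subnet-0a", "AvailableIpAddressCount": 0}]})
VPC_OK = {"enableDnsSupport": True, "enableDnsHostnames": True}
VPC_BAD = {"enableDnsSupport": True, "enableDnsHostnames": False}

if __name__ == "__main__":
    print(validate_rds_network(INSTANCE, SUBNETS_OK, VPC_OK, 12, 5000))
    for step, detail in validate_rds_network(INSTANCE, SUBNETS_BAD, VPC_BAD, 12, 5000):
        print(f"{step}: {detail}")
```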

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSSupport-ValidateRdsNetworkConfiguration) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Databases

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+ `rds:DescribeDBInstances`
+ `servicequotas:GetServiceQuota`
+ `ec2:DescribeNetworkInterfaces`
+ `ec2:DescribeVpcAttribute`
+ `ec2:DescribeSubnets`

Sample policy:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ValidateRdsNetwork",
            "Effect": "Allow",
            "Action": [
                "rds:DescribeDBInstances",
                "servicequotas:GetServiceQuota",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeSubnets"
            ],
            "Resource": [
                "arn:aws:rds:us-east-1:111122223333:db:db-instance-name"
            ]
        }
    ]
}
```

 **Instructions** 

1. Navigate to the [AWSSupport-ValidateRdsNetworkConfiguration](https://console.aws.amazon.com/systems-manager/automation/execute/AWSSupport-ValidateRdsNetworkConfiguration) runbook in the AWS Systems Manager console.

1. Select **Execute Automation**.

1. For input parameters, enter the following:
   + **AutomationAssumeRole (Optional):**

     The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
   + **DBInstanceIdentifier (Required):**

     Enter the Amazon Relational Database Service instance identifier.  
![Input parameters form with AutomationAssumeRole and DBInstanceIdentifier fields.](http://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/images/awssupport-validate-rds-network-configuration_input_parameters.png)

1. Select **Execute**.

1. Notice that the automation initiates.

1. The document performs the following steps:
   + **Step 1: assertRdsState:**

     Checks if the provided instance identifier exists and has any of the following states: `available`, `stopped`, or `incompatible-network`.
   + **Step 2: gatherRdsInformation:**

     Gathers required information about the Amazon RDS instance to use later in the automation.
   + **Step 3: checkEniQuota:**

     Checks for the current available quota of Amazon ENI for the region.
   + **Step 4: validateVpcAttributes:**

     Validates that the Amazon VPC DNS attributes (`enableDnsSupport` and `enableDnsHostnames`) are set to true when the Amazon RDS instance is `PubliclyAccessible`.
   + **Step 5: validateSubnetAttributes:**

     Validates the existence of subnets in the `DBSubnetGroup` and checks for available IPs for each subnet.
   + **Step 6: generateReport:**

     Obtains all the information from the previous steps and prints the result or the output of each step. It also lists the steps to refer to and perform, to connect to the Amazon RDS instance using the IAM credentials.

1. When the automation is complete, review the **Outputs** section for the detailed results:

   Amazon RDS instance with valid network configuration:  
![Report showing successful AWS RDS network configuration checks with all items passed.](http://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/images/awssupport-validate-rds-network-configuration_outputs_valid_network.png)

   Amazon RDS instance with incorrect network configuration (VPC attribute `enableDnsHostnames` is set to false):  
![Network configuration report showing issues and troubleshooting results for an RDS instance.](http://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/images/awssupport-validate-rds-network-configuration_outputs_invalid_network.png)

 **References** 

Systems Manager Automation
+ [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSSupport-ValidateRdsNetworkConfiguration)
+ [Run an automation](https://docs.aws.amazon.com//systems-manager/latest/userguide/automation-working-executing.html)
+ [Setting up an Automation](https://docs.aws.amazon.com//systems-manager/latest/userguide/automation-setup.html)
+ [Support Automation Workflows landing page](https://aws.amazon.com/premiumsupport/technology/saw/)

AWS service documentation
+ [How do I resolve issues with an Amazon RDS database that is in an incompatible-network state?](https://repost.aws/knowledge-center/rds-incompatible-network)
+ [How do I resolve issues with an Amazon DocumentDB instance that is in an incompatible-network state?](https://repost.aws/knowledge-center/documentdb-incompatible-network)