

# Amazon VPC
<a name="automation-ref-vpc"></a>

 AWS Systems Manager Automation provides predefined runbooks for Amazon Virtual Private Cloud. For more information about runbooks, see [Working with runbooks](https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-documents.html). For information about how to view runbook content, see [View runbook content](automation-runbook-reference.md#view-automation-json). 

**Topics**
+ [`AWS-CloseSecurityGroup`](close-security-group.md)
+ [`AWSSupport-ConfigureDNSQueryLogging`](automation-aws-configure-dns-query-logging.md)
+ [`AWSSupport-ConfigureTrafficMirroring`](automation-aws-configuretrafficmirroring.md)
+ [`AWSSupport-ConnectivityTroubleshooter`](automation-awssupport-connectivitytroubleshooter.md)
+ [`AWSSupport-TroubleshootVPN`](automation-aws-troubleshoot-vpn.md)
+ [`AWSConfigRemediation-DeleteEgressOnlyInternetGateway`](automation-aws-delete-egress-igw.md)
+ [`AWSConfigRemediation-DeleteUnusedENI`](automation-aws-delete-eni.md)
+ [`AWSConfigRemediation-DeleteUnusedSecurityGroup`](automation-aws-delete-ec2-security-group.md)
+ [`AWSConfigRemediation-DeleteUnusedVPCNetworkACL`](automation-aws-delete-vpc-nacl.md)
+ [`AWSConfigRemediation-DeleteVPCFlowLog`](automation-aws-delete-vpc-flow-log.md)
+ [`AWSConfigRemediation-DetachAndDeleteInternetGateway`](automation-aws-detach-delete-igw.md)
+ [`AWSConfigRemediation-DetachAndDeleteVirtualPrivateGateway`](automation-aws-detach-delete-vpg.md)
+ [`AWS-DisableIncomingSSHOnPort22`](disable-incoming-ssh.md)
+ [`AWS-DisablePublicAccessForSecurityGroup`](automation-aws-disablepublicaccessforsecuritygroup.md)
+ [`AWSConfigRemediation-DisableSubnetAutoAssignPublicIP`](automation-aws-disable-subnet-auto-public-ip.md)
+ [`AWSSupport-EnableVPCFlowLogs`](automation-aws-enable-vpc-flowlogs.md)
+ [`AWSConfigRemediation-EnableVPCFlowLogsToCloudWatch`](automation-aws-enable-flow-logs-cw.md)
+ [`AWSConfigRemediation-EnableVPCFlowLogsToS3Bucket`](automation-aws-enable-flow-logs-s3.md)
+ [`AWS-ReleaseElasticIP`](automation-aws-releaseelasticip.md)
+ [`AWS-RemoveNetworkACLUnrestrictedSSHRDP`](aws-remove-nacl-unrestricted-ssh-rdp.md)
+ [`AWSConfigRemediation-RemoveUnrestrictedSourceIngressRules`](automation-aws-remove-unrestricted-source-ingress.md)
+ [`AWSConfigRemediation-RemoveVPCDefaultSecurityGroupRules`](automation-aws-remove-default-secg-rules.md)
+ [`AWSSupport-SetupIPMonitoringFromVPC`](automation-awssupport-setupipmonitoringfromvpc.md)
+ [`AWSSupport-TerminateIPMonitoringFromVPC`](automation-awssupport-terminateipmonitoringfromvpc.md)

# `AWS-CloseSecurityGroup`
<a name="close-security-group"></a>

 **Description** 

This runbook removes all ingress and egress rules from the security group you specify.

[Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWS-CloseSecurityGroup)

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ SecurityGroupId

  Type: String

  Description: (Required) The ID of the security group you want to close.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+ `ec2:DescribeSecurityGroups`
+ `ec2:RevokeSecurityGroupEgress`
+ `ec2:RevokeSecurityGroupIngress`

**Document Steps**
+ `aws:executeScript` - Removes all ingress and egress rules from the security group you specify in the `SecurityGroupId` parameter.
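The following is an added example, not the runbook's own script, of what the single `aws:executeScript` step above has to do with the three listed permissions: describe the group, then hand the returned `IpPermissions` and `IpPermissionsEgress` lists straight back to the two revoke calls. The security group data and the `RecordingEc2` stand-in client are constructed here so the logic runs offline; against a real account the `boto3` client in `main()` is used instead.

```python
"""Close a security group by revoking every ingress and egress rule.

Added illustration of the behaviour the AWS-CloseSecurityGroup runbook describes;
not the runbook's own script. Uses only the three EC2 actions the page lists.
"""
import sys
from typing import Any, Dict, List, Tuple

# Constructed sample in the shape DescribeSecurityGroups returns (IDs are made up).
SAMPLE_GROUP: Dict[str, Any] = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "web-tier",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "PrefixListIds": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210", "UserId": "111122223333"}]},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "PrefixListIds": [], "UserIdGroupPairs": []},
    ],
}


def plan_close(group: Dict[str, Any]) -> Dict[str, List[Dict[str, Any]]]:
    """Return the permission lists to revoke.

    Passing the describe output back to the Revoke* calls is the reliable way to
    match rules that reference other security groups or prefix lists, which a
    CIDR-only reconstruction would miss.
    """
    return {
        "ingress": list(group.get("IpPermissions", [])),
        "egress": list(group.get("IpPermissionsEgress", [])),
    }


def close_security_group(ec2, group_id: str) -> Dict[str, int]:
    """Revoke all rules on group_id using an EC2 client-like object.

    `ec2` needs describe_security_groups, revoke_security_group_ingress and
    revoke_security_group_egress (the boto3 method names for the three actions
    the runbook requires). An empty IpPermissions list is never sent: the API
    rejects it, and closing an already-closed group should be a no-op.
    """
    group = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    plan = plan_close(group)
    if plan["ingress"]:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=plan["ingress"])
    if plan["egress"]:
        ec2.revoke_security_group_egress(GroupId=group_id, IpPermissions=plan["egress"])
    return {"ingress_revoked": len(plan["ingress"]), "egress_revoked": len(plan["egress"])}


class RecordingEc2:
    """Offline stand-in for a boto3 EC2 client: serves one group and records
    the revoke calls so the logic can be checked without AWS access."""

    def __init__(self, group: Dict[str, Any]):
        self.group = group
        self.calls: List[Tuple[str, str, List[Dict[str, Any]]]] = []

    def describe_security_groups(self, GroupIds):
        assert GroupIds == [self.group["GroupId"]]
        return {"SecurityGroups": [self.group]}

    def revoke_security_group_ingress(self, GroupId, IpPermissions):
        self.calls.append(("ingress", GroupId, IpPermissions))
        return {"Return": True}

    def revoke_security_group_egress(self, GroupId, IpPermissions):
        self.calls.append(("egress", GroupId, IpPermissions))
        return {"Return": True}


def dry_run(group: Dict[str, Any]):
    """Run the close logic against the recording client; returns (summary, calls)."""
    fake = RecordingEc2(group)
    return close_security_group(fake, group["GroupId"]), fake.calls


def main() -> None:
    import boto3  # real client only when run against an account: python close_sg.py sg-xxxx
    print(close_security_group(boto3.client("ec2"), sys.argv[1]))


if __name__ == "__main__":
    main()
```

Because the group stays attached to whatever uses it, closing it cuts that workload's traffic immediately in both directions; that is the point when the group belongs to an instance being contained, and a surprise otherwise, so check attachments with `ec2:DescribeNetworkInterfaces` first if the group ID did not come from an investigation.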

# `AWSSupport-ConfigureDNSQueryLogging`
<a name="automation-aws-configure-dns-query-logging"></a>

 **Description** 

The `AWSSupport-ConfigureDNSQueryLogging` runbook configures logging for DNS queries that originate in your virtual private cloud (VPC) or for Amazon Route 53 hosted zones. You can choose to publish query logs to Amazon CloudWatch Logs, Amazon Simple Storage Service (Amazon S3), or Amazon Data Firehose. For more information about query logging and resolver query logs, see [Public DNS query logging](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/query-logs.html) and [Resolver query logging](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-query-logs.html).

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSSupport-ConfigureDNSQueryLogging) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ LogDestinationArn

  Type: String

  Description: (Optional) The ARN of the CloudWatch Logs group, Amazon S3 bucket, or Firehose stream you want to send query logs to. Note that Route 53 public DNS query logging only supports CloudWatch Logs groups. If you do not specify a value for this parameter, the automation creates a CloudWatch Logs group with the name format `AWSSupport-ConfigureDNSQueryLogging-{{automation:EXECUTION_ID}}`, and an IAM resource policy to publish the query logs. The CloudWatch Logs group created by the automation has a retention period of 14 days.
+ QueryLogType

  Type: String

  Description: (Optional) The types of queries you want to log.

  Valid values: Public | Resolver/Private

  Default: Public
+ ResourceId

  Type: String

   Description: (Required) The ID of the resource whose queries you want to log. If you specify `Public` for the `QueryLogType` parameter, the resource must be the ID of a Route 53 private hosted zone. If you specify `Resolver/Private` for the `QueryLogType` parameter, the resource must be the ID of a VPC. 

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ec2:DescribeVpcs` 
+  `firehose:ListTagsForDeliveryStream` 
+  `firehose:PutRecord` 
+  `firehose:PutRecordBatch` 
+  `firehose:TagDeliveryStream` 
+  `iam:AttachRolePolicy` 
+  `iam:CreatePolicy` 
+  `iam:CreateRole` 
+  `iam:CreateServiceLinkedRole` 
+  `iam:DeletePolicy` 
+  `iam:DeleteRole` 
+  `iam:DeleteRolePolicy` 
+  `iam:GetPolicy` 
+  `iam:GetRole` 
+  `iam:PassRole` 
+  `iam:PutRolePolicy` 
+  `iam:TagRole` 
+  `iam:UpdateRole` 
+  `logs:CreateLogDelivery` 
+  `logs:CreateLogGroup` 
+  `logs:DeleteLogDelivery` 
+  `logs:DeleteLogGroup` 
+  `logs:DescribeLogGroups` 
+  `logs:DescribeLogStreams` 
+  `logs:DescribeResourcePolicies` 
+  `logs:ListLogDeliveries` 
+  `logs:PutResourcePolicy` 
+  `logs:PutRetentionPolicy` 
+  `logs:UpdateLogDelivery` 
+  `route53:CreateQueryLoggingConfig` 
+  `route53:DeleteQueryLoggingConfig` 
+  `route53:GetHostedZone` 
+  `route53resolver:AssociateResolverQueryLogConfig` 
+  `route53resolver:CreateResolverQueryLogConfig` 
+  `route53resolver:DeleteResolverQueryLogConfig` 
+  `s3:GetBucketAcl` 

 **Document Steps** 
+  `aws:executeScript` - Verifies the resource you specify for the `ResourceId` parameter exists, and checks whether the resource type matches the required `QueryLogType` option. 
+  `aws:executeScript` - Verifies that the value you specify for the `LogDestinationArn` parameter matches the required `QueryLogType`.
+  `aws:executeScript` - Verifies the required permissions for Route 53 to publish logs to the CloudWatch Logs log group, and creates the required IAM resource policy if it doesn't exist. 
+  `aws:executeScript` - Enables the DNS query logging on the selected destination. 

# `AWSSupport-ConfigureTrafficMirroring`
<a name="automation-aws-configuretrafficmirroring"></a>

 **Description** 

 The `AWSSupport-ConfigureTrafficMirroring` runbook configures traffic mirroring to help you troubleshoot connectivity issues between a load balancer and Amazon Elastic Compute Cloud (Amazon EC2) instances. Traffic mirroring copies inbound and outbound traffic from the network interfaces that are attached to your instances. To configure traffic mirroring, this runbook creates the required targets, filters, and sessions. By default, the runbook configures mirroring for all inbound and outbound traffic for all protocols except Amazon DNS. If you want to mirror traffic from specific sources and destinations, you can modify the inbound and outbound rules after the automation completes. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSSupport-ConfigureTrafficMirroring) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ SourceENI

  Type: String

  Description: (Required) The elastic network interface you want to configure traffic mirroring for.
+ Target

  Type: String

  Description: (Required) The destination for the mirrored traffic. You must specify the ID of a network interface, a Network Load Balancer, or a Gateway Load Balancer endpoint. If you specify a Network Load Balancer, there must be UDP listeners on port 4789. 
+ SessionNumber

  Type: String

  Valid values: 1-32766

  Description: (Required) The number of the mirror session you want to use.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ec2:CreateTrafficMirrorTarget` 
+  `ec2:CreateTrafficMirrorFilter` 
+  `ec2:CreateTrafficMirrorFilterRule` 
+  `ec2:CreateTrafficMirrorSession` 
+  `ec2:DeleteTrafficMirrorSession` 
+  `ec2:DeleteTrafficMirrorFilter` 
+  `ec2:DeleteTrafficMirrorFilterRule` 
+  `iam:ListRoles` 
+  `ssm:GetAutomationExecution` 
+  `ssm:StartAutomationExecution` 

 **Document Steps** 
+  `aws:executeScript` - Runs a script to create a target. 
+  `aws:executeAwsApi` - Creates a filter rule. 
+  `aws:executeAwsApi` - Creates a mirror filter rule for all inbound traffic. 
+  `aws:executeAwsApi` - Creates a mirror filter rule for all outbound traffic. 
+  `aws:executeAwsApi` - Creates a traffic mirror session. 
+  `aws:executeAwsApi` - Deletes the filter if filter or session creation fails. 
+  `aws:executeAwsApi` - Deletes the target if filter or session creation fails. 

 **Outputs** 

CreateFilter.FilterId 

CreateSession.SessionId

CreateTarget.TargetIDOutput

# `AWSSupport-ConnectivityTroubleshooter`
<a name="automation-awssupport-connectivitytroubleshooter"></a>

 **Description** 

 The `AWSSupport-ConnectivityTroubleshooter` runbook diagnoses connectivity issues between the following: 
+ AWS resources within an Amazon Virtual Private Cloud (Amazon VPC)
+ AWS resources in different Amazon VPCs within the same AWS Region that are connected using VPC peering
+ AWS resources in an Amazon VPC and an internet resource using an internet gateway
+ AWS resources in an Amazon VPC and an internet resource using a network address translation (NAT) gateway

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSSupport-ConnectivityTroubleshooter) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ DestinationIP

  Type: String

  Description: (Required) The IPv4 address of the resource you want to connect to.
+ DestinationPort

  Type: String

  Default: true

  Description: (Required) The port number you want to connect to on the destination resource.
+ DestinationVpc

  Type: String

  Default: All

  Description: (Optional) The ID of the Amazon VPC you want to test connectivity to.
+ SourceIP

  Type: String

  Description: (Required) The private IPv4 address of the AWS resource in your Amazon VPC you want to test connectivity from.
+ SourcePortRange

  Type: String

  Description: (Optional) The port range used by the AWS resource in your Amazon VPC you want to test connectivity from.
+ SourceVpc

  Type: String

  Default: All

  Description: (Optional) The ID of the Amazon VPC you want to test connectivity from.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ec2:DescribeNatGateways` 
+  `ec2:DescribeNetworkAcls` 
+  `ec2:DescribeNetworkInterfaces` 
+  `ec2:DescribeRouteTables` 
+  `ec2:DescribeSecurityGroups` 
+  `ec2:DescribeVpcPeeringConnections` 

 **Document Steps** 
+  `aws:executeScript` - Gathers details about the AWS resource you specify in the `SourceIP` parameter. 
+  `aws:executeScript` - Determines the destination of network traffic from the AWS resource using the routes gathered from the previous step. 
+  `aws:branch` - Branches based on the destination of the network traffic. 
+  `aws:executeAwsApi` - Gathers details about the destination resource. 
+  `aws:executeScript` - Confirms that the ID returned for the destination Amazon VPC matches the value specified, if any, in the `DestinationVpc` parameter. 
+  `aws:executeAwsApi` - Gathers the security group rules for the source and destination resources. 
+  `aws:executeScript` - Confirms whether the security group rules allow the needed traffic between the source and destination resources. 
+  `aws:executeAwsApi` - Gathers the network access control lists (NACLs) associated with the subnets for the source and destination resources. 
+  `aws:executeScript` - Confirms whether the NACLs allow the needed traffic between the source and destination resources. 
+  `aws:executeScript` - Confirms whether the source has a public IP address associated with the resource, if the route destination is an internet gateway. 
+  `aws:executeAwsApi` - Gathers the security group rules for the source resource. 
+  `aws:executeScript` - Confirms whether the security group rules allow the needed traffic from the source to the destination resource. 
+  `aws:executeAwsApi` - Gathers the NACLs associated with the subnet for the source resource. 
+  `aws:executeScript` - Confirms whether the NACLs allow the needed traffic from the source resource. 
+  `aws:executeAwsApi` - Gathers details about the NAT gateway. 
+  `aws:executeAwsApi` - Gathers the NACLs associated with the subnet for the NAT gateway. 
+  `aws:executeScript` - Confirms whether the NACLs allow the needed traffic from the subnet for the NAT gateway. 
+  `aws:executeScript` - Gathers the routes associated with the subnet for the NAT gateway. 
+  `aws:executeScript` - Confirms whether the NAT gateway has a route to an internet gateway. 
+  `aws:executeAwsApi` - Gathers details about the VPC peering connection. 
+  `aws:executeScript` - Confirms both VPCs are in the same Region and that the ID returned for the destination VPC matches the value specified, if any, in the `DestinationVpc` parameter. 
+  `aws:executeAwsApi` - Returns the subnet of the destination resource. 
+  `aws:executeScript` - Gathers the routes associated with the subnet for the peered VPC. 
+  `aws:executeScript` - Confirms whether the peered VPC has a route to the peering connection. 
+  `aws:executeScript` - Confirms whether traffic is allowed from the source resource if the destination is not supported by the automation. 
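The steps above repeatedly "confirm whether the security group rules allow the needed traffic" and "confirm whether the NACLs allow the needed traffic". The block below is an added example of those two evaluations for the first case the runbook covers (two resources in one VPC); it is not the runbook's script. It generalizes slightly: security groups are evaluated as stateful allow-lists, NACLs as ordered stateless rule lists where the lowest-numbered match wins, and the stateless return path on the ephemeral port range (the role the runbook's `SourcePortRange` parameter plays) is checked as well. Rule dictionaries follow the shapes `DescribeSecurityGroups` and `DescribeNetworkAcls` return; all IPs, group IDs and rules are constructed sample data.

```python
"""Security-group and network-ACL evaluation for a flow between two resources
in one VPC. Added illustration of the checks AWSSupport-ConnectivityTroubleshooter
describes; not the runbook's own code. IPv4 only, for brevity."""
import ipaddress
from typing import Any, Dict, Iterable, List, Tuple

PROTOCOL_NUMBER = {"tcp": "6", "udp": "17"}  # SG IpProtocol names -> NACL Protocol numbers


def sg_allows(permissions: List[Dict[str, Any]], protocol: str, port: int,
              peer_ip: str, peer_group_ids: Iterable[str] = ()) -> bool:
    """Security groups are stateful allow-lists: one matching rule is enough.
    Matches on IPv4 CIDR ranges and on references to other security groups."""
    peer = ipaddress.ip_address(peer_ip)
    for perm in permissions:
        if perm["IpProtocol"] not in ("-1", protocol):
            continue
        if perm["IpProtocol"] != "-1" and not perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535):
            continue
        if any(peer in ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", [])):
            return True
        if any(p["GroupId"] in peer_group_ids for p in perm.get("UserIdGroupPairs", [])):
            return True
    return False


def nacl_decision(entries: List[Dict[str, Any]], egress: bool, protocol: str,
                  port: int, peer_ip: str) -> str:
    """Network ACLs are stateless and ordered: the lowest-numbered entry that
    matches decides. The catch-all '*' entry (RuleNumber 32767) denies, and an
    entry list without it still denies by default here."""
    peer = ipaddress.ip_address(peer_ip)
    for e in sorted((e for e in entries if e["Egress"] == egress), key=lambda e: e["RuleNumber"]):
        if e["Protocol"] not in ("-1", protocol):
            continue
        pr = e.get("PortRange")
        if pr and not pr["From"] <= port <= pr["To"]:
            continue
        if peer not in ipaddress.ip_network(e["CidrBlock"]):
            continue
        return e["RuleAction"]
    return "deny"


def nacl_allows_range(entries, egress: bool, protocol: str,
                      port_range: Tuple[int, int], peer_ip: str) -> bool:
    """True if every port in port_range is allowed. The decision can only change
    at a rule boundary, so probing the range endpoints plus each boundary and its
    neighbours is exact without looping over 64k ports."""
    lo, hi = port_range
    probes = {lo, hi}
    for e in entries:
        pr = e.get("PortRange")
        if pr:
            probes.update(p for p in (pr["From"] - 1, pr["From"], pr["To"], pr["To"] + 1) if lo <= p <= hi)
    return all(nacl_decision(entries, egress, protocol, p, peer_ip) == "allow" for p in probes)


def same_vpc_path(src: Dict[str, Any], dst: Dict[str, Any], protocol: str, port: int,
                  ephemeral: Tuple[int, int] = (1024, 65535)):
    """Forward path and stateless return path. src/dst: {"ip", "sg", "nacl"}."""
    proto_num = PROTOCOL_NUMBER[protocol]
    checks = {
        "source_sg_egress": sg_allows(src["sg"]["IpPermissionsEgress"], protocol, port, dst["ip"], (dst["sg"]["GroupId"],)),
        "source_nacl_egress": nacl_decision(src["nacl"], True, proto_num, port, dst["ip"]) == "allow",
        "destination_nacl_ingress": nacl_decision(dst["nacl"], False, proto_num, port, src["ip"]) == "allow",
        "destination_sg_ingress": sg_allows(dst["sg"]["IpPermissions"], protocol, port, src["ip"], (src["sg"]["GroupId"],)),
        # Replies carry the ephemeral port, and NACLs do not track connection state.
        "destination_nacl_egress_return": nacl_allows_range(dst["nacl"], True, proto_num, ephemeral, src["ip"]),
        "source_nacl_ingress_return": nacl_allows_range(src["nacl"], False, proto_num, ephemeral, dst["ip"]),
    }
    return all(checks.values()), checks


def _entry(num, egress, action, cidr, protocol="-1", ports=None):
    """Build one DescribeNetworkAcls entry (constructed sample data helper)."""
    e = {"RuleNumber": num, "Egress": egress, "RuleAction": action, "CidrBlock": cidr, "Protocol": protocol}
    if ports:
        e["PortRange"] = {"From": ports[0], "To": ports[1]}
    return e


# Constructed sample: a client (SRC) talking to a web server (DST) over TCP/443.
SRC = {
    "ip": "10.0.1.10",
    "sg": {"GroupId": "sg-src", "IpPermissions": [],
           "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    "nacl": [_entry(100, True, "allow", "0.0.0.0/0"), _entry(32767, True, "deny", "0.0.0.0/0"),
             _entry(100, False, "allow", "10.0.0.0/16", "6", (1024, 65535)), _entry(32767, False, "deny", "0.0.0.0/0")],
}
DST = {
    "ip": "10.0.2.20",
    "sg": {"GroupId": "sg-dst",
           "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                              "UserIdGroupPairs": [{"GroupId": "sg-src"}]}],
           "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    "nacl": [_entry(90, False, "deny", "10.0.9.0/24", "6", (443, 443)),
             _entry(100, False, "allow", "10.0.0.0/16", "6", (443, 443)), _entry(32767, False, "deny", "0.0.0.0/0"),
             _entry(100, True, "allow", "0.0.0.0/0", "6", (1024, 65535)), _entry(32767, True, "deny", "0.0.0.0/0")],
}

if __name__ == "__main__":
    for p in (443, 22):
        ok, detail = same_vpc_path(SRC, DST, "tcp", p)
        print(p, "allowed" if ok else "blocked", [k for k, v in detail.items() if not v])
```

The per-check dictionary is the useful output: when a path is blocked it names the layer (source or destination, security group or NACL, forward or return direction), which is what the runbook's branch steps are reporting.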

# `AWSSupport-TroubleshootVPN`
<a name="automation-aws-troubleshoot-vpn"></a>

 **Description** 

The `AWSSupport-TroubleshootVPN` runbook helps you trace and resolve errors in an AWS Site-to-Site VPN connection. The automation includes several automated checks designed to trace `IKEv1` or `IKEv2` errors related to AWS Site-to-Site VPN connection tunnels. The automation tries to match specific errors and their corresponding resolutions from a list of common issues.

**Note:** This automation does not fix the errors. It scans the [VPN CloudWatch log group](https://docs.aws.amazon.com//vpn/latest/s2svpn/log-contents.html) for errors within the time range you specify.

 **How does it work?** 

The runbook first validates the input parameters: it confirms that the Amazon CloudWatch log group you specify exists, that the log group contains log streams corresponding to VPN tunnel logging, that the VPN connection ID exists, and that the tunnel IP address exists. It then makes CloudWatch Logs Insights API calls against the log group configured for VPN logging.

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ LogGroupName

  Type: String

  Description: (Required) The Amazon CloudWatch log group name configured for AWS Site-to-Site VPN connection logging.

  Allowed Pattern: `^[\.\-_/#A-Za-z0-9]{1,512}` 
+ VpnConnectionId

  Type: String

  Description: (Required) The ID of the AWS Site-to-Site VPN connection to troubleshoot.

  Allowed Pattern: `^vpn-[0-9a-f]{8,17}$` 
+ TunnelAIPAddress

  Type: String

  Description: (Required) The tunnel number 1 IPv4 address associated with your AWS Site-to-Site VPN.

  Allowed Pattern: `^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)[.]){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?){1}$` 
+ TunnelBIPAddress

  Type: String

  Description: (Optional) The tunnel number 2 IPv4 address associated with your AWS Site-to-Site VPN.

  Allowed Pattern: `^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)[.]){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?){1}|^$` 
+ IKEVersion

  Type: String

  Description: (Required) The IKE version you are using. Allowed values: IKEv1, IKEv2.

  Valid values: `['IKEv1', 'IKEv2']`
+ StartTimeinEpoch

  Type: String

  Description: (Optional) Start time for log analysis. You can use either StartTimeinEpoch/EndTimeinEpoch or LookBackPeriod for log analysis.

  Allowed Pattern: `^\d{10}|^$` 
+ EndTimeinEpoch

  Type: String

  Description: (Optional) End time for log analysis. You can use either StartTimeinEpoch/EndTimeinEpoch or LookBackPeriod for log analysis. If both StartTimeinEpoch/EndTimeinEpoch and LookBackPeriod are given, LookBackPeriod takes precedence.

  Allowed Pattern: `^\d{10}|^$` 
+ LookBackPeriod

  Type: String

  Description: (Optional) Two-digit number of hours to look back for log analysis. Valid range: 01 - 99. This value takes precedence if you also give StartTimeinEpoch and EndTimeinEpoch.

  Allowed Pattern: `^(\d?[1-9]|[1-9]0)|^$` 

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+ `logs:DescribeLogGroups`
+ `logs:GetQueryResults`
+ `logs:DescribeLogStreams`
+ `logs:StartQuery`
+ `ec2:DescribeVpnConnections`

 **Instructions** 

**Note:** This automation works on the CloudWatch log group configured for your VPN tunnel logging, when the logging output format is JSON.

Follow these steps to configure the automation:

1. Navigate to the [AWSSupport-TroubleshootVPN](https://console.aws.amazon.com/systems-manager/documents/AWSSupport-TroubleshootVPN/description) runbook in the AWS Systems Manager console.

1. For the input parameters enter the following:
   + **AutomationAssumeRole (Optional):**

     The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
   + **LogGroupName (Required):**

     The Amazon CloudWatch log group name to be validated. This must be the CloudWatch log group which is configured for VPN to send logs to.
   + **VpnConnectionId (Required):**

     The ID of the AWS Site-to-Site VPN connection whose log group is searched for VPN errors.
   + **TunnelAIPAddress (Required):**

     The tunnel A IP address associated with your AWS Site-to-Site VPN connection.
   + **TunnelBIPAddress (Optional):**

     The tunnel B IP address associated with your AWS Site-to-Site VPN connection.
   + **IKEVersion (Required):**

     The IKE version you are using. Allowed values: IKEv1, IKEv2.
   + **StartTimeinEpoch (Optional):**

     The beginning of the time range to query for error. The range is inclusive, so the specified start time is included in the query. Specified as epoch time, the number of seconds since January 1, 1970, 00:00:00 UTC.
   + **EndTimeinEpoch (Optional):**

     The end of the time range to query for errors. The range is inclusive, so the specified end time is included in the query. Specified as epoch time, the number of seconds since January 1, 1970, 00:00:00 UTC.
   + **LookBackPeriod (Required):**

     Time in hours to look back to query for error.

   **Note:** Configure a StartTimeinEpoch, EndTimeinEpoch, or LookBackPeriod to fix the time range for log analysis. Give a two-digit number in hours to check for errors in the past from the automation start time. Or, if the error is in the past within a specific time range, include StartTimeinEpoch and EndTimeinEpoch, instead of LookBackPeriod.  
![Input parameters form for AWS Site-to-Site VPN connection validation and log analysis.](http://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/images/awssupport-troubleshoot-vpn_input_parameters.png)

1. Select **Execute.**

1. The automation initiates.

1. The automation runbook performs the following steps:
   + **parameterValidation:**

     Runs a series of validations on the input parameters provided to the automation.
   + **branchOnValidationOfLogGroup:**

     Checks whether the log group specified in the parameters is valid. If it is invalid, the remaining automation steps are not run.
   + **branchOnValidationOfLogStream:**

     Checks whether a log stream exists in the specified CloudWatch log group. If none exists, the remaining automation steps are not run.
   + **branchOnValidationOfVpnConnectionId:**

     Checks whether the VPN connection ID specified in the parameters is valid. If it is invalid, the remaining automation steps are not run.
   + **branchOnValidationOfVpnIp:**

     Checks whether the tunnel IP address specified in the parameters is valid. If it is invalid, the remaining automation steps are not run.
   + **traceError:**

     Makes a CloudWatch Logs Insights API call against the specified log group and searches for errors related to IKEv1/IKEv2, along with a suggested resolution for each.

1. After the automation completes, review the Outputs section for the detailed results of the execution.  
![Output section showing parameter validation results and error messages for VPN tunnels.](http://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/images/awssupport-troubleshoot-vpn_outputs.png)
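The parameter validation and time-window rules described above (the Allowed Patterns under **Parameters**, and LookBackPeriod taking precedence over StartTimeinEpoch/EndTimeinEpoch) are reproduced in the added example below so they can be applied before starting the automation. This is not the runbook's own validation script: the runbook's Logs Insights query is not shown on the page, so the `queryString` built here is a generic placeholder, and the sample inputs are constructed. The patterns are the page's own; the example applies them with `re.fullmatch` because several lack a trailing `$`.

```python
"""Input validation and time-window resolution for AWSSupport-TroubleshootVPN.
Added illustration based on the documented parameters; not the runbook's code."""
import re
import time
from typing import Dict, List, Optional, Tuple

# Allowed Patterns exactly as documented for the runbook's parameters.
ALLOWED = {
    "LogGroupName": r"^[\.\-_/#A-Za-z0-9]{1,512}",
    "VpnConnectionId": r"^vpn-[0-9a-f]{8,17}$",
    "TunnelAIPAddress": r"^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)[.]){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?){1}$",
    "TunnelBIPAddress": r"^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)[.]){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?){1}|^$",
    "StartTimeinEpoch": r"^\d{10}|^$",
    "EndTimeinEpoch": r"^\d{10}|^$",
    "LookBackPeriod": r"^(\d?[1-9]|[1-9]0)|^$",
}
REQUIRED = ("LogGroupName", "VpnConnectionId", "TunnelAIPAddress", "IKEVersion")
IKE_VERSIONS = ("IKEv1", "IKEv2")


def validate(params: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the inputs pass.

    re.fullmatch is used on purpose: with a prefix match, the LookBackPeriod
    pattern would accept '100' (its '10' prefix matches) although the documented
    range is 01-99.
    """
    problems = []
    for name in REQUIRED:
        if not params.get(name):
            problems.append(f"{name} is required")
    if params.get("IKEVersion") not in IKE_VERSIONS:
        problems.append("IKEVersion must be IKEv1 or IKEv2")
    for name, pattern in ALLOWED.items():
        if re.fullmatch(pattern, params.get(name, "")) is None:
            problems.append(f"{name} does not match allowed pattern")
    return problems


def resolve_window(params: Dict[str, str], now: Optional[int] = None) -> Tuple[int, int]:
    """Return (start, end) epoch seconds for the log query.

    LookBackPeriod (hours, 01-99) wins over an explicit Start/End pair, as the
    parameter descriptions state. `now` is injectable for testing.
    """
    now = int(time.time()) if now is None else now
    look_back = params.get("LookBackPeriod", "")
    if look_back:
        return now - int(look_back) * 3600, now
    start, end = params.get("StartTimeinEpoch", ""), params.get("EndTimeinEpoch", "")
    if start and end:
        start, end = int(start), int(end)
        if start > end:
            raise ValueError("StartTimeinEpoch must not be later than EndTimeinEpoch")
        return start, end
    raise ValueError("Provide LookBackPeriod or both StartTimeinEpoch and EndTimeinEpoch")


def build_start_query(params: Dict[str, str], now: Optional[int] = None) -> Dict[str, object]:
    """Keyword arguments for boto3 `logs.start_query`. The query string is a
    generic placeholder; the runbook's IKE-specific filter is not on the page."""
    start, end = resolve_window(params, now)
    return {
        "logGroupName": params["LogGroupName"],
        "startTime": start,
        "endTime": end,
        "queryString": "fields @timestamp, @message | sort @timestamp desc | limit 100",
    }


# Constructed sample inputs (documentation address range, made-up connection ID).
SAMPLE = {
    "LogGroupName": "/aws/vpn/site-to-site",
    "VpnConnectionId": "vpn-0123456789abcdef0",
    "TunnelAIPAddress": "203.0.113.10",
    "TunnelBIPAddress": "",
    "IKEVersion": "IKEv2",
    "StartTimeinEpoch": "1700000000",
    "EndTimeinEpoch": "1700003600",
    "LookBackPeriod": "02",
}

if __name__ == "__main__":
    print("problems:", validate(SAMPLE) or "none")
    print(build_start_query(SAMPLE))
```

Run the validation before `ssm:StartAutomationExecution` rather than relying on the runbook's branch steps alone: a rejected parameter then costs nothing, and the resolved window makes it obvious whether LookBackPeriod silently overrode the explicit start and end times you meant to use.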

 **References** 

Systems Manager Automation
+ [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSSupport-TroubleshootVPN)
+ [Run an automation](https://docs.aws.amazon.com//systems-manager/latest/userguide/automation-working-executing.html)
+ [Setting up an Automation](https://docs.aws.amazon.com//systems-manager/latest/userguide/automation-setup.html)
+ [Support Automation Workflows landing page](https://aws.amazon.com/premiumsupport/technology/saw/)

AWS service documentation
+ [Contents of Site-to-Site VPN logs](https://docs.aws.amazon.com//vpn/latest/s2svpn/log-contents.html)

# `AWSConfigRemediation-DeleteEgressOnlyInternetGateway`
<a name="automation-aws-delete-egress-igw"></a>

 **Description** 

 The `AWSConfigRemediation-DeleteEgressOnlyInternetGateway` runbook deletes the egress-only internet gateway you specify. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-DeleteEgressOnlyInternetGateway) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ EgressOnlyInternetGatewayId

  Type: String

  Description: (Required) The ID of the egress-only internet gateway that you want to delete.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `ec2:DeleteEgressOnlyInternetGateway` 
+  `ec2:DescribeEgressOnlyInternetGateways` 

 **Document Steps** 
+  `aws:executeScript` - Deletes the egress-only internet gateway specified in the `EgressOnlyInternetGatewayId` parameter. 
+  `aws:executeScript` - Verifies the egress-only internet gateway has been deleted. 

# `AWSConfigRemediation-DeleteUnusedENI`
<a name="automation-aws-delete-eni"></a>

 **Description** 

 The `AWSConfigRemediation-DeleteUnusedENI` runbook deletes an elastic network interface (ENI) that has an attachment status of `detached` . 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-DeleteUnusedENI) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ NetworkInterfaceId

  Type: String

  Description: (Required) The ID of the ENI that you want to delete.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `ec2:DeleteNetworkInterface` 
+  `ec2:DescribeNetworkInterfaces`

 **Document Steps** 
+  `aws:executeAwsApi` - Deletes the ENI you specify in the `NetworkInterfaceId` parameter. 
+  `aws:executeScript` - Verifies the ENI has been deleted. 

# `AWSConfigRemediation-DeleteUnusedSecurityGroup`
<a name="automation-aws-delete-ec2-security-group"></a>

 **Description** 

 The `AWSConfigRemediation-DeleteUnusedSecurityGroup` runbook deletes the security group you specify in the `GroupId` parameter. If you attempt to delete a security group that is associated with an Amazon Elastic Compute Cloud (Amazon EC2) instance, or is referenced by another security group, the automation fails. This automation does not delete a default security group. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-DeleteUnusedSecurityGroup) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ GroupId

  Type: String

  Description: (Required) The ID of the security group that you want to delete.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `ec2:DescribeSecurityGroups` 
+  `ec2:DeleteSecurityGroup` 

 **Document Steps** 
+  `aws:executeAwsApi` - Returns the security group name using the value you provide in the `GroupId` parameter. 
+  `aws:branch` - Confirms that the group name is not "default". 
+  `aws:executeAwsApi` - Deletes the security group specified in the `GroupId` parameter. 
+  `aws:executeScript` - Confirms the security group was deleted. 

# `AWSConfigRemediation-DeleteUnusedVPCNetworkACL`
<a name="automation-aws-delete-vpc-nacl"></a>

 **Description** 

 The `AWSConfigRemediation-DeleteUnusedVPCNetworkACL` runbook deletes a network access control list (ACL) that is not associated with a subnet. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-DeleteUnusedVPCNetworkACL) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ NetworkAclId

  Type: String

  Description: (Required) The ID of the network ACL that you want to delete.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `ec2:DeleteNetworkAcl` 
+  `ec2:DescribeNetworkAcls` 

 **Document Steps** 
+  `aws:executeAwsApi` - Deletes the network ACL specified in the `NetworkAclId` parameter. 
+  `aws:executeScript` - Confirms the network ACL specified in the `NetworkAclId` parameter was deleted. 

# `AWSConfigRemediation-DeleteVPCFlowLog`
<a name="automation-aws-delete-vpc-flow-log"></a>

 **Description** 

 The `AWSConfigRemediation-DeleteVPCFlowLog` runbook deletes the virtual private cloud (VPC) flow log you specify. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-DeleteVPCFlowLog) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ FlowLogId

  Type: String

  Description: (Required) The ID of the flow log that you want to delete.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `ec2:DeleteFlowLogs` 
+  `ec2:DescribeFlowLogs` 

 **Document Steps** 
+  `aws:executeAwsApi` - Deletes the flow log you specify in the `FlowLogId` parameter. 
+  `aws:executeScript` - Verifies the flow log has been deleted. 

# `AWSConfigRemediation-DetachAndDeleteInternetGateway`
<a name="automation-aws-detach-delete-igw"></a>

 **Description** 

 The `AWSConfigRemediation-DetachAndDeleteInternetGateway` runbook detaches and deletes the internet gateway you specify. If any Amazon EC2 instances in your virtual private cloud (VPC) have elastic IP addresses or public IPv4 addresses associated with them, the runbook fails. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-DetachAndDeleteInternetGateway) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ InternetGatewayId

  Type: String

  Description: (Required) The ID of the internet gateway that you want to delete.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `ec2:DeleteInternetGateway` 
+  `ec2:DescribeInternetGateways` 
+  `ec2:DetachInternetGateway` 

 **Document Steps** 
+  `aws:executeAwsApi` - Gathers the VPC ID from the internet gateway ID. 
+  `aws:executeAwsApi` - Detaches the internet gateway from the VPC. 
+  `aws:executeAwsApi` - Deletes the internet gateway. 

# `AWSConfigRemediation-DetachAndDeleteVirtualPrivateGateway`
<a name="automation-aws-detach-delete-vpg"></a>

 **Description** 

 The `AWSConfigRemediation-DetachAndDeleteVirtualPrivateGateway` runbook detaches and deletes a given Amazon Elastic Compute Cloud (Amazon EC2) virtual private gateway attached to a virtual private cloud (VPC) created with Amazon Virtual Private Cloud (Amazon VPC). 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-DetachAndDeleteVirtualPrivateGateway) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ VpnGatewayId

  Type: String

  Description: (Required) The ID of the virtual private gateway to be deleted.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `ec2:DeleteVpnGateway` 
+  `ec2:DetachVpnGateway` 
+  `ec2:DescribeVpnGateways` 

 **Document Steps** 
+  `aws:waitForAwsResourceProperty` - Accepts the ID of the virtual private gateway and waits until the virtual private gateway's state property changes to `available` or times out. 
+  `aws:executeAwsApi` - Retrieves a specified virtual private gateway configuration. 
+  `aws:branch` - Branches based on the VpcAttachments.state parameter value. 
+  `aws:waitForAwsResourceProperty` - Accepts the ID of the virtual private gateway and waits until the virtual private gateway's VpcAttachments.state's property changes to `attached` or times out. 
+  `aws:executeAwsApi` - Accepts the ID of the virtual private gateway and the ID of the Amazon VPC as input, and detaches the virtual private gateway from the Amazon VPC. 
+  `aws:waitForAwsResourceProperty` - Accepts the ID of the virtual private gateway and waits until the virtual private gateway's VpcAttachments.state's property changes to `detached` or times out. 
+  `aws:executeAwsApi` - Accepts the ID of the virtual private gateway as input and deletes it. 
+  `aws:waitForAwsResourceProperty` - Accepts the ID of the virtual private gateway as input and verifies its deletion. 

# `AWS-DisableIncomingSSHOnPort22`
<a name="disable-incoming-ssh"></a>

**Description**

The `AWS-DisableIncomingSSHOnPort22` runbook removes rules that allow unrestricted incoming SSH traffic on TCP port 22 for security groups.

[Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWS-DisableIncomingSSHOnPort22)

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ SecurityGroupIds

  Type: String

  Description: (Required) A comma separated list of the IDs of the security groups you want to restrict SSH traffic for.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+ `ec2:DescribeSecurityGroups`
+ `ec2:RevokeSecurityGroupIngress`

**Document Steps**
+ `aws:executeAwsApi` - Removes all rules allowing incoming SSH traffic on TCP port 22 from the security groups you specify in the `SecurityGroupIds` parameter.

**Outputs**

DisableIncomingSSHTemplate.RestrictedSecurityGroupIds - A list of the IDs of the security groups that had inbound SSH rules removed.

# `AWS-DisablePublicAccessForSecurityGroup`
<a name="automation-aws-disablepublicaccessforsecuritygroup"></a>

 **Description** 

The `AWS-DisablePublicAccessForSecurityGroup` runbook removes inbound rules on the specified security group that open the default SSH and RDP ports to all IP addresses.

**Important**  
This runbook fails with an `InvalidPermission.NotFound` error for security groups that meet both of the following criteria: 1) the security group is located in a non-default VPC; and 2) the security group's inbound rules don't open the ports using all four of the following patterns:  
+ `0.0.0.0/0`
+ `::/0`
+ SSH or RDP port + `0.0.0.0/0`
+ SSH or RDP port + `::/0`

The error comes from the `RevokeSecurityGroupIngress` API, which removes only a rule whose protocol, port range, and source match the request exactly; a rule the runbook tries to revoke but the group doesn't contain produces `InvalidPermission.NotFound`.

**Note**  
This runbook is not available in the AWS Regions located within China.

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWS-DisablePublicAccessForSecurityGroup) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ GroupId

  Type: String

  Description: (Required) The ID of the security group for which the ports should be disabled.
+ IpAddressToBlock

  Type: String

  Description: (Optional) Additional IPv4 addresses from which access should be blocked, in the format `1.2.3.4/32`.
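
The exact-match requirement behind the `InvalidPermission.NotFound` note above is easiest to see in code. The following Python is an added example and is not the implementation of `AWS-DisablePublicAccessForSecurityGroup` or `AWS-DisableIncomingSSHOnPort22`. From a `DescribeSecurityGroups` record it selects the rules that open the default SSH (TCP 22) and RDP (TCP 3389) ports to `0.0.0.0/0` or `::/0`, builds a `RevokeSecurityGroupIngress` request that matches those rules exactly (keeping only the world sources, so a `203.0.113.0/24` entry on the same port survives), and sets aside wider rules, such as an all-traffic rule, that also expose the ports but cannot be revoked by port. The security group record is constructed for illustration, and the `apply_plan` helper assumes boto3 and credentials.

```python
"""Added example: plan exact-match revocations of world-open SSH/RDP rules.

Not the runbook's implementation. Works on a DescribeSecurityGroups record so
it runs offline; the sample group below is constructed, not real."""
from ipaddress import ip_network

SSH_PORT, RDP_PORT = 22, 3389
SENSITIVE_PORTS = (SSH_PORT, RDP_PORT)


def _is_world(cidr):
    """True for the any-source prefixes 0.0.0.0/0 and ::/0."""
    return ip_network(cidr, strict=False).prefixlen == 0


def _covers(perm, port):
    """Does this IpPermission admit TCP traffic to `port`, exactly or via a wider rule?"""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # all traffic: no port fields at all
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def plan_revocations(group, ports=SENSITIVE_PORTS):
    """Split world-open rules for `ports` into revocable and review-only sets.

    `revoke` holds IpPermissions copied from the group with only the world
    sources kept, so RevokeSecurityGroupIngress matches them exactly.
    `review` lists wider rules (all traffic, port ranges) that also expose the
    ports: revoking "tcp/22" against those raises InvalidPermission.NotFound,
    and deleting them outright would drop unrelated access, so a human decides.
    """
    revoke, review = [], []
    for perm in group.get("IpPermissions", []):
        world_v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if _is_world(r["CidrIp"])]
        world_v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if _is_world(r["CidrIpv6"])]
        if not (world_v4 or world_v6):
            continue
        exposed = [p for p in ports if _covers(perm, p)]
        if not exposed:
            continue
        single_port = perm.get("IpProtocol") == "tcp" and perm.get("FromPort") == perm.get("ToPort")
        if single_port and perm["FromPort"] in ports:
            entry = {"IpProtocol": "tcp", "FromPort": perm["FromPort"], "ToPort": perm["ToPort"]}
            if world_v4:
                entry["IpRanges"] = [{"CidrIp": c} for c in world_v4]
            if world_v6:
                entry["Ipv6Ranges"] = [{"CidrIpv6": c} for c in world_v6]
            revoke.append(entry)
        else:
            review.append({"IpProtocol": perm.get("IpProtocol"), "FromPort": perm.get("FromPort"),
                           "ToPort": perm.get("ToPort"), "Exposes": exposed})
    return {"GroupId": group["GroupId"], "revoke": revoke, "review": review}


def apply_plan(plan, region_name="us-east-1"):
    """Live variant (needs boto3 and credentials; not exercised offline)."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region_name)
    if plan["revoke"]:
        ec2.revoke_security_group_ingress(GroupId=plan["GroupId"], IpPermissions=plan["revoke"])
    return plan["review"]


# Constructed sample: exact SSH/RDP exposure, an unrelated world-open HTTPS
# rule, an all-traffic rule, and a range limited to a private source.
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ],
}

if __name__ == "__main__":
    import json
    print(json.dumps(plan_revocations(SAMPLE_GROUP), indent=2))
```

Running the module prints two revocable entries (the `0.0.0.0/0` source on port 22 and the `::/0` source on port 3389) and one review item for the all-traffic rule; the HTTPS rule and the `10.0.0.0/8` range are left alone.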

# `AWSConfigRemediation-DisableSubnetAutoAssignPublicIP`
<a name="automation-aws-disable-subnet-auto-public-ip"></a>

 **Description** 

 The `AWSConfigRemediation-DisableSubnetAutoAssignPublicIP` runbook disables the IPv4 public addressing attribute for the subnet you specify. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-DisableSubnetAutoAssignPublicIP) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ SubnetId

  Type: String

  Description: (Required) The ID of the subnet that you want to disable the auto-assign public IPv4 address attribute on.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `ec2:DescribeSubnets` 
+  `ec2:ModifySubnetAttribute` 

 **Document Steps** 
+  `aws:executeAwsApi` - Disables the auto-assign public IPv4 address attribute for the subnet you specified in the `SubnetId` parameter. 
+  `aws:assertAwsResourceProperty` - Verifies the attribute has been disabled. 

# `AWSSupport-EnableVPCFlowLogs`
<a name="automation-aws-enable-vpc-flowlogs"></a>

 **Description** 

 The `AWSSupport-EnableVPCFlowLogs` runbook creates Amazon Virtual Private Cloud (Amazon VPC) Flow Logs for subnets, network interfaces, and VPCs in your AWS account. If you create a flow log for a subnet or VPC, each elastic network interface in that subnet or VPC is monitored. Flow log data is published to the Amazon CloudWatch Logs log group or the Amazon Simple Storage Service (Amazon S3) bucket you specify. For more information about flow logs, see [VPC Flow Logs](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html) in the *Amazon VPC User Guide*. 

**Important**  
 Data ingestion and archival charges for vended logs apply when you publish flow logs to CloudWatch Logs or to Amazon S3. For more information, see [Flow Logs pricing](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html#flow-logs-pricing). 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSSupport-EnableVPCFlowLogs) 

**Note**  
When selecting `s3` as the log destination, ensure that the bucket policy allows the log delivery service access to the bucket. For more information, see [Amazon S3 bucket permissions for flow logs](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-s3.html#flow-logs-s3-permissions).

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ DeliverLogsPermissionArn

  Type: String

   Description: (Optional) The ARN for the IAM role that permits Amazon Elastic Compute Cloud (Amazon EC2) to publish flow logs to the CloudWatch Logs log group in your account. If you specify `s3` for the `LogDestinationType` parameter, do not provide a value for this parameter. For more information, see [Publish flow logs to CloudWatch Logs](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-cwl.html) in the *Amazon VPC User Guide* . 
+ LogDestinationARN

  Type: String

   Description: (Optional) The ARN of the resource to which the flow log data is published. If `cloud-watch-logs` is specified for the `LogDestinationType` parameter, provide the ARN of the CloudWatch Logs log group you want to publish flow log data to. Alternatively, use `LogGroupName` instead. If `s3` is specified for the `LogDestinationType` parameter, you must specify the ARN of the Amazon S3 bucket you want to publish flow log data to for this parameter. You can also specify a folder in the bucket. 
**Important**  
 When choosing `s3` as the `LogDestinationType`, ensure that the selected bucket follows [Amazon S3 Bucket security best practices](https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html), and that you follow the data privacy laws for your organization and geographic region. 
+ LogDestinationType

  Type: String

  Valid values: cloud-watch-logs | s3

   Description: (Required) Determines where flow log data is published. If you specify `LogDestinationType` as `s3` , do not specify `DeliverLogsPermissionArn` or `LogGroupName` . 
+ LogFormat

  Type: String

   Description: (Optional) The fields to include in the flow log, and the order in which they should appear in the record. For a list of available fields, see [Flow log records](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html#flow-log-records) in the *Amazon VPC User Guide* . If you do not provide a value for this parameter, the flow log is created using the default format. If you specify this parameter, you must specify at least one field. 
+ LogGroupName

  Type: String

   Description: (Optional) The name of the CloudWatch Logs log group where flow log data is published. If you specify `s3` for the `LogDestinationType` parameter, do not provide a value for this parameter. 
+ ResourceIds

  Type: StringList

  Description: (Required) A comma-separated list of the IDs for the subnets, elastic network interfaces, or VPC for which you want to create a flow log.
+ TrafficType

  Type: String

  Valid values: ACCEPT | REJECT | ALL

  Description: (Required) The type of traffic to log. You can log traffic that the resource accepts or rejects, or all traffic.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `ec2:CreateFlowLogs` 
+  `ec2:DeleteFlowLogs` 
+  `ec2:DescribeFlowLogs` 
+  `iam:AttachRolePolicy` 
+  `iam:CreateRole` 
+  `iam:CreatePolicy` 
+  `iam:DeletePolicy` 
+  `iam:DeleteRole` 
+  `iam:DeleteRolePolicy` 
+  `iam:GetPolicy` 
+  `iam:GetRole` 
+  `iam:TagRole` 
+  `iam:PassRole` 
+  `iam:PutRolePolicy` 
+  `iam:UpdateRole` 
+  `logs:CreateLogDelivery` 
+  `logs:CreateLogGroup` 
+  `logs:DeleteLogDelivery` 
+  `logs:DeleteLogGroup` 
+  `logs:DescribeLogGroups` 
+  `logs:DescribeLogStreams` 
+  `s3:GetBucketLocation` 
+  `s3:GetBucketAcl` 
+  `s3:GetBucketPublicAccessBlock` 
+  `s3:GetAccountPublicAccessBlock` 
+  `s3:GetBucketPolicyStatus` 
+  `s3:ListBucket` 
+  `s3:PutObject` 

Sample Policy

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SSMExecutionPermissions",
            "Effect": "Allow",
            "Action": [
                "ssm:StartAutomationExecution",
                "ssm:GetAutomationExecution"
            ],
            "Resource": "*"
        },
        {
            "Sid": "EC2FlowLogsPermissions",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateFlowLogs",
                "ec2:DeleteFlowLogs",
                "ec2:DescribeFlowLogs"
            ],
            "Resource": [
                "arn:aws:ec2:us-east-1:111122223333:instance/resource-id",
                "arn:aws:ec2:us-east-1:111122223333:subnet/resource-id",
                "arn:aws:ec2:us-east-1:111122223333:vpc/resource-id",
                "arn:aws:ec2:us-east-1:111122223333:transit-gateway/resource-id",
                "arn:aws:ec2:us-east-1:111122223333:transit-gateway-attachment/resource-id"
            ]
        },
        {
            "Sid": "IAMCreateRolePermissions",
            "Effect": "Allow",
            "Action": [
                "iam:AttachRolePolicy",
                "iam:CreateRole",
                "iam:CreatePolicy",
                "iam:DeletePolicy",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:GetPolicy",
                "iam:GetRole",
                "iam:TagRole",
                "iam:PassRole",
                "iam:PutRolePolicy",
                "iam:UpdateRole"
            ],
            "Resource": [
                "arn:aws:iam::111122223333:role/role-name",
                "arn:aws:iam::111122223333:role/AWSSupportCreateFlowLogsRole"
            ]
        },
        {
            "Sid": "CloudWatchLogsPermissions",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogDelivery",
                "logs:CreateLogGroup",
                "logs:DeleteLogDelivery",
                "logs:DeleteLogGroup",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams"
            ],
            "Resource": [
                "arn:aws:logs:us-east-1:111122223333:log-group:log-group-name",
                "arn:aws:logs:us-east-1:111122223333:log-group:log-group-name:*"
            ]
        },
        {
            "Sid": "S3Permissions",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetAccountPublicAccessBlock",
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketAcl",
                "s3:ListBucket",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket",
                "arn:aws:s3:::amzn-s3-demo-bucket/*"
            ]
        }
    ]
}
```

 **Document Steps** 
+  `aws:branch` - Branches based on the value specified for the `LogDestinationType` parameter. 
+  `aws:executeScript` - Checks whether the target Amazon Simple Storage Service (Amazon S3) bucket potentially grants **read** or **write** `public` access to its objects. 
+  `aws:executeScript` - Creates a log group if no value is specified for the `LogDestinationARN` parameter, and `cloud-watch-logs` is specified for the `LogDestinationType` parameter. 
+  `aws:executeScript` - Creates flow logs based on the values specified in the runbook parameters. 
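
The second document step refuses a destination bucket that may be publicly readable or writable. As an added example (not the runbook's own script), the following Python shows one way to make that decision from the three calls the required permissions cover, `GetBucketPublicAccessBlock`, `GetBucketPolicyStatus` and `GetBucketAcl`: an ACL grant to the `AllUsers` or `AuthenticatedUsers` group counts as exposure unless `IgnorePublicAcls` is on, and a public bucket policy counts unless `RestrictPublicBuckets` is on. The response dictionaries are constructed to match the S3 API shapes, not captured from a real account; the `fetch_and_assess` helper assumes boto3 and credentials.

```python
"""Added example: is this S3 bucket acceptable as a flow log destination?

Not the runbook's script. Combines the three signals the runbook's required
permissions cover. All response dictionaries below are constructed to match
the S3 API shapes; nothing is read from a real account unless
fetch_and_assess() is called."""

PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def public_acl_grants(acl):
    """Permissions the bucket ACL grants to the AllUsers/AuthenticatedUsers groups."""
    return sorted({g["Permission"] for g in acl.get("Grants", [])
                   if g.get("Grantee", {}).get("Type") == "Group"
                   and g["Grantee"].get("URI") in PUBLIC_GRANTEES})


def assess_bucket(pab, policy_status, acl):
    """Return (acceptable, findings).

    pab           GetBucketPublicAccessBlock response, or None if none is set
    policy_status GetBucketPolicyStatus response, or None if no bucket policy
    acl           GetBucketAcl response
    A public ACL grant is exposure unless IgnorePublicAcls is on; a public
    policy is exposure unless RestrictPublicBuckets is on. Every observation
    is reported, so an acceptable bucket can still carry findings worth fixing.
    """
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    findings = []
    missing = [k for k in PAB_KEYS if cfg.get(k) is not True]
    if missing:
        findings.append("public access block incomplete: " + ", ".join(missing))
    policy_public = bool((policy_status or {}).get("PolicyStatus", {}).get("IsPublic"))
    if policy_public:
        findings.append("bucket policy is public")
    grants = public_acl_grants(acl)
    if grants:
        findings.append("ACL grants to public groups: " + ", ".join(grants))
    acl_exposed = bool(grants) and cfg.get("IgnorePublicAcls") is not True
    policy_exposed = policy_public and cfg.get("RestrictPublicBuckets") is not True
    return not (acl_exposed or policy_exposed), findings


def fetch_and_assess(bucket_name):
    """Live variant (needs boto3 and credentials; not exercised offline)."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")

    def optional(call, absent_code):
        try:
            return call()
        except ClientError as err:            # "not configured" is a normal answer
            if err.response["Error"]["Code"] == absent_code:
                return None
            raise

    pab = optional(lambda: s3.get_public_access_block(Bucket=bucket_name),
                   "NoSuchPublicAccessBlockConfiguration")
    status = optional(lambda: s3.get_bucket_policy_status(Bucket=bucket_name), "NoSuchBucketPolicy")
    return assess_bucket(pab, status, s3.get_bucket_acl(Bucket=bucket_name))


# Constructed samples (owner IDs and settings are illustrative).
OWNER_ONLY_ACL = {"Owner": {"ID": "example-owner"},
                  "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"},
                              "Permission": "FULL_CONTROL"}]}
LOCKED_DOWN = dict(pab={"PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}},
                   policy_status={"PolicyStatus": {"IsPublic": False}}, acl=OWNER_ONLY_ACL)
WORLD_READABLE_ACL = dict(pab=None, policy_status=None, acl={
    "Owner": {"ID": "example-owner"},
    "Grants": OWNER_ONLY_ACL["Grants"] + [
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"}]})
PUBLIC_POLICY_BUT_RESTRICTED = dict(
    pab={"PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                            "BlockPublicPolicy": False, "RestrictPublicBuckets": True}},
    policy_status={"PolicyStatus": {"IsPublic": True}}, acl=OWNER_ONLY_ACL)

if __name__ == "__main__":
    for name, sample in [("locked down", LOCKED_DOWN), ("world-readable ACL", WORLD_READABLE_ACL),
                         ("public policy, restricted", PUBLIC_POLICY_BUT_RESTRICTED)]:
        print(name, assess_bucket(**sample))
```

The third sample shows why the settings are evaluated individually rather than as "all four on": a bucket with a public policy is still a safe destination when `RestrictPublicBuckets` is set, although the incomplete block and the public policy are still reported so they can be fixed.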

# `AWSConfigRemediation-EnableVPCFlowLogsToCloudWatch`
<a name="automation-aws-enable-flow-logs-cw"></a>

 **Description** 

 The `AWSConfigRemediation-EnableVPCFlowLogsToCloudWatch` runbook replaces an existing Amazon VPC flow log that publishes flow log data to Amazon Simple Storage Service (Amazon S3) with a flow log that publishes flow log data to the Amazon CloudWatch Logs (CloudWatch Logs) log group you specify. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-EnableVPCFlowLogsToCloudWatch) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ DestinationLogGroup

  Type: String

  Description: (Required) The name of the CloudWatch Logs log group you want to publish flow log data to.
+ DeliverLogsPermissionArn

  Type: String

  Description: (Required) The ARN of the AWS Identity and Access Management (IAM) role you want to use that provides Amazon Elastic Compute Cloud (Amazon EC2) the requisite permissions to publish flow log data to CloudWatch Logs.
+ FlowLogId

  Type: String

  Description: (Required) The ID of the flow log that publishes to Amazon S3 you want to replace.
+ MaxAggregationInterval

  Type: Integer

  Valid values: 60 | 600

  Description: (Optional) The maximum interval of time, in seconds, during which a flow of packets is captured and aggregated into a flow log record.
+ TrafficType

  Type: String

  Valid values: ACCEPT | REJECT | ALL

  Description: (Required) The type of flow log data you want to record and publish.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `ec2:CreateFlowLogs` 
+  `ec2:DeleteFlowLogs` 
+  `ec2:DescribeFlowLogs` 

 **Document Steps** 
+  `aws:executeAwsApi` - Gathers details about your VPC from the value you specify in the `FlowLogId` parameter. 
+  `aws:executeAwsApi` - Creates a flow log based on the values you specify for the runbook parameters. 
+  `aws:assertAwsResourceProperty` - Verifies the newly created flow log publishes to CloudWatch Logs. 
+  `aws:executeAwsApi` - Deletes the flow log that publishes to Amazon S3. 
+  `aws:executeScript` - Confirms the flow log that published to Amazon S3 was deleted. 

# `AWSConfigRemediation-EnableVPCFlowLogsToS3Bucket`
<a name="automation-aws-enable-flow-logs-s3"></a>

 **Description** 

 The `AWSConfigRemediation-EnableVPCFlowLogsToS3Bucket` runbook *replaces* an existing Amazon VPC flow log that publishes flow log data to Amazon CloudWatch Logs (CloudWatch Logs) with a flow log that publishes flow log data to the Amazon Simple Storage Service (Amazon S3) bucket you specify. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-EnableVPCFlowLogsToS3Bucket) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ DestinationS3BucketArn

  Type: String

  Description: (Required) The ARN of the Amazon S3 bucket you want to publish flow log data to.
+ FlowLogId

  Type: String

  Description: (Required) The ID of the flow log that publishes to CloudWatch Logs you want to replace.
+ MaxAggregationInterval

  Type: Integer

  Valid values: 60 | 600

  Description: (Optional) The maximum interval of time, in seconds, during which a flow of packets is captured and aggregated into a flow log record.
+ TrafficType

  Type: String

  Valid values: ACCEPT | REJECT | ALL

  Description: (Required) The type of flow log data you want to record and publish.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `ec2:CreateFlowLogs` 
+  `ec2:DeleteFlowLogs` 
+  `ec2:DescribeFlowLogs` 

 **Document Steps** 
+  `aws:executeAwsApi` - Gathers details about your VPC from the value you specify in the `FlowLogId` parameter. 
+  `aws:executeAwsApi` - Creates a flow log based on the values you specify for the runbook parameters. 
+  `aws:assertAwsResourceProperty` - Verifies the newly created flow log publishes to Amazon S3. 
+  `aws:executeAwsApi` - Deletes the flow log that publishes to CloudWatch Logs. 
+  `aws:executeScript` - Confirms the flow log that published to CloudWatch Logs was deleted. 
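
Both `AWSConfigRemediation-EnableVPCFlowLogsToCloudWatch` and `AWSConfigRemediation-EnableVPCFlowLogsToS3Bucket` follow the same order: describe the existing flow log, create the replacement, verify where it publishes, and only then delete the original, so monitoring coverage never lapses. The following Python is an added example of that ordering and is not either runbook's code. The EC2 client is injected so the function runs here against a small in-memory fake; with boto3 installed, `boto3.client("ec2")` can be passed instead. The flow log ID, resource ID, role ARN and log group ARN are placeholders.

```python
"""Added example: swap a flow log's destination without a coverage gap.

Not the runbook code. Order of operations: describe the existing log, create
the replacement, verify it publishes where requested, then delete the
original. The client is injected so the function runs against the in-memory
fake below; pass boto3.client("ec2") for a real account. IDs and ARNs are
placeholders."""


class FlowLogSwapError(RuntimeError):
    """Raised when the swap must stop; the original flow log is left in place."""


_RESOURCE_TYPES = {"vpc-": "VPC", "subnet-": "Subnet", "eni-": "NetworkInterface"}


def _resource_type(resource_id):
    """Map a flow log's ResourceId onto the ResourceType value CreateFlowLogs wants."""
    for prefix, rtype in _RESOURCE_TYPES.items():
        if resource_id.startswith(prefix):
            return rtype
    raise FlowLogSwapError(f"unsupported resource {resource_id}")


def replace_flow_log(ec2, flow_log_id, *, destination_type, destination_arn,
                     traffic_type="ALL", deliver_logs_permission_arn=None, max_aggregation_interval=600):
    """Create a replacement for `flow_log_id`, verify it, delete the original; return the new ID."""
    existing = ec2.describe_flow_logs(FlowLogIds=[flow_log_id])["FlowLogs"]
    if not existing:
        raise FlowLogSwapError(f"{flow_log_id} not found")
    resource_id = existing[0]["ResourceId"]
    params = {"ResourceIds": [resource_id], "ResourceType": _resource_type(resource_id),
              "TrafficType": traffic_type, "LogDestinationType": destination_type,
              "LogDestination": destination_arn, "MaxAggregationInterval": max_aggregation_interval}
    if destination_type == "cloud-watch-logs":
        if not deliver_logs_permission_arn:        # fail before anything is created
            raise FlowLogSwapError("DeliverLogsPermissionArn is required for cloud-watch-logs")
        params["DeliverLogsPermissionArn"] = deliver_logs_permission_arn

    created = ec2.create_flow_logs(**params)
    if created.get("Unsuccessful"):
        raise FlowLogSwapError(f"create failed: {created['Unsuccessful']}")
    new_id = created["FlowLogIds"][0]

    # Verify the new log before removing the old one (the runbook's assert step).
    new = ec2.describe_flow_logs(FlowLogIds=[new_id])["FlowLogs"]
    if not new or new[0].get("LogDestinationType") != destination_type \
            or new[0].get("LogDestination") != destination_arn:
        raise FlowLogSwapError(f"{new_id} does not publish to {destination_arn}; original kept")

    ec2.delete_flow_logs(FlowLogIds=[flow_log_id])
    if ec2.describe_flow_logs(FlowLogIds=[flow_log_id])["FlowLogs"]:
        raise FlowLogSwapError(f"{flow_log_id} still present after delete")
    return new_id


class FakeEC2:
    """In-memory stand-in for the three EC2 client calls used above."""

    def __init__(self, logs):
        self.logs = {log["FlowLogId"]: dict(log) for log in logs}
        self._counter = 0

    def describe_flow_logs(self, FlowLogIds):
        return {"FlowLogs": [self.logs[i] for i in FlowLogIds if i in self.logs]}

    def create_flow_logs(self, **params):
        self._counter += 1
        fid = f"fl-fake{self._counter:03d}"
        self.logs[fid] = {"FlowLogId": fid, "ResourceId": params["ResourceIds"][0],
                          "TrafficType": params["TrafficType"],
                          "LogDestinationType": params["LogDestinationType"],
                          "LogDestination": params["LogDestination"]}
        return {"FlowLogIds": [fid], "Unsuccessful": []}

    def delete_flow_logs(self, FlowLogIds):
        for i in FlowLogIds:
            self.logs.pop(i, None)
        return {"Unsuccessful": []}


# Constructed starting state: one flow log on a VPC that publishes to S3.
SAMPLE_LOGS = [{"FlowLogId": "fl-0123456789abcdef0", "ResourceId": "vpc-0123456789abcdef0",
                "TrafficType": "ALL", "LogDestinationType": "s3",
                "LogDestination": "arn:aws:s3:::amzn-s3-demo-bucket"}]
LOG_GROUP_ARN = "arn:aws:logs:us-east-1:111122223333:log-group:vpc-flow-logs"
PUBLISH_ROLE_ARN = "arn:aws:iam::111122223333:role/vpc-flow-logs-publisher"


def demo():
    """Move the sample S3 flow log to CloudWatch Logs against the fake client."""
    ec2 = FakeEC2(SAMPLE_LOGS)
    new_id = replace_flow_log(ec2, "fl-0123456789abcdef0", destination_type="cloud-watch-logs",
                              destination_arn=LOG_GROUP_ARN, deliver_logs_permission_arn=PUBLISH_ROLE_ARN)
    return ec2, new_id


if __name__ == "__main__":
    ec2, new_id = demo()
    print(new_id, ec2.logs[new_id])
```

Every failure path raises before `delete_flow_logs` is reached, which is the property that matters: a missing `DeliverLogsPermissionArn`, a failed create, or a replacement that does not publish where requested all leave the original flow log, and therefore the audit trail, intact.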

# `AWS-ReleaseElasticIP`
<a name="automation-aws-releaseelasticip"></a>

 **Description** 

The `AWS-ReleaseElasticIP` runbook releases the Elastic IP address you specify by its allocation ID.

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWS-ReleaseElasticIP) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ AllocationId

  Type: String

  Description: (Required) The Allocation ID of the Elastic IP address.

# `AWS-RemoveNetworkACLUnrestrictedSSHRDP`
<a name="aws-remove-nacl-unrestricted-ssh-rdp"></a>

 **Description** 

 The `AWS-RemoveNetworkACLUnrestrictedSSHRDP` runbook removes all network access control list (ACL) rules from the specified network ACL that allow ingress traffic from all source addresses to default SSH and RDP ports. Rules that include port ranges that overlap with the default SSH and RDP ports aren't removed.

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWS-RemoveNetworkACLUnrestrictedSSHRDP) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ NetworkAclId

  Type: String

  Description: (Required) The ID of the network ACL from which you want to remove rules that allow ingress traffic from all source addresses to the default SSH and RDP ports.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `ec2:DeleteNetworkAclEntry` 
+  `ec2:DescribeNetworkAcls` 

 **Document Steps** 
+  `aws:executeScript` - Removes the rules from the network ACL you specified in the `NetworkAclId` parameter that allow ingress traffic from all source addresses to the default SSH and RDP ports, and verifies the deletions. 

 **Outputs** 

RemoveNaclEntriesAndVerify.VerificationMessage - Verification messages of the successfully deleted network ACL rules.

RemoveNaclEntriesAndVerify.RulesDeletedAndApiResponses - The network ACL rules that were deleted, and the `DeleteNetworkAclEntry` API operation responses.
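
As an added example (not the runbook's own script), the following Python applies the selection rule described above to a `DescribeNetworkAcls` entry list. Network ACL entries are addressed by `NetworkAclId`, `RuleNumber` and `Egress`, so the output is a list of `DeleteNetworkAclEntry` keyword arguments. Only inbound `allow` entries from `0.0.0.0/0` or `::/0` whose port range is exactly 22-22 or 3389-3389 are queued for deletion; entries whose range merely overlaps those ports, such as an ephemeral-port rule or an all-traffic rule, are reported for review instead, since deleting them would also cut legitimate traffic. The network ACL and its entries are constructed sample data, and the `apply_plan` helper assumes boto3 and credentials.

```python
"""Added example: select network ACL entries that open SSH/RDP to the world.

Not the runbook's script. Network ACL entries are addressed by
(NetworkAclId, RuleNumber, Egress), so the plan is a list of
DeleteNetworkAclEntry keyword arguments. The sample ACL is constructed."""
from ipaddress import ip_network

SSH_PORT, RDP_PORT = 22, 3389
SENSITIVE_PORTS = (SSH_PORT, RDP_PORT)
TCP, ALL_PROTOCOLS = "6", "-1"   # network ACL protocol numbers are strings


def _source_is_world(entry):
    cidr = entry.get("CidrBlock") or entry.get("Ipv6CidrBlock")
    return cidr is not None and ip_network(cidr, strict=False).prefixlen == 0


def _admits(entry, port):
    """Does the entry's protocol/port range admit TCP traffic to `port`?"""
    proto = entry.get("Protocol")
    if proto == ALL_PROTOCOLS:          # all traffic: no PortRange present
        return True
    if proto != TCP:
        return False
    rng = entry.get("PortRange", {})
    return rng.get("From", 0) <= port <= rng.get("To", 65535)


def plan_nacl_deletions(acl, ports=SENSITIVE_PORTS):
    """Return {"delete": [...], "review": [...]} for inbound allow rules.

    Only entries whose range is exactly one sensitive port are deleted, as the
    runbook documents. Entries whose range merely overlaps a sensitive port
    (an ephemeral-port allow, an all-traffic rule) are reported for review,
    because deleting them would also cut legitimate traffic.
    """
    delete, review = [], []
    for e in acl.get("Entries", []):
        if e.get("Egress") or e.get("RuleAction") != "allow" or not _source_is_world(e):
            continue
        exposed = [p for p in ports if _admits(e, p)]
        if not exposed:
            continue
        rng = e.get("PortRange", {})
        exact = e.get("Protocol") == TCP and rng.get("From") == rng.get("To") and rng.get("From") in ports
        if exact:
            delete.append({"NetworkAclId": acl["NetworkAclId"], "RuleNumber": e["RuleNumber"], "Egress": False})
        else:
            review.append({"RuleNumber": e["RuleNumber"], "Protocol": e.get("Protocol"), "Exposes": exposed})
    return {"delete": delete, "review": review}


def apply_plan(plan, region_name="us-east-1"):
    """Live variant (needs boto3 and credentials; not exercised offline)."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region_name)
    for kwargs in plan["delete"]:
        ec2.delete_network_acl_entry(**kwargs)
    return plan["review"]


SAMPLE_ACL = {  # constructed DescribeNetworkAcls-style record
    "NetworkAclId": "acl-0123456789abcdef0",
    "Entries": [
        {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
        {"RuleNumber": 110, "Protocol": "6", "RuleAction": "allow", "Egress": False,
         "Ipv6CidrBlock": "::/0", "PortRange": {"From": 3389, "To": 3389}},
        # Ephemeral-port return traffic: legitimate, but it also admits 3389.
        {"RuleNumber": 120, "Protocol": "6", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 1024, "To": 65535}},
        {"RuleNumber": 130, "Protocol": "6", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 20, "To": 25}},
        {"RuleNumber": 140, "Protocol": "6", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "198.51.100.0/24", "PortRange": {"From": 22, "To": 22}},
        {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": True,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"},
    ],
}

if __name__ == "__main__":
    import json
    print(json.dumps(plan_nacl_deletions(SAMPLE_ACL), indent=2))
```

Rules 100 and 110 are deleted; rule 120 (the ephemeral range, which happens to cover 3389) and rule 130 (20-25, which covers 22) are reported for narrowing; the `198.51.100.0/24` rule, the egress rule that shares rule number 100, and the default deny are ignored.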

# `AWSConfigRemediation-RemoveUnrestrictedSourceIngressRules`
<a name="automation-aws-remove-unrestricted-source-ingress"></a>

 **Description** 

 The `AWSConfigRemediation-RemoveUnrestrictedSourceIngressRules` runbook removes all ingress rules from the security group you specify that allow traffic from all source addresses. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-RemoveUnrestrictedSourceIngressRules) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ SecurityGroupId

  Type: String

  Description: (Required) The ID of the security group from which you want to remove ingress rules that allow traffic from all source addresses.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `ec2:DescribeSecurityGroups` 
+  `ec2:RevokeSecurityGroupIngress` 

 **Document Steps** 
+  `aws:executeScript` - Removes all ingress rules that allow traffic from all source addresses from the security group you specified in the `SecurityGroupId` parameter. 

# `AWSConfigRemediation-RemoveVPCDefaultSecurityGroupRules`
<a name="automation-aws-remove-default-secg-rules"></a>

 **Description** 

 The `AWSConfigRemediation-RemoveVPCDefaultSecurityGroupRules` runbook removes all rules from the default security group of the virtual private cloud (VPC) you specify. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-RemoveVPCDefaultSecurityGroupRules) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ GroupId

  Type: String

  Description: (Required) The ID of the security group that you want to remove all rules from.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `ec2:DescribeSecurityGroups` 
+  `ec2:RevokeSecurityGroupEgress` 
+  `ec2:RevokeSecurityGroupIngress` 

 **Document Steps** 
+  `aws:assertAwsResourceProperty` - Confirms the security group you specified in the `GroupId` parameter is named `default`. 
+  `aws:executeScript` - Removes all rules from the security group you specified in the `GroupId` parameter. 

# `AWSSupport-SetupIPMonitoringFromVPC`
<a name="automation-awssupport-setupipmonitoringfromvpc"></a>

 **Description** 

 `AWSSupport-SetupIPMonitoringFromVPC` creates an Amazon Elastic Compute Cloud (Amazon EC2) instance in the specified subnet and monitors selected target IPs (IPv4 or IPv6) by continuously running ping, MTR, traceroute, and tracetcp tests. The results are stored in Amazon CloudWatch Logs, and metric filters are applied to quickly visualize latency and packet loss statistics in a CloudWatch dashboard. 

 **Additional Information** 

The CloudWatch Logs data can be used for network troubleshooting and analysis of patterns and trends. Additionally, you can configure CloudWatch alarms with Amazon SNS notifications for when packet loss or latency reaches a threshold. The data can also be used when opening a case with AWS Support, to help isolate an issue quickly and reduce time to resolution when investigating a network issue.

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSSupport-SetupIPMonitoringFromVPC) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ CloudWatchLogGroupNamePrefix

  Type: String

   Default: `/AWSSupport-SetupIPMonitoringFromVPC` 

  Description: (Optional) Prefix used for each CloudWatch log group created for the test results.
+ CloudWatchLogGroupRetentionInDays

  Type: String

  Valid values: 1 | 3 | 5 | 7 | 14 | 30 | 60 | 90 | 120 | 150 | 180 | 365 | 400 | 545 | 731 | 1827 | 3653

  Default: 7

  Description: (Optional) Number of days you want to keep the network monitoring results for.
+ InstanceType

  Type: String

  Valid values: t2.micro | t2.small | t2.medium | t2.large | t3.micro | t3.small | t3.medium | t3.large | t4g.micro | t4g.small | t4g.medium | t4g.large

  Default: t3.micro

  Description: (Optional) The EC2 instance type for the EC2Rescue instance. Recommended size: t3.micro.
+ SubnetId

  Type: String

  Description: (Required) The subnet ID for the monitor instance. Be aware that if you specify a private subnet, you must make sure there is internet access so that the monitor instance can set up the test (that is, install the CloudWatch Logs agent and interact with Systems Manager and CloudWatch).
+ TargetIPs

  Type: String

  Description: (Required) Comma-separated list of IPv4 or IPv6 addresses to monitor. No spaces allowed. Maximum size is 255 characters. Be aware that if you provide an invalid IP address, the automation fails and rolls back the test setup.
+ TestInstanceSecurityGroupId

  Type: String

  Description: (Optional) The security group ID for the test instance. If not specified, the automation creates one during the instance creation. Make sure the security group allows outbound access to the monitoring IPs.
+ TestInstanceProfileName

  Type: String

  Description: (Optional) The name of an existing IAM instance profile for the test instance. If not specified, the automation creates one during the instance creation. The role must have the following permissions: `logs:CreateLogStream`, `logs:DescribeLogGroups`, `logs:DescribeLogStreams`, and `logs:PutLogEvents` and the AWS Managed Policy `AmazonSSMManagedInstanceCore`.
+ TestInterval

  Type: String

  Description: (Optional) The number of minutes between test intervals. The default value is `1` minute and the maximum is `10` minutes.
+ RetainDashboardAndLogsOnDeletion

  Type: String

  Description: (Optional) Specify `False` to delete the Amazon CloudWatch dashboard and logs when deleting the AWS CloudFormation stack. The default value is `True`. By default, the dashboard and logs are retained and must be deleted manually when they are no longer needed.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.

**Warning**  
 It is recommended that you pass the `TestInstanceProfileName` parameter, or have security guardrails in place, to prevent misuse of the mutable IAM permissions granted by the policy below. 

 It is recommended that the user who runs the automation have the **AmazonSSMAutomationRole** IAM managed policy attached. In addition, the user must have the following policy attached to their user account, group, or role:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "iam:CreateRole",
                "iam:CreateInstanceProfile",
                "iam:GetRole",
                "iam:GetInstanceProfile",
                "iam:DetachRolePolicy",
                "iam:AttachRolePolicy",
                "iam:PassRole",
                "iam:AddRoleToInstanceProfile",
                "iam:GetRolePolicy",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:DeleteInstanceProfile",
                "iam:PutRolePolicy",
                "iam:TagRole"
            ],
            "Resource": [
                "arn:aws:iam::111122223333:role/SetupIPMonitoringFromVPC*",
                "arn:aws:iam::111122223333:instance-profile/SetupIPMonitoringFromVPC*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:CreateChangeSet",
                "cloudformation:DeleteStack",
                "cloudformation:DescribeStacks",
                "cloudformation:DescribeStackEvents",
                "cloudwatch:PutDashboard",
                "cloudwatch:DeleteDashboards",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:CreateSecurityGroup",
                "ec2:CreateLaunchTemplate",
                "ec2:DeleteSecurityGroup",
                "ec2:DescribeImages",
                "ec2:DescribeSubnets",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeVpcs",
                "ec2:DeleteLaunchTemplate",
                "ec2:DeleteSecurityGroup",
                "ec2:RunInstances",
                "ec2:TerminateInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:CreateTags",
                "ec2:AssignIpv6Addresses",
                "ec2:DescribeTags",
                "ec2:DescribeInstances",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeLaunchTemplates",
                "ec2:RevokeSecurityGroupEgress",
                "logs:CreateLogGroup",
                "logs:DeleteLogGroup",
                "logs:PutMetricFilter",
                "logs:PutRetentionPolicy",
                "logs:TagResource",
                "ssm:DescribeInstanceInformation",
                "ssm:GetParameter",
                "ssm:GetParameters",
                "ssm:SendCommand",
                "ssm:ListCommands",
                "ssm:ListCommandInvocations"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}
```

If the `TestInstanceProfileName` parameter is provided, the following IAM permissions are not required to execute the runbook:
+ iam:CreateRole
+ iam:CreateInstanceProfile
+ iam:DetachRolePolicy
+ iam:AttachRolePolicy
+ iam:AddRoleToInstanceProfile
+ iam:RemoveRoleFromInstanceProfile
+ iam:DeleteRole
+ iam:DeleteRolePolicy
+ iam:DeleteInstanceProfile

 **Document Steps** 

1.  **`aws:executeAwsApi`** - describe the provided subnet to get the VPC ID and IPv6 CIDR block association state. 

1.  **`aws:executeScript`** - validate that the provided target IPs are syntactically correct IPv4 and/or IPv6 addresses, get the architecture of the selected instance type, and verify that the subnet has an IPv6 pool association if any target IP is IPv6. 

1.  **`aws:createStack`** - create an AWS CloudFormation stack that provisions the test Amazon EC2 instance, IAM instance profile (if not provided), security group (if not provided), CloudWatch log groups, and CloudWatch dashboard. 

   (Cleanup) If the step fails: 

    **`aws:executeScript`** - describe the CloudFormation stack events to identify the failure reason. 

    **`aws:deleteStack`** - delete the CloudFormation stack and all associated resources. 

1.  **`aws:waitForAwsResourceProperty`** - wait for the CloudFormation stack to complete creation. 

   (Cleanup) If the step fails: 

    **`aws:executeScript`** - describe the CloudFormation stack events to identify the failure reason. 

    **`aws:deleteStack`** - delete the CloudFormation stack and all associated resources. 

1.  **`aws:executeScript`** - describe the CloudFormation stack resources to get the test instance ID, security group ID, IAM role, instance profile, and dashboard name. 

   (Cleanup) If the step fails: 

    **`aws:executeScript`** - describe the CloudFormation stack events to identify the failure reason. 

    **`aws:deleteStack`** - delete the CloudFormation stack and all associated resources. 

1.  **`aws:waitForAwsResourceProperty`** - wait for the test instance to become a managed instance. 

   (Cleanup) If the step fails: 

    **`aws:deleteStack`** - delete the CloudFormation stack and all associated resources. 

1.  **`aws:runCommand`** - install the CloudWatch agent on the test instance. 

   (Cleanup) If the step fails: 

    **`aws:deleteStack`** - delete the CloudFormation stack and all associated resources. 

1.  **`aws:runCommand`** - define the network test scripts (MTR, ping, tracepath, and traceroute) for each of the provided IPs. 

   (Cleanup) If the step fails: 

    **`aws:deleteStack`** - delete the CloudFormation stack and all associated resources. 

1.  **`aws:runCommand`** - start the network tests and schedule subsequent executions using cron jobs that run every `TestInterval` minutes. 

   (Cleanup) If the step fails: 

    **`aws:deleteStack`** - delete the CloudFormation stack and all associated resources. 

1.  **`aws:runCommand`** - configure the CloudWatch agent to push test results from `/home/ec2-user/logs/` to CloudWatch Logs. 

   (Cleanup) If the step fails: 

    **`aws:deleteStack`** - delete the CloudFormation stack and all associated resources. 

1.  **`aws:runCommand`** - configure log rotation for the test results in `/home/ec2-user/logs/`. 

1.  **`aws:executeScript`** - set the retention policy for all CloudWatch log groups created by the CloudFormation stack. 

1.  **`aws:executeScript`** - create CloudWatch log group metric filters for ping latency and ping packet loss. 

   (Cleanup) If the step fails: 

    **`aws:deleteStack`** - delete the CloudFormation stack and all associated resources. 

1.  **`aws:executeScript`** - update the CloudWatch dashboard to include widgets for ping latency and ping packet loss statistics. 

   (Cleanup) If the step fails: 

    **`aws:executeAwsApi`** - delete the CloudWatch dashboard, if it exists. 

    **`aws:deleteStack`** - delete the CloudFormation stack and all associated resources. 

1.  **`aws:branch`** - evaluate the `SleepTime` parameter. If set to `0`, the automation ends without deleting the stack. 

1.  **`aws:sleep`** - wait for the specified `SleepTime` duration before deleting the CloudFormation stack. 

1.  **`aws:deleteStack`** - delete the CloudFormation stack. Based on the `RetainDashboardAndLogsOnDeletion` parameter, the CloudWatch dashboard and log groups are either retained or deleted. 

   (Cleanup) If the stack deletion fails: 

    **`aws:executeScript`** - describe the CloudFormation stack events to identify the deletion failure reason. 
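The `TargetIPs` description and step 2 above state enough of the format to check a value locally before starting the runbook, so that a bad entry does not cost a full stack creation and rollback. The following is an added example and not part of the runbook; `validate_target_ips` and its `subnet_has_ipv6` argument (the IPv6 CIDR block association state that step 1 reads from the subnet) are assumed names.

```python
import ipaddress

# Limit stated in the runbook's TargetIPs parameter description.
MAX_TARGET_IPS_LENGTH = 255


def validate_target_ips(target_ips: str, subnet_has_ipv6: bool) -> dict:
    """Pre-flight check of a TargetIPs value before starting the automation.

    subnet_has_ipv6 is whether the subnet has an IPv6 CIDR block association
    (what step 1 of the runbook describes). Returns the parsed IPv4 and IPv6
    targets plus a list of problems; an empty list means the value satisfies
    the rules the runbook itself applies in step 2.
    """
    if not target_ips:
        return {"ipv4": [], "ipv6": [], "problems": ["at least one target IP is required"]}

    problems = []
    ipv4, ipv6 = [], []

    if len(target_ips) > MAX_TARGET_IPS_LENGTH:
        problems.append(f"value is {len(target_ips)} characters, maximum is {MAX_TARGET_IPS_LENGTH}")
    if " " in target_ips:
        problems.append("spaces are not allowed")

    for item in target_ips.split(","):
        if not item:
            problems.append("empty element (leading, trailing or doubled comma)")
            continue
        try:
            # ip_address() rejects CIDR notation, leading whitespace and malformed octets.
            addr = ipaddress.ip_address(item)
        except ValueError:
            problems.append(f"{item!r} is not a valid IPv4 or IPv6 address")
            continue
        (ipv4 if addr.version == 4 else ipv6).append(str(addr))

    # Step 2 fails the automation when IPv6 targets are given on an IPv4-only subnet.
    if ipv6 and not subnet_has_ipv6:
        problems.append("IPv6 targets given but the subnet has no IPv6 CIDR block association")

    return {"ipv4": ipv4, "ipv6": ipv6, "problems": problems}


if __name__ == "__main__":
    # Constructed sample value using documentation address ranges.
    result = validate_target_ips("192.0.2.10,2001:db8::1", subnet_has_ipv6=False)
    for problem in result["problems"]:
        print("TargetIPs problem:", problem)
```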

 **Outputs** 

updateCloudWatchDashboard.StackUrl - the URL of the CloudFormation stack.

updateCloudWatchDashboard.DashboardUrl - the URL of the CloudWatch dashboard.

updateCloudWatchDashboard.DashboardName - the name of the CloudWatch dashboard.

updateCloudWatchDashboard.LogGroups - the list of CloudWatch log groups created.

describeStackResources.HelperInstanceId - the test instance ID.

describeStackResources.StackName - the CloudFormation stack name.

# `AWSSupport-TerminateIPMonitoringFromVPC`
<a name="automation-awssupport-terminateipmonitoringfromvpc"></a>

 **Description** 

 `AWSSupport-TerminateIPMonitoringFromVPC` terminates an IP monitoring test previously started by `AWSSupport-SetupIPMonitoringFromVPC`. Data related to the specified test ID is deleted. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSSupport-TerminateIPMonitoringFromVPC) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ AutomationExecutionId

  Type: String

  Description: (Required) The automation execution ID from when you previously ran the `AWSSupport-SetupIPMonitoringFromVPC` runbook. All resources associated with this execution ID are deleted.
+ InstanceId

  Type: String

  Description: (Required) The instance ID for the monitor instance.
+ SubnetId

  Type: String

  Description: (Required) The subnet ID for the monitor instance.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.

 It is recommended that the user who runs the automation have the **AmazonSSMAutomationRole** IAM managed policy attached. In addition, the user must have the following policy attached to their user, group, or role: 

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "iam:DetachRolePolicy",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:DeleteRole",
                "iam:DeleteInstanceProfile",
                "iam:DeleteRolePolicy"
            ],
            "Resource": [
                "arn:aws:iam::111122223333:role/AWSSupport/SetupIPMonitoringFromVPC_*",
                "arn:aws:iam::111122223333:instance-profile/AWSSupport/SetupIPMonitoringFromVPC_*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "iam:DetachRolePolicy"
            ],
            "Resource": [
                "arn:aws:iam::aws:policy/service-role/AmazonSSMManagedInstanceCore"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "cloudwatch:DeleteDashboards"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "ec2:DescribeTags",
                "ec2:DescribeInstances",
                "ec2:DescribeSecurityGroups",
                "ec2:DeleteSecurityGroup",
                "ec2:TerminateInstances",
                "ec2:DescribeInstanceStatus"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}
```

 **Document Steps** 

1.  `aws:assertAwsResourceProperty` - check that `AutomationExecutionId` and `InstanceId` are related to the same test. 

1.  `aws:assertAwsResourceProperty` - check that `SubnetId` and `InstanceId` are related to the same test. 

1.  `aws:executeAwsApi` - retrieve the test security group. 

1.  `aws:executeAwsApi` - delete the CloudWatch dashboard. 

1.  `aws:changeInstanceState` - terminate the test instance. 

1.  `aws:executeAwsApi` - remove the IAM instance profile from the role. 

1.  `aws:executeAwsApi` - delete the IAM instance profile created by the automation. 

1.  `aws:executeAwsApi` - delete the CloudWatch inline policy from the role created by the automation. 

1.  `aws:executeAwsApi` - detach the **AmazonSSMManagedInstanceCore** managed policy from the role created by the automation. 

1.  `aws:executeAwsApi` - delete the IAM role created by the automation. 

1.  `aws:executeAwsApi` - delete the security group created by the automation, if it exists. 

 **Outputs** 

None