

# X-Ray
<a name="automation-ref-xray"></a>

AWS Systems Manager Automation provides predefined runbooks for AWS X-Ray. For more information about runbooks, see [Working with runbooks](https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-documents.html). For information about how to view runbook content, see [View runbook content](automation-runbook-reference.md#view-automation-json). 

**Topics**
+ [`AWSConfigRemediation-UpdateXRayKMSKey`](automation-aws-update-xray-key.md)

# `AWSConfigRemediation-UpdateXRayKMSKey`
<a name="automation-aws-update-xray-key"></a>

 **Description** 

 The `AWSConfigRemediation-UpdateXRayKMSKey` runbook enables encryption on your AWS X-Ray data using an AWS Key Management Service (AWS KMS) key. This runbook should only be used as a baseline to ensure that your AWS X-Ray data is encrypted according to minimum recommended security best practices. We recommend encrypting multiple sets of data with different KMS keys. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-UpdateXRayKMSKey) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ KeyId

  Type: String

  Description: (Required) The Amazon Resource Name (ARN), key ID, or the key alias of the KMS key you want AWS X-Ray to use to encrypt data.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `kms:DescribeKey` 
+  `xray:GetEncryptionConfig` 
+  `xray:PutEncryptionConfig` 

 **Document Steps** 
+  `aws:executeAwsApi` - Enables encryption on your X-Ray data using the KMS key you specify in the `KeyId` parameter. 
+  `aws:waitForAwsResourceProperty` - Waits for the encryption configuration status of your X-Ray to be `ACTIVE` . 
+  `aws:executeAwsApi` - Gathers the ARN of the key you specify in the `KeyId` parameter. 
+  `aws:assertAwsResourceProperty` - Verifies encryption has been enabled on your X-Ray.