AWS Security ChangesHomeSearch

AWS systems-manager-automation-runbooks documentation change

Service: systems-manager-automation-runbooks · 2025-10-07 · Documentation medium

File: systems-manager-automation-runbooks/latest/userguide/automation-aws-troubleshootecstaskfailedtostart.md

Summary

Added IAM role requirements for Lambda and expanded required permissions list

Security assessment

Documents security-related IAM requirements including mandatory AWSLambdaVPCAccessExecutionRole policy and trust relationships. While not fixing a specific vulnerability, it improves security documentation by specifying required permissions for secure automation execution

Diff

diff --git a/systems-manager-automation-runbooks/latest/userguide/automation-aws-troubleshootecstaskfailedtostart.md b/systems-manager-automation-runbooks/latest/userguide/automation-aws-troubleshootecstaskfailedtostart.md
index c74846230..d95d1208e 100644
--- a//systems-manager-automation-runbooks/latest/userguide/automation-aws-troubleshootecstaskfailedtostart.md
+++ b//systems-manager-automation-runbooks/latest/userguide/automation-aws-troubleshootecstaskfailedtostart.md
@@ -29,0 +30,2 @@ If the analysis determines that network connectivity needs to be tested, a Lambd
+When a Lambda IAM role is provided, the automation will use it instead of creating a new one. The provided Lambda IAM role must include the AWS managed policy `AWSLambdaVPCAccessExecutionRole` and have a trust policy that allows it to be assumed by the Lambda service principal `lambda.amazonaws.com`. 
+
@@ -51,0 +54,6 @@ Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and A
+  * LambdaRoleArn
+
+Type: String
+
+Description: (Optional) The ARN of the IAM role that allows the AWS Lambda function to access the required AWS services and resources. If no role is specified, this Systems Manager Automation will create one IAM role for Lambda in your account with the name `NetworkToolSSMRunbookExecution<ExecutionId>` that includes the managed policy: `AWSLambdaVPCAccessExecutionRole`.
+
@@ -84,0 +93,2 @@ The `AutomationAssumeRole` parameter requires the following actions to use the r
+  * `ec2:DescribeDhcpOptions`
+
@@ -104,0 +115,10 @@ The `AutomationAssumeRole` parameter requires the following actions to use the r
+  * `ec2:DescribeVpcAttribute`
+
+  * `elasticfilesystem:DescribeFileSystems`
+
+  * `elasticfilesystem:DescribeMountTargets`
+
+  * `elasticfilesystem:DescribeMountTargetSecurityGroups`
+
+  * `elasticfilesystem:DescribeFileSystemPolicy`
+
@@ -130,0 +151,2 @@ The `AutomationAssumeRole` parameter requires the following actions to use the r
+  * `iam:ListUsers`
+
@@ -161,0 +184,13 @@ The `AutomationAssumeRole` parameter requires the following actions to use the r
+When `LambdaRoleArn` is provided, the automation does not need to create the role and the following permissions can be excluded:
+
+  * `iam:CreateRole`
+
+  * `iam:DeleteRole`
+
+  * `iam:AttachRolePolicy`
+
+  * `iam:DetachRolePolicy`
+
+
+
+