AWS fis documentation change
Summary
Added documentation for rollback scripts, FlowsPercent parameter, expanded Interface/Sources parameters, and required EC2 permissions for experiment roles
Security assessment
The changes document required IAM permissions (ec2:DescribeInstances, ec2:DescribeSubnets) for experiment roles, which is security-related documentation. However, there's no evidence this addresses an existing security vulnerability.
Diff
diff --git a/fis/latest/userguide/actions-ssm-agent.md b/fis/latest/userguide/actions-ssm-agent.md index b4a0eff56..7144a1217 100644 --- a//fis/latest/userguide/actions-ssm-agent.md +++ b//fis/latest/userguide/actions-ssm-agent.md @@ -5 +5 @@ -Use the aws:ssm:send-command actionPre-configured AWS FIS SSM documentsExamplesLimitationsTroubleshooting +Use the aws:ssm:send-command actionPre-configured AWS FIS SSM documentsExamplesLimitationsRollback scriptsTroubleshooting @@ -347,0 +348,2 @@ Adds latency and jitter to the network interface using the **tc** tool for traff +Use the `FlowsPercent` parameter to add latency on a percentage of the connections. + @@ -358 +360 @@ arn:aws:ssm:region::document/AWSFIS-Run-Network-Latency-Sources - * **Interface** – Optional. The network interface. The default is `eth0`. + * **Interface** – Optional. The network interfaces, separated by commas. ALL and DEFAULT values are supported. The default is `DEFAULT`, which will target the primary network interface for the Operating System. @@ -364 +366,3 @@ arn:aws:ssm:region::document/AWSFIS-Run-Network-Latency-Sources - * **Sources** – Required. The sources, separated by commas, without spaces. The possible values are: an IPv4 address, an IPv4 CIDR block, a domain name, `DYNAMODB`, and `S3`. If you specify `DYNAMODB` or `S3`, this applies only to the Regional endpoint in the current Region. + * **FlowsPercent** – Optional. The percentage of network flows that will be affected by the action. The default is 100%. + + * **Sources** – Required. The sources, separated by commas, without spaces. The possible values are: an IPv4 address, an IPv4 CIDR block, a domain name, an AZ name (us-east-1a), an AZ ID (use1-az1), ALL, `DYNAMODB`, and `S3`. If you specify `DYNAMODB` or `S3`, this applies only to the Regional endpoint in the current Region. @@ -374,0 +379,9 @@ arn:aws:ssm:region::document/AWSFIS-Run-Network-Latency-Sources +When using this document, the experiment role requires the following permissions: + + * `ec2:DescribeInstances` + + * `ec2:DescribeSubnets` + + + + @@ -413,0 +427,2 @@ Adds packet loss to the network interface using the **tc** tool for traffic to o +Use the `FlowsPercent` parameter to inject packet loss on a percentage of the connections. + @@ -424 +439 @@ arn:aws:ssm:region::document/AWSFIS-Run-Network-Packet-Loss-Sources - * **Interface** – Optional. The network interface. The default is `eth0`. + * **Interface** – Optional. The network interfaces, separated by commas. ALL and DEFAULT values are supported. The default is `DEFAULT`, which will target the primary network interface for the Operating System. @@ -428 +443,3 @@ arn:aws:ssm:region::document/AWSFIS-Run-Network-Packet-Loss-Sources - * **Sources** – Required. The sources, separated by commas, without spaces. The possible values are: an IPv4 address, an IPv4 CIDR block, a domain name, `DYNAMODB`, and `S3`. If you specify `DYNAMODB` or `S3`, this applies only to the Regional endpoint in the current Region. + * **FlowsPercent** – Optional. The percentage of network flows that will be affected by the action. The default is 100%. + + * **Sources** – Required. The sources, separated by commas, without spaces. The possible values are: an IPv4 address, an IPv4 CIDR block, a domain name, an AZ name (us-east-1a), an AZ ID (use1-az1), ALL, `DYNAMODB`, and `S3`. If you specify `DYNAMODB` or `S3`, this applies only to the Regional endpoint in the current Region. @@ -438,0 +456,9 @@ arn:aws:ssm:region::document/AWSFIS-Run-Network-Packet-Loss-Sources +When using this document, the experiment role requires the following permissions: + + * `ec2:DescribeInstances` + + * `ec2:DescribeSubnets` + + + + @@ -466,0 +493,67 @@ For an example tutorial, see [Run CPU stress on an instance](./fis-tutorial-run- +## Rollback scripts + +AWS FIS SSM documents automatically create rollback scripts as a safety mechanism to restore system state after fault injection experiments. These scripts ensure that injected faults are removed, even if the action fails or is terminated unexpectedly. + +### Rollback script creation + +Rollback scripts are created automatically when fault injection experiments begin. + +###### Creation details + + * **Location** – Scripts are created in the `/var/lib/amazon/ssm/` directory. + + * **Naming pattern** – ``FAULT_NAME`-`FAULT_IDENTIFIER`-Rollback.sh` where `FAULT_IDENTIFIER` is a randomly generated 32-character string + + * **Timing** – Created at the beginning of each fault injection experiment, before fault injection starts. + + * **Content** – Contains all necessary environment variables and commands to reverse the specific fault. + + + + +For example, a network latency experiment might create a rollback script at `/var/lib/amazon/ssm/NetworkLatency-abc123-Rollback.sh`. + +### Rollback logging + +Rollback scripts implement dual logging to capture all rollback activities for troubleshooting and audit purposes. + +###### Log file locations + +When a rollback script executes, it creates logs in two locations: + + * **Temporary files** – `/tmp/aws-fis-rollback-`TIMESTAMP`-`PID`.log` + + * **System logs** – Sent to syslog with facility `local0.info` + + + + +###### Log file naming + +Temporary log files use the following naming convention: + + + /tmp/aws-fis-rollback-YYYY-MM-DDTHH:MM:SSZ-PID.log + +Where `YYYY-MM-DDTHH:MM:SSZ` is the UTC timestamp and `PID` is the process ID of the rollback script. + +###### Syslog configuration + +Rollback logs are sent to syslog with the following configuration: + + * **Tag** – `aws-fis-rollback` + + * **Priority** – `local0.info` + + * **Format** – `[YYYY-MM-DDTHH:MM:SSZ] `log_message`` + + + + +###### To view rollback logs + +Use the following command to view all rollback logs from the systemd journal: + + + sudo journalctl -t aws-fis-rollback +