# AWS FIS Actions reference
<a name="fis-actions-reference"></a>

An action is the fault injection activity that you run on a target using AWS Fault Injection Service (AWS FIS). AWS FIS provides preconfigured actions for specific types of targets across AWS services. You add actions to an experiment template, which you then use to run experiments.

This reference describes the common actions in AWS FIS, including information about the action parameters and the required IAM permissions. You can also list the supported AWS FIS actions using the AWS FIS console or the [list-actions](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/fis/list-actions.html) command from the AWS Command Line Interface (AWS CLI). Once you have the name of a specific action, you can view detailed information about the action by using the [get-action](https://docs.aws.amazon.com/cli/latest/reference/fis/get-action.html) command. For more information on using AWS FIS commands with the AWS CLI, see the [AWS Command Line Interface User Guide](https://docs.aws.amazon.com/cli/latest/userguide/) and [fis](https://docs.aws.amazon.com/cli/latest/reference/fis/index.html) in the *AWS CLI Command Reference*. 

For more information on how AWS FIS actions work, see [Actions for AWS FIS](action-sequence.md) and [How AWS Fault Injection Service works with IAM](security_iam_service-with-iam.md).

**Topics**
+ [

## Fault injection actions
](#fis-actions-reference-fis)
+ [

## Recovery action
](#fis-actions-recovery)
+ [

## Wait action
](#fis-actions-reference-wait)
+ [

## Amazon CloudWatch actions
](#cloudwatch-actions-reference)
+ [

## Amazon DynamoDB actions
](#dynamodb-actions-reference)
+ [

## Amazon Aurora DSQL actions
](#dsql-actions-reference)
+ [

## Amazon EBS actions
](#ebs-actions-reference)
+ [

## Amazon EC2 actions
](#ec2-actions-reference)
+ [

## Amazon ECS actions
](#ecs-actions-reference)
+ [

## Amazon EKS actions
](#eks-actions-reference)
+ [

## Amazon ElastiCache actions
](#elasticache-actions-reference)
+ [

## Amazon Kinesis Data Streams actions
](#aws-kinesis-actions)
+ [

## AWS Lambda actions
](#aws-lambda-actions-reference)
+ [

## Amazon MemoryDB action
](#memorydb-actions-reference)
+ [

## Network actions
](#network-actions-reference)
+ [

## Amazon RDS actions
](#rds-actions-reference)
+ [

## Amazon S3 actions
](#s3-actions-reference-fis)
+ [

## Systems Manager actions
](#ssm-actions-reference)
+ [

## AWS Direct Connect actions
](#directconnect-actions-reference)
+ [

# Use Systems Manager SSM documents with AWS FIS
](actions-ssm-agent.md)
+ [

# Use the AWS FIS aws:ecs:task actions
](ecs-task-actions.md)
+ [

# Use the AWS FIS aws:eks:pod actions
](eks-pod-actions.md)
+ [

# Use the AWS FIS aws:lambda:function actions
](use-lambda-actions.md)

## Fault injection actions
<a name="fis-actions-reference-fis"></a>

AWS FIS supports the following fault injection actions.

**Topics**
+ [

### aws:fis:inject-api-internal-error
](#inject-api-internal-error)
+ [

### aws:fis:inject-api-throttle-error
](#inject-api-throttle-error)
+ [

### aws:fis:inject-api-unavailable-error
](#inject-api-unavailable-error)

### aws:fis:inject-api-internal-error
<a name="inject-api-internal-error"></a>

Injects Internal Errors into requests made by the the target IAM role. The specific response depends on each service and API. For more information, please review the SDK and API documentation of your service.

**Resource type**
+ **aws:iam:role**

**Parameters**
+ **duration** – The duration, from one minute to 12 hours. In the AWS FIS API, the value is a string in ISO 8601 format. For example, PT1M represents one minute. In the AWS FIS console, you enter the number of seconds, minutes, or hours.
+ **service** – The target AWS API namespace. The supported value is `ec2` and `kinesis`.
+ **percentage** – The percentage (1-100) of calls to inject the fault into.
+ **operations** – The operations to inject the fault into, separated using commas. For a list of the API actions for the `ec2` namespace, see [Amazon EC2 API Reference](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_Operations.html) and [Amazon Kinesis Data Streams API Reference](https://docs.aws.amazon.com/kinesis/latest/APIReference/API_Operations.html). 

**Permissions**
+ `fis:InjectApiInternalError`

### aws:fis:inject-api-throttle-error
<a name="inject-api-throttle-error"></a>

Injects throttling errors into requests made by the target IAM role. The specific response depends on each service and API. For more information, please review the SDK and API documentation of your service.

**Resource type**
+ **aws:iam:role**

**Parameters**
+ **duration** – The duration, from one minute to 12 hours. In the AWS FIS API, the value is a string in ISO 8601 format. For example, PT1M represents one minute. In the AWS FIS console, you enter the number of seconds, minutes, or hours.
+ **service** – The target AWS API namespace. The supported value is `ec2` and `kinesis`.
+ **percentage** – The percentage (1-100) of calls to inject the fault into.
+ **operations** – The operations to inject the fault into, separated using commas. For a list of the API actions for the `ec2` namespace, see [Amazon EC2 API Reference](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_Operations.html) and [Amazon Kinesis Data Streams API Reference](https://docs.aws.amazon.com/kinesis/latest/APIReference/API_Operations.html). 

**Permissions**
+ `fis:InjectApiThrottleError`

### aws:fis:inject-api-unavailable-error
<a name="inject-api-unavailable-error"></a>

Injects Unavailable errors into requests made by the target IAM role. The specific response depends on each service and API. For more information, please review the SDK and API documentation of your service.

**Resource type**
+ **aws:iam:role**

**Parameters**
+ **duration** – The duration, from one minute to 12 hours. In the AWS FIS API, the value is a string in ISO 8601 format. For example, PT1M represents one minute. In the AWS FIS console, you enter the number of seconds, minutes, or hours.
+ **service** – The target AWS API namespace. The supported value is `ec2` and `kinesis`.
+ **percentage** – The percentage (1-100) of calls to inject the fault into.
+ **operations** – The operations to inject the fault into, separated using commas. For a list of the API actions for the `ec2` namespace, see [Amazon EC2 API Reference](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_Operations.html) and [Amazon Kinesis Data Streams API Reference](https://docs.aws.amazon.com/kinesis/latest/APIReference/API_Operations.html). 

**Permissions**
+ `fis:InjectApiUnavailableError`

## Recovery action
<a name="fis-actions-recovery"></a>

Recovery actions are performed to mitigate risk or protect applications after impairment.

AWS FIS supports the following recovery actions.

### aws:arc:start-zonal-autoshift
<a name="recovery"></a>

Automatically shifts traffic for supported resources away from a potentially impaired Availability Zone (AZ) and reroutes them to healthy AZs in the same AWS Region. This allows for experiencing zonal autoshift through FIS. Zonal autoshift is a capability in Amazon Application Recovery Controller (ARC) that allows AWS to shift traffic for a resource away from an AZ, on your behalf, when AWS determines that there is an impairment that could potentially affect customers in the AZ.

When you run the `aws:arc:start-zonal-autoshift` action, AWS FIS manages the zonal shift using the StartZonalShift, UpdateZonalShift, and CancelZonalShift APIs with the `expiresIn` field for these requests set to 1 minute as a safety mechanism. This enables AWS FIS to quickly rollback the zonal shift in the case of any unexpected events such as network outages or system issues. In the ARC console, the expiration time field will display AWS FIS-managed, and the actual expected expiration is determined by the duration specified in the zonal shift action.

**Resource type**
+ **aws:arc:zonal-shift-managed-resource**

  Zonal shift managed resources are resource types including Amazon EKS clusters, Amazon EC2 Application and Network Load Balancers, and Amazon EC2 Auto Scaling groups that can be enabled for ARC zonal autoshift. For more information, see [supported resources](https://docs.aws.amazon.com/r53recovery/latest/dg/arc-zonal-shift.resource-types.html) and [enabling zonal autoshift resources](https://docs.aws.amazon.com//r53recovery/latest/dg/arc-zonal-autoshift.start-cancel.html) in the *ARC Developer Guide*.

**Parameters**
+ **duration** – The length of time for which traffic will be shifted. In the AWS FIS API, the value is a string in ISO 8601 format. For example, PT1M represents one minute. In the AWS FIS console, you enter the number of seconds, minutes, or hours.
+ **availabilityZoneIdentifier** – Traffic moves away from this AZ. This can be an AZ name (us-east-1a) or AZ ID (use1-az1).
+ **managedResourceTypes** – The resource types from which traffic will be shifted, separated by commas. Possible options are `ASG` (Auto Scaling Group), `ALB` (Application Load Balancer), `NLB` (Network Load Balancer), and `EKS` (Amazon EKS). 
+ **zonalAutoshiftStatus** – The `zonalAutoshiftStatus` status of the resources that you want to target. Possible options are `ENABLED` `DISABLED`, and `ANY`. The default is `ENABLED`.

**Permissions**
+ arc-zonal-shift:StartZonalShift
+ arc-zonal-shift:GetManagedResource
+ arc-zonal-shift:UpdateZonalShift
+ arc-zonal-shift:CancelZonalShift
+ arc-zonal-shift:ListManagedResources
+ autoscaling:DescribeTags
+ tag:GetResources

## Wait action
<a name="fis-actions-reference-wait"></a>

AWS FIS supports the following wait action.

### aws:fis:wait
<a name="wait"></a>

Runs the AWS FIS wait action.

**Parameters**
+ **duration** – The duration, from one minute to 12 hours. In the AWS FIS API, the value is a string in ISO 8601 format. For example, PT1M represents one minute. In the AWS FIS console, you enter the number of seconds, minutes, or hours.

**Permissions**
+ None

## Amazon CloudWatch actions
<a name="cloudwatch-actions-reference"></a>

AWS FIS supports the following Amazon CloudWatch action.

### aws:cloudwatch:assert-alarm-state
<a name="assert-alarm-state"></a>

Verifies that the specified alarms are in one of the specified alarm states.

**Resource type**
+ None

**Parameters**
+ **alarmArns** – The ARNs of the alarms, separated by commas. You can specify up to five alarms.
+ **alarmStates** – The alarm states, separated by commas. The possible alarm states are `OK`, `ALARM`, and `INSUFFICIENT_DATA`.

**Permissions**
+ `cloudwatch:DescribeAlarms`

## Amazon DynamoDB actions
<a name="dynamodb-actions-reference"></a>

AWS FIS supports the following Amazon DynamoDB action.

### aws:dynamodb:global-table-pause-replication
<a name="global-table-pause-replication"></a>

Pauses Amazon DynamoDB multi-Region global table replication to any replica table. Tables may continue to be replicated for up to 5 minutes after action begins.

**Multi-Region strongly consistent (MRSC) global tables**  
The following statements will be dynamically appended to the policy for the target DynamoDB MRSC global table:

```
{
   "Statement":[
      {
         "Sid": "DoNotModifyFisDynamoDbPauseReplicationEXPxxxxxxxxxxxxxxx",
         "Effect":"Deny",
         "Principal":{
            "AWS": "*"
         },
         "Action":[
            "dynamodb:UpdateTable"
         ],
         "Resource":"arn:aws:dynamodb:us-east-1:123456789012:table/ExampleGlobalTable",
         "Condition": {
            "DateLessThan": {
                "aws:CurrentTime": "2024-04-10T09:51:41.511Z"
            },
            "ArnEquals": {
                "aws:PrincipalArn": "arn:aws:iam::123456789012:role/aws-service-role/replication.dynamodb.amazonaws.com/AWSServiceRoleForDynamoDBReplication"
            }
         }
      },
      {
         "Sid": "DoNotModifyFisDynamoDbPauseReplicationEXPxxxxxxxxxxxxxxxForApplicationAutoScaling",
         "Effect":"Deny",
         "Principal":{
            "AWS": "*"
         },
         "Action":[
            "dynamodb:DescribeTable",
            "dynamodb:UpdateTable"
         ],
         "Resource":"arn:aws:dynamodb:us-east-1:123456789012:table/ExampleGlobalTable",
         "Condition": {
            "DateLessThan": {
              "aws:CurrentTime": "2024-04-10T09:51:41.511Z"
            },
            "ArnEquals": {
                "aws:PrincipalArn": "arn:aws:iam::123456789012:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable"
            }
         }
      }
   ]
}
```

If a target table does not have any attached resource polices, a resource policy is created for the duration of the experiment, and automatically deleted when the experiment ends. Otherwise, the fault statement is inserted into an existing policy, without any additional modifications to the existing policy statements. The fault statement is then removed from the policy at the end of the experiment.

Target Amazon DynamoDB MRSC global tables are subject to an additional quota. This quota enforces that no single table may be subject to more than 5,040 minutes of impairment in a 7-day rolling window.

**Multi-Region eventually consistent (MREC) global tables**  
The following statement will be dynamically appended to the policy for the target DynamoDB MREC global table:

```
{
   "Statement":[
      {
         "Sid": "DoNotModifyFisDynamoDbPauseReplicationEXPxxxxxxxxxxxxxxx",
         "Effect":"Deny",
         "Principal":{
            "AWS": "*"
         },
         "Action":[
            "dynamodb:GetItem",
            "dynamodb:PutItem",
            "dynamodb:UpdateItem",
            "dynamodb:DeleteItem",
            "dynamodb:DescribeTable",
            "dynamodb:UpdateTable",
            "dynamodb:Scan",
            "dynamodb:DescribeTimeToLive",
            "dynamodb:UpdateTimeToLive"
         ],
         "Resource":"arn:aws:dynamodb:us-east-1:123456789012:table/ExampleGlobalTable",
         "Condition": {
            "DateLessThan": {
              "aws:CurrentTime": "2024-04-10T09:51:41.511Z"
            },
            "ArnEquals": {
                "aws:PrincipalArn": "arn:aws:iam::123456789012:role/aws-service-role/replication.dynamodb.amazonaws.com/AWSServiceRoleForDynamoDBReplication"
            }
         }
      }
   ]
}
```

The following statement will be dynamically appended to the stream policy for the target DynamoDB MREC global table:

```
{
   "Statement":[
      {
         "Sid": "DoNotModifyFisDynamoDbPauseReplicationEXPxxxxxxxxxxxxxxx",
         "Effect":"Deny",
         "Principal":{
            "AWS": "*"
         },
         "Action":[
            "dynamodb:GetRecords",
            "dynamodb:DescribeStream",
            "dynamodb:GetShardIterator"
         ],
         "Resource":"arn:aws:dynamodb:us-east-1:123456789012:table/ExampleGlobalTable/stream/2023-08-31T09:50:24.025",
         "Condition": {
            "DateLessThan": {
              "aws:CurrentTime": "2024-04-10T09:51:41.511Z"
            },
            "ArnEquals": {
                "aws:PrincipalArn": "arn:aws:iam::123456789012:role/aws-service-role/replication.dynamodb.amazonaws.com/AWSServiceRoleForDynamoDBReplication"
            }
         }
      }
   ]
}
```

If a target table or stream does not have any attached resource polices, a resource policy is created for the duration of the experiment, and automatically deleted when the experiment ends. Otherwise, the fault statement is inserted into an existing policy, without any additional modifications to the existing policy statements. The fault statement is then removed from the policy at the end of the experiment.

**Resource type**
+ **aws:dynamodb:global-table**

**Parameters**
+ **duration** – In the AWS FIS API, the value is a string in ISO 8601 format. For example, PT1M represents one minute. In the AWS FIS console, you enter the number of seconds, minutes, or hours.

**Permissions**
+ `dynamodb:PutResourcePolicy`
+ `dynamodb:DeleteResourcePolicy`
+ `dynamodb:GetResourcePolicy`
+ `dynamodb:DescribeTable`
+ `tag:GetResources`
+ `dynamodb:InjectError` \$1

\$1 The permission is only required if you are targeting MRSC global tables

## Amazon Aurora DSQL actions
<a name="dsql-actions-reference"></a>

AWS FIS supports the following Amazon Aurora DSQL actions.

### aws:dsql:cluster-connection-failure
<a name="cluster-connection-failure"></a>

Creates controlled connection failures in an Aurora DSQL cluster for a specified duration to test application resilience.

**Resource type**
+ **aws:dsql:cluster**

**Parameters**
+ **duration** – The duration, from one minute to 12 hours. In the AWS FIS API, the value is a string in ISO 8601 format. For example, PT1M represents one minute. In the AWS FIS console, you enter the number of seconds, minutes, or hours.
+ **percentage** – The percentage (1-100) of calls to inject the fault into.

**Permissions**
+ `dsql:InjectError`
+ `dsql:GetCluster`
+ `tag:GetResources`

To initiate the experiment with Aurora DSQL, see [Fault injection testing](https://docs.aws.amazon.com/aurora-dsql/latest/userguide/disaster-recovery-resiliency.html#fault-injection-testing.html) in the *Aurora DSQL User Guide*.

## Amazon EBS actions
<a name="ebs-actions-reference"></a>

AWS FIS supports the following Amazon EBS action.

**Topics**
+ [

### aws:ebs:pause-volume-io
](#pause-volume-io)
+ [

### aws:ebs:volume-io-latency
](#volume-latency-injection)

### aws:ebs:pause-volume-io
<a name="pause-volume-io"></a>

Pauses I/O operations on target EBS volumes. The target volumes must be in the same Availability Zone and must be attached to instances built on the Nitro System. The volumes can't be attached to instances on an Outpost.

To initiate the experiment using the Amazon EC2 console, see [Fault testing on Amazon EBS](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-fis.html) in the *Amazon EC2 User Guide*.

**Resource type**
+ **aws:ec2:ebs-volume**

**Parameters**
+ **duration** – The duration, from one second to 12 hours. In the AWS FIS API, the value is a string in ISO 8601 format. For example, PT1M represents one minute, PT5S represents five seconds, and PT6H represents six hours. In the AWS FIS console, you enter the number of seconds, minutes, or hours. If the duration is small, such as PT5S, the I/O is paused for the specified duration, but it might take longer for the experiment to complete due to the time it takes to initialize the experiment.

**Permissions**
+ `ec2:DescribeVolumes`
+ `ec2:PauseVolumeIO`
+ `tag:GetResources`

### aws:ebs:volume-io-latency
<a name="volume-latency-injection"></a>

Injects latency on I/O operations of target EBS volumes. The target volumes must be in the same Availability Zone. The volumes can't be attached to instances on an Outpost.

To initiate the experiment using the Amazon EC2 console, see [ Fault testing on Amazon EBS](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-fis.html) in the *Amazon EBS User Guide*.

**Resource type**
+ **aws:ec2:ebs-volume**

**Parameters**
+ **readIOPercentage** – The percentage of read I/O operations that latency will be injected on, from 0.1% to 100.%. This is the percentage of all read I/O operations on the volume that will be impacted during the experiment. The default is 100.
+ **readIOLatencyMilliseconds** – The amount of latency injected on read I/O operations in milliseconds, from 1ms (io2 volumes) or 10ms (non-io2 volumes) to 60 seconds. This is the latency value that will be observed on the specified percentage of the read I/O during the experiment. The default is 100.
+ **writeIOPercentage** – The percentage of write I/O operations that latency will be injected on, from 0.1% to 100.%. This is the percentage of all write I/O operations on the volume that will be impacted during the experiment. The default is 100.
+ **writeIOLatencyMilliseconds** – The amount of latency injected on write I/O operations in milliseconds, from 1ms (io2 volumes) or 10ms (non-io2 volumes) to 60 seconds. This is the latency value that will be observed on the specificed percentage of the read I/O during the experiment. The default is 100.
+ **duration** – The duration for which the latency will be injected, from 1 second to 12 hours.

**Permissions**
+ `ec2:DescribeVolumes`
+ `ec2:InjectVolumeIOLatency`
+ `tag:GetResources`

## Amazon EC2 actions
<a name="ec2-actions-reference"></a>

AWS FIS supports the following Amazon EC2 actions.

**Topics**
+ [

### aws:ec2:api-insufficient-instance-capacity-error
](#api-ice)
+ [

### aws:ec2:asg-insufficient-instance-capacity-error
](#asg-ice)
+ [

### aws:ec2:reboot-instances
](#reboot-instances)
+ [

### aws:ec2:send-spot-instance-interruptions
](#send-spot-instance-interruptions)
+ [

### aws:ec2:stop-instances
](#stop-instances)
+ [

### aws:ec2:terminate-instances
](#terminate-instances)

AWS FIS also supports fault injection actions through the AWS Systems Manager SSM Agent. Systems Manager uses an SSM document that defines actions to perform on EC2 instances. You can use your own document to inject custom faults, or you can use pre-configured SSM documents. For more information, see [Use Systems Manager SSM documents with AWS FIS](actions-ssm-agent.md).

### aws:ec2:api-insufficient-instance-capacity-error
<a name="api-ice"></a>

Injects `InsufficientInstanceCapacity` error responses on requests made by the target IAM roles. Supported operations are RunInstances, CreateCapacityReservation, StartInstances, CreateFleet calls. Requests that include capacity asks in multiple Availability Zones are not supported. This action doesn't support defining targets using resource tags, filters, or parameters.

For the Auto Scaling LaunchInstances operation, InsufficientInstanceCapacity errors will be returned in the response's `errors` field, but the Auto Scaling group's desired capacity will still be updated, allowing the asynchronous scaling process to potentially launch instances. For broader testing of insufficient capacity handling with LaunchInstances, consider using this action together with [aws:ec2:asg-insufficient-instance-capacity-error](#asg-ice).

**Resource type**
+ **aws:iam:role**

**Parameters**
+ **duration** – In the AWS FIS API, the value is a string in ISO 8601 format. For example, PT1M represents one minute. In the AWS FIS console, you enter the number of seconds, minutes, or hours.
+ **availabilityZoneIdentifiers** – The comma separated list of Availability Zones. Supports Zone IDs (e.g. `"use1-az1, use1-az2"`) and Zone names (e.g. `"us-east-1a"`).
+ **percentage** – The percentage (1-100) of calls to inject the fault into.

**Permissions**
+ `ec2:InjectApiError`with condition key `ec2:FisActionId` value set to `aws:ec2:api-insufficient-instance-capacity-error` and `ec2:FisTargetArns` condition key set to target IAM roles.

For an example policy, see [Example: Use condition keys for `ec2:InjectApiError`](security_iam_id-based-policy-examples.md#security-iam-policy-examples-ec2).

### aws:ec2:asg-insufficient-instance-capacity-error
<a name="asg-ice"></a>

Injects `InsufficientInstanceCapacity` error responses on requests made by the target Auto Scaling groups. This action only supports Auto Scaling groups using launch templates. To learn more about insufficient instance capacity errors, see the [Amazon EC2 user guide](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/troubleshooting-launch.html#troubleshooting-launch-capacity). 

**Resource type**
+ **aws:ec2:autoscaling-group**

**Parameters**
+ **duration** – In the AWS FIS API, the value is a string in ISO 8601 format. For example, PT1M represents one minute. In the AWS FIS console, you enter the number of seconds, minutes, or hours.
+ **availabilityZoneIdentifiers** – The comma separated list of Availability Zones. Supports Zone IDs (e.g. `"use1-az1, use1-az2"`) and Zone names (e.g. `"us-east-1a"`).
+ **percentage** – Optional. The percentage (1-100) of the target Auto Scaling group's launch requests to inject the fault. The default is 100.

**Permissions**
+ `ec2:InjectApiError`with condition key ec2:FisActionId value set to `aws:ec2:asg-insufficient-instance-capacity-error` and `ec2:FisTargetArns` condition key set to target Auto Scaling groups.
+ `autoscaling:DescribeAutoScalingGroups`

For an example policy, see [Example: Use condition keys for `ec2:InjectApiError`](security_iam_id-based-policy-examples.md#security-iam-policy-examples-ec2).

### aws:ec2:reboot-instances
<a name="reboot-instances"></a>

Runs the Amazon EC2 API action [RebootInstances](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RebootInstances.html) on the target EC2 instances.

**Resource type**
+ **aws:ec2:instance**

**Parameters**
+ None

**Permissions**
+ `ec2:RebootInstances`
+ `ec2:DescribeInstances`

**AWS managed policy**
+ [AWSFaultInjectionSimulatorEC2Access](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSFaultInjectionSimulatorEC2Access.html)

### aws:ec2:send-spot-instance-interruptions
<a name="send-spot-instance-interruptions"></a>

Interrupts the target Spot Instances. Sends a [Spot Instance interruption notice](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-interruptions.html#spot-instance-termination-notices) to target Spot Instances two minutes before interrupting them. The interruption time is determined by the specified **durationBeforeInterruption** parameter. Two minutes after the interruption time, the Spot Instances are terminated or stopped, depending on their interruption behavior. A Spot Instance that was stopped by AWS FIS remains stopped until you restart it.

Immediately after the action is initiated, the target instance receives an [EC2 instance rebalance recommendation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/rebalance-recommendations.html). If you specified **durationBeforeInterruption**, there could be a delay between the rebalance recommendation and the interruption notice.

For more information, see [Tutorial: Test Spot Instance interruptions using AWS FIS](fis-tutorial-spot-interruptions.md). Alternatively, to initiate the experiment by using the Amazon EC2 console, see [Initiate a Spot Instance interruption](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/initiate-a-spot-instance-interruption.html) in the *Amazon EC2 User Guide*.

**Resource type**
+ **aws:ec2:spot-instance**

**Parameters**
+ **durationBeforeInterruption** – The time to wait before interrupting the instance, from 2 to 15 minutes. In the AWS FIS API, the value is a string in ISO 8601 format. For example, PT2M represents two minutes. In the AWS FIS console, you enter the number of minutes.

**Permissions**
+ `ec2:SendSpotInstanceInterruptions`
+ `ec2:DescribeInstances`

**AWS managed policy**
+ [AWSFaultInjectionSimulatorEC2Access](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSFaultInjectionSimulatorEC2Access.html)

### aws:ec2:stop-instances
<a name="stop-instances"></a>

Runs the Amazon EC2 API action [StopInstances](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_StopInstances.html) on the target EC2 instances.

**Resource type**
+ **aws:ec2:instance**

**Parameters**
+ **startInstancesAfterDuration** – Optional. The time to wait before starting the instance, from one minute to 12 hours. In the AWS FIS API, the value is a string in ISO 8601 format. For example, PT1M represents one minute. In the AWS FIS console, you enter the number of seconds, minutes, or hours. If the instance has an encrypted EBS volume, you must grant AWS FIS permission to the KMS key used to encrypt the volume, or add the experiment role to the KMS key policy.
+ **completeIfInstancesTerminated** – Optional. If true, and if `startInstancesAfterDuration` is also true, this action will not fail when targeted EC2 instances have been terminated by a separate request outside of FIS and cannot be restarted. For example, Auto Scaling groups may terminate stopped EC2 instances under their control before this action completes. The default is false. 

**Permissions**
+ `ec2:StopInstances`
+ `ec2:StartInstances`
+ `ec2:DescribeInstances` – Optional. Required with **completeIfInstancesTerminated** to validate instance state at end of action.
+ `kms:CreateGrant` – Optional. Required with **startInstancesAfterDuration** to restart instances with encrypted volumes.

**AWS managed policy**
+ [AWSFaultInjectionSimulatorEC2Access](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSFaultInjectionSimulatorEC2Access.html)

### aws:ec2:terminate-instances
<a name="terminate-instances"></a>

Runs the Amazon EC2 API action [TerminateInstances](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_TerminateInstances.html) on the target EC2 instances.

**Resource type**
+ **aws:ec2:instance**

**Parameters**
+ None

**Permissions**
+ `ec2:TerminateInstances`
+ `ec2:DescribeInstances`

**AWS managed policy**
+ [AWSFaultInjectionSimulatorEC2Access](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSFaultInjectionSimulatorEC2Access.html)

## Amazon ECS actions
<a name="ecs-actions-reference"></a>

AWS FIS supports the following Amazon ECS actions.

**Topics**
+ [

### aws:ecs:drain-container-instances
](#drain-container-instances)
+ [

### aws:ecs:stop-task
](#stop-task)
+ [

### aws:ecs:task-cpu-stress
](#task-cpu-stress)
+ [

### aws:ecs:task-io-stress
](#task-io-stress)
+ [

### aws:ecs:task-kill-process
](#task-kill-process)
+ [

### aws:ecs:task-network-blackhole-port
](#task-network-blackhole-port)
+ [

### aws:ecs:task-network-latency
](#task-network-latency)
+ [

### aws:ecs:task-network-packet-loss
](#task-network-packet-loss)

### aws:ecs:drain-container-instances
<a name="drain-container-instances"></a>

Runs the Amazon ECS API action [UpdateContainerInstancesState](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_UpdateContainerInstancesState.html) to drain the specified percentage of underlying Amazon EC2 instances on the target clusters.

**Resource type**
+ **aws:ecs:cluster**

**Parameters**
+ **drainagePercentage** – The percentage (1-100).
+ **duration** – The duration, from one minute to 12 hours. In the AWS FIS API, the value is a string in ISO 8601 format. For example, PT1M represents one minute. In the AWS FIS console, you enter the number of seconds, minutes, or hours.

**Permissions**
+ `ecs:DescribeClusters`
+ `ecs:UpdateContainerInstancesState`
+ `ecs:ListContainerInstances`
+ `tag:GetResources`

**AWS managed policy**
+ [AWSFaultInjectionSimulatorECSAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSFaultInjectionSimulatorECSAccess.html)

### aws:ecs:stop-task
<a name="stop-task"></a>

Runs the Amazon ECS API action [StopTask](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_StopTask.html) to stop the target task.

**Resource type**
+ **aws:ecs:task**

**Parameters**
+ None

**Permissions**
+ `ecs:DescribeTasks`
+ `ecs:ListTasks`
+ `ecs:StopTask`
+ `tag:GetResources`

**AWS managed policy**
+ [AWSFaultInjectionSimulatorECSAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSFaultInjectionSimulatorECSAccess.html)

### aws:ecs:task-cpu-stress
<a name="task-cpu-stress"></a>

Runs CPU stress on the target tasks. Uses the [AWSFIS-Run-CPU-Stress](https://console.aws.amazon.com/systems-manager/documents/AWSFIS-Run-CPU-Stress/description) SSM document. The tasks must be managed by AWS Systems Manager. For more information, see [ECS task actions](ecs-task-actions.md).

**Resource type**
+ **aws:ecs:task**

**Parameters**
+ **duration** – The duration of the stress test, in ISO 8601 format.
+ **percent** – Optional. The target load percentage, from 0 (no load) to 100 (full load). The default is 100.
+ **workers** – Optional. The number of stressors to use. The default is 0, which uses all stressors.
+ **installDependencies** – Optional. If this value is `True`, Systems Manager installs the required dependencies on the sidecar container for the SSM agent, if they are not already installed. The default is `True`. The dependency is **stress-ng**.

**Permissions**
+ `ecs:DescribeTasks`
+ `ssm:SendCommand`
+ `ssm:ListCommands`
+ `ssm:CancelCommand`

### aws:ecs:task-io-stress
<a name="task-io-stress"></a>

Runs I/O stress on the target tasks. Uses the [AWSFIS-Run-IO-Stress](https://console.aws.amazon.com/systems-manager/documents/AWSFIS-Run-IO-Stress/description) SSM document. The tasks must be managed by AWS Systems Manager. For more information, see [ECS task actions](ecs-task-actions.md).

**Resource type**
+ **aws:ecs:task**

**Parameters**
+ **duration** – The duration of the stress test, in ISO 8601 format.
+ **percent** – Optional. The percentage of free space on the file system to use during the stress test. The default is 80%.
+ **workers** – Optional. The number of workers. Workers perform a mix of sequential, random, and memory-mapped read/write operations, forced synchronizing, and cache dropping. Multiple child processes perform different I/O operations on the same file. The default is 1.
+ **installDependencies** – Optional. If this value is `True`, Systems Manager installs the required dependencies on the sidecar container for the SSM agent, if they are not already installed. The default is `True`. The dependency is **stress-ng**.

**Permissions**
+ `ecs:DescribeTasks`
+ `ssm:SendCommand`
+ `ssm:ListCommands`
+ `ssm:CancelCommand`

### aws:ecs:task-kill-process
<a name="task-kill-process"></a>

Stops the specified process in the tasks, using the **killall** command. Uses the [AWSFIS-Run-Kill-Process](https://console.aws.amazon.com/systems-manager/documents/AWSFIS-Run-Kill-Process/description) SSM document. The task definition must have `pidMode` set to `task`. The tasks must be managed by AWS Systems Manager. For more information, see [ECS task actions](ecs-task-actions.md).

**Resource type**
+ **aws:ecs:task**

**Parameters**
+ **processName** – The name of the process to stop.
+ **signal** – Optional. The signal to send along with the command. The possible values are `SIGTERM` (which the receiver can choose to ignore) and `SIGKILL` (which cannot be ignored). The default is `SIGTERM`.
+ **installDependencies** – Optional. If this value is `True`, Systems Manager installs the required dependencies on the sidecar container for the SSM agent, if they are not already installed. The default is `True`. The dependency is **killall**.

**Permissions**
+ `ecs:DescribeTasks`
+ `ssm:SendCommand`
+ `ssm:ListCommands`
+ `ssm:CancelCommand`

### aws:ecs:task-network-blackhole-port
<a name="task-network-blackhole-port"></a>

Drops inbound or outbound traffic for the specified protocol and port, using the [Amazon ECS Fault Injection endpoints](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/fault-injection.html). Uses the [AWSFIS-Run-Network-Blackhole-Port-ECS](https://console.aws.amazon.com/systems-manager/documents/AWSFIS-Run-Network-Blackhole-Port-ECS/description) SSM document. The task definition must have `pidMode` set to `task`. The tasks must be managed by AWS Systems Manager. You can't set `networkMode` to `bridge` in the task definition. For more information, see [ECS task actions](ecs-task-actions.md).

When `useEcsFaultInjectionEndpoints` is set to `false`, the fault uses the `iptables` tool, and uses the [AWSFIS-Run-Network-Blackhole-Port](https://console.aws.amazon.com/systems-manager/documents/AWSFIS-Run-Network-Blackhole-Port/description) SSM document. 

**Resource type**
+ **aws:ecs:task**

**Parameters**
+ **duration** – The duration of the test, in ISO 8601 format.
+ **port** – The port number.
+ **trafficType** – The type of traffic. The possible values are `ingress` and `egress`.
+ **protocol** – Optional. The protocol. The possible values are `tcp` and `udp`. The default is `tcp`.
+ **installDependencies** – Optional. If this value is `True`, Systems Manager installs the required dependencies on the sidecar container for the SSM agent, if they are not already installed. The default is `True`. The dependencies are **atd**, **curl-minimal**, **dig** and **jq**.
+ **useEcsFaultInjectionEndpoints** – Optional. If set to true, the Amazon ECS Fault Injection APIs will be used. The default is false.

**Permissions**
+ `ecs:DescribeTasks`
+ `ssm:SendCommand`
+ `ssm:ListCommands`
+ `ssm:CancelCommand`

### aws:ecs:task-network-latency
<a name="task-network-latency"></a>

Adds latency and jitter to the network interface for egress traffic to specific sources, using the [Amazon ECS Fault Injection endpoints](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/fault-injection.html) . Uses the [AWSFIS-Run-Network-Latency-ECS](https://console.aws.amazon.com/systems-manager/documents/AWSFIS-Run-Network-Latency-ECS/description) SSM document. The task definition must have `pidMode` set to `task`. The tasks must be managed by AWS Systems Manager. You can't set `networkMode` to `bridge` in the task definition. For more information, see [ECS task actions](ecs-task-actions.md).

When `useEcsFaultInjectionEndpoints` is set to `false`, the fault uses the `tc` tool, and uses the [AWSFIS-Run-Network-Latency-Sources](https://console.aws.amazon.com/systems-manager/documents/AWSFIS-Run-Network-Latency-Sources/description) SSM document. 

Use the `flowsPercent` parameter to add latency on a percentage of the connections. To use the `flowsPercent` parameter, the ECS Agent version should be `1.100.0` or higher.

To use AZ names or AZ IDs in the `sources` parameter, all targets of the action must be on the same VPC.

**Resource type**
+ **aws:ecs:task**

**Parameters**
+ **duration** – The duration of the test, in ISO 8601 format.
+ **delayMilliseconds** – Optional. The delay, in milliseconds. The default is 200.
+ **jitterMilliseconds** – Optional. The jitter, in milliseconds. The default is 10.
+ **flowsPercent** – Optional. The percentage of network flows that will be affected by the action. The default is 100%.
+ **sources** – Optional. The sources, separated by commas, without spaces. The possible values are: an IPv4 address, an IPv4 CIDR block, a domain name, an AZ name (us-east-1a), an AZ ID (use1-az1), ALL, `DYNAMODB`, and `S3`. If you specify `DYNAMODB` or `S3`, this applies only to the Regional endpoint in the current Region. The default is ALL, which matches all IPv4 traffic.
+ **installDependencies** – Optional. If this value is `True`, Systems Manager installs the required dependencies on the sidecar container for the SSM agent, if they are not already installed. The default is `True`. The dependencies are **atd**, **curl-minimal**, **dig**, **jq** and **lsof**.
+ **useEcsFaultInjectionEndpoints** – Optional. If set to true, the Amazon ECS Fault Injection APIs will be used. The default is false.

**Permissions**
+ `ecs:DescribeTasks`
+ `ecs:DescribeContainerInstances`
+ `ec2:DescribeInstances`
+ `ec2:DescribeSubnets`
+ `ssm:SendCommand`
+ `ssm:ListCommands`
+ `ssm:CancelCommand`

### aws:ecs:task-network-packet-loss
<a name="task-network-packet-loss"></a>

Adds packet loss to the network interface for egress traffic to specific sources, using the [Amazon ECS Fault Injection endpoints](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/fault-injection.html). Uses the [AWSFIS-Run-Network-Packet-Loss-ECS](https://console.aws.amazon.com/systems-manager/documents/AWSFIS-Run-Network-Packet-Loss-ECS/description) SSM document. The task definition must have `pidMode` set to `task`. The tasks must be managed by AWS Systems Manager. You can't set `networkMode` to `bridge` in the task definition. For more information, see [ECS task actions](ecs-task-actions.md).

When `useEcsFaultInjectionEndpoints` is set to `false`, the fault uses the `tc` tool, and uses the [AWSFIS-Run-Network-Packet-Loss-Sources](https://console.aws.amazon.com/systems-manager/documents/AWSFIS-Run-Network-Packet-Loss-Sources/description) SSM document. 

Use the `flowsPercent` parameter to inject packet loss on a percentage of the connections. To use the `flowsPercent` parameter, the ECS Agent version should be `1.100.0` or higher.

To use AZ names or AZ IDs in the `sources` parameter, all targets of the action must be on the same VPC.

**Resource type**
+ **aws:ecs:task**

**Parameters**
+ **duration** – The duration of the test, in ISO 8601 format.
+ **lossPercent** – Optional. The percentage of packet loss. The default is 7%.
+ **flowsPercent** – Optional. The percentage of network flows that will be affected by the action. The default is 100%.
+ **sources** – Optional. The sources, separated by commas, without spaces. The possible values are: an IPv4 address, an IPv4 CIDR block, a domain name, an AZ name (us-east-1a), an AZ ID (use1-az1), ALL, `DYNAMODB`, and `S3`. If you specify `DYNAMODB` or `S3`, this applies only to the Regional endpoint in the current Region. The default is ALL, which matches all IPv4 traffic.
+ **installDependencies** – Optional. If this value is `True`, Systems Manager installs the required dependencies on the sidecar container for the SSM agent, if they are not already installed. The default is `True`. The dependencies are **atd**, **curl-minimal**, **dig**, **jq** and **lsof**.
+ **useEcsFaultInjectionEndpoints** – Optional. If set to true, the Amazon ECS Fault Injection APIs will be used. The default is false.

**Permissions**
+ `ecs:DescribeTasks`
+ `ecs:DescribeContainerInstances`
+ `ec2:DescribeInstances`
+ `ec2:DescribeSubnets`
+ `ssm:SendCommand`
+ `ssm:ListCommands`
+ `ssm:CancelCommand`

## Amazon EKS actions
<a name="eks-actions-reference"></a>

AWS FIS supports the following Amazon EKS actions.

**Topics**
+ [

### aws:eks:inject-kubernetes-custom-resource
](#inject-kubernetes-custom-resource)
+ [

### aws:eks:pod-cpu-stress
](#pod-cpu-stress)
+ [

### aws:eks:pod-delete
](#pod-delete)
+ [

### aws:eks:pod-io-stress
](#pod-io-stress)
+ [

### aws:eks:pod-memory-stress
](#pod-memory-stress)
+ [

### aws:eks:pod-network-blackhole-port
](#pod-network-blackhole-port)
+ [

### aws:eks:pod-network-latency
](#pod-network-latency)
+ [

### aws:eks:pod-network-packet-loss
](#pod-network-packet-loss)
+ [

### aws:eks:terminate-nodegroup-instances
](#terminate-nodegroup-instance)

### aws:eks:inject-kubernetes-custom-resource
<a name="inject-kubernetes-custom-resource"></a>

Runs a ChaosMesh or Litmus experiment on a single target cluster. You must install ChaosMesh or Litmus on the target cluster.

When you create an experiment template and define a target of type `aws:eks:cluster`, you must target this action to a single Amazon Resource Name (ARN). This action doesn't support defining targets using resource tags, filters, or parameters.

When you install ChaosMesh, you must specify the appropriate container runtime. Starting with Amazon EKS version 1.23, the default runtime changed from Docker to **containerd**. Starting with version 1.24, Docker was removed.

**Resource type**
+ **aws:eks:cluster**

**Parameters**
+ **kubernetesApiVersion** – The API version of the [Kubernetes custom resource](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/). The possible values are `chaos-mesh.org/v1alpha1` \$1 `litmuschaos.io/v1alpha1`.
+ **kubernetesKind** – The Kubernetes custom resource kind. The value depends on the API version.
  + `chaos-mesh.org/v1alpha1` – The possible values are `AWSChaos` \$1 `DNSChaos` \$1 `GCPChaos` \$1 `HTTPChaos` \$1 `IOChaos` \$1 `JVMChaos` \$1 `KernelChaos` \$1 `NetworkChaos` \$1 `PhysicalMachineChaos` \$1 `PodChaos` \$1 `PodHttpChaos` \$1 `PodIOChaos` \$1 `PodNetworkChaos` \$1 `Schedule` \$1 `StressChaos` \$1 `TimeChaos` \$1
  + `litmuschaos.io/v1alpha1` – The possible value is `ChaosEngine`.
+ **kubernetesNamespace** – The [Kubernetes namespace](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/).
+ **kubernetesSpec** – The `spec` section of the Kubernetes custom resource, in JSON format.
+ **maxDuration** – The maximum time allowed for the automation execution to complete, from one minute to 12 hours. In the AWS FIS API, the value is a string in ISO 8601 format. For example, PT1M represents one minute. In the AWS FIS console, you enter the number of seconds, minutes, or hours.

**Permissions**  
No AWS Identity and Access Management (IAM) permissions are required for this action. The permissions required to use this action are controlled by Kubernetes using RBAC authorization. For more information, see [Using RBAC Authorization](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) in the official Kubernetes documentation. For more information about Chaos Mesh, see the [official Chaos Mesh documentation](https://chaos-mesh.org/docs/). For more information about Litmus, see the [official Litmus documentation](https://docs.litmuschaos.io/docs/introduction/what-is-litmus/).

### aws:eks:pod-cpu-stress
<a name="pod-cpu-stress"></a>

Runs CPU stress on the target pods. For more information, see [EKS Pod actions](eks-pod-actions.md).

**Resource type**
+ **aws:eks:pod**

**Parameters**
+ **duration** – The duration of the stress test, in ISO 8601 format.
+ **percent** – Optional. The target load percentage, from 0 (no load) to 100 (full load). The default is 100.
+ **workers** – Optional. The number of stressors to use. The default is 0, which uses all stressors.
+ **kubernetesServiceAccount** – The Kubernetes service account. For information about the required permissions, see [Configure the Kubernetes service account](eks-pod-actions.md#configure-service-account).
+ **fisPodContainerImage** – Optional. The container image used to create the fault injector pod. The default is to use the images provided by AWS FIS. For more information, see [Pod container images](eks-pod-actions.md#eks-pod-container-images).
+ **maxErrorsPercent** – Optional. The percentage of targets that can fail before the fault injection fails. The default is 0.
+ **fisPodLabels** – Optional. The Kubernetes labels that are attached to the fault orchestration pod created by FIS.
+ **fisPodAnnotations** – Optional. The Kubernetes annotations that are attached to the fault orchestration pod created by FIS.
+ **fisPodSecurityPolicy** – Optional. The [Kubernetes Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/) policy to use for the fault orchestration pod created by FIS and the ephemeral containers. Possible values are `privileged`, `baseline` and `restricted`. This action is compatible with all policy levels.

**Permissions**
+ `eks:DescribeCluster`
+ `ec2:DescribeSubnets`
+ `tag:GetResources`

**AWS managed policy**
+ [AWSFaultInjectionSimulatorEKSAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSFaultInjectionSimulatorEKSAccess.html)

### aws:eks:pod-delete
<a name="pod-delete"></a>

Deletes the target pods. For more information, see [EKS Pod actions](eks-pod-actions.md).

**Resource type**
+ **aws:eks:pod**

**Parameters**
+ **gracePeriodSeconds** – Optional. The duration, in seconds, to wait for the pod to terminate gracefully. If the value is 0, we perform the action immediately. If the value is nil, we use the default grace period for the pod.
+ **kubernetesServiceAccount** – The Kubernetes service account. For information about the required permissions, see [Configure the Kubernetes service account](eks-pod-actions.md#configure-service-account).
+ **fisPodContainerImage** – Optional. The container image used to create the fault injector pod. The default is to use the images provided by AWS FIS. For more information, see [Pod container images](eks-pod-actions.md#eks-pod-container-images).
+ **maxErrorsPercent** – Optional. The percentage of targets that can fail before the fault injection fails. The default is 0.
+ **fisPodLabels** – Optional. The Kubernetes labels that are attached to the fault orchestration pod created by FIS.
+ **fisPodAnnotations** – Optional. The Kubernetes annotations that are attached to the fault orchestration pod created by FIS.
+ **fisPodSecurityPolicy** – Optional. The [Kubernetes Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/) policy to use for the fault orchestration pod created by FIS and the ephemeral containers. Possible values are `privileged`, `baseline` and `restricted`. This action is compatible with all policy levels.

**Permissions**
+ `eks:DescribeCluster`
+ `ec2:DescribeSubnets`
+ `tag:GetResources`

**AWS managed policy**
+ [AWSFaultInjectionSimulatorEKSAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSFaultInjectionSimulatorEKSAccess.html)

### aws:eks:pod-io-stress
<a name="pod-io-stress"></a>

Runs I/O stress on the target pods. For more information, see [EKS Pod actions](eks-pod-actions.md).

**Resource type**
+ **aws:eks:pod**

**Parameters**
+ **duration** – The duration of the stress test, in ISO 8601 format.
+ **workers** – Optional. The number of workers. Workers perform a mix of sequential, random, and memory-mapped read/write operations, forced synchronizing, and cache dropping. Multiple child processes perform different I/O operations on the same file. The default is 1.
+ **percent** – Optional. The percentage of free space on the file system to use during the stress test. The default is 80%.
+ **kubernetesServiceAccount** – The Kubernetes service account. For information about the required permissions, see [Configure the Kubernetes service account](eks-pod-actions.md#configure-service-account).
+ **fisPodContainerImage** – Optional. The container image used to create the fault injector pod. The default is to use the images provided by AWS FIS. For more information, see [Pod container images](eks-pod-actions.md#eks-pod-container-images).
+ **maxErrorsPercent** – Optional. The percentage of targets that can fail before the fault injection fails. The default is 0.
+ **fisPodLabels** – Optional. The Kubernetes labels that are attached to the fault orchestration pod created by FIS.
+ **fisPodAnnotations** – Optional. The Kubernetes annotations that are attached to the fault orchestration pod created by FIS.
+ **fisPodSecurityPolicy** – Optional. The [Kubernetes Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/) policy to use for the fault orchestration pod created by FIS and the ephemeral containers. Possible values are `privileged`, `baseline` and `restricted`. This action is compatible with all policy levels.

**Permissions**
+ `eks:DescribeCluster`
+ `ec2:DescribeSubnets`
+ `tag:GetResources`

**AWS managed policy**
+ [AWSFaultInjectionSimulatorEKSAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSFaultInjectionSimulatorEKSAccess.html)

### aws:eks:pod-memory-stress
<a name="pod-memory-stress"></a>

Runs memory stress on the target pods. For more information, see [EKS Pod actions](eks-pod-actions.md).

**Resource type**
+ **aws:eks:pod**

**Parameters**
+ **duration** – The duration of the stress test, in ISO 8601 format.
+ **workers** – Optional. The number of stressors to use. The default is 1.
+ **percent** – Optional. The percentage of virtual memory to use during the stress test. The default is 80%.
+ **kubernetesServiceAccount** – The Kubernetes service account. For information about the required permissions, see [Configure the Kubernetes service account](eks-pod-actions.md#configure-service-account).
+ **fisPodContainerImage** – Optional. The container image used to create the fault injector pod. The default is to use the images provided by AWS FIS. For more information, see [Pod container images](eks-pod-actions.md#eks-pod-container-images).
+ **maxErrorsPercent** – Optional. The percentage of targets that can fail before the fault injection fails. The default is 0.
+ **fisPodLabels** – Optional. The Kubernetes labels that are attached to the fault orchestration pod created by FIS.
+ **fisPodAnnotations** – Optional. The Kubernetes annotations that are attached to the fault orchestration pod created by FIS.
+ **fisPodSecurityPolicy** – Optional. The [Kubernetes Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/) policy to use for the fault orchestration pod created by FIS and the ephemeral containers. Possible values are `privileged`, `baseline` and `restricted`. This action is compatible with all policy levels.

**Permissions**
+ `eks:DescribeCluster`
+ `ec2:DescribeSubnets`
+ `tag:GetResources`

**AWS managed policy**
+ [AWSFaultInjectionSimulatorEKSAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSFaultInjectionSimulatorEKSAccess.html)

### aws:eks:pod-network-blackhole-port
<a name="pod-network-blackhole-port"></a>

Drops inbound or outbound traffic for the specified protocol and port. Only compatible with the [Kubernetes Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/) `privileged`policy. For more information, see [EKS Pod actions](eks-pod-actions.md).

**Resource type**
+ **aws:eks:pod**

**Parameters**
+ **duration** – The duration of the test, in ISO 8601 format.
+ **protocol** – The protocol. The possible values are `tcp` and `udp`.
+ **trafficType** – The type of traffic. The possible values are `ingress` and `egress`.
+ **port** – The port number.
+ **kubernetesServiceAccount** – The Kubernetes service account. For information about the required permissions, see [Configure the Kubernetes service account](eks-pod-actions.md#configure-service-account).
+ **fisPodContainerImage** – Optional. The container image used to create the fault injector pod. The default is to use the images provided by AWS FIS. For more information, see [Pod container images](eks-pod-actions.md#eks-pod-container-images).
+ **maxErrorsPercent** – Optional. The percentage of targets that can fail before the fault injection fails. The default is 0.
+ **fisPodLabels** – Optional. The Kubernetes labels that are attached to the fault orchestration pod created by FIS.
+ **fisPodAnnotations** – Optional. The Kubernetes annotations that are attached to the fault orchestration pod created by FIS.

**Permissions**
+ `eks:DescribeCluster`
+ `ec2:DescribeSubnets`
+ `tag:GetResources`

**AWS managed policy**
+ [AWSFaultInjectionSimulatorEKSAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSFaultInjectionSimulatorEKSAccess.html)

### aws:eks:pod-network-latency
<a name="pod-network-latency"></a>

Adds latency and jitter to the network interface using the **tc** tool for traffic to or from specific sources. Only compatible with the [Kubernetes Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/) `privileged`policy. For more information, see [EKS Pod actions](eks-pod-actions.md).

Use the `flowsPercent` parameter to add latency on a percentage of the connections.

**Resource type**
+ **aws:eks:pod**

**Parameters**
+ **duration** – The duration of the test, in ISO 8601 format.
+ **interface** – Optional. The network interfaces, separated by commas. ALL and DEFAULT values are supported. The default is `DEFAULT`, which will target the primary network interface for the Operating System.
+ **delayMilliseconds** – Optional. The delay, in milliseconds. The default is 200.
+ **jitterMilliseconds** – Optional. The jitter, in milliseconds. The default is 10.
+ **flowsPercent** – Optional. The percentage of network flows that will be affected by the action. The default is 100%.
+ **sources** – Optional. The sources, separated by commas, without spaces. The possible values are: an IPv4 address, an IPv4 CIDR block, a domain name, an AZ name (us-east-1a), an AZ ID (use1-az1), ALL, `DYNAMODB`, and `S3`. If you specify `DYNAMODB` or `S3`, this applies only to the Regional endpoint in the current Region. For domain names, 10 DNS resolution attempts are made to collect IP addresses. Due to DNS load balancing and rotation, this action may not impair all possible IP addresses the domain could resolve to. The default is ALL, which matches all IPv4 traffic.
+ **kubernetesServiceAccount** – The Kubernetes service account. For information about the required permissions, see [Configure the Kubernetes service account](eks-pod-actions.md#configure-service-account).
+ **fisPodContainerImage** – Optional. The container image used to create the fault injector pod. The default is to use the images provided by AWS FIS. For more information, see [Pod container images](eks-pod-actions.md#eks-pod-container-images).
+ **maxErrorsPercent** – Optional. The percentage of targets that can fail before the fault injection fails. The default is 0.
+ **fisPodLabels** – Optional. The Kubernetes labels that are attached to the fault orchestration pod created by FIS.
+ **fisPodAnnotations** – Optional. The Kubernetes annotations that are attached to the fault orchestration pod created by FIS.

**Permissions**
+ `eks:DescribeCluster`
+ `ec2:DescribeSubnets`
+ `tag:GetResources`

**AWS managed policy**
+ [AWSFaultInjectionSimulatorEKSAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSFaultInjectionSimulatorEKSAccess.html)

### aws:eks:pod-network-packet-loss
<a name="pod-network-packet-loss"></a>

Adds packet loss to the network interface using the **tc** tool. Only compatible with the [Kubernetes Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/) `privileged`policy. For more information, see [EKS Pod actions](eks-pod-actions.md).

Use the `flowsPercent` parameter to inject packet loss on a percentage of the connections.

**Resource type**
+ **aws:eks:pod**

**Parameters**
+ **duration** – The duration of the test, in ISO 8601 format.
+ **interface** – Optional. The network interfaces, separated by commas. ALL and DEFAULT values are supported. The default is `DEFAULT`, which will target the primary network interface for the Operating System.
+ **lossPercent** – Optional. The percentage of packet loss. The default is 7%.
+ **flowsPercent** – Optional. The percentage of network flows that will be affected by the action. The default is 100%.
+ **sources** – Optional. The sources, separated by commas, without spaces. The possible values are: an IPv4 address, an IPv4 CIDR block, a domain name, an AZ name (us-east-1a), an AZ ID (use1-az1), ALL, `DYNAMODB`, and `S3`. If you specify `DYNAMODB` or `S3`, this applies only to the Regional endpoint in the current Region. For domain names, 10 DNS resolution attempts are made to collect IP addresses. Due to DNS load balancing and rotation, this action may not impair all possible IP addresses the domain could resolve to. The default is ALL, which matches all IPv4 traffic.
+ **kubernetesServiceAccount** – The Kubernetes service account. For information about the required permissions, see [Configure the Kubernetes service account](eks-pod-actions.md#configure-service-account).
+ **fisPodContainerImage** – Optional. The container image used to create the fault injector pod. The default is to use the images provided by AWS FIS. For more information, see [Pod container images](eks-pod-actions.md#eks-pod-container-images).
+ **maxErrorsPercent** – Optional. The percentage of targets that can fail before the fault injection fails. The default is 0.
+ **fisPodLabels** – Optional. The Kubernetes labels that are attached to the fault orchestration pod created by FIS.
+ **fisPodAnnotations** – Optional. The Kubernetes annotations that are attached to the fault orchestration pod created by FIS.

**Permissions**
+ `eks:DescribeCluster`
+ `ec2:DescribeSubnets`
+ `tag:GetResources`

**AWS managed policy**
+ [AWSFaultInjectionSimulatorEKSAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSFaultInjectionSimulatorEKSAccess.html)

### aws:eks:terminate-nodegroup-instances
<a name="terminate-nodegroup-instance"></a>

Runs the Amazon EC2 API action [TerminateInstances](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_TerminateInstances.html) on the target node group. Only compatible with Amazon EKS managed node groups. Self-managed node groups are not supported. For more information, see [EKS manage compute](https://docs.aws.amazon.com/eks/latest/userguide/eks-compute.html).

**Resource type**
+ **aws:eks:nodegroup**

**Parameters**
+ **instanceTerminationPercentage** – The percentage (1-100) of instances to terminate.

**Permissions**
+ `ec2:DescribeInstances`
+ `ec2:TerminateInstances`
+ `eks:DescribeNodegroup`
+ `tag:GetResources`

**AWS managed policy**
+ [AWSFaultInjectionSimulatorEKSAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSFaultInjectionSimulatorEKSAccess.html)

## Amazon ElastiCache actions
<a name="elasticache-actions-reference"></a>

AWS FIS supports the following ElastiCache action.

### aws:elasticache:replicationgroup-interrupt-az-power
<a name="replicationgroup-interrupt-az-power"></a>

Interrupts power to nodes in the specified Availability Zone for target ElastiCache replication groups with Multi-AZ enabled. Only one Availability Zone per replication group can be impacted at a time. When a primary node is targeted, the corresponding read replica with the least replication lag is promoted to primary. Read replica replacements in the specified Availability Zone are blocked for the duration of this action, which means that target Replication Groups operate with reduced capacity. The target for this action supports both Redis and Valkey engines. The action does not support the "serverless" deployment option.

**Resource type**
+ **aws:elasticache:replicationgroup**

**Parameters**
+ **duration** – The duration, from one minute to 12 hours. In the AWS FIS API, the value is a string in ISO 8601 format. For example, PT1M represents one minute. In the AWS FIS console, you enter the number of seconds, minutes, or hours.

**Permissions**
+ `elasticache:InterruptClusterAzPower`
+ `elasticache:DescribeReplicationGroups`
+ `tag:GetResources`

**Note**  
The ElastiCache interrupt AZ power action now supports all replication group types, including Valkey and Redis. To better represent this functionality, the action has been renamed. If you are currently using `aws:elasticache:interrupt-cluster-az-power`, we recommend that you migrate to the new action `aws:elasticache:replicationgroup-interrupt-az-power` to take advantage of the latest features.

## Amazon Kinesis Data Streams actions
<a name="aws-kinesis-actions"></a>

Amazon Kinesis Data Streams supports the following Kinesis actions.

**Topics**
+ [

### aws:kinesis:stream-provisioned-throughput-exception
](#throughput-exception)
+ [

### aws:kinesis:stream-expired-iterator-exception
](#iterator-exception)

### aws:kinesis:stream-provisioned-throughput-exception
<a name="throughput-exception"></a>

Injects `ProvisionedThroughputExceededException` error responses on requests for the targeted Kinesis Data Streams. Supported operations include: `GetRecords`, `GetShardIterator`, `PutRecord`, and `PutRecords`.

**Resource type**
+ ****aws:kinesis:stream****

**Parameters**
+ **duration** – The duration, which ranges from one minute to 12 hours. In the AWS FISAPI, the value is a string in ISO 8601 format. For example, PT1M represents one minute. In the AWS FIS console, you enter the number of seconds, minutes, or hours.
+ **percentage** – The percentage (1-100) of calls to inject the fault into.

**Permissions**
+ `kinesis:InjectApiError`

### aws:kinesis:stream-expired-iterator-exception
<a name="iterator-exception"></a>

Injects `ExpiredIteratorException` error responses for `GetRecords` calls targeting specified Kinesis Data Streams.

**Resource type**
+ ******aws:kinesis:stream******

**Parameters**
+ **duration** – The duration, which ranges from one minute to 12 hours. In the AWS FISAPI, the value is a string in ISO 8601 format. For example, PT1M represents one minute. In the AWS FIS console, you enter the number of seconds, minutes, or hours.
+ **percentage** – The percentage (1-100) of calls to inject the fault into.

**Permissions**
+ `kinesis:InjectApiError`

## AWS Lambda actions
<a name="aws-lambda-actions-reference"></a>

AWS Lambda supports the following Lambda actions

**Topics**
+ [

### aws:lambda:invocation-add-delay
](#invocation-add-delay)
+ [

### aws:lambda:invocation-error
](#invocation-error)
+ [

### aws:lambda:invocation-http-integration-response
](#invocation-http-integration-response)

### aws:lambda:invocation-add-delay
<a name="invocation-add-delay"></a>



Delays starting a function for a number of milliseconds that you specify. The effect of this action is similar to Lambda cold starts, but the additional time is spent as part of the billed duration and is applied to all execution environments rather than only affecting new execution environments. This means that you may experience both a Lambda cold start and this delay. By setting a latency value higher than the timeout configured on the Lambda function, this action will also provide access to a high fidelity timeout event.

**Resource type**
+ **aws:lambda:function**

**Parameters**
+ **duration** – The length of time that the action lasts. In the AWS FIS API, the value is a string in ISO 8601 format. For example, PT1M represents one minute. In the AWS FIS console, you enter the number of seconds, minutes, or hours.
+ **invocationPercentage** – Optional. The percentage (1-100) of function invocations to inject the fault into. The default is 100.
+ **startupDelayMilliseconds** – Optional. The amount of time in milliseconds (0-900,000) to wait between invocation and execution of function code. The default is 1000.

**Permissions**
+ `s3:PutObject`
+ `s3:DeleteObject`
+ `lambda:GetFunction`
+ `tag:GetResources`

### aws:lambda:invocation-error
<a name="invocation-error"></a>



Marks Lambda function invocations as failed. This action is useful for testing error handling mechanisms, such as alarms and retry configurations. While using this action, you select whether or not to run the function code before returning an error.

**Resource type**
+ **aws:lambda:function**

**Parameters**
+ **duration** – The length of time that the action lasts. In the AWS FIS API, the value is a string in ISO 8601 format. For example, PT1M represents one minute. In the AWS FIS console, you enter the number of seconds, minutes, or hours.
+ **invocationPercentage** – Optional. The percentage (1-100) of function invocations to inject the fault into. The default is 100.
+ **preventExecution** – If the value is true, the action will return the error without executing the function.

**Permissions**
+ `s3:PutObject`
+ `s3:DeleteObject`
+ `lambda:GetFunction`
+ `tag:GetResources`

### aws:lambda:invocation-http-integration-response
<a name="invocation-http-integration-response"></a>



Modifies the behavior of the function. You select a content type and HTTP response code to support integrations with ALB, API-GW and VPC Lattice. To enable selectively impacting upstream or downstream integrations, you can choose whether to directly return the modified response or whether to run the function and replace the response after the function finishes execution.

**Resource type**
+ **aws:lambda:function**

**Parameters**
+ **contentTypeHeader** – String value of HTTP content type header to return from Lambda function.
+ **duration** – The length of time that the action lasts. In the AWS FIS API, the value is a string in ISO 8601 format. For example, PT1M represents one minute. In the AWS FIS console, you enter the number of seconds, minutes, or hours.
+ **invocationPercentage** – Optional. The percentage (1-100) of function invocations to inject the fault into. The default is 100.
+ **preventExecution** – If the value is true, the action will return the response without executing the function.
+ **statusCode** – Value of HTTP status code (000-999) to return from Lambda function.

**Permissions**
+ `s3:PutObject`
+ `s3:DeleteObject`
+ `lambda:GetFunction`
+ `tag:GetResources`

## Amazon MemoryDB action
<a name="memorydb-actions-reference"></a>

AWS FIS supports the following MemoryDB action.

### aws:memorydb:multi-region-cluster-pause-replication
<a name="multi-region-cluster-pause-replication"></a>

Pauses the replication between one regional cluster and all other regional clusters within the multi-Region cluster. The regional cluster targeted is the cluster in the Region where the FIS experiment is running. While the replication is paused, the multi-Region cluster cannot be updated. Once the action completes, it may take a few minutes for the multi-Region cluster to return to an available state. To learn more about Amazon MemoryDB Multi-Region, see the [Amazon MemoryDB Multi-Region Developer Guide](https://docs.aws.amazon.com/memorydb/latest/devguide/multi-region.html). For Region availability, see [MemoryDB Multi-Region Prerequisites and limitations](https://docs.aws.amazon.com/memorydb/latest/devguide/multi-region.prereq.html).

**Resource type**
+ **aws:memorydb:multi-region-cluster**

**Parameters**
+ **duration** – The duration, from one minute to 12 hours. In the AWS FIS API, the value is a string in ISO 8601 format. For example, PT1M represents one minute. In the AWS FIS console, you enter the number of seconds, minutes, or hours.

**Permissions**
+ `memorydb:DescribeMultiRegionClusters`
+ `memorydb:PauseMultiRegionClusterReplication`
+ `tag:GetResources`

## Network actions
<a name="network-actions-reference"></a>

AWS FIS supports the following network actions.

**Topics**
+ [

### aws:network:disrupt-connectivity
](#disrupt-connectivity)
+ [

### aws:network:route-table-disrupt-cross-region-connectivity
](#route-table-disrupt-cross-region-connectivity)
+ [

### aws:network:transit-gateway-disrupt-cross-region-connectivity
](#transit-gateway-disrupt-cross-region-connectivity)
+ [

### aws:network:disrupt-vpc-endpoint
](#disrupt-vpc-endpoint)

### aws:network:disrupt-connectivity
<a name="disrupt-connectivity"></a>

Denies the specified traffic to the target subnets by temporarily cloning the original network access control list (network ACL) associated with the targeted subnet. FIS adds deny rules to the cloned network ACL, which has a tag managedbyFIS=true, and associates it with the subnet for the duration of the action. At action completion, FIS deletes the cloned network ACL and restores the original network ACL association.

**Resource type**
+ **aws:ec2:subnet**

**Parameters**
+ **scope** – The type of traffic to deny. When the scope is not `all`, the maximum number of entries in network ACLs is 20. The possible values are:
  + `all` – Denies all traffic entering and leaving the subnet. Note that this option allows intra-subnet traffic, including traffic to and from network interfaces in the subnet.
  + `availability-zone` – Denies intra-VPC traffic to and from subnets in other Availability Zones. The maximum number of subnets that can be targeted in a VPC is 30.
  + `dynamodb` – Denies traffic to and from the Regional endpoint for DynamoDB in the current Region.
  + `prefix-list` – Denies traffic to and from the specified prefix list.
  + `s3` – Denies traffic to and from the Regional endpoint for Amazon S3 in the current Region.
  + `s3express` – Denies traffic to and from the zonal endpoint for Amazon S3 Express One Zone in the target subnets’ AZ. Target subnets must reside in AZs where S3 Express One Zone is currently available. For more information, see [S3 Express One Zone Availability Zones and Regions.](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-Endpoints.html)
  + `vpc` – Denies traffic entering and leaving the VPC.
+ **duration** – The duration, from one minute to 12 hours. In the AWS FIS API, the value is a string in ISO 8601 format. For example, PT1M represents one minute. In the AWS FIS console, you enter the number of seconds, minutes, or hours.
+ **prefixListIdentifier** – If the scope is `prefix-list`, this is the identifier of the customer managed prefix list. You can specify a name, an ID, or an ARN. The prefix list can have at most 10 entries.

**Permissions**
+ `ec2:CreateNetworkAcl` – Creates the network ACL with the tag managedByFIS=true.
+ `ec2:CreateNetworkAclEntry` – The network ACL must have the tag managedByFIS=true.
+ `ec2:CreateTags`
+ `ec2:DeleteNetworkAcl` – The network ACL must have the tag managedByFIS=true.
+ `ec2:DescribeManagedPrefixLists`
+ `ec2:DescribeNetworkAcls`
+ `ec2:DescribeSubnets`
+ `ec2:DescribeVpcs`
+ `ec2:GetManagedPrefixListEntries`
+ `ec2:ReplaceNetworkAclAssociation`

**AWS managed policy**
+ [AWSFaultInjectionSimulatorNetworkAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSFaultInjectionSimulatorNetworkAccess.html)

### aws:network:route-table-disrupt-cross-region-connectivity
<a name="route-table-disrupt-cross-region-connectivity"></a>

Blocks traffic that originates in the target subnets and is destined for the specified Region. Creates route tables that include all routes for the Region to isolate. To allow FIS to create these route tables, raise the Amazon VPC quota for `routes per route table` to 250 (or 350 if the `region` parameter is us-east-1) plus the number of routes in your existing route tables.

**Resource type**
+ **aws:ec2:subnet**

**Parameters**
+ `region` – The code of the Region to isolate (for example, eu-west-1).
+ `duration` – The length of time the action lasts. In the AWS FIS API, the value is a string in ISO 8601 format. For example, PT1M represents one minute. In the AWS FIS console, you enter the number of seconds, minutes, or hours.

**Permissions**
+ `ec2:AssociateRouteTable`
+ `ec2:CreateManagedPrefixList` †
+ `ec2:CreateNetworkInterface` †
+ `ec2:CreateRoute` †
+ `ec2:CreateRouteTable` †
+ `ec2:CreateTags` †
+ `ec2:DeleteManagedPrefixList` †
+ `ec2:DeleteNetworkInterface` †
+ `ec2:DeleteRouteTable` †
+ `ec2:DescribeManagedPrefixLists`
+ `ec2:DescribeNetworkInterfaces`
+ `ec2:DescribeRouteTables`
+ `ec2:DescribeSubnets`
+ `ec2:DescribeVpcPeeringConnections`
+ `ec2:DescribeVpcs`
+ `ec2:DisassociateRouteTable`
+ `ec2:GetManagedPrefixListEntries`
+ `ec2:ModifyManagedPrefixList` †
+ `ec2:ModifyVpcEndpoint`
+ `ec2:ReplaceRouteTableAssociation`

† Scoped using the tag managedByFIS=true. You do not need to manage this tag. AWS FIS adds and removes this tag during the experiment. 

**AWS managed policy**
+ [AWSFaultInjectionSimulatorNetworkAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSFaultInjectionSimulatorNetworkAccess.html)

### aws:network:transit-gateway-disrupt-cross-region-connectivity
<a name="transit-gateway-disrupt-cross-region-connectivity"></a>

Blocks traffic from the target transit gateway peering attachments that is destined for the specified Region.

**Resource type**
+ **aws:ec2:transit-gateway**

**Parameters**
+ `region` – The code of the Region to isolate (for example, eu-west-1).
+ `duration` – The length of time the action lasts. In the AWS FIS API, the value is a string in ISO 8601 format. For example, PT1M represents one minute. In the AWS FIS console, you enter the number of seconds, minutes, or hours.

**Permissions**
+ `ec2:AssociateTransitGatewayRouteTable`
+ `ec2:DescribeTransitGatewayAttachments`
+ `ec2:DescribeTransitGatewayPeeringAttachments`
+ `ec2:DescribeTransitGateways`
+ `ec2:DisassociateTransitGatewayRouteTable`

**AWS managed policy**
+ [AWSFaultInjectionSimulatorNetworkAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSFaultInjectionSimulatorNetworkAccess.html)

### aws:network:disrupt-vpc-endpoint
<a name="disrupt-vpc-endpoint"></a>

Blocks inbound and outbound traffic of the target interface VPC endpoints. FIS creates a managed security group with empty rules and temporarily replaces security groups of the target VPC endpoints with this managed security group. If modifications are made to the target resources during action execution, the action will fail and the resources will not be restored to their pre-experiment state. Additionally, if a FIS-managed security group is modified during action execution, it will not be deleted by FIS. .

**Resource type**
+ **aws:ec2:vpc-endpoint**

**Parameters**
+ `duration` – The length of time the action lasts. In the AWS FIS API, the value is a string in ISO 8601 format. For example, PT1M represents one minute. In the AWS FIS console, you enter the number of seconds, minutes, or hours.

**Permissions**
+ `ec2:DescribeVpcEndpoints`
+ `ec2:DescribeSecurityGroups`
+ `ec2:ModifyVpcEndpoint`
+ `ec2:CreateSecurityGroup`
+ `ec2:DeleteSecurityGroup`
+ `ec2:RevokeSecurityGroupEgress`
+ `ec2:CreateTags`
+ `vpce:AllowMultiRegion` \$1

\$1 The permission is only required if you are targeting cross-region VPC endpoints

## Amazon RDS actions
<a name="rds-actions-reference"></a>

AWS FIS supports the following Amazon RDS actions.

**Topics**
+ [

### aws:rds:failover-db-cluster
](#failover-db-cluster)
+ [

### aws:rds:reboot-db-instances
](#reboot-db-instances)

### aws:rds:failover-db-cluster
<a name="failover-db-cluster"></a>

Runs the Amazon RDS API action [FailoverDBCluster](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_FailoverDBCluster.html) on the target Aurora DB cluster. RDS clusters and DocumentDB clusters are supported.

**Resource type**
+ **aws:rds:cluster**

**Parameters**
+ None

**Permissions**
+ `rds:FailoverDBCluster`
+ `rds:DescribeDBClusters`
+ `tag:GetResources`

**AWS managed policy**
+ [AWSFaultInjectionSimulatorRDSAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSFaultInjectionSimulatorRDSAccess.html)

### aws:rds:reboot-db-instances
<a name="reboot-db-instances"></a>

Runs the Amazon RDS API action [RebootDBInstance](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RebootDBInstance.html) on the target DB instance. RDS clusters and DocumentDB clusters are supported.

**Resource type**
+ **aws:rds:db**

**Parameters**
+ **forceFailover** – Optional. If the value is true, and if instances are Multi-AZ, forces failover from one Availability Zone to another. The default is false.

**Permissions**
+ `rds:RebootDBInstance`
+ `rds:DescribeDBInstances`
+ `tag:GetResources`

**AWS managed policy**
+ [AWSFaultInjectionSimulatorRDSAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSFaultInjectionSimulatorRDSAccess.html)

## Amazon S3 actions
<a name="s3-actions-reference-fis"></a>

AWS FIS supports the following Amazon S3 action.

**Topics**
+ [

### aws:s3:bucket-pause-replication
](#bucket-pause-replication)

### aws:s3:bucket-pause-replication
<a name="bucket-pause-replication"></a>

 Pauses replication from target source buckets to destination buckets. Destination buckets can be in different AWS Regions or within the same Region as the source bucket. Existing objects may continue to be replicated for up to one hour after action begins. This action only supports targeting by tags. To learn more about Amazon S3 Replication, see the [Amazon S3 user guide](https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication.html).

**Resource type**
+ **aws:s3:bucket**

**Parameters**
+ **duration** – The duration, from one minute to 12 hours. In the AWS FIS API, the value is a string in ISO 8601 format. For example, PT1M represents one minute. In the AWS FIS console, you enter the number of seconds, minutes, or hours.
+ **region** – The AWS region where destination buckets are located.
+ **destinationBuckets** – Optional. Comma separated list of destination S3 bucket(s).
+ **prefixes** – Optional. Comma separated list of S3 object key prefixes from replication rule filters. Replication rules of target buckets with a filter based on the prefix(es) will be paused. 

**Permissions**
+ `S3:PutReplicationConfiguration` with condition key `S3:IsReplicationPauseRequest` set to `True`
+ `S3:GetReplicationConfiguration` with condition key `S3:IsReplicationPauseRequest` set to `True`
+ `S3:PauseReplication`
+ `S3:ListAllMyBuckets`
+ `tag:GetResources`

For an example policy, see [Example: Use condition keys for `aws:s3:bucket-pause-replication`](security_iam_id-based-policy-examples.md#security-iam-policy-examples-s3).

## Systems Manager actions
<a name="ssm-actions-reference"></a>

AWS FIS supports the following Systems Manager actions.

**Topics**
+ [

### aws:ssm:send-command
](#ssm-send-command)
+ [

### aws:ssm:start-automation-execution
](#ssm-start-automation-execution)

### aws:ssm:send-command
<a name="ssm-send-command"></a>

Runs the Systems Manager API action [SendCommand](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_SendCommand.html) on the target EC2 instances. The Systems Manager document (SSM document) defines the actions that Systems Manager performs on your instances. For more information, see [Use the aws:ssm:send-command action](actions-ssm-agent.md#specifying-ssm-actions).

**Resource type**
+ **aws:ec2:instance**

**Parameters**
+ **documentArn** – The Amazon Resource Name (ARN) of the document. In the console, this parameter is completed for you if you choose a value from **Action type** that corresponds to one of the [pre-configured AWS FIS SSM documents](actions-ssm-agent.md#fis-ssm-docs).
+ **documentVersion** – Optional. The version of the document. If empty, the default version runs.
+ **documentParameters** – Conditional. The required and optional parameters that the document accepts. The format is a JSON object with keys that are strings and values that are either strings or arrays of strings.
+ **duration** – The duration, from one minute to 12 hours. In the AWS FIS API, the value is a string in ISO 8601 format. For example, PT1M represents one minute. In the AWS FIS console, you enter the number of seconds, minutes, or hours.

**Permissions**
+ `ssm:SendCommand`
+ `ssm:ListCommands`
+ `ssm:CancelCommand`

**AWS managed policy**
+ [AWSFaultInjectionSimulatorEC2Access](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSFaultInjectionSimulatorEC2Access.html)

### aws:ssm:start-automation-execution
<a name="ssm-start-automation-execution"></a>

Runs the Systems Manager API action [StartAutomationExecution](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_StartAutomationExecution.html).

**Resource type**
+ None

**Parameters**
+ **documentArn** – The Amazon Resource Name (ARN) of the automation document.
+ **documentVersion** – Optional. The version of the document. If empty, the default version runs.
+ **documentParameters** – Conditional. The required and optional parameters that the document accepts. The format is a JSON object with keys that are strings and values that are either strings or arrays of strings.
+ **maxDuration** – The maximum time allowed for the automation execution to complete, from one minute to 12 hours. In the AWS FIS API, the value is a string in ISO 8601 format. For example, PT1M represents one minute. In the AWS FIS console, you enter the number of seconds, minutes, or hours.

**Permissions**
+ `ssm:GetAutomationExecution`
+ `ssm:StartAutomationExecution`
+ `ssm:StopAutomationExecution`
+ `iam:PassRole` – Optional. Required if the automation document assumes a role.

**AWS managed policy**
+ [AWSFaultInjectionSimulatorSSMAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSFaultInjectionSimulatorSSMAccess.html)

## AWS Direct Connect actions
<a name="directconnect-actions-reference"></a>

AWS FIS supports the following AWS Direct Connect action.

**Topics**
+ [

### aws:directconnect:virtual-interface-disconnect
](#directconnect-virtual-interface-disconnect)

### aws:directconnect:virtual-interface-disconnect
<a name="directconnect-virtual-interface-disconnect"></a>

Tests the resilience of the AWS Direct Connect connection by temporarily disrupting the Border Gateway Protocol (BGP) sessions between the on-premises networks and peers associated with target Virtual Interfaces (VIFs). Before initiating the experiment, FIS verifies that all VIFs targeted in the experiment are in an 'available' state and each VIF has all BGP peers with 'available' state and 'up' BGP status. During the experiment, BGP peering sessions for the targeted Virtual Interfaces will be placed in the down state. For the detailed information about Direct Connect failover testing, please refer to the [AWS Direct Connect documentation](https://docs.aws.amazon.com/directconnect/latest/UserGuide/resiliency_failover.html).

**Resource type**
+ aws:directconnect:virtual-interface

**Parameters**
+ `duration` – The duration, from 10 minutes to 12 hours. In the AWS FIS API, the value is a string in ISO 8601 format. For example, PT10M represents ten minutes. In the AWS FIS console, you enter the number of seconds, minutes, or hours.

**Permissions**
+ `directconnect:DescribeVirtualInterfaces`
+ `directconnect:StartBgpFailoverTest`
+ `directconnect:ListVirtualInterfaceTestHistory`
+ `directconnect:StopBgpFailoverTest`
+ `tag:GetResources`

# Use Systems Manager SSM documents with AWS FIS
<a name="actions-ssm-agent"></a>

AWS FIS supports custom fault types through the AWS Systems Manager SSM Agent and the AWS FIS action [aws:ssm:send-command](fis-actions-reference.md#ssm-send-command). Pre-configured Systems Manager SSM documents (SSM documents) that can be used to create common fault injection actions are available as public AWS documents that begin with the AWSFIS- prefix.

SSM Agent is Amazon software that can be installed and configured on Amazon EC2 instances, on-premises servers, or virtual machines (VMs). This makes it possible for Systems Manager to manage these resources. The agent processes requests from Systems Manager, and then runs them as specified in the request. You can include your own SSM document to inject custom faults, or reference one of the public Amazon-owned documents.

**Requirements**

For actions that require SSM Agent to run the action on the target, you must ensure the following:
+ The agent is installed on the target. SSM Agent is installed by default on some Amazon Machine Images (AMIs). Otherwise, you can install the SSM Agent on your instances. For more information, see [Manually install SSM Agent for EC2 instances](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-manual-agent-install.html) in the *AWS Systems Manager User Guide*.
+ Systems Manager has permission to perform actions on your instances. You grant access using an IAM instance profile. For more information, see [Create an IAM instance profile for Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-profile.html) and [Attach an IAM instance profile to an EC2 instance](https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-launch-managed-instance.html) in the *AWS Systems Manager User Guide*.

## Use the aws:ssm:send-command action
<a name="specifying-ssm-actions"></a>

An SSM document defines the actions that Systems Manager performs on your managed instances. Systems Manager includes a number of pre-configured documents, or you can create your own. For more information about creating your own SSM document, see [Creating Systems Manager documents](https://docs.aws.amazon.com/systems-manager/latest/userguide/create-ssm-doc.html) in the *AWS Systems Manager User Guide*. For more information about SSM documents in general, see [AWS Systems Manager documents](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-ssm-docs.html) in the *AWS Systems Manager User Guide*.

AWS FIS provides pre-configured SSM documents. You can view the pre-configured SSM documents under **Documents** in the AWS Systems Manager console: [https://console.aws.amazon.com/systems-manager/documents](https://console.aws.amazon.com/systems-manager/documents). You can also choose from a selection of pre-configured documents in the AWS FIS console. For more information, see [Pre-configured AWS FIS SSM documents](#fis-ssm-docs).

To use an SSM document in your AWS FIS experiments, you can use the [aws:ssm:send-command](fis-actions-reference.md#ssm-send-command) action. This action fetches and runs the specified SSM document on your target instances.

When you use the `aws:ssm:send-command` action in your experiment template, you must specify additional parameters for the action, including the following:
+ **documentArn** – Required. The Amazon Resource Name (ARN) of the SSM document.
+ **documentParameters** – Conditional. The required and optional parameters that the SSM document accepts. The format is a JSON object with keys that are strings and values that are either strings or arrays of strings.
+ **documentVersion** – Optional. The version of the SSM document to run.

You can view the information for an SSM document (including the parameters for the document) by using the Systems Manager console or the command line.

**To view information about an SSM document using the console**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Documents**.

1. Select the document, and choose the **Details** tab.

**To view information about an SSM document using the command line**  
Use the SSM [describe-document](https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-document.html) command.

**Learn more about action state**  
SSM action state is determined by [SSM command statuses](https://docs.aws.amazon.com/systems-manager/latest/userguide/monitor-commands.html).

## Pre-configured AWS FIS SSM documents
<a name="fis-ssm-docs"></a>

You can use pre-configured AWS FIS SSM documents with the `aws:ssm:send-command` action in your experiment templates.

**Requirements**
+ The pre-configured SSM documents provided by AWS FIS are supported only on the following operating systems:
  + Amazon Linux 2023, Amazon Linux 2
  + Ubuntu
  + RHEL 8, 9
  + CentOS 9
+ The pre-configured SSM documents provided by AWS FIS are supported only on EC2 instances. They are not supported on other types of managed nodes, such as on-premises servers.

To use these SSM documents in experiments on ECS tasks, use the corresponding [Amazon ECS actions](fis-actions-reference.md#ecs-actions-reference). For example, the **aws:ecs:task-cpu-stress** action uses the AWSFIS-Run-CPU-Stress document.

**Topics**
+ [

### AWSFIS-Run-CPU-Stress
](#awsfis-run-cpu-stress)
+ [

### AWSFIS-Run-Disk-Fill
](#awsfis-run-disk-fill)
+ [

### AWSFIS-Run-IO-Stress
](#awsfis-run-io-stress)
+ [

### AWSFIS-Run-Kill-Process
](#awsfis-run-kill-process)
+ [

### AWSFIS-Run-Memory-Stress
](#awsfis-run-memory-stress)
+ [

### AWSFIS-Run-Network-Blackhole-Port
](#awsfis-run-network-blackhole-port)
+ [

### AWSFIS-Run-Network-Latency
](#awsfis-run-network-latency)
+ [

### AWSFIS-Run-Network-Latency-Sources
](#awsfis-run-network-latency-sources)
+ [

### AWSFIS-Run-Network-Packet-Loss
](#awsfis-run-network-packet-loss)
+ [

### AWSFIS-Run-Network-Packet-Loss-Sources
](#awsfis-run-network-packet-loss-sources)

**Difference between action duration and DurationSeconds in AWS FIS SSM documents**  
 Some SSM documents limit their own execution time, for example the DurationSeconds parameter is used by some of the pre-configured AWS FIS SSM documents. As a result you need to specify two independent durations in the AWS FIS action definition: 
+  **Action duration**: For experiments with a single action, the action duration is equivalent to the experiment duration. With multiple actions, the experiment duration depends on individual action durations and the order in which they are run. AWS FIS monitors each action until its action duration elapsed. 
+  Document parameter **DurationSeconds**: The duration, specified in seconds, for which the SSM document will execute. 

 You can choose different values for the two types of duration: 
+  **Action duration exceeds DurationSeconds**: The SSM document execution finishes before the action is complete. AWS FIS waits until the action duration elapsed before subsequent actions are started. 
+  **Action duration is shorter than DurationSeconds**: The SSM document continues the execution after the action is complete. If the SSM document execution is still in progress and the action duration elapsed then the action status is set to Completed. AWS FIS only monitors the execution until the action duration elapsed. 

 Note that some SSM documents have variable durations. For example AWS FIS SSM documents have the option to install prerequisites, which can extend the overall execution duration beyond the specified DurationSeconds parameter. Thus, if you set the action duration and DurationSeconds to the same value, it is possible that the SSM script may run longer than the action duration. 

### AWSFIS-Run-CPU-Stress
<a name="awsfis-run-cpu-stress"></a>

Runs CPU stress on an instance using the **stress-ng** tool. Uses the [AWSFIS-Run-CPU-Stress](https://console.aws.amazon.com/systems-manager/documents/AWSFIS-Run-CPU-Stress/description) SSM document.

**Action type (console only)**  
aws:ssm:send-command/AWSFIS-Run-CPU-Stress

**ARN**  
arn:aws:ssm:*region*::document/AWSFIS-Run-CPU-Stress

**Document parameters**
+ **DurationSeconds** – Required. The duration of the CPU stress test, in seconds.
+ **CPU** – Optional. The number of CPU stressors to use. The default is 0, which uses all CPU stressors.
+ **LoadPercent** – Optional. The target CPU load percentage, from 0 (no load) to 100 (full load). The default is 100.
+ **InstallDependencies** – Optional. If the value is `True`, Systems Manager installs the required dependencies on the target instances if they are not already installed. The default is `True`. The dependency is **stress-ng**.

The following is an example of the string you can enter in the console.

```
{"DurationSeconds":"60", "InstallDependencies":"True"}
```

### AWSFIS-Run-Disk-Fill
<a name="awsfis-run-disk-fill"></a>

Allocates disk space on the root volume of an instance to simulate a disk full fault. Uses the [AWSFIS-Run-Disk-Fill](https://console.aws.amazon.com/systems-manager/documents/AWSFIS-Run-Disk-Fill/description) SSM document.

If the experiment injecting this fault is stopped, either manually or through a stop condition, AWS FIS attempts to roll back by canceling the running SSM document. However, if the disk is 100% full, either due to the fault or the fault plus application activity, Systems Manager might be unable to complete the cancel operation. Therefore, if you might need to stop the experiment, ensure that the disk will not become 100% full.

**Action type (console only)**  
aws:ssm:send-command/AWSFIS-Run-Disk-Fill

**ARN**  
arn:aws:ssm:*region*::document/AWSFIS-Run-Disk-Fill

**Document parameters**
+ **DurationSeconds** – Required. The duration of the disk fill test, in seconds.
+ **Percent** – Optional. The percentage of the disk to allocate during the disk fill test. The default is 95%.
+ **InstallDependencies** – Optional. If the value is `True`, Systems Manager installs the required dependencies on the target instances if they are not already installed. The default is `True`. The dependencies are **atd**, **kmod** and **fallocate**.

The following is an example of the string you can enter in the console.

```
{"DurationSeconds":"60", "InstallDependencies":"True"}
```

### AWSFIS-Run-IO-Stress
<a name="awsfis-run-io-stress"></a>

Runs IO stress on an instance using the **stress-ng** tool. Uses the [AWSFIS-Run-IO-Stress](https://console.aws.amazon.com/systems-manager/documents/AWSFIS-Run-IO-Stress/description) SSM document.

**Action type (console only)**  
aws:ssm:send-command/AWSFIS-Run-IO-Stress

**ARN**  
arn:aws:ssm:*region*::document/AWSFIS-Run-IO-Stress

**Document parameters**
+ **DurationSeconds** – Required. The duration of the IO stress test, in seconds.
+ **Workers** – Optional. The number of workers that perform a mix of sequential, random, and memory-mapped read/write operations, forced synchronizing, and cache dropping. Multiple child processes perform different I/O operations on the same file. The default is 1.
+ **Percent** – Optional. The percentage of free space on the file system to use during the IO stress test. The default is 80%.
+ **InstallDependencies** – Optional. If the value is `True`, Systems Manager installs the required dependencies on the target instances if they are not already installed. The default is `True`. The dependency is **stress-ng**.

The following is an example of the string you can enter in the console.

```
{"Workers":"1", "Percent":"80", "DurationSeconds":"60", "InstallDependencies":"True"}
```

### AWSFIS-Run-Kill-Process
<a name="awsfis-run-kill-process"></a>

Stops the specified process in the instance, using the **killall** command. Uses the [AWSFIS-Run-Kill-Process](https://console.aws.amazon.com/systems-manager/documents/AWSFIS-Run-Kill-Process/description) SSM document.

**Action type (console only)**  
aws:ssm:send-command/AWSFIS-Run-Kill-Process

**ARN**  
arn:aws:ssm:*region*::document/AWSFIS-Run-Kill-Process

**Document parameters**
+ **ProcessName** – Required. The name of the process to stop.
+ **Signal** – Optional. The signal to send along with the command. The possible values are `SIGTERM` (which the receiver can choose to ignore) and `SIGKILL` (which cannot be ignored). The default is `SIGTERM`.
+ **InstallDependencies** – Optional. If the value is `True`, Systems Manager installs the required dependencies on the target instances if they are not already installed. The default is `True`. The dependency is **killall**.

The following is an example of the string you can enter in the console.

```
{"ProcessName":"myapplication", "Signal":"SIGTERM"}
```

### AWSFIS-Run-Memory-Stress
<a name="awsfis-run-memory-stress"></a>

Runs memory stress on an instance using the **stress-ng** tool. Uses the [AWSFIS-Run-Memory-Stress](https://console.aws.amazon.com/systems-manager/documents/AWSFIS-Run-Memory-Stress/description) SSM document.

**Action type (console only)**  
aws:ssm:send-command/AWSFIS-Run-Memory-Stress

**ARN**  
arn:aws:ssm:*region*::document/AWSFIS-Run-Memory-Stress

**Document parameters**
+ **DurationSeconds** – Required. The duration of the memory stress test, in seconds.
+ **Workers** – Optional. The number of virtual memory stressors. The default is 1.
+ **Percent** – Required. The percentage of virtual memory to use during the memory stress test.
+ **InstallDependencies** – Optional. If the value is `True`, Systems Manager installs the required dependencies on the target instances if they are not already installed. The default is `True`. The dependency is **stress-ng**.

The following is an example of the string you can enter in the console.

```
{"Percent":"80", "DurationSeconds":"60", "InstallDependencies":"True"}
```

### AWSFIS-Run-Network-Blackhole-Port
<a name="awsfis-run-network-blackhole-port"></a>

Drops inbound or outbound traffic for the protocol and port using the **iptables** tool. Uses the [AWSFIS-Run-Network-Blackhole-Port](https://console.aws.amazon.com/systems-manager/documents/AWSFIS-Run-Network-Blackhole-Port/description) SSM document.

**Action type (console only)**  
aws:ssm:send-command/AWSFIS-Run-Network-Blackhole-Port

**ARN**  
arn:aws:ssm:*region*::document/AWSFIS-Run-Network-Blackhole-Port

**Document parameters**
+ **Protocol** – Required. The protocol. The possible values are `tcp` and `udp`.
+ **Port** – Required. The port number.
+ **TrafficType** – Optional. The type of traffic. The possible values are `ingress` and `egress`. The default is `ingress`.
+ **DurationSeconds** – Required. The duration of the network blackhole test, in seconds.
+ **InstallDependencies** – Optional. If the value is `True`, Systems Manager installs the required dependencies on the target instances if they are not already installed. The default is `True`. The dependencies are **atd**, **dig**, **lsof**, and **iptables**.

The following is an example of the string you can enter in the console.

```
{"Protocol":"tcp", "Port":"8080", "TrafficType":"egress", "DurationSeconds":"60", "InstallDependencies":"True"}
```

### AWSFIS-Run-Network-Latency
<a name="awsfis-run-network-latency"></a>

Adds latency to the network interface using the **tc** tool. Uses the [AWSFIS-Run-Network-Latency](https://console.aws.amazon.com/systems-manager/documents/AWSFIS-Run-Network-Latency/description) SSM document.

**Action type (console only)**  
aws:ssm:send-command/AWSFIS-Run-Network-Latency

**ARN**  
arn:aws:ssm:*region*::document/AWSFIS-Run-Network-Latency

**Document parameters**
+ **Interface** – Optional. The network interface. The default is `eth0`.
+ **DelayMilliseconds** – Optional. The delay, in milliseconds. The default is 200.
+ **DurationSeconds** – Required. The duration of the network latency test, in seconds.
+ **InstallDependencies** – Optional. If the value is `True`, Systems Manager installs the required dependencies on the target instances if they are not already installed. The default is `True`. The dependencies are **atd**, **dig**, and **tc**.

The following is an example of the string you can enter in the console.

```
{"DelayMilliseconds":"200", "Interface":"eth0", "DurationSeconds":"60", "InstallDependencies":"True"}
```

### AWSFIS-Run-Network-Latency-Sources
<a name="awsfis-run-network-latency-sources"></a>

Adds latency and jitter to the network interface using the **tc** tool for traffic to or from specific sources. Uses the [AWSFIS-Run-Network-Latency-Sources](https://console.aws.amazon.com/systems-manager/documents/AWSFIS-Run-Network-Latency-Sources/description) SSM document.

Use the `FlowsPercent` parameter to add latency on a percentage of the connections.

**Action type (console only)**  
aws:ssm:send-command/AWSFIS-Run-Network-Latency-Sources

**ARN**  
arn:aws:ssm:*region*::document/AWSFIS-Run-Network-Latency-Sources

**Document parameters**
+ **Interface** – Optional. The network interfaces, separated by commas. ALL and DEFAULT values are supported. The default is `DEFAULT`, which will target the primary network interface for the Operating System.
+ **DelayMilliseconds** – Optional. The delay, in milliseconds. The default is 200.
+ **JitterMilliseconds** – Optional. The jitter, in milliseconds. The default is 10.
+ **FlowsPercent** – Optional. The percentage of network flows that will be affected by the action. The default is 100%.
+ **Sources** – Required. The sources, separated by commas, without spaces. The possible values are: an IPv4 address, an IPv4 CIDR block, a domain name, an AZ name (us-east-1a), an AZ ID (use1-az1), ALL, `DYNAMODB`, and `S3`. If you specify `DYNAMODB` or `S3`, this applies only to the Regional endpoint in the current Region.
+ **TrafficType** – Optional. The type of traffic. The possible values are `ingress` and `egress`. The default is `ingress`.
+ **DurationSeconds** – Required. The duration of the network latency test, in seconds.
+ **InstallDependencies** – Optional. If the value is `True`, Systems Manager installs the required dependencies on the target instances if they are not already installed. The default is `True`. The dependencies are **atd**, **dig**, **jq**, **lsof**, and **tc**.

When using this document, the experiment role requires the following permissions:
+ `ec2:DescribeInstances`
+ `ec2:DescribeSubnets`

The following is an example of the string you can enter in the console.

```
{"DelayMilliseconds":"200", "JitterMilliseconds":"15", "Sources":"S3,www.example.com,72.21.198.67", "Interface":"eth0", "TrafficType":"egress", "DurationSeconds":"60", "InstallDependencies":"True"}
```

### AWSFIS-Run-Network-Packet-Loss
<a name="awsfis-run-network-packet-loss"></a>

Adds packet loss to the network interface using the **tc** tool. Uses the [AWSFIS-Run-Network-Packet-Loss](https://console.aws.amazon.com/systems-manager/documents/AWSFIS-Run-Network-Packet-Loss/description) SSM document.

**Action type (console only)**  
aws:ssm:send-command/AWSFIS-Run-Network-Packet-Loss

**ARN**  
arn:aws:ssm:*region*::document/AWSFIS-Run-Network-Packet-Loss

**Document parameters**
+ **Interface** – Optional. The network interface. The default is `eth0`.
+ **LossPercent** – Optional. The percentage of packet loss. The default is 7%.
+ **DurationSeconds** – Required. The duration of the network packet loss test, in seconds.
+ **InstallDependencies** – Optional. If the value is `True`, Systems Manager installs the required dependencies on the target instances. The default is `True`. The dependencies are **atd**, **lsof**, **dig**, and **tc**.

The following is an example of the string you can enter in the console.

```
{"LossPercent":"15", "Interface":"eth0", "DurationSeconds":"60", "InstallDependencies":"True"}
```

### AWSFIS-Run-Network-Packet-Loss-Sources
<a name="awsfis-run-network-packet-loss-sources"></a>

Adds packet loss to the network interface using the **tc** tool for traffic to or from specific sources. Uses the [AWSFIS-Run-Network-Packet-Loss-Sources](https://console.aws.amazon.com/systems-manager/documents/AWSFIS-Run-Network-Packet-Loss-Sources/description) SSM document.

Use the `FlowsPercent` parameter to inject packet loss on a percentage of the connections.

**Action type (console only)**  
aws:ssm:send-command/AWSFIS-Run-Network-Packet-Loss-Sources

**ARN**  
arn:aws:ssm:*region*::document/AWSFIS-Run-Network-Packet-Loss-Sources

**Document parameters**
+ **Interface** – Optional. The network interfaces, separated by commas. ALL and DEFAULT values are supported. The default is `DEFAULT`, which will target the primary network interface for the Operating System.
+ **LossPercent** – Optional. The percentage of packet loss. The default is 7%.
+ **FlowsPercent** – Optional. The percentage of network flows that will be affected by the action. The default is 100%.
+ **Sources** – Required. The sources, separated by commas, without spaces. The possible values are: an IPv4 address, an IPv4 CIDR block, a domain name, an AZ name (us-east-1a), an AZ ID (use1-az1), ALL, `DYNAMODB`, and `S3`. If you specify `DYNAMODB` or `S3`, this applies only to the Regional endpoint in the current Region.
+ **TrafficType** – Optional. The type of traffic. The possible values are `ingress` and `egress`. The default is `ingress`.
+ **DurationSeconds** – Required. The duration of the network packet loss test, in seconds.
+ **InstallDependencies** – Optional. If the value is `True`, Systems Manager installs the required dependencies on the target instances. The default is `True`. The dependencies are **atd**, **dig**, **jq**, **lsof**, and **tc**.

When using this document, the experiment role requires the following permissions:
+ `ec2:DescribeInstances`
+ `ec2:DescribeSubnets`

The following is an example of the string you can enter in the console.

```
{"LossPercent":"15", "Sources":"S3,www.example.com,72.21.198.67", "Interface":"eth0", "TrafficType":"egress", "DurationSeconds":"60", "InstallDependencies":"True"}
```

## Examples
<a name="fis-ssm-docs-example-template"></a>

For an example experiment template, see [Run a pre-configured AWS FIS SSM document](experiment-template-example.md#cpu-fault-injection).

For an example tutorial, see [Run CPU stress on an instance](fis-tutorial-run-cpu-stress.md).

## Limitations
<a name="fis-ssm-docs-limitations"></a>
+ The following documents cannot run in parallel:
  + AWSFIS-Run-Network-Blackhole-Port
  + AWSFIS-Run-Network-Latency
  + AWSFIS-Run-Network-Latency-Sources
  + AWSFIS-Run-Network-Packet-Loss
  + AWSFIS-Run-Network-Packet-Loss-Sources

## Rollback scripts
<a name="fis-ssm-docs-rollback"></a>

AWS FIS SSM documents automatically create rollback scripts as a safety mechanism to restore system state after fault injection experiments. These scripts ensure that injected faults are removed, even if the action fails or is terminated unexpectedly.

### Rollback script creation
<a name="fis-ssm-rollback-creation"></a>

Rollback scripts are created automatically when fault injection experiments begin.

**Creation details**
+ **Location** – Scripts are created in the `/var/lib/amazon/ssm/` directory.
+ **Naming pattern** – `FAULT_NAME-FAULT_IDENTIFIER-Rollback.sh` where *FAULT\$1IDENTIFIER* is a randomly generated 32-character string
+ **Timing** – Created at the beginning of each fault injection experiment, before fault injection starts.
+ **Content** – Contains all necessary environment variables and commands to reverse the specific fault.

For example, a network latency experiment might create a rollback script at `/var/lib/amazon/ssm/NetworkLatency-abc123-Rollback.sh`.

### Rollback logging
<a name="fis-ssm-rollback-logging"></a>

Rollback scripts implement dual logging to capture all rollback activities for troubleshooting and audit purposes.

**Log file locations**  
When a rollback script executes, it creates logs in two locations:
+ **Temporary files** – `/tmp/aws-fis-rollback-TIMESTAMP-PID.log`
+ **System logs** – Sent to syslog with facility `local0.info`

**Log file naming**  
Temporary log files use the following naming convention:

```
/tmp/aws-fis-rollback-YYYY-MM-DDTHH:MM:SSZ-PID.log
```

Where *YYYY-MM-DDTHH:MM:SSZ* is the UTC timestamp and *PID* is the process ID of the rollback script.

**Syslog configuration**  
Rollback logs are sent to syslog with the following configuration:
+ **Tag** – `aws-fis-rollback`
+ **Priority** – `local0.info`
+ **Format** – `[YYYY-MM-DDTHH:MM:SSZ] log_message`

**To view rollback logs**  
Use the following command to view all rollback logs from the systemd journal:

```
sudo journalctl -t aws-fis-rollback
```

## Troubleshooting
<a name="fis-ssm-docs-troubleshooting"></a>

Use the following procedure to troubleshoot issues.

**To troubleshoot issues with SSM documents**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Node Management**, **Run Command**.

1. On the **Command history** tab, use the filters to locate the run of the document.

1. Choose the ID of the command to open its details page.

1. Choose the ID of the instance. Review the output and errors for each step.

# Use the AWS FIS aws:ecs:task actions
<a name="ecs-task-actions"></a>

 You can use the **aws:ecs:task** actions to inject faults into your Amazon ECS tasks. Amazon EC2 and Fargate capacity types are supported. 

 These actions use [ AWS Systems Manager (SSM) documents](actions-ssm-agent.html#fis-ssm-docs) to inject faults. To use `aws:ecs:task` actions, you will need to add a container with an SSM Agent to your Amazon Elastic Container Service (Amazon ECS) task definition. The container runs an [AWS FIS defined script](#ecs-task-reference) that registers the Amazon ECS task as Managed Instance in the SSM service. Additionally, the script retrieves task metadata to add tags to the Managed Instance. The setup will allow AWS FIS to resolve the target task. This paragraph refers to the **Setup** in the diagram below. 

 When you run an AWS FIS experiment targeting `aws:ecs:task`, AWS FIS maps the target Amazon ECS tasks you specify in an AWS FIS experiment template to a set of SSM managed instances using a resource tag, `ECS_TASK_ARN`. The tag value is the ARN of the associated Amazon ECS task where the SSM documents should be executed. This paragraph refers to the **Fault Injection** in the diagram below. 

 The following diagram exemplifies the setup and fault injection on a task with one existing container. 

![\[Diagram showing Amazon ECS task fault injection setup with SSM agent container\]](http://docs.aws.amazon.com/fis/latest/userguide/images/ecs-actions.png)


## Actions
<a name="supported-ecs-task-actions"></a>
+ [aws:ecs:task-cpu-stress](fis-actions-reference.md#task-cpu-stress)
+ [aws:ecs:task-io-stress](fis-actions-reference.md#task-io-stress)
+ [aws:ecs:task-kill-process](fis-actions-reference.md#task-kill-process)
+ [aws:ecs:task-network-blackhole-port](fis-actions-reference.md#task-network-blackhole-port)
+ [aws:ecs:task-network-latency](fis-actions-reference.md#task-network-latency)
+ [aws:ecs:task-network-packet-loss](fis-actions-reference.md#task-network-packet-loss)

## Limitations
<a name="ecs-task-limitations"></a>
+ The following actions cannot run in parallel:
  + aws:ecs:task-network-blackhole-port
  + aws:ecs:task-network-latency
  + aws:ecs:task-network-packet-loss
+ If you enabled Amazon ECS Exec, you must disable it before you can use these actions.
+ The SSM document execution might have Status Cancelled even if the experiment has State Completed. When executing Amazon ECS actions, the customer-provided duration is used both for the action duration in the experiment and the Amazon EC2 Systems Manager (SSM) document duration. After the action is initiated, it takes some time for the SSM document to start running. Consequently, by the time the specified action duration is reached, the SSM document may still have a few seconds remaining to complete its execution. When the experiment action duration is reached, the action is stopped, and the SSM document execution is cancelled. The fault injection was successful. 

## Requirements
<a name="ecs-task-requirements"></a>
+ Add the following permissions to the AWS FIS [experiment role](getting-started-iam-service-role.md):
  + `ecs:DescribeTasks`
  + `ssm:SendCommand`
  + `ssm:ListCommands`
  + `ssm:CancelCommand`
+ Add the following permissions to the Amazon ECS [task IAM role](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html):
  + `ssm:CreateActivation`
  + `ssm:AddTagsToResource`
  + `iam:PassRole`

  Note that you can specify the ARN of the managed instance role as the resource for `iam:PassRole`.
+ Create an Amazon ECS [task execution IAM role](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_execution_IAM_role.html) and add the [AmazonECSTaskExecutionRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonECSTaskExecutionRolePolicy.html) managed policy.
+ In the task definition, set the environment variable `MANAGED_INSTANCE_ROLE_NAME` to the name of the [ managed instance role](https://docs.aws.amazon.com/systems-manager/latest/userguide/hybrid-multicloud-service-role.html). This is the role that will be attached to the tasks registered as managed instances in SSM.
+ Add the following permissions to the managed instance role:
  + `ssm:DeleteActivation`
  + `ssm:DeregisterManagedInstance`
+ Add the [AmazonSSMManagedInstanceCore](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMManagedInstanceCore.html) managed policy to the managed instance role.
+ Add an SSM agent container to the Amazon ECS task definition. The command script registers Amazon ECS tasks as managed instances.

  ```
  {
      "name": "amazon-ssm-agent",
      "image": "public.ecr.aws/amazon-ssm-agent/amazon-ssm-agent:latest",
      "cpu": 0,
      "links": [],
      "portMappings": [],
      "essential": false,
      "entryPoint": [],
      "command": [
          "/bin/bash",
          "-c",
          "set -e; dnf upgrade -y; dnf install jq procps awscli -y; term_handler() { echo \"Deleting SSM activation $ACTIVATION_ID\"; if ! aws ssm delete-activation --activation-id $ACTIVATION_ID --region $ECS_TASK_REGION; then echo \"SSM activation $ACTIVATION_ID failed to be deleted\" 1>&2; fi; MANAGED_INSTANCE_ID=$(jq -e -r .ManagedInstanceID /var/lib/amazon/ssm/registration); echo \"Deregistering SSM Managed Instance $MANAGED_INSTANCE_ID\"; if ! aws ssm deregister-managed-instance --instance-id $MANAGED_INSTANCE_ID --region $ECS_TASK_REGION; then echo \"SSM Managed Instance $MANAGED_INSTANCE_ID failed to be deregistered\" 1>&2; fi; kill -SIGTERM $SSM_AGENT_PID; }; trap term_handler SIGTERM SIGINT; if [[ -z $MANAGED_INSTANCE_ROLE_NAME ]]; then echo \"Environment variable MANAGED_INSTANCE_ROLE_NAME not set, exiting\" 1>&2; exit 1; fi; if ! ps ax | grep amazon-ssm-agent | grep -v grep > /dev/null; then if [[ -n $ECS_CONTAINER_METADATA_URI_V4 ]] ; then echo \"Found ECS Container Metadata, running activation with metadata\"; TASK_METADATA=$(curl \"${ECS_CONTAINER_METADATA_URI_V4}/task\"); ECS_TASK_AVAILABILITY_ZONE=$(echo $TASK_METADATA | jq -e -r '.AvailabilityZone'); ECS_TASK_ARN=$(echo $TASK_METADATA | jq -e -r '.TaskARN'); ECS_TASK_REGION=$(echo $ECS_TASK_AVAILABILITY_ZONE | sed 's/.$//'); ECS_TASK_AVAILABILITY_ZONE_REGEX='^(af|ap|ca|cn|eu|me|sa|us|us-gov)-(central|north|(north(east|west))|south|south(east|west)|east|west)-[0-9]{1}[a-z]{1}$'; if ! [[ $ECS_TASK_AVAILABILITY_ZONE =~ $ECS_TASK_AVAILABILITY_ZONE_REGEX ]]; then echo \"Error extracting Availability Zone from ECS Container Metadata, exiting\" 1>&2; exit 1; fi; ECS_TASK_ARN_REGEX='^arn:(aws|aws-cn|aws-us-gov):ecs:[a-z0-9-]+:[0-9]{12}:task/[a-zA-Z0-9_-]+/[a-zA-Z0-9]+$'; if ! [[ $ECS_TASK_ARN =~ $ECS_TASK_ARN_REGEX ]]; then echo \"Error extracting Task ARN from ECS Container Metadata, exiting\" 1>&2; exit 1; fi; CREATE_ACTIVATION_OUTPUT=$(aws ssm create-activation --iam-role $MANAGED_INSTANCE_ROLE_NAME --tags Key=ECS_TASK_AVAILABILITY_ZONE,Value=$ECS_TASK_AVAILABILITY_ZONE Key=ECS_TASK_ARN,Value=$ECS_TASK_ARN Key=FAULT_INJECTION_SIDECAR,Value=true --region $ECS_TASK_REGION); ACTIVATION_CODE=$(echo $CREATE_ACTIVATION_OUTPUT | jq -e -r .ActivationCode); ACTIVATION_ID=$(echo $CREATE_ACTIVATION_OUTPUT | jq -e -r .ActivationId); if ! amazon-ssm-agent -register -code $ACTIVATION_CODE -id $ACTIVATION_ID -region $ECS_TASK_REGION; then echo \"Failed to register with AWS Systems Manager (SSM), exiting\" 1>&2; exit 1; fi; amazon-ssm-agent & SSM_AGENT_PID=$!; wait $SSM_AGENT_PID; else echo \"ECS Container Metadata not found, exiting\" 1>&2; exit 1; fi; else echo \"SSM agent is already running, exiting\" 1>&2; exit 1; fi"
      ],
      "environment": [
          {
              "name": "MANAGED_INSTANCE_ROLE_NAME",
              "value": "SSMManagedInstanceRole"
          }
      ],
      "environmentFiles": [],
      "mountPoints": [],
      "volumesFrom": [],
      "secrets": [],
      "dnsServers": [],
      "dnsSearchDomains": [],
      "extraHosts": [],
      "dockerSecurityOptions": [],
      "dockerLabels": {},
      "ulimits": [],
      "logConfiguration": {},
      "systemControls": []
  }
  ```

  For a more readable version of the script, see [Reference version of the script](#ecs-task-reference).
+  Enable the Amazon ECS Fault Injection APIs, by setting the `enableFaultInjection` field in the Amazon ECS task definition: 

  ```
  "enableFaultInjection": true,
  ```
+ When using the `aws:ecs:task-network-blackhole-port`,`aws:ecs:task-network-latency`, or `aws:ecs:task-network-packet-loss` actions on Fargate tasks, the action must have the `useEcsFaultInjectionEndpoints` parameter set to `true`. 
+ When using the `aws:ecs:task-kill-process`, `aws:ecs:task-network-blackhole-port`, `aws:ecs:task-network-latency`, or `aws:ecs:task-network-packet-loss` actions, the Amazon ECS task definition must have `pidMode` set to `task`.
+ When using the `aws:ecs:task-network-blackhole-port`, `aws:ecs:task-network-latency`, or `aws:ecs:task-network-packet-loss` actions on tasks with EC2 launch type, the [networking option in the task definition](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking.html) must be set to `awsvpc` or `host`. 

## Reference version of the script
<a name="ecs-task-reference"></a>

The following is a more readable version of the script in the Requirements section, for your reference.

```
#!/usr/bin/env bash

# This is the activation script used to register ECS tasks as Managed Instances in SSM
# The script retrieves information form the ECS task metadata endpoint to add three tags to the Managed Instance
#  - ECS_TASK_AVAILABILITY_ZONE: To allow customers to target Managed Instances / Tasks in a specific Availability Zone
#  - ECS_TASK_ARN: To allow customers to target Managed Instances / Tasks by using the Task ARN
#  - FAULT_INJECTION_SIDECAR: To make it clear that the tasks were registered as managed instance for fault injection purposes. Value is always 'true'.
# The script will leave the SSM Agent running in the background
# When the container running this script receives a SIGTERM or SIGINT signal, it will do the following cleanup:
#  - Delete SSM activation
#  - Deregister SSM managed instance

set -e # stop execution instantly as a query exits while having a non-zero

dnf upgrade -y
dnf install jq procps awscli -y

term_handler() {
  echo "Deleting SSM activation $ACTIVATION_ID"
  if ! aws ssm delete-activation --activation-id $ACTIVATION_ID --region $ECS_TASK_REGION; then
    echo "SSM activation $ACTIVATION_ID failed to be deleted" 1>&2
  fi

  MANAGED_INSTANCE_ID=$(jq -e -r .ManagedInstanceID /var/lib/amazon/ssm/registration)
  echo "Deregistering SSM Managed Instance $MANAGED_INSTANCE_ID"
  if ! aws ssm deregister-managed-instance --instance-id $MANAGED_INSTANCE_ID --region $ECS_TASK_REGION; then
    echo "SSM Managed Instance $MANAGED_INSTANCE_ID failed to be deregistered" 1>&2
  fi

  kill -SIGTERM $SSM_AGENT_PID
}
trap term_handler SIGTERM SIGINT

# check if the required IAM role is provided
if [[ -z $MANAGED_INSTANCE_ROLE_NAME ]] ; then
  echo "Environment variable MANAGED_INSTANCE_ROLE_NAME not set, exiting" 1>&2
  exit 1
fi

# check if the agent is already running (it will be if ECS Exec is enabled)
if ! ps ax | grep amazon-ssm-agent | grep -v grep > /dev/null; then

  # check if ECS Container Metadata is available
  if [[ -n $ECS_CONTAINER_METADATA_URI_V4 ]] ; then

    # Retrieve info from ECS task metadata endpoint
    echo "Found ECS Container Metadata, running activation with metadata"
    TASK_METADATA=$(curl "${ECS_CONTAINER_METADATA_URI_V4}/task")
    ECS_TASK_AVAILABILITY_ZONE=$(echo $TASK_METADATA | jq -e -r '.AvailabilityZone')
    ECS_TASK_ARN=$(echo $TASK_METADATA | jq -e -r '.TaskARN')
    ECS_TASK_REGION=$(echo $ECS_TASK_AVAILABILITY_ZONE | sed 's/.$//')

    # validate ECS_TASK_AVAILABILITY_ZONE
    ECS_TASK_AVAILABILITY_ZONE_REGEX='^(af|ap|ca|cn|eu|me|sa|us|us-gov)-(central|north|(north(east|west))|south|south(east|west)|east|west)-[0-9]{1}[a-z]{1}$'
    if ! [[ $ECS_TASK_AVAILABILITY_ZONE =~ $ECS_TASK_AVAILABILITY_ZONE_REGEX ]] ; then
      echo "Error extracting Availability Zone from ECS Container Metadata, exiting" 1>&2
      exit 1
    fi

    # validate ECS_TASK_ARN
    ECS_TASK_ARN_REGEX='^arn:(aws|aws-cn|aws-us-gov):ecs:[a-z0-9-]+:[0-9]{12}:task/[a-zA-Z0-9_-]+/[a-zA-Z0-9]+$'
    if ! [[ $ECS_TASK_ARN =~ $ECS_TASK_ARN_REGEX ]] ; then
      echo "Error extracting Task ARN from ECS Container Metadata, exiting" 1>&2
      exit 1
    fi

    # Create activation tagging with Availability Zone and Task ARN
    CREATE_ACTIVATION_OUTPUT=$(aws ssm create-activation \
      --iam-role $MANAGED_INSTANCE_ROLE_NAME \
      --tags Key=ECS_TASK_AVAILABILITY_ZONE,Value=$ECS_TASK_AVAILABILITY_ZONE Key=ECS_TASK_ARN,Value=$ECS_TASK_ARN Key=FAULT_INJECTION_SIDECAR,Value=true \
      --region $ECS_TASK_REGION)

    ACTIVATION_CODE=$(echo $CREATE_ACTIVATION_OUTPUT | jq -e -r .ActivationCode)
    ACTIVATION_ID=$(echo $CREATE_ACTIVATION_OUTPUT | jq -e -r .ActivationId)

    # Register with AWS Systems Manager (SSM)
    if ! amazon-ssm-agent -register -code $ACTIVATION_CODE -id $ACTIVATION_ID -region $ECS_TASK_REGION; then
      echo "Failed to register with AWS Systems Manager (SSM), exiting" 1>&2
      exit 1
    fi

    # the agent needs to run in the background, otherwise the trapped signal
    # won't execute the attached function until this process finishes
    amazon-ssm-agent &
    SSM_AGENT_PID=$!

    # need to keep the script alive, otherwise the container will terminate
    wait $SSM_AGENT_PID

  else
    echo "ECS Container Metadata not found, exiting" 1>&2
    exit 1
  fi

else
  echo "SSM agent is already running, exiting" 1>&2
  exit 1
fi
```

## Example experiment template
<a name="example-ecs-task-experiment-template"></a>

The following is an example experiment template for the [aws:ecs:task-cpu-stress](fis-actions-reference.md#task-cpu-stress) action.

```
{
    "description": "Run CPU stress on the target ECS tasks",
    "targets": {
        "myTasks": {
            "resourceType": "aws:ecs:task",
            "resourceArns": [
                "arn:aws:ecs:us-east-1:111122223333:task/my-cluster/09821742c0e24250b187dfed8EXAMPLE"
            ],
            "selectionMode": "ALL"
        }
    },
    "actions": {
        "EcsTask-cpu-stress": {
            "actionId": "aws:ecs:task-cpu-stress",
            "parameters": {
                "duration": "PT1M"
            },
            "targets": {
                "Tasks": "myTasks"
            }
        }
    },
    "stopConditions": [
        {
            "source": "none",
        }
    ],
    "roleArn": "arn:aws:iam::111122223333:role/fis-experiment-role",
    "tags": {}
}
```

# Use the AWS FIS aws:eks:pod actions
<a name="eks-pod-actions"></a>

 You can use the **aws:eks:pod** actions to inject faults into the Kubernetes Pods running in your EKS clusters. 

 When an action is initiated, FIS retrieves the [FIS Pod container image](eks-pod-actions.html#eks-pod-container-images). This image is then used to create a Pod in the targeted EKS cluster. The newly-created Pod is responsible for injecting, controlling and monitoring the fault. For all FIS EKS actions, except for [aws:eks:pod-delete](fis-actions-reference.html#pod-delete), the fault injection is achieved through the use of [ephemeral containers](https://kubernetes.io/docs/concepts/workloads/pods/ephemeral-containers/), a Kubernetes feature that allows for the creation of temporary containers within an existing Pod. The ephemeral container is started in the same namespace as the target container and executes the desired fault injection tasks. If no target container is specified, the first container in the Pod specification is selected as target. 

![\[Fault Injection Service workflow in EKS cluster, showing pod creation and fault injection process.\]](http://docs.aws.amazon.com/fis/latest/userguide/images/eks-actions.png)


1.  FIS creates the FIS Pod in the target cluster specified in the experiment template. 

1.  The FIS Pod creates an ephemeral container in the Target Pod in the same namespace as target container. 

1.  The ephemeral container injects faults in the namespace of the target container. 

1.  The FIS Pod controls and monitors the fault injection of the ephemeral container and FIS controls and monitors the FIS Pod. 

 Upon experiment completion or if an error occurs, the ephemeral container and the FIS Pod are removed. 

## Actions
<a name="supported-eks-pod-actions"></a>
+ [aws:eks:pod-cpu-stress](fis-actions-reference.md#pod-cpu-stress)
+ [aws:eks:pod-delete](fis-actions-reference.md#pod-delete)
+ [aws:eks:pod-io-stress](fis-actions-reference.md#pod-io-stress)
+ [aws:eks:pod-memory-stress](fis-actions-reference.md#pod-memory-stress)
+ [aws:eks:pod-network-blackhole-port](fis-actions-reference.md#pod-network-blackhole-port)
+ [aws:eks:pod-network-latency](fis-actions-reference.md#pod-network-latency)
+ [aws:eks:pod-network-packet-loss](fis-actions-reference.md#pod-network-packet-loss)

## Limitations
<a name="eks-pod-limitations"></a>
+ The following actions do not work with AWS Fargate:
  + aws:eks:pod-network-blackhole-port
  + aws:eks:pod-network-latency
  + aws:eks:pod-network-packet-loss
+ The following actions do not support the `bridge` [network mode](https://docs.aws.amazon.com/AmazonECS/latest/bestpracticesguide/networking-networkmode.html):
  + aws:eks:pod-network-blackhole-port
  + aws:eks:pod-network-latency
  + aws:eks:pod-network-packet-loss
+ The following actions require root permissions within the ephemeral container.
  + aws:eks:pod-network-blackhole-port
  + aws:eks:pod-network-latency
  + aws:eks:pod-network-packet-loss

  The ephemeral container will inherit its permissions from the security context of the target Pod. If you need to run the containers in the Pod as non-root user, you can set separate security contexts for the containers in the target Pod.
+ You can't identify targets of type **aws:eks:pod** in your experiment template using resource ARNs or resource tags. You must identify targets using the required resource parameters.
+ The actions aws:eks:pod-network-latency and aws:eks:pod-network-packet-loss should not be run in parallel and target the same Pod. Depending on the value of the `maxErrors` parameter you specify, the action may end in completed or in failed state:
  + If `maxErrorsPercent` is 0 (default), the action will end in failed state.
  + Otherwise, the failure will add up to the `maxErrorsPercent` budget. If the number of failed injections do not reach the provided `maxErrors`, the action will end up in completed state.
  + You can identify these failures from the logs of the injected ephemeral container in the target Pod. It will fail with `Exit Code: 16`.
+ The action aws:eks:pod-network-blackhole-port should not be run in parallel with other actions that target the same Pod and use the same `trafficType`. Parallel actions using different traffic types are supported.
+ FIS can only monitor the status of fault injection when the `securityContext` of the target Pods is set to `readOnlyRootFilesystem: false`. Without this configuration, all EKS Pod actions will fail.

## Requirements
<a name="eks-pod-requirements"></a>
+ Install the AWS CLI on your computer. This is needed only if you'll use the AWS CLI to create IAM roles. For more information, see [Installing or updating the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html).
+ Install **kubectl** on your computer. This is needed only to interact with the EKS cluster to configure or monitor the target application. For more information, see [https://kubernetes.io/docs/tasks/tools/](https://kubernetes.io/docs/tasks/tools/).
+ The minimum supported version of EKS is 1.23.

## Create an experiment role
<a name="create-experiment-role-eks-pod"></a>

 To run an experiment, you need to configure an IAM role for the experiment. For more information, see [IAM roles for AWS FIS experiments](getting-started-iam-service-role.md). The required permissions for this role depend on the action you're using. Refer to the [AWS FIS actions that target `aws:eks:pod`](https://docs.aws.amazon.com/fis/latest/userguide/fis-actions-reference.html#eks-actions-reference) to find the necessary permissions for your action. 

## Configure the Kubernetes service account
<a name="configure-service-account"></a>

Configure a Kubernetes service account to run experiments with targets in the specified Kubernetes namespace. In the following example, the service account is *myserviceaccount* and the namespace is *default*. Note that default is one of the standard Kubernetes namespaces.

**To configure your Kubernetes service account**

1. Create a file named `rbac.yaml` and add the following.

   ```
   kind: ServiceAccount
   apiVersion: v1
   metadata:
     namespace: default
     name: myserviceaccount
   
   ---
   kind: Role
   apiVersion: rbac.authorization.k8s.io/v1
   metadata:
     namespace: default
     name: role-experiments
   rules:
   - apiGroups: [""]
     resources: ["configmaps"]
     verbs: [ "get", "create", "patch", "delete"]
   - apiGroups: [""]
     resources: ["pods"]
     verbs: ["create", "list", "get", "delete", "deletecollection"]
   - apiGroups: [""]
     resources: ["pods/ephemeralcontainers"]
     verbs: ["update"]
   - apiGroups: [""]
     resources: ["pods/exec"]
     verbs: ["create"]
   - apiGroups: ["apps"]
     resources: ["deployments"]
     verbs: ["get"]
   
   ---
   apiVersion: rbac.authorization.k8s.io/v1
   kind: RoleBinding
   metadata:
     name: bind-role-experiments
     namespace: default
   subjects:
   - kind: ServiceAccount
     name: myserviceaccount
     namespace: default
   - apiGroup: rbac.authorization.k8s.io
     kind: User
     name: fis-experiment
   roleRef:
     kind: Role
     name: role-experiments
     apiGroup: rbac.authorization.k8s.io
   ```

1. Run the following command.

   ```
   kubectl apply -f rbac.yaml
   ```

## Grant IAM users and roles access to Kubernetes APIs
<a name="grant-k8s-access"></a>

Follow the steps explained in [ Associate IAM Identities with Kubernetes Permissions ](https://docs.aws.amazon.com/eks/latest/userguide/grant-k8s-access.html#authentication-modes) in the **EKS** documentation.

### Option 1: Create access entries
<a name="grant-k8s-access-option-1"></a>

We recommend using **Access Entries**. You can use the following command to create an Access Entry which associates the IAM role with the Kubernetes user *fis-experiment*. For more information, see [ Grant IAM users access to Kubernetes with EKS access entries](https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html).

```
aws eks create-access-entry \
                 --principal-arn arn:aws:iam::123456789012:role/fis-experiment-role \
                 --username fis-experiment \
                 --cluster-name my-cluster
```

**Important**  
In order to leverage access entries, the authentication mode of the EKS cluster must be configured to either the `API_AND_CONFIG_MAP` or `API` mode.

### Option 2: Add entries to the aws-auth ConfigMap
<a name="grant-k8s-access-option-2"></a>

You can also use the following command to create an identity mapping. For more information, see [Manage IAM users and roles](https://eksctl.io/usage/iam-identity-mappings/) in the **eksctl** documentation.

```
eksctl create iamidentitymapping \
                 --arn arn:aws:iam::123456789012:role/fis-experiment-role \
                 --username fis-experiment \
                 --cluster my-cluster
```

**Important**  
Leveraging the eksctl toolkit to configure identity mappings will result in the creation of entries within the `aws-auth` ConfigMap. It is important to note that these generated entries do not support the inclusion of a path component. Consequently, the ARN provided as input must not contain a path segment (e.g., `arn:aws:iam::123456789012:role/service-role/fis-experiment-role`).

## Pod container images
<a name="eks-pod-container-images"></a>

The Pod container images provided by AWS FIS are hosted in Amazon ECR. When you reference an image from Amazon ECR, you must use the full image URI.

The Pod container image is also available in the [AWS ECR Public Gallery](https://gallery.ecr.aws/aws-fis/aws-fis-pod).


| AWS Region | Image URI | 
| --- | --- | 
| US East (Ohio) | 051821878176.dkr.ecr.us-east-2.amazonaws.com/aws-fis-pod:0.1 | 
| US East (N. Virginia) | 731367659002.dkr.ecr.us-east-1.amazonaws.com/aws-fis-pod:0.1 | 
| US West (N. California) | 080694859247.dkr.ecr.us-west-1.amazonaws.com/aws-fis-pod:0.1 | 
| US West (Oregon) | 864386544765.dkr.ecr.us-west-2.amazonaws.com/aws-fis-pod:0.1 | 
| Africa (Cape Town) | 056821267933.dkr.ecr.af-south-1.amazonaws.com/aws-fis-pod:0.1 | 
| Asia Pacific (Hong Kong) | 246405402639.dkr.ecr.ap-east-1.amazonaws.com/aws-fis-pod:0.1 | 
| Asia Pacific (Mumbai) | 524781661239.dkr.ecr.ap-south-1.amazonaws.com/aws-fis-pod:0.1 | 
| Asia Pacific (Osaka) | 148336246925.dkr.ecr.ap-northeast-3.amazonaws.com/aws-fis-pod:0.1 | 
| Asia Pacific (Seoul) | 526524659354.dkr.ecr.ap-northeast-2.amazonaws.com/aws-fis-pod:0.1 | 
| Asia Pacific (Singapore) | 316401638346.dkr.ecr.ap-southeast-1.amazonaws.com/aws-fis-pod:0.1 | 
| Asia Pacific (Sydney) | 488104106298.dkr.ecr.ap-southeast-2.amazonaws.com/aws-fis-pod:0.1 | 
| Asia Pacific (Tokyo) | 635234321696.dkr.ecr.ap-northeast-1.amazonaws.com/aws-fis-pod:0.1 | 
| Canada (Central) | 490658072207.dkr.ecr.ca-central-1.amazonaws.com/aws-fis-pod:0.1 | 
| Europe (Frankfurt) | 713827034473.dkr.ecr.eu-central-1.amazonaws.com/aws-fis-pod:0.1 | 
| Europe (Ireland) | 205866052826.dkr.ecr.eu-west-1.amazonaws.com/aws-fis-pod:0.1 | 
| Europe (London) | 327424803546.dkr.ecr.eu-west-2.amazonaws.com/aws-fis-pod:0.1 | 
| Europe (Milan) | 478809367036.dkr.ecr.eu-south-1.amazonaws.com/aws-fis-pod:0.1 | 
| Europe (Paris) | 154605889247.dkr.ecr.eu-west-3.amazonaws.com/aws-fis-pod:0.1 | 
| Europe (Spain) | 395402409451.dkr.ecr.eu-south-2.amazonaws.com/aws-fis-pod:0.1 | 
| Europe (Stockholm) | 263175118295.dkr.ecr.eu-north-1.amazonaws.com/aws-fis-pod:0.1 | 
| Europe (Zurich) | 604225987275.dkr.ecr.eu-central-2.amazonaws.com/aws-fis-pod:0.1 | 
| Middle East (Bahrain) | 065825543785.dkr.ecr.me-south-1.amazonaws.com/aws-fis-pod:0.1 | 
| Middle East (UAE) | 438374459301.dkr.ecr.me-central-1.amazonaws.com/aws-fis-pod:0.1 | 
| South America (São Paulo) | 767113787785.dkr.ecr.sa-east-1.amazonaws.com/aws-fis-pod:0.1 | 
| AWS GovCloud (US-East) | 246533647532.dkr.ecr.us-gov-east-1.amazonaws.com/aws-fis-pod:0.1 | 
| AWS GovCloud (US-West) | 246529956514.dkr.ecr.us-gov-west-1.amazonaws.com/aws-fis-pod:0.1 | 

## Example experiment template
<a name="example-eks-pod-experiment-template"></a>

The following is an example experiment template for the [aws:eks:pod-network-latency](fis-actions-reference.md#pod-network-latency) action.

```
{
    "description": "Add latency and jitter to the network interface for the target EKS Pods",
    "targets": {
        "myPods": {
            "resourceType": "aws:eks:pod",
            "parameters": {
                "clusterIdentifier": "mycluster",
                "namespace": "default",
                "selectorType": "labelSelector",
                "selectorValue": "mylabel=mytarget"
            },
            "selectionMode": "COUNT(3)"
        }
    },
    "actions": {
        "EksPod-latency": {
            "actionId": "aws:eks:pod-network-latency",
            "description": "Add latency",
            "parameters": {
                "kubernetesServiceAccount": "myserviceaccount",
                "duration": "PT5M",
                "delayMilliseconds": "200",
                "jitterMilliseconds": "10",
                "sources": "0.0.0.0/0"
            },
            "targets": {
                "Pods": "myPods"
            }
        }
    },
    "stopConditions": [
        {
            "source": "none",
        }
    ],
    "roleArn": "arn:aws:iam::111122223333:role/fis-experiment-role",
    "tags": {
        "Name": "EksPodNetworkLatency"
    }
}
```

# Use the AWS FIS aws:lambda:function actions
<a name="use-lambda-actions"></a>

You can use the **aws:lambda:function** actions to inject faults into invocations of your AWS Lambda functions.

These actions use an AWS FIS managed extension to inject faults. To use **aws:lambda:function** actions, you will need to attach the extension as a layer to your Lambda functions and configure an Amazon S3 bucket to communicate between AWS FIS and the extension.

When you run an AWS FIS experiment targeting **aws:lambda:function**, AWS FIS reads the Amazon S3 configuration from your Lambda function and writes fault injection information to the specified Amazon S3 location, as shown in the diagram below.

![\[Diagram showing the configuration of the AWS Fault Injection Service Lambda extension.\]](http://docs.aws.amazon.com/fis/latest/userguide/images/Serverless-config-distro-3.png)


## Actions
<a name="supported-lambda-actions"></a>
+ [aws:lambda:invocation-add-delay](fis-actions-reference.md#invocation-add-delay)
+ [aws:lambda:invocation-error](fis-actions-reference.md#invocation-error)
+ [aws:lambda:invocation-http-integration-response](fis-actions-reference.md#invocation-http-integration-response)

## Limitations
<a name="lambda-limitations"></a>
+ The AWS FIS Lambda extension cannot be used with functions that use response streaming. Even when no faults are applied, the AWS FIS Lambda extension will suppress streaming configurations. For more information, see [Response streaming for Lambda functions](https://docs.aws.amazon.com/lambda/latest/dg/configuration-response-streaming.html) in the *AWS Lambda user guide*.

## Prerequisites
<a name="lambda-prerequisites"></a>

Before using AWS FIS Lambda actions, ensure that you have completed these one-time tasks:
+ **Create an Amazon S3 bucket in the region you plan to start an experiment from** ‐ You can use a single Amazon S3 bucket for multiple experiments and share the bucket between multiple AWS accounts. However, you must have a separate bucket for each AWS Region.
+ **Create an IAM policy to grant read access for the Lambda extension to the Amazon S3 bucket** ‐ In the following template, replace `my-config-distribution-bucket` with the name of the Amazon S3 bucket you created above and `FisConfigs` with the name of a folder in your Amazon S3 bucket you want to use.

------
#### [ JSON ]

****  

  ```
  {
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "AllowListingConfigLocation",
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::my-config-distribution-bucket"],
            "Condition": {
                "StringLike": {
                    "s3:prefix": ["FisConfigs/*"]
                }
            }
        },
        {
            "Sid": "AllowReadingObjectFromConfigLocation",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": ["arn:aws:s3:::my-config-distribution-bucket/FisConfigs/*"]
        }
    ]
  }
  ```

------
+ **Create an IAM policy to grant write access for the AWS FIS experiment to the Amazon S3 bucket** ‐ In the following template, replace `my-config-distribution-bucket` with the name of the Amazon S3 bucket you created above and `FisConfigs` with the name of a folder in your Amazon S3 bucket you want to use.

------
#### [ JSON ]

****  

  ```
  {
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "AllowFisToWriteAndDeleteFaultConfigurations",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::my-config-distribution-bucket/FisConfigs/*"
        },
        {
            "Sid": "AllowFisToInspectLambdaFunctions",
            "Effect": "Allow",
            "Action": [
                "lambda:GetFunction"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowFisToDoTagLookups",
            "Effect": "Allow",
            "Action": [
                "tag:GetResources"
            ],
            "Resource": "*"
        }
    ]
  }
  ```

------

## Configure Lambda functions
<a name="configure-lambda-functions"></a>

Follow the steps below for every Lambda function that you want to impact:

1. Attach the Amazon S3 read access policy created above to the Lambda function.

1. Attach the AWS FIS extension as a layer to the function. For more information on the layer ARNs, see [Available versions of the AWS FIS extension for Lambda](actions-lambda-extension-arns.md). 

1. Set the `AWS_FIS_CONFIGURATION_LOCATION` variable to the ARN of the Amazon S3 configuration folder, for example `arn:aws:s3:::my-config-distribution-bucket/FisConfigs/`.

1. Set the `AWS_LAMBDA_EXEC_WRAPPER` variable to `/opt/aws-fis/bootstrap`.

## Configure an AWS FIS experiment
<a name="configure-fis-experiment-lambda-actions"></a>

Before running your experiment, ensure that you have attached the Amazon S3 write access policy that you created in the prerequisites to the experiment roles that will use AWS FIS Lambda actions. For more information on how to set up an AWS FIS experiment, see [Managing AWS FIS experiment templatesManaging your AWS FIS experiments](experiments.md).

## Logging
<a name="lambda-actions-logging"></a>

The AWS FIS Lambda extension writes logs to the console and CloudWatch logs. Logging can be configured using the `AWS_FIS_LOG_LEVEL` variable. Supported values are `INFO`, `WARN`, and `ERROR`. Logs will be written in the log format configured for your Lambda function.

The following is an example of a log in text format:

```
2024-08-09T18:51:38.599984Z INFO AWS FIS EXTENSION - extension enabled 1.0.1
```

The following is an example of a log in JSON format:

```
{
  "timestamp": "2024-10-08T17:15:36.953905Z",
  "level": "INFO",
  "fields": {
    "message": "AWS FIS EXTENSION - adding 5000 milliseconds of latency to function invocation",
    "requestId":"0608bf70-908f-4a17-bbfe-3782cd783d8b"
  }
}
```

The emitted logs can be used with Amazon CloudWatch metric filters to generate custom metrics. For more information on metric filters, see [Creating metrics from log events using filters](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/MonitoringLogData.html) in the *Amazon CloudWatch Logs user guide*.

### Using CloudWatch Embedded Metric Format (EMF)
<a name="lambda-actions-emf-metrics"></a>

You can configure the AWS FIS Lambda extension to emit EMF logs by setting the `AWS_FIS_EXTENSION_METRICS` variable to `all`. By default, the extension does not emit EMF logs, and `AWS_FIS_EXTENSION_METRICS` defaults to `none`. EMF logs are published in the `aws-fis-extension namespace` on the CloudWatch console.

Within the `aws-fis-extension` namespace, you can select certain metrics to be displayed in a graph. The example below shows some of the available metrics in the `aws-fis-extension` namespace.

![\[Example graph of output EMF metrics in the CloudWatch dashboard.\]](http://docs.aws.amazon.com/fis/latest/userguide/images/emf-metrics-graph.png)


## Advanced topics
<a name="lambda-actions-advanced-topics"></a>

This section provides additional information on how AWS FIS works with the Lambda extension and special use cases.

**Topics**
+ [

### Understanding polling
](#understanding-polling)
+ [

### Understanding concurrency
](#understanding-concurrency)
+ [

### Understanding invocation percentage
](#understanding-invocation-percentage)
+ [

### Special considerations for SnapStart
](#considerations-for-snapshot)
+ [

### Special considerations for fast infrequent functions
](#considerations-for-fast-infrequent-functions)
+ [

### Configuring multiple extensions using Lambda Runtime API proxy
](#configuring-multiple-extensions)
+ [

### Using AWS FIS with container runtimes
](#container-runtimes)
+ [

### AWS FIS Lambda environment variables
](#fis-extension-environment-variables)

### Understanding polling
<a name="understanding-polling"></a>

You may notice a ramp-up period of up to 60s before faults begin to affect all invocations. This is because the Lambda extension polls for configuration information infrequently while waiting for an experiment to start. You can adjust the polling interval by setting the `AWS_FIS_SLOW_POLL_INTERVAL_SECONDS` environment variable (default 60s). A lower value will poll more often but incur greater performance impact and cost. You may also notice a ramp-down period of up to 20s after the fault has been injected. This is because the extension polls more frequently while experiments are running.

### Understanding concurrency
<a name="understanding-concurrency"></a>

You may target the same Lambda functions with multiple actions concurrently. If the actions are all different from each other, then all actions will be applied. For example, you can add an initial delay before returning an error. If two identical or conflicting actions are applied to the same function, then only the action with the earliest start date will be applied. 

 The figure below shows two conflicting actions, **aws:lambda:invocation-error** and **aws:lambda:invocation-http-integration-response**, overlapping. Initially, **aws:lambda:invocation-error** ramps up at 11:38 and runs for 2 minutes. Then, **aws:lambda:invocation-http-integration-response** attempts to start at 11:39, but does not come into effect until 11:40 after the first action has concluded. To maintain experiment timing, **aws:lambda:invocation-http-integration-response** still finishes at the originally intended time of 11:41. 

![\[Graphs showing error and response code percentages for x86 and arm during overlapping actions.\]](http://docs.aws.amazon.com/fis/latest/userguide/images/understanding-concurrency.png)


### Understanding invocation percentage
<a name="understanding-invocation-percentage"></a>

The AWS Fault Injection Service Lambda actions use an **aws:lambda:function** target which allows you to select one or more AWS Lambda function ARNs. Using these ARNs, the AWS Fault Injection Service Lambda actions can inject faults in every invocation of the selected Lambda function. To allow you to inject faults into only a fraction of invocations, each action allows you to specify an `invocationPercentage` parameter with values from 0 to 100. Using the `invocationPercentage` parameter, you can ensure that actions are concurrent even for invocation percentages below 100%. 

### Special considerations for SnapStart
<a name="considerations-for-snapshot"></a>

AWS Lambda functions with SnapStart enabled will have a higher likelihood of waiting the full duration of `AWS_FIS_SLOW_POLL_INTERVAL_SECONDS` before picking up the first fault configuration, even if an experiment is already running. This is because Lambda SnapStart uses a single snapshot as the initial state for multiple execution environments and persists temporary storage. For the AWS Fault Injection Service Lambda extension it will persist polling frequency and skip the initial configuration check on initialization of the execution environment. For more information on Lambda SnapStart, see [Improving startup performance with Lambda SnapStart](https://docs.aws.amazon.com/lambda/latest/dg/snapstart.html) in the *AWS Lambda user guide.* 

### Special considerations for fast infrequent functions
<a name="considerations-for-fast-infrequent-functions"></a>

If your Lambda function runs for less than the average poll duration of 70 milliseconds then the polling thread may need multiple invocations to obtain fault configurations. If the function runs infrequently, for example once every 15 minutes, then the poll will never be completed. To ensure the polling thread can finish, set the `AWS_FIS_POLL_MAX_WAIT_MILLISECONDS` parameter. The extension will wait up to the duration that you set for an in-flight poll to finish before starting the function. Note that this will increase the billed function duration and lead to an additional delay on some invocations.

### Configuring multiple extensions using Lambda Runtime API proxy
<a name="configuring-multiple-extensions"></a>

The Lambda extension uses the AWS Lambda Runtime API proxy to intercept function invocations before they reach the runtime. It does this by exposing a proxy for the AWS Lambda Runtime API to the runtime and advertising its location in the `AWS_LAMBDA_RUNTIME_API` variable. 

The following diagram shows the configuration for a single extension using the Lambda Runtime API proxy:

![\[The default configuration.\]](http://docs.aws.amazon.com/fis/latest/userguide/images/Proxy-1.png)


To use the AWS FIS Lambda extension with another extension using the AWS Lambda Runtime API proxy pattern, you will need to chain the proxies using a custom bootstrap script. The AWS FIS Lambda extension accepts the following environment variables:
+ `AWS_FIS_PROXY_RUNTIME_API_ENDPOINT` ‐ Takes a string in the form `127.0.0.1:9876` representing the local IP and listener port for the AWS Lambda Runtime API. This could be the original value of `AWS_LAMBDA_RUNTIME_API` or the location of another proxy.
+ `AWS_FIS_PROXY_LISTENER_PORT` ‐ Takes a port number on which the AWS FIS extension should start its own proxy, by default `9100`.

With these settings you can chain the AWS FIS extension with another extension using the Lambda Runtime API proxy in two different orders.

![\[Two chained extensions using the Lambda API proxy.\]](http://docs.aws.amazon.com/fis/latest/userguide/images/lambda-runtime-api-proxy.png)


For more information on the AWS Lambda Runtime API proxy, see [ Enhancing runtime security and governance with the AWS Lambda Runtime API proxy extension](https://aws.amazon.com/blogs/compute/enhancing-runtime-security-and-governance-with-the-aws-lambda-runtime-api-proxy-extension/) and [Using the Lambda runtime API for custom runtimes](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-api.html) in the *AWS Lambda user guide*.

### Using AWS FIS with container runtimes
<a name="container-runtimes"></a>

For AWS Lambda functions using container images that accept the `AWS_LAMBDA_RUNTIME_API` environment variable, you can package the AWS FIS Lambda extension into your container image by following the steps below:

1. Determine the ARN of the layer from which to extract the extension. For more information on how to find the ARN, see [Configure Lambda functions](#configure-lambda-functions).

1. Use the AWS Command Line Interface (CLI) to request details about the extension `aws lambda get-layer-version-by-arn --arn fis-extension-arn`. The response will contain a `Location` field containing a pre-signed URL from which you can download the FIS extension as a ZIP file.

1. Unzip the content of the extension into `/opt` of your Docker filesystem. The following is an example Dockerfile based on the NodeJS Lambda runtime:

   ```
   # extension installation #
   FROM amazon/aws-lambda-nodejs:12 AS builder
   COPY extension.zip extension.zip
   RUN yum install -y unzip
   RUN mkdir -p /opt
   RUN unzip extension.zip -d /opt
   RUN rm -f extension.zip
   FROM amazon/aws-lambda-nodejs:12
   WORKDIR /opt
   COPY --from=builder /opt .
   # extension installation finished #
   # JS example. Modify as required by your runtime
   WORKDIR ${LAMBDA_TASK_ROOT}
   COPY index.js package.json .
   RUN npm install
   CMD [ "index.handler" ]
   ```

For more information on container images, see [Create a Lambda function using a container image](https://docs.aws.amazon.com/lambda/latest/dg/images-create.html) in the *AWS Lambda user guide*.

### AWS FIS Lambda environment variables
<a name="fis-extension-environment-variables"></a>

The following is a list of environment variables for the AWS FIS Lambda extension
+ `AWS_FIS_CONFIGURATION_LOCATION` ‐ Required. Location where AWS FIS will write active fault configurations and the extension will read fault configurations. The locations should be in Amazon S3 ARN format including a bucket and path. For example, `arn:aws:s3:::my-fis-config-bucket/FisConfigs/`.
+ `AWS_LAMBDA_EXEC_WRAPPER` ‐ Required. Location of the AWS Lambda [wrapper script](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-modify.html#runtime-wrapper) used to configure the AWS FIS Lambda extension. This should be set to the `/opt/aws-fis/bootstrap` script that is included with the extension.
+ `AWS_FIS_LOG_LEVEL` ‐ Optional. Log level for messages emitted by AWS FIS Lambda extension. Supported values are `INFO`, `WARN`, and `ERROR`. If not set, AWS FIS extension will default to `INFO`.
+ `AWS_FIS_EXTENSION_METRICS` ‐ Optional. Possible values are `all` and `none`. If set to `all` the extension will emit EMF metrics under the `aws-fis-extension namespace`.
+ `AWS_FIS_SLOW_POLL_INTERVAL_SECONDS` ‐ Optional. If set will override the polling interval (in seconds) while the extension is not injecting faults and waiting for a fault configuration to be added to configuration location. Defaults to `60`.
+ `AWS_FIS_PROXY_RUNTIME_API_ENDPOINT` ‐ Optional. If set will override the value of `AWS_LAMBDA_RUNTIME_API` to define where the AWS FIS extension interacts with the AWS Lambda runtime API to control function invocation. Expects IP:PORT, for example, `127.0.0.1:9000`. For more information on `AWS_LAMBDA_RUNTIME_API`, see [Using the Lambda runtime API for custom runtimes ](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-api.html) in the *AWS Lambda user guide.*
+ `AWS_FIS_PROXY_LISTENER_PORT` ‐ Optional. Defines the port on which the AWS FIS Lambda extension exposes an AWS Lambda runtime API proxy that can be used by another extension or the runtime. Defaults to `9100`.
+ `AWS_FIS_POLL_MAX_WAIT_MILLISECONDS` ‐ Optional. If set to non-zero value, this variable defines the number of milliseconds the extension will wait for an in-flight async poll to finish before evaluating fault configurations and starting the invocation of the runtime. Defaults to `0`.

# Available versions of the AWS FIS extension for Lambda
<a name="actions-lambda-extension-arns"></a>

This section includes information about the AWS FIS Lambda extension versions. The extension supports Lambda functions developed for the x86-64 and ARM64 (Graviton2) platforms. Your Lambda function must be configured to use the specific Amazon Resource Name (ARN) for the AWS Region where it is currently hosted. You can view AWS Region and ARN details below.

**Topics**
+ [

## AWS FIS Lambda extension release notes
](#extension-release-notes)
+ [

## Access Guide for Lambda Extension ARNs
](#extension-arns-access-guide)
+ [

## Finding your Lambda extension version number
](#extension-version-find)

## AWS FIS Lambda extension release notes
<a name="extension-release-notes"></a>

The following table describes changes made to recent versions of the AWS FIS Lambda extension


| Version | Launch date | Notes | 
| --- | --- | --- | 
|  1.0.0  |  2024-10-29  |  Initial release  | 

## Access Guide for Lambda Extension ARNs
<a name="extension-arns-access-guide"></a>

You must have at least one parameter in your AWS account and AWS Region before you can search for public parameters using the console. To discover public parameters, see [Discovering public parameters in Parameter Store](https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-store-finding-public-parameters.html). 

### Console Access:
<a name="extension-arns-access-guide.console-access"></a>

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Parameter Store**.

1. Choose the **Public parameters** tab.

1. Choose the **Select a service** dropdown. From the dropdown options, choose `fis`.

1. (Optional) Filter the parameters you selected by entering more information into the search bar. For arm64 architectures, filter parameters by entering *"arm64"*. For x86\$164 architectures, filter parameters by entering *"x86\$164"*.

1. Choose the public parameter you want to use.

1. From the parameter details, locate the ARN value. Copy the ARN to use in configuring layer extensions on your target Lambda functions.

### AWS CLI Access:
<a name="extension-arns-access-guide.cli-access"></a>

#### SSM Parameter Names
<a name="extension-arns-access-guide.cli-access.ssm-parameter-names"></a>

The following SSM parameter names are available for different architectures:

1. arm64: `/aws/service/fis/lambda-extension/AWS-FIS-extension-arm64/1.x.x`

1. x86\$164: `/aws/service/fis/lambda-extension/AWS-FIS-extension-x86_64/1.x.x`

#### AWS CLI Command Format
<a name="extension-arns-access-guide.cli-access.cli-command-format"></a>

To retrieve the extension ARNs, use the following AWS CLI command format where *parameterName* is the name for the architecture and *region* is the target AWS Region:

```
aws ssm get-parameter --name parameterName --region region
```

#### Example Usage
<a name="extension-arns-access-guide.cli-access.example-usage"></a>

```
aws ssm get-parameter --name /aws/service/fis/lambda-extension/AWS-FIS-extension-x86_64/1.x.x --region ap-southeast-2
```

#### Response Format
<a name="extension-arns-access-guide.cli-access.response-format"></a>

The command returns a JSON object containing the parameter details like the following. The ARN of the Lambda layer is included in the *Value* field of the *Parameter* object. Copy the ARN to use in configuring layer extensions on your target Lambda functions.

```
 {
     "Parameter":
        {
             "Name": "/aws/service/fis/lambda-extension/AWS-FIS-extension-x86_64/1.x.x",
             "Type": "String",
             "Value": "arn:aws:lambda:ap-southeast-2:211125361907:layer:aws-fis-extension-x86_64:9",
             "Version": 1,
             "LastModifiedDate": "2025-01-02T15:13:54.465000-05:00",
             "ARN": "arn:aws:ssm:ap-southeast-2::parameter/aws/service/fis/lambda-extension/AWS-FIS-extension-x86_64/1.x.x",
             "DataType": "text"
        }
 }
```

### Programmatic Access:
<a name="extension-arns-access-guide.programmatic-access"></a>

Retrieve these public parameters programmatically when building or configuring your Lambda functions using Infrastructure as Code (IaC). This approach helps maintain your Lambda functions with the latest layer version ARN without requiring manual code updates that would be necessary if the AWS FIS extension layer ARN were hardcoded. The following resources show how to retrieve public parameters using common IaC platforms:
+ [Get public parameters using the AWS SDK](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_GetParameter.html)
+ [Get public parameters from AWS Systems Manager Parameter Store using the AWS CDK](https://docs.aws.amazon.com/cdk/v2/guide/get-ssm-value.html)
+ [Get public parameters using Terraform](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter)

## Finding your Lambda extension version number
<a name="extension-version-find"></a>

Use the following procedure to locate the version number of your currently configured AWS FIS Lambda extension.

1. Open the AWS Lambda console at [https://console.aws.amazon.com/lambda/](https://console.aws.amazon.com/lambda/).

1. Choose the Lambda function where you want to add the `AWS-FIS-Extension` layer.

1. In the **Layers** section, choose **Edit**.

1. In the **Edit layers** section, choose **Add a layer**.

1. In the **Choose a layer** section, choose **Specify an ARN**.

1. Enter the ARN for the AWS FIS extension layer that corresponds to your AWS Region and architecture. You can find the ARN using the console, AWS CLI, or programmatic access methods described in the preceding sections.

1. Choose **Verify** to confirm the layer ARN is valid, then choose **Add**.

1. Use the **Test** tab to test the function.

1. After the test completes, view the log output. Locate the AWS FIS Lambda extension version in the **Details of the Execution** section.