AWSConfigRemediation-MoveLambdaToVPC - AWS Systems Manager Automation runbook reference

AWSConfigRemediation-MoveLambdaToVPC

Description

The AWSConfigRemediation-MoveLambdaToVPC runbook moves an AWS Lambda (Lambda) function into an Amazon Virtual Private Cloud (Amazon VPC) by updating the function's VPC configuration with the subnets and security groups you specify. Once attached, the function's traffic is governed by the VPC's route tables, security groups and network ACLs: it has no public internet access unless a NAT gateway or VPC endpoints are in place for the services it calls. Lambda also requires the function's execution role (not the AutomationAssumeRole) to be able to create, describe and delete the elastic network interfaces it places in the subnets, for example through the AWSLambdaVPCAccessExecutionRole managed policy; without that, the configuration update fails.

Document type

Automation

Owner

Amazon

Platforms

Linux, macOS, Windows

Parameters

  • AutomationAssumeRole

    Type: String

    Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.

  • FunctionName

    Type: String

    Description: (Required) The name of the Lambda function to move to an Amazon VPC.

  • SecurityGroupIds

    Type: String

    Description: (Required) The security group IDs you want to assign to the elastic network interfaces (ENIs) associated with your Lambda function.

  • SubnetIds

    Type: String

    Description: (Required) The IDs of the subnets in which you want to create the elastic network interfaces (ENIs) associated with your Lambda function. The subnets must be in the same Amazon VPC as the security groups in SecurityGroupIds.

Required IAM permissions

The role passed in the AutomationAssumeRole parameter requires the following actions for the runbook to run successfully.

  • ssm:StartAutomationExecution

  • ssm:GetAutomationExecution

  • lambda:GetFunction

  • lambda:GetFunctionConfiguration

  • lambda:UpdateFunctionConfiguration

Document Steps

  • aws:executeAwsApi - Updates the Amazon VPC configuration (VpcConfig) of the Lambda function you specify in the FunctionName parameter with the subnets and security groups you specify.

  • aws:waitForAwsResourceProperty - Waits for the Lambda function's LastUpdateStatus to become Successful.

  • aws:executeScript - Verifies that the Lambda function's Amazon VPC configuration now reflects the subnets and security groups you specified.
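The following is an added example and not the runbook's own code. It shows, for the parameters and steps above, (1) a pre-flight check that the requested subnets and security groups belong to a single VPC, which Lambda requires before it accepts a VpcConfig update, (2) the kind of verification the final aws:executeScript step performs on the function's VpcConfig and LastUpdateStatus, and (3) how to start the runbook with boto3. All function names are this example's own, the sample API responses are constructed rather than captured from an account, and the boto3 call assumes credentials are configured.

```python
"""Added example for AWSConfigRemediation-MoveLambdaToVPC (not the runbook's code).

Pre-flight check, post-update verification and a boto3 call to start the
runbook. Sample responses below are constructed, not captured.
"""
from typing import Any, Dict, Iterable, List, Optional


def parse_id_list(value: Any) -> List[str]:
    """Accept a comma-separated string (the page lists SubnetIds and
    SecurityGroupIds as type String) or a list of IDs; return unique IDs in order."""
    items = value.split(",") if isinstance(value, str) else list(value)
    seen: List[str] = []
    for item in items:
        item = str(item).strip()
        if item and item not in seen:
            seen.append(item)
    return seen


def check_same_vpc(subnets: Iterable[Dict], security_groups: Iterable[Dict]) -> Dict[str, Any]:
    """Pre-flight: Lambda rejects UpdateFunctionConfiguration when the subnets and
    security groups span more than one VPC. Inputs are entries from the EC2
    DescribeSubnets / DescribeSecurityGroups responses (only VpcId is used)."""
    vpcs = {s["VpcId"] for s in subnets} | {g["VpcId"] for g in security_groups}
    return {"ok": len(vpcs) == 1, "vpc_ids": sorted(vpcs)}


def verify_vpc_config(config: Dict, subnet_ids: Any, security_group_ids: Any) -> Dict[str, Any]:
    """Compare the VpcConfig in a GetFunctionConfiguration response with what was
    requested. Order is ignored. A LastUpdateStatus other than Successful
    (InProgress or Failed) is reported as a failure even if the IDs already match."""
    status = config.get("LastUpdateStatus")
    if status != "Successful":
        reason = config.get("LastUpdateStatusReason", "")
        return {"ok": False, "vpc_id": None, "problems": [f"LastUpdateStatus={status} {reason}".strip()]}
    vpc = config.get("VpcConfig") or {}
    problems: List[str] = []
    for label, want, have in (
        ("SubnetIds", parse_id_list(subnet_ids), vpc.get("SubnetIds") or []),
        ("SecurityGroupIds", parse_id_list(security_group_ids), vpc.get("SecurityGroupIds") or []),
    ):
        missing = sorted(set(want) - set(have))
        extra = sorted(set(have) - set(want))
        if missing or extra:
            problems.append(f"{label}: missing={missing} unexpected={extra}")
    if not vpc.get("VpcId"):
        problems.append("VpcConfig.VpcId is empty: function is not attached to a VPC")
    return {"ok": not problems, "vpc_id": vpc.get("VpcId"), "problems": problems}


def start_remediation(function_name: str, subnet_ids: Any, security_group_ids: Any,
                      assume_role_arn: str, region: Optional[str] = None) -> str:
    """Start the runbook and return the automation execution ID. boto3 is imported
    here (assumption: installed, credentials configured) so the helpers above run offline."""
    import boto3
    ssm = boto3.client("ssm", region_name=region)
    # Assumption: multi-value IDs are passed as a list of strings. If the runbook
    # version you use declares these parameters as String, pass one comma-joined value.
    resp = ssm.start_automation_execution(
        DocumentName="AWSConfigRemediation-MoveLambdaToVPC",
        Parameters={
            "AutomationAssumeRole": [assume_role_arn],
            "FunctionName": [function_name],
            "SubnetIds": parse_id_list(subnet_ids),
            "SecurityGroupIds": parse_id_list(security_group_ids),
        },
    )
    return resp["AutomationExecutionId"]


# Constructed sample responses (hypothetical IDs, not from a real account).
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-0a1b2c3d", "VpcId": "vpc-0f0f0f0f"},
    {"SubnetId": "subnet-4e5f6a7b", "VpcId": "vpc-0f0f0f0f"},
]
SAMPLE_SGS = [{"GroupId": "sg-0123abcd", "VpcId": "vpc-0f0f0f0f"}]
SAMPLE_CONFIG = {
    "FunctionName": "orders-api",
    "LastUpdateStatus": "Successful",
    "VpcConfig": {
        "SubnetIds": ["subnet-4e5f6a7b", "subnet-0a1b2c3d"],
        "SecurityGroupIds": ["sg-0123abcd"],
        "VpcId": "vpc-0f0f0f0f",
    },
}

if __name__ == "__main__":
    print(check_same_vpc(SAMPLE_SUBNETS, SAMPLE_SGS))
    print(verify_vpc_config(SAMPLE_CONFIG, "subnet-0a1b2c3d,subnet-4e5f6a7b", ["sg-0123abcd"]))
```

Run check_same_vpc on the DescribeSubnets and DescribeSecurityGroups results before starting the automation; after it reports success, fetch GetFunctionConfiguration and run verify_vpc_config with the same IDs you passed in, so a partial or still-in-progress update is not mistaken for a completed remediation.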