AWSSupport-ConfigureTrafficMirroring - Amazon Systems Manager Automation runbook reference
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).



The AWSSupport-ConfigureTrafficMirroring runbook configures traffic mirroring to help you troubleshoot connectivity issues between a load balancer and Amazon Elastic Compute Cloud (Amazon EC2) instances. Traffic mirroring copies inbound and outbound traffic from the network interfaces that are attached to your instances. To configure traffic mirroring, this runbook creates the required targets, filters, and sessions. By default, the runbook configures mirroring for all inbound and outbound traffic for all protocols except Amazon DNS. If you want to mirror traffic from specific sources and destinations, you can modify the inbound and outbound rules after the automation completes.

Run this Automation (console)

Document type





Linux, macOS, Windows


  • AutomationAssumeRole

    Type: String

    Allowed values: ^arn:(?:aws|aws-us-gov|aws-cn):iam::\d{12}:role\/[\w+=,.@/-]+$

    Description: (Required) The Amazon Resource Name (ARN) of the Amazon Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.

  • SourceENI

    Type: String

    Description: (Required) The elastic network interface you want to configure traffic mirroring for.

  • Target

    Type: String

    Description: (Required) The destination for the mirrored traffic. You must specify the ID of a network interface, a Network Load Balancer, or a Gateway Load Balancer endpoint. If you specify a Network Load Balancer, there must be UDP listeners on port 4789.

  • SessionNumber

    Type: String

    Valid values: 1-32766

    Description: (Required) The number of the mirror session you want to use.

Required IAM permissions

The AutomationAssumeRole parameter requires the following actions to successfully use the runbook.

  • ec2:CreateTrafficMirrorTarget

  • ec2:CreateTrafficMirrorFilter

  • ec2:CreateTrafficMirrorFilterRule

  • ec2:CreateTrafficMirrorSession

  • ec2:DeleteTrafficMirrorSession

  • ec2:DeleteTrafficMirrorFilter

  • ec2:DeleteTrafficMirrorSession

  • ec2:DeleteTrafficMirrorFilterRule

  • iam:ListRoles

  • ssm:GetAutomationExecution

  • ssm:StartAutomationExecution

Document Steps

  • aws:executeScript - Runs a script to create a target.

  • aws:executeAwsApi - Creates a filter rule.

  • aws:executeAwsApi - Creates a mirror filter rule for all inbound traffic.

  • aws:executeAwsApi - Creates a mirror filter rule for all outbound traffic.

  • aws:executeAwsApi - Creates a traffic mirror session.

  • aws:executeAwsApi - Deletes the filter if filter or session creation fails.

  • aws:executeAwsApi - Deletes the target if filter or session creation fails.