AWSConfigRemediation-MoveLambdaToVPC - Amazon Systems Manager Automation runbook reference

The AWSConfigRemediation-MoveLambdaToVPC runbook moves an Amazon Lambda (Lambda) function to an Amazon Virtual Private Cloud (Amazon VPC).


Document type

Automation

Platforms

Linux, macOS, Windows

Parameters


  • AutomationAssumeRole

    Type: String

    Allowed values: ^arn:(?:aws|aws-us-gov|aws-cn):iam::\d{12}:role\/[\w+=,.@/-]+$

    Description: (Required) The Amazon Resource Name (ARN) of the Amazon Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.

  • FunctionName

    Type: String

    Description: (Required) The name of the Lambda function to move to an Amazon VPC.

  • SecurityGroupIds

    Type: String

    Description: (Required) The security group IDs you want to assign to the elastic network interfaces (ENIs) associated with your Lambda function.

  • SubnetIds

    Type: String

    Description: (Required) The IDs of the subnets where you want to create the elastic network interfaces (ENIs) associated with your Lambda function.

Required IAM permissions

The AutomationAssumeRole parameter requires the following actions to successfully use the runbook.

  • ssm:StartAutomationExecution

  • ssm:GetAutomationExecution

  • lambda:GetFunction

  • lambda:GetFunctionConfiguration

  • lambda:UpdateFunctionConfiguration

Document Steps

  • aws:executeAwsApi - Updates the Amazon VPC configuration for the Lambda function you specify in the FunctionName parameter.

  • aws:waitForAwsResourceProperty - Waits for the Lambda function LastUpdateStatus to be successful.

  • aws:executeScript - Verifies the Lambda function Amazon VPC configuration has been successfully updated.
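The following is an added example, not the runbook's own script: a pre-flight check of the parameters listed above, and an independent version of the final verification step run against a dictionary shaped like a Lambda GetFunctionConfiguration response. The function names, the sample data, the ID formats for security groups and subnets, and passing the IDs as lists are assumptions made for illustration.

```python
import re

# Pattern copied from the AutomationAssumeRole "Allowed values" on this page.
ROLE_ARN = re.compile(r"^arn:(?:aws|aws-us-gov|aws-cn):iam::\d{12}:role\/[\w+=,.@/-]+$")
# Assumed ID shape (not stated on the page): prefix plus 8 or 17 hex characters.
RESOURCE_ID = r"-(?:[0-9a-f]{8}|[0-9a-f]{17})"

def validate_parameters(role_arn, function_name, security_group_ids, subnet_ids):
    """Pre-flight check of the runbook inputs; returns a list of problems."""
    problems = []
    if not ROLE_ARN.fullmatch(role_arn):
        problems.append("AutomationAssumeRole does not match the allowed pattern")
    if not function_name:
        problems.append("FunctionName is empty")
    for name, prefix, ids in (("SecurityGroupIds", "sg", security_group_ids),
                              ("SubnetIds", "subnet", subnet_ids)):
        if not ids:
            problems.append(f"{name} is empty")
        for value in ids:
            if not re.fullmatch(prefix + RESOURCE_ID, value):
                problems.append(f"{name}: malformed ID {value!r}")
    return problems

def verify_vpc_config(config, security_group_ids, subnet_ids):
    """Compare a GetFunctionConfiguration-shaped dict with the requested values."""
    findings = []
    if config.get("LastUpdateStatus") != "Successful":
        findings.append(f"LastUpdateStatus is {config.get('LastUpdateStatus')!r}")
    vpc = config.get("VpcConfig") or {}  # absent or empty when not in a VPC
    if not vpc.get("VpcId"):
        findings.append("function is not attached to a VPC")
    if set(vpc.get("SubnetIds") or []) != set(subnet_ids):
        findings.append("SubnetIds differ from the requested subnets")
    if set(vpc.get("SecurityGroupIds") or []) != set(security_group_ids):
        findings.append("SecurityGroupIds differ from the requested groups")
    return findings

# Constructed sample data (not real resources).
SGS = ["sg-0123456789abcdef0"]
SUBNETS = ["subnet-0123456789abcdef1", "subnet-0123456789abcdef2"]
MOVED = {"FunctionName": "example-fn", "LastUpdateStatus": "Successful",
         "VpcConfig": {"VpcId": "vpc-0123456789abcdef0",
                       "SubnetIds": list(reversed(SUBNETS)), "SecurityGroupIds": SGS}}
NOT_MOVED = {"FunctionName": "example-fn", "LastUpdateStatus": "Successful",
             "VpcConfig": {"VpcId": "", "SubnetIds": [], "SecurityGroupIds": []}}

if __name__ == "__main__":
    print(verify_vpc_config(MOVED, SGS, SUBNETS))
    print(verify_vpc_config(NOT_MOVED, SGS, SUBNETS))
```

An empty list from either function means no problem was found; comparing IDs as sets keeps the check independent of the order in which the API returns them.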