AWSSupport-CollectEKSInstanceLogs - Amazon Systems Manager Automation Runbook Reference

AWSSupport-CollectEKSInstanceLogs

Description

The AWSSupport-CollectEKSInstanceLogs runbook gathers operating system and Amazon Elastic Kubernetes Service (Amazon EKS) related log files from an Amazon Elastic Compute Cloud (Amazon EC2) instance to help you troubleshoot common issues. While the automation gathers the log files, it changes the file system on the instance: it creates temporary directories, copies log files into them, and compresses the log files into an archive. This activity can increase CPUUtilization on the Amazon EC2 instance. For more information about CPUUtilization, see Instance metrics in the Amazon CloudWatch User Guide.

If you specify a value for the LogDestination parameter, the automation evaluates the policy status of the Amazon Simple Storage Service (Amazon S3) bucket you specify. To protect the logs gathered from your Amazon EC2 instance, the logs are not uploaded if the bucket's policy status isPublic is true, or if the access control list (ACL) grants READ or WRITE permissions to the All Users Amazon S3 predefined group. For more information about Amazon S3 predefined groups, see Amazon S3 predefined groups in the Amazon Simple Storage Service User Guide.

Note

This automation requires at least 10 percent of available disk space on the root Amazon Elastic Block Store (Amazon EBS) volume attached to your Amazon EC2 instance. If there is not enough available disk space on the root volume, the automation stops.


Document type

Automation

Owner

Amazon

Platforms

Linux

Parameters

  • AutomationAssumeRole

    Type: String

    Description: (Optional) The Amazon Resource Name (ARN) of the Amazon Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.

  • EKSInstanceId

    Type: String

    Description: (Required) The ID of the Amazon EC2 instance (an Amazon EKS node) that you want to collect logs from.

  • LogDestination

    Type: String

    Description: (Optional) The Amazon Simple Storage Service (Amazon S3) bucket in your account to upload the archived logs to.

Required IAM permissions

The role specified in the AutomationAssumeRole parameter must be allowed to perform the following actions for the runbook to run successfully.

  • ssm:StartAutomationExecution

  • ssm:GetAutomationExecution

  • ssm:SendCommand

Required IAM permissions for the Amazon EC2 instance profile

The instance profile attached to the instance specified in EKSInstanceId must have the AmazonSSMManagedInstanceCore Amazon managed policy attached to it.

The instance profile must also be able to access the LogDestination Amazon S3 bucket so that it can upload the collected logs. Below is an example of an IAM policy that could be attached to that instance profile:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:PutObject",
                    "s3:GetBucketPolicyStatus",
                    "s3:GetBucketAcl"
                ],
                "Resource": [
                    "arn:aws:s3:::LogDestination/*",
                    "arn:aws:s3:::LogDestination"
                ]
            }
        ]
    }

If the LogDestination bucket uses Amazon KMS encryption, an additional statement must be added to the IAM policy granting access to the Amazon KMS key used for the encryption:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:PutObject",
                    "s3:GetBucketPolicyStatus",
                    "s3:GetBucketAcl"
                ],
                "Resource": [
                    "arn:aws:s3:::LogDestination/*",
                    "arn:aws:s3:::LogDestination"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "kms:Decrypt",
                    "kms:GenerateDataKey"
                ],
                "Resource": "arn:aws:kms:REGION:ACCOUNT:key/KMS-KEY-ID"
            }
        ]
    }

Document Steps

  • aws:assertAwsResourceProperty - Confirms that the operating system of the instance specified in the EKSInstanceId parameter is Linux.

  • aws:runCommand - Gathers operating system and Amazon EKS related log files, compressing them into an archive in the /var/log directory.

  • aws:branch - Confirms whether a value was specified for the LogDestination parameter.

  • aws:runCommand - Uploads the log archive to the Amazon S3 bucket you specify in the LogDestination parameter.
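The following Python script is an added example and is not part of the AWS documentation or of the runbook itself. It does two things the page describes: it reproduces the LogDestination safety rule from the Description (reject the bucket when the policy status IsPublic is true or the ACL grants READ or WRITE to the All Users predefined group) as a pure function over the GetBucketPolicyStatus and GetBucketAcl responses, so you can pre-check a bucket before starting the automation, and it then starts AWSSupport-CollectEKSInstanceLogs with the parameters listed above and polls until the execution reaches a terminal status. It assumes boto3 is installed and credentials are configured; the ALL_USERS_GROUP URI is the real group URI, the sample ACL responses are constructed, and treating FULL_CONTROL as an exposing grant is an addition of this example (it implies both READ and WRITE), not something the page states.

```python
"""Pre-flight LogDestination check and launch helper for AWSSupport-CollectEKSInstanceLogs.

Added example; not AWS code. The decision logic mirrors the rule in the runbook
description: logs are not uploaded when the bucket policy status is public or the
ACL grants READ or WRITE to the Amazon S3 "All Users" predefined group.
"""
import time

# Real URI of the Amazon S3 "All Users" predefined group.
ALL_USERS_GROUP = "http://acs.amazonaws.com/groups/global/AllUsers"

# Grants that expose the bucket to everyone. The runbook names READ and WRITE;
# FULL_CONTROL is added here because it implies both (addition of this example).
EXPOSING_PERMISSIONS = {"READ", "WRITE", "FULL_CONTROL"}

# Constructed sample GetBucketAcl responses (not real account data).
SAMPLE_PRIVATE_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"},
                "Permission": "FULL_CONTROL"}],
}
SAMPLE_PUBLIC_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},
    "Grants": SAMPLE_PRIVATE_ACL["Grants"] + [
        {"Grantee": {"Type": "Group", "URI": ALL_USERS_GROUP}, "Permission": "READ"}],
}


def public_grants(acl):
    """Return the permissions a GetBucketAcl response grants to the All Users group."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") == ALL_USERS_GROUP:
            if grant.get("Permission") in EXPOSING_PERMISSIONS:
                found.append(grant["Permission"])
    return found


def evaluate_log_destination(policy_status, acl):
    """Apply the runbook's rule to a GetBucketPolicyStatus and a GetBucketAcl response.

    Returns (ok, reasons); reasons lists why the bucket was rejected.
    """
    reasons = []
    if policy_status.get("PolicyStatus", {}).get("IsPublic", False):
        reasons.append("bucket policy status IsPublic is true")
    grants = public_grants(acl)
    if grants:
        reasons.append("ACL grants %s to AllUsers" % "/".join(sorted(grants)))
    return (not reasons, reasons)


def check_bucket(bucket, s3=None):
    """Fetch the bucket's policy status and ACL and evaluate them. s3 may be injected."""
    if s3 is None:
        import boto3  # imported lazily so the pure logic above runs without boto3
        s3 = boto3.client("s3")
    try:
        status = s3.get_bucket_policy_status(Bucket=bucket)
    except Exception as exc:  # boto3 raises ClientError for NoSuchBucketPolicy
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code != "NoSuchBucketPolicy":
            raise
        status = {"PolicyStatus": {"IsPublic": False}}  # no policy, so not public via policy
    return evaluate_log_destination(status, s3.get_bucket_acl(Bucket=bucket))


def collect_eks_logs(instance_id, bucket=None, role_arn=None, ssm=None, s3=None,
                     poll_seconds=15):
    """Start the runbook and wait for it. Returns the final AutomationExecutionStatus."""
    if bucket is not None:
        ok, reasons = check_bucket(bucket, s3)
        if not ok:
            raise ValueError("refusing %s as LogDestination: %s" % (bucket, "; ".join(reasons)))
    # Parameter names are the runbook's; each value is a list, as the SSM API requires.
    params = {"EKSInstanceId": [instance_id]}
    if bucket is not None:
        params["LogDestination"] = [bucket]
    if role_arn is not None:
        params["AutomationAssumeRole"] = [role_arn]
    if ssm is None:
        import boto3
        ssm = boto3.client("ssm")
    execution_id = ssm.start_automation_execution(
        DocumentName="AWSSupport-CollectEKSInstanceLogs", Parameters=params
    )["AutomationExecutionId"]
    while True:
        execution = ssm.get_automation_execution(AutomationExecutionId=execution_id)
        status = execution["AutomationExecution"]["AutomationExecutionStatus"]
        if status not in ("Pending", "InProgress", "Waiting", "Cancelling"):
            return status
        time.sleep(poll_seconds)


if __name__ == "__main__":
    # Offline demonstration of the decision rule on the constructed responses.
    print(evaluate_log_destination({"PolicyStatus": {"IsPublic": False}}, SAMPLE_PRIVATE_ACL))
    print(evaluate_log_destination({"PolicyStatus": {"IsPublic": True}}, SAMPLE_PUBLIC_ACL))
```

Call collect_eks_logs("i-0123456789abcdef0", bucket="my-log-bucket") with a real instance ID and bucket to run the automation; the pre-check only mirrors what the runbook enforces anyway, but failing early saves the run and tells you which condition (policy status or ACL) caused the rejection. The runbook's own upload step uses the instance profile, so the bucket must still be reachable with the IAM policy shown above.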