AWSPremiumSupport-OnboardWorkloadToIDR - Amazon Systems Manager Automation Runbook Reference

AWSPremiumSupport-OnboardWorkloadToIDR

Description

The AWSPremiumSupport-OnboardWorkloadToIDR runbook helps Amazon Enterprise Support customers onboard a workload for monitoring and critical incident management using Amazon Incident Detection and Response. A workload is defined as a collection of Amazon resources associated with an Amazon Resource Group or an Amazon Service Catalog AppRegistry application. If neither an Amazon Resource Group nor an Amazon Service Catalog AppRegistry application is specified, the runbook creates a Resource Group on your behalf, using either tag filters or the Amazon CloudFormation stack ID of the resources you want included in the group. If you set the CreateApplicationInsights parameter to Yes, the automation provisions an Amazon CloudWatch Application Insights application using Amazon CloudFormation. CloudWatch Application Insights sets up recommended metrics and logs for the selected application resources using Amazon CloudWatch metrics, Logs, and Events, and notifies you of detected problems.

Important

This runbook performs the following actions in your account depending on the input parameters provided:

  • Creates a new Amazon Resource Group using Amazon CloudFormation if neither ResourceGroupName nor AppRegistryApplication is specified. After the stack is created, the runbook tries to enable termination protection on it.

  • Tags the Amazon Resource Group associated with the workload, including the aws_idr tag.

  • Creates an Amazon CloudWatch Application Insights Resource group-based application if the CreateApplicationInsights input parameter is set to Yes. After the stack is created, the runbook tries to set termination protection for the stack.

  • Installs the AWSServiceRoleForHealth_EventProcessor service-linked role (SLR) to provision access for alert ingestion to Incident Detection and Response if the InstallServiceLinkedRole input parameter is set to Yes.

  • Creates an Amazon support case with Amazon Incident Detection and Response.

Important

To use this runbook and onboard to Amazon Incident Detection and Response, you require an Amazon Enterprise Support Subscription.

How does it work?

The runbook performs the following high-level steps:

  • Checks if the current Amazon Account Support Plan is Enterprise; otherwise the automation ends.

  • Determines whether to use an existing Amazon Resource Group or create a new one based on the provided parameters.

  • If a new Resource Group is needed, generates an Amazon CloudFormation template and creates the stack with the appropriate tags.

  • Tags the Resource Group with the required Amazon Incident Detection and Response tags.

  • Optionally installs the service-linked role for Amazon Incident Detection and Response.

  • Optionally creates an Amazon CloudWatch Application Insights application for enhanced monitoring.

  • Creates an Amazon support case to complete the onboarding process.
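The template-generation step above is the one place where the runbook writes infrastructure on your behalf, so it helps to see what the resulting stack contains. The following Python is an added illustration, not the runbook's own code: it builds a CloudFormation template declaring one AWS::ResourceGroups::Group, queried either by tag filters (TAG_FILTERS_1_0) or by a CloudFormation stack ID (CLOUDFORMATION_STACK_1_0), named with the IDR-AWS-<WorkloadName> convention from the parameter reference. The aws_idr tag value is an assumption (the page does not state it), and the sample input is constructed.

```python
import json

# Assumption: the page names the aws_idr tag but not its value, so the
# workload name is used as a placeholder value here.
IDR_TAG_KEY = "aws_idr"
MAX_RESOURCE_TYPE_FILTERS = 10  # the runbook's ResourceTypeFilters limit


def build_resource_group_template(workload_name, tag_filters=None,
                                  resource_type_filters=None, stack_id=None):
    """Return a CloudFormation template (as a dict) that declares one
    AWS::ResourceGroups::Group named IDR-AWS-<workload_name>.

    tag_filters : {"tag-key": ["value", ...]}   -> TAG_FILTERS_1_0 query
    stack_id    : CloudFormation stack ID/ARN    -> CLOUDFORMATION_STACK_1_0 query
    Exactly one of the two must be given.
    """
    if bool(tag_filters) == bool(stack_id):
        raise ValueError("provide exactly one of tag_filters or stack_id")
    resource_type_filters = list(resource_type_filters or ["AWS::AllSupported"])
    if len(resource_type_filters) > MAX_RESOURCE_TYPE_FILTERS:
        raise ValueError("ResourceTypeFilters accepts at most 10 items")

    if tag_filters:
        query_type = "TAG_FILTERS_1_0"
        query = {
            "ResourceTypeFilters": resource_type_filters,
            "TagFilters": [{"Key": key, "Values": list(values)}
                           for key, values in tag_filters.items()],
        }
    else:
        query_type = "CLOUDFORMATION_STACK_1_0"
        query = {
            "ResourceTypeFilters": resource_type_filters,
            "StackIdentifier": stack_id,
        }

    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": f"Amazon Resource Group for IDR workload {workload_name}",
        "Resources": {
            "IDRResourceGroup": {
                "Type": "AWS::ResourceGroups::Group",
                "Properties": {
                    "Name": f"IDR-AWS-{workload_name}",
                    "Description": f"Resources monitored by IDR for {workload_name}",
                    "ResourceQuery": {"Type": query_type, "Query": query},
                    # Tag the group itself, as the TagResourceGroup step does.
                    "Tags": [{"Key": IDR_TAG_KEY, "Value": workload_name}],
                },
            }
        },
        "Outputs": {
            "ResourceGroupArn": {
                "Value": {"Fn::GetAtt": ["IDRResourceGroup", "Arn"]}
            }
        },
    }


def render_template(template):
    """Serialise the template to the JSON text CreateStack accepts as TemplateBody."""
    return json.dumps(template, indent=2)


if __name__ == "__main__":
    # Constructed sample input: group every resource tagged app=payments-api.
    print(render_template(build_resource_group_template(
        "payments-api", tag_filters={"app": ["payments-api"]})))
```

Because the stack is what termination protection is later applied to, keeping the template down to this one resource makes it easy to review what the automation is allowed to create with the cloudformation:CreateStack permission it requires.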

Run this Automation (console)

Document type: Automation

Owner: Amazon

Platforms: /

Required IAM permissions

The AutomationAssumeRole parameter requires the following actions to use the runbook successfully.

  • cloudformation:CreateStack

  • cloudformation:DescribeStackResource

  • cloudformation:DescribeStacks

  • cloudformation:UpdateTerminationProtection

  • iam:CreateServiceLinkedRole

  • resource-groups:CreateGroup

  • resource-groups:GetGroup

  • resource-groups:TagResource

  • servicecatalog-appregistry:GetApplication

  • support:CreateCase

  • support:DescribeSeverityLevels

  • support:DescribeServices

  • support:DescribeSupportLevel

Example Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:DescribeStackResource",
        "cloudformation:DescribeStacks",
        "cloudformation:UpdateTerminationProtection",
        "iam:CreateServiceLinkedRole",
        "resource-groups:CreateGroup",
        "resource-groups:GetGroup",
        "resource-groups:TagResource",
        "servicecatalog-appregistry:GetApplication",
        "support:CreateCase",
        "support:DescribeSeverityLevels",
        "support:DescribeServices",
        "support:DescribeSupportLevel"
      ],
      "Resource": "*"
    }
  ]
}

Instructions

Follow these steps to configure the automation:

  1. Navigate to AWSPremiumSupport-OnboardWorkloadToIDR in Systems Manager under Documents.

  2. Select Execute automation.

  3. For the input parameters, enter the following:

    • AutomationAssumeRole (Optional):

      • Description: (Optional) The Amazon Resource Name (ARN) of the Amazon Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.

      • Type: AWS::IAM::Role::Arn

    • WorkloadName (Required):

      • Description: (Required) The name of the workload. If ResourceGroupName is not provided, the workload name is used to set up a new Amazon Resource Group with the name IDR-AWS-<WorkloadName>.

      • Type: String

      • Allowed Pattern: ^[a-zA-Z0-9_-]{1,128}$

    • WorkloadDescription (Required):

      • Description: (Required) The workload description. Enter a brief description to detail the use cases of this workload. Please include the primary end user and the function of this workload.

      • Type: String

      • Allowed Pattern: ^[a-zA-Z0-9.:;,-_&() ]{1,1024}$

    • AppRegistryApplication (Optional):

      • Description: (Optional) The name or ID of the Amazon Service Catalog AppRegistry application. If not provided, you must provide an input for ResourceGroupName.

      • Type: String

      • Allowed Pattern: ^$|^[a-zA-Z0-9.-_]{1,128}$

      • Default: ""

    • ResourceGroupName (Optional):

      • Description: (Optional) The name of an existing Amazon Resource Group; required if AppRegistryApplication is not provided. To have the runbook create a new Amazon Resource Group instead, leave this empty and provide TagFilters (and optionally ResourceTypeFilters).

      • Type: String

      • Allowed Pattern: ^$|^[a-zA-Z0-9_.-]{1,128}$

      • Default: ""

    • TagFilters (Conditional):

      • Description: (Conditional) The list of key/value pairs (string key, list-of-strings value) that are compared to the tags attached to your Amazon resources. This parameter is used to create a new Amazon Resource Group when you specify neither an existing ResourceGroupName nor an AppRegistryApplication.

      • Type: StringMap

    • ResourceTypeFilters (Conditional):

      • Description: (Conditional) The list of resource types, from those supported by Resource Groups, to include in the new Resource Group.

      • Type: StringList

      • Max Items: 10

      • Default: AWS::AllSupported

    • InstallServiceLinkedRole (Optional):

      • Description: (Optional) Select Yes to install the AWSServiceRoleForHealth_EventProcessor service-linked role (SLR).

      • Type: String

      • Allowed Values: [Yes,No]

      • Default: No

    • CreateApplicationInsights (Optional):

      • Description: (Optional) Select Yes to create an Amazon CloudWatch Application Insights Resource group-based application.

      • Type: String

      • Allowed Values: [Yes,No]

      • Default: No

    • ComplianceAndRegulatoryRequirements (Required):

      • Description: (Required) Applicable compliance and/or regulatory requirements for this workload and any actions required from Amazon after an incident.

      • Type: String

      • Allowed Pattern: ^[a-zA-Z0-9.:;,\\-_&() ]{1,1024}$

    • NonAWSComponents (Optional):

      • Description: (Optional) Describe any on-premises or non-Amazon components of this workload: what they are and what functions they perform.

      • Type: String

      • Allowed Pattern: ^$|^[a-zA-Z0-9.:;,\\-_&() ]{1,1024}$

      • Default: ""

    • UpstreamDownstreamDependencies (Optional):

      • Description: (Optional) Details of any upstream or downstream components that are not being onboarded but could affect this workload if they experience an outage.

      • Type: String

      • Allowed Pattern: ^$|^[a-zA-Z0-9.:;,\\-_&() ]{1,1024}$

      • Default: ""

    • FailoverDisasterRecoveryPlan (Optional):

      • Description: (Optional) Provide details of any manual or automated failover/disaster recovery plans at the AZ and regional level.

      • Type: String

      • Allowed Pattern: ^$|^[a-zA-Z0-9.:;,\\-_&() ]{1,1024}$

      • Default: ""

    • BridgeDetails (Optional):

      • Description: (Optional) The static incident/crisis management bridge established by your company. If you utilize a non-static bridge, specify your preferred application and Amazon will request these details during an incident.

      • Type: String

      • Allowed Values: [Amazon Chime bridge, Non-Static bridge, Static bridge]

      • Default: Amazon Chime bridge

    • SubscriptionStartDate (Required):

      • Description: (Required) The date in YYYY-MM-DD format that you want to start your Amazon Incident Detection and Response subscription.

      • Type: String

      • Allowed Pattern: ^(202[4-9]|20[3-9][0-9])-(0[1-9]|1[0-2])-(0[1-9]|[12][0-9]|3[01])$

  4. Select Execute.

  5. The automation initiates.

  6. The document performs the following steps:

    • CheckAWSSupportPlan:

      Checks if the current Amazon Account Support Plan is Enterprise; otherwise the automation ends.

    • BranchOnResourceGroup:

      Branches the automation on whether an existing Amazon Resource Group was provided. If not provided, the automation creates a new Amazon Resource Group.

    • GetAppRegistryApplication:

      Gets metadata information about the Amazon Service Catalog AppRegistry application if provided.

    • GenerateResourceGroupTemplate:

      Generates an Amazon CloudFormation template for the Amazon Resource Group with the specified tag filters.

    • CreateResourceGroup:

      Creates a new Amazon Resource Group by using Amazon CloudFormation.

    • TagResourceGroup:

      Tags the resource group with the Amazon Incident Detection and Response (IDR) required tags.

    • InstallServiceLinkedRole:

      Installs the Amazon Incident Detection and Response (IDR) service-linked role if requested.

    • CreateApplicationInsightsApplication:

      Creates an Amazon CloudWatch Application Insights application if requested.

    • CreateAwsSupportCase:

      Creates an Amazon support case with Amazon Incident Detection and Response.

  7. After completion, review the Outputs section for the detailed results of the execution.
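The console procedure above maps directly onto the SSM StartAutomationExecution API, and the parameter reference gives enough detail to check inputs before anything is created in the account. The following Python is an added example, not the runbook's or the page's own code: it validates the inputs against the allowed patterns, allowed values, the ResourceTypeFilters limit and the TagFilters/ResourceGroupName/AppRegistryApplication condition stated above, then returns them in the shape the API expects (every value a list of strings, the TagFilters StringMap as one JSON string). The boto3 call shape in start_onboarding is the standard ssm start_automation_execution API; the region name and all sample values are constructed.

```python
import json
import re

DOCUMENT_NAME = "AWSPremiumSupport-OnboardWorkloadToIDR"

# Allowed patterns as printed in the parameter reference above (the page's
# JSON-escaped "\\-" is written as "\-" here).
PATTERNS = {
    "WorkloadName": r"^[a-zA-Z0-9_-]{1,128}$",
    "WorkloadDescription": r"^[a-zA-Z0-9.:;,-_&() ]{1,1024}$",
    "AppRegistryApplication": r"^$|^[a-zA-Z0-9.-_]{1,128}$",
    "ResourceGroupName": r"^$|^[a-zA-Z0-9_.-]{1,128}$",
    "ComplianceAndRegulatoryRequirements": r"^[a-zA-Z0-9.:;,\-_&() ]{1,1024}$",
    "NonAWSComponents": r"^$|^[a-zA-Z0-9.:;,\-_&() ]{1,1024}$",
    "UpstreamDownstreamDependencies": r"^$|^[a-zA-Z0-9.:;,\-_&() ]{1,1024}$",
    "FailoverDisasterRecoveryPlan": r"^$|^[a-zA-Z0-9.:;,\-_&() ]{1,1024}$",
    "SubscriptionStartDate":
        r"^(202[4-9]|20[3-9][0-9])-(0[1-9]|1[0-2])-(0[1-9]|[12][0-9]|3[01])$",
}
ALLOWED_VALUES = {
    "InstallServiceLinkedRole": {"Yes", "No"},
    "CreateApplicationInsights": {"Yes", "No"},
    "BridgeDetails": {"Amazon Chime bridge", "Non-Static bridge", "Static bridge"},
}
OTHER = {"AutomationAssumeRole", "TagFilters", "ResourceTypeFilters"}


def build_parameters(**values):
    """Validate the inputs locally and return them in the shape that SSM
    StartAutomationExecution expects: each value is a list of strings, and the
    TagFilters StringMap travels as one JSON-encoded string."""
    unknown = set(values) - set(PATTERNS) - set(ALLOWED_VALUES) - OTHER
    if unknown:
        raise ValueError(f"unknown parameters: {sorted(unknown)}")
    params = {}
    for name, pattern in PATTERNS.items():
        value = values.get(name, "")  # required params fail their {1,..} when empty
        if not isinstance(value, str) or not re.fullmatch(pattern, value):
            raise ValueError(f"{name}={value!r} does not match {pattern}")
        if value:
            params[name] = [value]
    for name, allowed in ALLOWED_VALUES.items():
        if name in values:
            if values[name] not in allowed:
                raise ValueError(f"{name} must be one of {sorted(allowed)}")
            params[name] = [values[name]]
    tag_filters = values.get("TagFilters")
    if tag_filters:
        ok = all(isinstance(k, str) and isinstance(v, list)
                 and all(isinstance(x, str) for x in v)
                 for k, v in tag_filters.items())
        if not ok:
            raise ValueError("TagFilters must map string keys to lists of strings")
        params["TagFilters"] = [json.dumps(tag_filters)]
    elif not (values.get("ResourceGroupName") or values.get("AppRegistryApplication")):
        raise ValueError("TagFilters is required when neither ResourceGroupName "
                         "nor AppRegistryApplication is given")
    type_filters = values.get("ResourceTypeFilters")
    if type_filters:
        if len(type_filters) > 10:
            raise ValueError("ResourceTypeFilters accepts at most 10 items")
        params["ResourceTypeFilters"] = list(type_filters)
    if values.get("AutomationAssumeRole"):
        params["AutomationAssumeRole"] = [values["AutomationAssumeRole"]]
    return params


def start_onboarding(params, region_name):
    """Start the runbook and return the automation execution ID. boto3 is
    imported here so the validation above runs without it; the caller's
    credentials (or AutomationAssumeRole) need the IAM actions listed above."""
    import boto3
    ssm = boto3.client("ssm", region_name=region_name)
    response = ssm.start_automation_execution(
        DocumentName=DOCUMENT_NAME, Parameters=params)
    return response["AutomationExecutionId"]


if __name__ == "__main__":
    # Constructed sample input; no AWS call is made unless you uncomment it.
    sample = build_parameters(
        WorkloadName="payments-api",
        WorkloadDescription="Checkout payments API used by the web storefront",
        ComplianceAndRegulatoryRequirements="PCI DSS; notify compliance team after incidents",
        SubscriptionStartDate="2025-02-01",
        TagFilters={"app": ["payments-api"], "env": ["prod"]},
        InstallServiceLinkedRole="Yes",
        CreateApplicationInsights="Yes",
    )
    print(json.dumps(sample, indent=2))
    # print(start_onboarding(sample, region_name="us-east-1"))
```

One detail worth noticing when the patterns are copied verbatim: in the WorkloadDescription and AppRegistryApplication patterns the hyphen sits between two other characters, so a regex engine reads `,-_` and `.-_` as character ranges rather than a literal hyphen; those two parameters therefore accept more punctuation than the later patterns, which escape the hyphen as `\-`. The validator mirrors the page's patterns rather than tightening them, so an input it accepts is exactly one the runbook accepts.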
