Automation

What is Automation?

Automation simplifies common maintenance and deployment tasks using predefined or custom runbooks (Automation documents).

Runbooks: Step-by-step workflows in YAML/JSON

Multi-Step: Complex orchestration with branching

Approval Gates: Manual approval steps via SNS

Event-Driven: Trigger via EventBridge, Config, CloudWatch

Common Use Cases

AMI Management

Create, update, and delete AMIs automatically

Instance Management

Start, stop, resize, terminate EC2 instances

Auto-Remediation

Automatically fix security and compliance issues

Disaster Recovery

Automate backup and restore procedures

Action Steps

aws:executeScript
aws:runCommand
aws:createImage
aws:changeInstanceState
aws:copyImage

Control Flow

aws:branch
aws:sleep
aws:waitForAwsResourceProperty
aws:loop
aws:pause

Approval

aws:approve
SNS notification
Manual approval
Timeout configuration
Approval URL

Integration

aws:invokeLambdaFunction
aws:executeAwsApi
aws:createStack
aws:deleteStack
EventBridge triggers

Runbook Example

                            schemaVersion: '0.3'

                            description: Create AMI and notify

                            parameters:

                              InstanceId:

                                type: String

                            mainSteps:

                              - name: createImage

                                action: 'aws:createImage'

                                inputs:

                                  InstanceId: '{{ InstanceId }}'

                                  ImageName: 'MyAMI-{{ global:DATE_TIME }}'

                              - name: notifySuccess

                                action: 'aws:executeAwsApi'

                                inputs:

                                  Service: sns

                                  Api: Publish

                                  TopicArn: 'arn:aws:sns:us-east-1:123456789012:MyTopic'

Execution Modes

Simple: Execute once on specified targets

Rate Control: Control concurrency and error thresholds

Multi-Account: Execute across multiple AWS accounts

Multi-Region: Execute across multiple regions

Triggers

EventBridge: Schedule or event-based triggers

AWS Config: Remediate non-compliant resources

CloudWatch Alarms: Respond to metric thresholds

Manual: Console, CLI, or API invocation

Pre-built

AWS-UpdateLinuxAmi
AWS-UpdateWindowsAmi
AWS-CreateSnapshot
AWS-RestartEC2Instance
AWS-PatchInstanceWithRollback

Security

AWS-DisablePublicAccessForSecurityGroup
AWS-EnableS3BucketEncryption
AWS-ConfigureS3BucketLogging
AWS-DetachEBSVolume

Database

AWS-CreateRdsSnapshot
AWS-DeleteRdsSnapshot
AWS-RestoreFromRdsSnapshot
AWS-ModifyRDSInstance

CloudFormation

AWS-CreateStack
AWS-DeleteStack
AWS-UpdateStack
AWS-ExecuteChangeSet

Monitoring

Execution status tracking
Step-level output
CloudWatch Logs integration
EventBridge notifications

Pricing

$0.002 per step execution
First 100,000 steps free/month
Additional AWS service charges
No charge for failed steps

Limits

100 concurrent executions
500 documents per account
1,000 steps per document
48 hours max duration

Best Practices

Design

Keep runbooks modular and reusable
Use parameters for flexibility
Implement error handling
Add descriptive comments

Security

Use IAM roles with least privilege
Implement approval gates for critical actions
Log all executions
Encrypt sensitive parameters

Testing

Test in non-production first
Use rate control for safety
Monitor execution metrics
Version control your runbooks

Exam Strategy Tip

Remember: Automation uses runbooks (Automation documents) for workflows. Supports approval gates for manual intervention. Can be triggered by EventBridge, Config, CloudWatch for automated remediation. Pricing: $0.002 per step execution. Supports multi-account and multi-region execution.

Back to Parameter Store Next: Inventory & Compliance