AWS
|
1 Troubleshooting Commands
Contributed by jon-funk
Codecollection:
Runs an ad-hoc user-provided command, and if the provided command outputs a non-empty string to stdout then an issue is generated with a configurable title and content.
User commands should filter expected/healthy content (eg: with grep) and only output found errors.
Tasks:
Tasks:
- TASK_TITLE
Source Code
Runs an ad-hoc user-provided command, and if the provided command outputs a non-empty string to stdout then a health score of 0 (unhealthy) is pushed, otherwise if there is no output, indicating no issues, then a 1 is pushed.
User commands should filter expected/healthy content (eg: with grep) and only output found errors.
Tasks:
Tasks:
- ${TASK_TITLE}
This taskset runs a user provided awscli command and adds the output to the report. Command line tools like jq are available.
Tasks:
Tasks:
- TASK_TITLE
This sli runs a user provided awscli command and pushes the metric. The supplied command must result in distinct single metric. Command line tools like jq are available.
Tasks:
Tasks:
- ${TASK_TITLE}
Generates a report on S3 buckets in an Account that are insecure or unhealthy.
Tasks:
Tasks:
- List S3 Buckets With Public Access in AWS Account `AWS_ACCOUNT_NAME`
Discoverable
Counts the number of S3 buckets in an Account that are insecure or unhealthy.
Tasks:
Tasks:
- Count S3 Buckets With Public Access in AWS Account `${AWS_ACCOUNT_NAME}`
Check for AWS EBS resources by identifying unattached volumes, unused snapshots, and unencrypted volumes.
Tasks:
Tasks:
- List Unattached EBS Volumes in AWS Region `AWS_REGION` in AWS account `AWS_ACCOUNT_ID`
- List Unencrypted EBS Volumes in AWS Region `AWS_REGION` in AWS account `AWS_ACCOUNT_ID`
- List Unused EBS Snapshots in AWS Region `AWS_REGION` in AWS account `AWS_ACCOUNT_ID`
Counts the number of EBS resources by identifying unattached volumes, unused and aged snapshots, and unencrypted volumes.
Tasks:
Tasks:
- Check Unattached EBS Volumes in `${AWS_REGION}`
- Check Unencrypted EBS Volumes in `${AWS_REGION}`
- Check Unused EBS Snapshots in `${AWS_REGION}`
- Generate EBS Score
Check for EC2 instances that are stale or stopped
Tasks:
Tasks:
- List stale AWS EC2 instances in AWS Region `AWS_REGION` in AWS account `AWS_ACCOUNT_ID`
- List stopped AWS EC2 instances in AWS Region `AWS_REGION` in AWS account `AWS_ACCOUNT_ID`
- List invalid AWS Auto Scaling Groups in AWS Region AWS_REGION in AWS account AWS_ACCOUNT_ID
Count the number of EC2 instances that are stale or stopped
Tasks:
Tasks:
- Check for stale AWS EC2 instances in AWS Region `${AWS_REGION}` in AWS account `${AWS_ACCOUNT_ID}`
- Check for stopped AWS EC2 instances in AWS Region `${AWS_REGION}` in AWS account `${AWS_ACCOUNT_ID}`
- Check for invalid AWS Auto Scaling Groups in AWS Region `${AWS_REGION}` in AWS account `${AWS_ACCOUNT_ID}`
- Generate Health Score
List publicly accessible security groups, unused EIPs, unused ELBs, and VPCs with flow logs disabled
Tasks:
Tasks:
- List Publicly Accessible Security Groups in AWS account `AWS_ACCOUNT_ID`
- List unused Elastic IPs in AWS account `AWS_ACCOUNT_ID`
- List unused ELBs in AWS account `AWS_ACCOUNT_ID`
- List VPCs with Flow Logs Disabled in AWS account `AWS_ACCOUNT_ID`
Count publicly accessible security groups, unused EIPs, unused ELBs, and VPCs with flow logs disabled
Tasks:
Tasks:
- Check for publicly accessible security groups in AWS account `${AWS_ACCOUNT_ID}`
- Check for unused Elastic IPs in AWS account `${AWS_ACCOUNT_ID}`
- Check for unused ELBs in AWS account `${AWS_ACCOUNT_ID}`
- Check for VPCs with Flow Logs disabled in AWS account `${AWS_ACCOUNT_ID}`
- Generate Health Score
List AWS RDS instances that are unencrypted, publicly accessible, or have backups disabled.
Tasks:
Tasks:
- List Unencrypted RDS Instances in AWS Region `AWS_REGION` in AWS Account `AWS_ACCOUNT_ID`
- List Publicly Accessible RDS Instances in AWS Region `AWS_REGION` in AWS Account `AWS_ACCOUNT_ID`
- List RDS Instances with Backups Disabled in AWS Region `AWS_REGION` in AWS Account `AWS_ACCOUNT_ID`
Check AWS RDS instances that are unencrypted, publicly accessible, or have backups disabled.
Tasks:
Tasks:
- Check for unencrypted RDS instances in AWS Region `${AWS_REGION}` in AWS account `${AWS_ACCOUNT_ID}`
- Check for publicly accessible RDS instances in AWS Region `${AWS_REGION}` in AWS account `${AWS_ACCOUNT_ID}`
- Check for disabled backup RDS instances in AWS Region `${AWS_REGION}` in AWS account `${AWS_ACCOUNT_ID}`
- Generate Health Score
List AWS ACM certificates that are unused, Expiring, or expired and failed status.
Tasks:
Tasks:
- List Unused ACM Certificates in AWS Region `AWS_REGION` in AWS Account `AWS_ACCOUNT_ID`
- List Expiring ACM Certificates in AWS Region `AWS_REGION` in AWS Account `AWS_ACCOUNT_ID`
- List Expired ACM Certificates in AWS Region `AWS_REGION` in AWS Account `AWS_ACCOUNT_ID`
- List Failed Status ACM Certificates in AWS Region `AWS_REGION` in AWS Account `AWS_ACCOUNT_ID`
- List Pending Validation ACM Certificates in AWS Region `AWS_REGION` in AWS Account `AWS_ACCOUNT_ID`
Count AWS ACM certificates that are unused, Expiring, or expired and failed status.
Tasks:
Tasks:
- Check for unused ACM certificates in AWS Region `${AWS_REGION}` in AWS account `${AWS_ACCOUNT_ID}`
- Check for Expiring ACM certificates in AWS Region `${AWS_REGION}` in AWS account `${AWS_ACCOUNT_ID}`
- Check for expired ACM certificates in AWS Region `${AWS_REGION}` in AWS account `${AWS_ACCOUNT_ID}`
- Check for Failed Status ACM Certificates in AWS Region `${AWS_REGION}` in AWS Account `${AWS_ACCOUNT_ID}`
- Check for Pending Validation ACM Certificates in AWS Region `${AWS_REGION}` in AWS Account `${AWS_ACCOUNT_ID}`
- Generate Health Score
Check AWS Monitoring Configuration Health
Tasks:
Tasks:
- List CloudWatch Log Groups Without Retention Period in AWS Region `AWS_REGION` in AWS Account `AWS_ACCOUNT_ID`
- Check CloudTrail Configuration in AWS Region `AWS_REGION` in AWS Account `AWS_ACCOUNT_ID`
- Check for CloudTrail integration with CloudWatch Logs in AWS Region `AWS_REGION` in AWS Account `AWS_ACCOUNT_ID`
Check AWS Monitoring Configuration Health
Tasks:
Tasks:
- Check CloudWatch Log Groups Without Retention Period in AWS Region `${AWS_REGION}` in AWS account `${AWS_ACCOUNT_ID}`
- Check if CloudTrail exists and is configured for multi-region in AWS Region `${AWS_REGION}` in AWS Account `${AWS_ACCOUNT_ID}`
- Check CloudTrail Without CloudWatch Logs in AWS Region `${AWS_REGION}` in AWS Account `${AWS_ACCOUNT_ID}`
- Generate Health Score
Retrieve the result of an AWS CloudWatch Metrics Insights query.
Tasks:
Tasks:
- Running CloudWatch Metric Query And Pushing The Result
Retrieve all recently created AWS accounts.
Tasks:
Tasks:
- Get The Recently Created AWS Accounts
Performs a suite of security checks against a set of AWS EC2 instances.
Checks include untagged instances, dangling volumes, open routes.
Tasks:
Tasks:
- Check For Untagged instances
- Check For Dangling Volumes
- Check For Open Routes
- Check For Overused Instances
- Check For Underused Instances
- Check For Underused Volumes
- Check For Overused Volumes
Monitors AWS cost and usage data for the latest billing period.
Accepts one tag for continuous monitoring.
Tasks:
Tasks:
- Get All Billing Sliced By Tags
Retrieve binary result from an AWS CloudWatch Insights query.
Pushes 0 (success) if logs are found (activity) or 1 if no logs were found in the time window.
Tasks:
Tasks:
- Running CloudWatch Log Query And Pushing 1 If No Results Found
Creates a report of AWS line item costs filtered to a list of tagged resources
Tasks:
Tasks:
- Get All Billing Sliced By Tags
Retrieve aggregate results from multiple AWS Cloudwatch Metrics Insights queries ran against tagged resources.
This codebundle fetches a list of instance IDs filtered by tags, and uses them
to run a set of AWS metric queries against the CloudWatch metrics insights API
and pushes an aggregated/transformed value provided by the API as a metric.
Tasks:
Tasks:
- Run CloudWatch Metric Query Across Set Of IDs And Push Metric
Retrieve the number of detected AWS CloudFormation stack events over a given history
Tasks:
Tasks:
- Fetch CloudFormation Stack Events
Identify stale AWS S3 buckets, based on last modified object timestamp.
Tasks:
Tasks:
- Create Report For Stale Buckets
Triage and troubleshoot performance and usage of an AWS EC2 instance
Tasks:
Tasks:
- Get Max VM CPU Utilization In Last 3 Hours
- Get Lowest VM CPU Credits In Last 3 Hours
- Get Max VM CPU Credit Usage In Last 3 hours
- Get Max VM Memory Utilization In Last 3 Hours
- Get Max VM Volume Usage In Last 3 Hours
Triage and troubleshoot various issues with AWS CloudFormation
Tasks:
Tasks:
- Get All Recent Stack Events
Retrieve number of results from an AWS CloudWatch Insights query.
Tasks:
Tasks:
- Running CloudWatch Log Query And Pushing The Count Of Results
Creates a URL to a AWS CloudWatch metrics dashboard with a running query.
Tasks:
Tasks:
- Get CloudWatch MetricQuery Insights URL
Scans for AWS Lambda invocation errors
Tasks:
Tasks:
- List Lambda Versions and Runtimes in AWS Region `AWS_REGION`
- Analyze AWS Lambda Invocation Errors in Region `AWS_REGION`
- Monitor AWS Lambda Performance Metrics in AWS Region `AWS_REGION`
Monitor AWS Lambda Invocation Errors
Tasks:
Tasks:
- Analyze AWS Lambda Invocation Errors in Region `${AWS_REGION}`
Generates a report for S3 buckets in a AWS region
Tasks:
Tasks:
- Check AWS S3 Bucket Storage Utilization
Queries a node group within a EKS cluster to check if the nodegroup has degraded service, indicating ongoing reboots or other issues.
Tasks:
Tasks:
- Check EKS Nodegroup Status in `EKS_CLUSTER_NAME`
Raises Issues
Queries AWS CloudWatch for a list of EC2 instances with a high amount of resource utilization, raising issues when overutilized instances are found.
Tasks:
Tasks:
- Check For Overutilized Ec2 Instances
Checks the health status of EKS and/or Fargate clusters in the given AWS region.
Tasks:
Tasks:
- Check EKS Fargate Cluster Health Status in AWS Region `AWS_REGION`
- Check Amazon EKS Cluster Health Status in AWS Region `AWS_REGION`
- Monitor EKS Cluster Health in AWS Region `AWS_REGION`
Monitors the status of EKS / Fargate in the given AWS region.
Tasks:
Tasks:
- Check Amazon EKS Cluster Health Status in AWS Region `${AWS_REGION}`
This taskset performs comprehensive DNS health monitoring and validation tasks.
Includes DNS zone record validation, broken DNS resolution detection,
forward lookup zone testing, external resolution validation, and latency monitoring.
Provides detailed issue reporting with severity levels and actionable next steps.
Supports multiple FQDNs, zones, and generic DNS monitoring scenarios.
Tasks:
Tasks:
- Check DNS Zone Records
- Detect Broken Record Resolution
- Test Forward Lookup Zones
- External Resolution Validation
- DNS Latency Check
This SLI measures DNS health metrics including resolution success rates,
latency measurements, DNS zone health, and external DNS resolver availability.
Provides binary scoring (0/1) for each metric and calculates an overall DNS health score.
Supports multiple FQDNs, DNS zones, forward lookup zones, and external resolver testing.
Tasks:
Tasks:
- DNS Resolution Success Rate
- DNS Query Latency
- DNS Zone Health
- External DNS Resolver Availability
- Generate DNS Health Score
Checks the health status of Elasticache redis in the given region.
Tasks:
Tasks:
- Scan AWS Elasticache Redis Status in AWS Region `AWS_REGION`
Monitors the health status of elasticache redis in the AWS region.
Tasks:
Tasks:
- Scan ElastiCaches in AWS Region `${AWS_REGION}`