AWS FIS actions reference
This reference describes the common actions in AWS FIS, including information about the
action parameters and the required IAM permissions. You can also list the supported AWS FIS
actions using the AWS FIS console or the list-actions
For more information, see Actions for AWS FIS and How AWS Fault Injection Simulator works with IAM.
Actions
Fault injection actions
AWS FIS supports the following fault injection actions.
Actions
aws:fis:inject-api-internal-error
Runs the AWS FIS action InjectApiInternalError on the target IAM role.
Resource type
-
aws:iam:role
Parameters
duration – The duration, from one minute to 12 hours. In the AWS FIS API, the value is a string in ISO 8601 format. For example, PT1M represents one minute. In the AWS FIS console, you enter the number of seconds, minutes, or hours.
service – The target AWS API namespace. The supported value is
ec2.percentage – The percentage (1-100) of calls to inject the fault into.
operations – The operations to inject the fault into, separated using commas. For a list of the API actions for the
ec2namespace, see Actions in the Amazon EC2 API Reference.
Permissions
fis:InjectApiInternalError
aws:fis:inject-api-throttle-error
Runs the AWS FIS action InjectApiThrottleError on the target IAM role.
Resource type
-
aws:iam:role
Parameters
duration – The duration, from one minute to 12 hours. In the AWS FIS API, the value is a string in ISO 8601 format. For example, PT1M represents one minute. In the AWS FIS console, you enter the number of seconds, minutes, or hours.
service – The target AWS API namespace. The supported value is
ec2.percentage – The percentage (1-100) of calls to inject the fault into.
operations – The operations to inject the fault into, separated using commas. For a list of the API actions for the
ec2namespace, see Actions in the Amazon EC2 API Reference.
Permissions
fis:InjectApiThrottleError
aws:fis:inject-api-unavailable-error
Runs the AWS FIS action InjectApiUnavailableError on the target IAM role.
Resource type
-
aws:iam:role
Parameters
duration – The duration, from one minute to 12 hours. In the AWS FIS API, the value is a string in ISO 8601 format. For example, PT1M represents one minute. In the AWS FIS console, you enter the number of seconds, minutes, or hours.
service – The target AWS API namespace. The supported value is
ec2.percentage – The percentage (1-100) of calls to inject the fault into.
operations – The operations to inject the fault into, separated using commas. For a list of the API actions for the
ec2namespace, see Actions in the Amazon EC2 API Reference.
Permissions
fis:InjectApiUnavailableError
Wait action
AWS FIS supports the following wait action.
aws:fis:wait
Runs the AWS FIS wait action.
Parameters
duration – The duration, from one minute to 12 hours. In the AWS FIS API, the value is a string in ISO 8601 format. For example, PT1M represents one minute. In the AWS FIS console, you enter the number of seconds, minutes, or hours.
Permissions
None
Amazon CloudWatch actions
AWS FIS supports the following Amazon CloudWatch action.
aws:cloudwatch:assert-alarm-state
Verifies that the specified alarms are in one of the specified alarm states.
Resource type
-
None
Parameters
alarmArns – The ARNs of the alarms, separated by commas. You can specify up to five alarms.
alarmStates – The alarm states, separated by commas. The possible alarm states are
OK,ALARM, andINSUFFICIENT_DATA.
Permissions
cloudwatch:DescribeAlarms
Amazon EBS actions
AWS FIS supports the following Amazon EBS action.
aws:ebs:pause-volume-io
Pauses I/O operations on target EBS volumes. The target volumes must be in the same Availability Zone and must be attached to instances built on the Nitro System. The volumes can't be attached to instances on an Outpost.
To initiate the experiment using the Amazon EC2 console, see Fault testing on Amazon EBS in the Amazon EC2 User Guide.
Resource type
-
aws:ec2:ebs-volume
Parameters
duration – The duration, from one second to 12 hours. In the AWS FIS API, the value is a string in ISO 8601 format. For example, PT1M represents one minute, PT5S represents five seconds, and PT6H represents six hours. In the AWS FIS console, you enter the number of seconds, minutes, or hours. If the duration is small, such as PT5S, the I/O is paused for the specified duration, but it might take longer for the experiment to complete due to the time it takes to initialize the experiment.
Permissions
ec2:DescribeVolumes
ec2:PauseVolumeIO
Amazon EC2 actions
AWS FIS supports the following Amazon EC2 actions.
Actions
aws:ec2:reboot-instances
Runs the Amazon EC2 API action RebootInstances on the target EC2 instances.
Resource type
-
aws:ec2:instance
Parameters
None
Permissions
ec2:RebootInstances
aws:ec2:send-spot-instance-interruptions
Interrupts the target Spot Instances. Sends a Spot Instance interruption notice to target Spot Instances two minutes before interrupting them. The interruption time is determined by the specified durationBeforeInterruption parameter. Two minutes after the interruption time, the Spot Instances are terminated or stopped, depending on their interruption behavior. A Spot Instance that was stopped by AWS FIS remains stopped until you restart it.
Immediately after the action is executed, the target instance receives an EC2 instance rebalance recommendation. If you specified durationBeforeInterruption, there could be a delay between the rebalance recommendation and the interruption notice.
For more information, see Tutorial: Test Spot Instance interruptions using AWS FIS. Alternatively, to initiate the experiment using the Amazon EC2 console, see Initiate a Spot Instance interruption in the Amazon EC2 User Guide.
Resource type
-
aws:ec2:spot-instance
Parameters
durationBeforeInterruption – The time to wait before interrupting the instance, from 2 to 15 minutes. In the AWS FIS API, the value is a string in ISO 8601 format. For example, PT2M represents two minutes. In the AWS FIS console, you enter the number of minutes.
Permissions
ec2:SendSpotInstanceInterruptions
aws:ec2:stop-instances
Runs the Amazon EC2 API action StopInstances on the target EC2 instances.
Resource type
-
aws:ec2:instance
Parameters
startInstancesAfterDuration – Optional. The time to wait before starting the instance, from one minute to 12 hours. In the AWS FIS API, the value is a string in ISO 8601 format. For example, PT1M represents one minute. In the AWS FIS console, you enter the number of seconds, minutes, or hours. If the instance has an encrypted EBS volume, you must grant AWS FIS permission to the KMS key used to encrypt the volume, or add the experiment role to the KMS key policy.
Permissions
ec2:StopInstancesec2:StartInstanceskms:CreateGrant– Optional. Required with startInstancesAfterDuration to restart instances with encrypted volumes.
aws:ec2:terminate-instances
Runs the Amazon EC2 API action TerminateInstances on the target EC2 instances.
Resource type
-
aws:ec2:instance
Parameters
None
Permissions
ec2:TerminateInstances
Amazon ECS actions
AWS FIS supports the following Amazon ECS actions.
aws:ecs:drain-container-instances
Runs the Amazon ECS API action UpdateContainerInstancesState to drain the specified percentage of underlying Amazon EC2 instances on the target clusters.
Resource type
-
aws:ecs:cluster
Parameters
drainagePercentage – The percentage (1-100).
duration – The duration, from one minute to 12 hours. In the AWS FIS API, the value is a string in ISO 8601 format. For example, PT1M represents one minute. In the AWS FIS console, you enter the number of seconds, minutes, or hours.
Permissions
ecs:DescribeClustersecs:UpdateContainerInstancesStateecs:ListContainerInstances
aws:ecs:stop-task
Runs the Amazon ECS API action StopTask to stop the target task.
Resource type
-
aws:ecs:task
Parameters
None
Permissions
ecs:DescribeTasksecs:ListTasksecs:StopTask
Amazon EKS actions
AWS FIS supports the following Amazon EKS actions.
aws:eks:inject-kubernetes-custom-resource
Runs a ChaosMesh or Litmus experiment on a single target cluster. You must install ChaosMesh or Litmus on the target cluster.
When you create an experiment template and define a target of type aws:eks:cluster,
you must target this action to a single Amazon Resource Name (ARN). This action doesn't
support defining targets using resource tags, filters, or parameters.
When you install ChaosMesh, you must specify the appropriate container runtime. Starting with Amazon EKS version 1.23, the default runtime changed from Docker to containerd. Starting with version 1.24, Docker was removed.
Resource type
-
aws:eks:cluster
Parameters
kubernetesApiVersion – The API version of the Kubernetes custom resource
. The possible values are chaos-mesh.org/v1alpha1|litmuschaos.io/v1alpha1.kubernetesKind – The Kubernetes custom resource kind. The value depends on the API version.
-
chaos-mesh.org/v1alpha1– The possible values areAWSChaos|DNSChaos|GCPChaos|HTTPChaos|IOChaos|JVMChaos|KernelChaos|NetworkChaos|PhysicalMachineChaos|PodChaos|PodHttpChaos|PodIOChaos|PodNetworkChaos|Schedule|StressChaos|TimeChaos| -
litmuschaos.io/v1alpha1– The possible value isChaosEngine.
-
kubernetesNamespace – The Kubernetes namespace
. kubernetesSpec – The JSON representation of Kubernetes custom resource.
maxDuration – The maximum time allowed for the automation execution to complete, from one minute to 12 hours. In the AWS FIS API, the value is a string in ISO 8601 format. For example, PT1M represents one minute. In the AWS FIS console, you enter the number of seconds, minutes, or hours.
Permissions
No AWS Identity and Access Management (IAM) permissions are required for this action. The permissions required to use this action are controlled by Kubernetes using RBAC authorization. For more information, see Using RBAC Authorization
aws:eks:terminate-nodegroup-instances
Runs the Amazon EC2 API action TerminateInstances on the target node group.
Resource type
-
aws:eks:nodegroup
Parameters
instanceTerminationPercentage – The percentage (1-100) of instances to terminate.
Permissions
ec2:DescribeInstancesec2:TerminateInstances
Network actions
AWS FIS supports the following network action.
aws:network:disrupt-connectivity
Denies the specified traffic to the target subnets.
Resource type
-
aws:ec2:subnet
Parameters
scope – The type of traffic to deny. The possible values are:
all– Denies all traffic.availability-zone– Denies intra-VPC traffic to or from subnets in other Availability Zones.dynamodb– Denies traffic to or from DynamoDB.prefix-list– Denies traffic to or from the specified prefix list.s3– Denies traffic to or from Amazon S3.vpc– Denies traffic entering or leaving the VPC.
duration – The duration, from one minute to 12 hours. In the AWS FIS API, the value is a string in ISO 8601 format. For example, PT1M represents one minute. In the AWS FIS console, you enter the number of seconds, minutes, or hours.
prefixListIdentifier – If the scope is
prefix-list, this is the identifier of the customer managed prefix list. You can specify a name, an ID, or an ARN. The prefix list can have at most 10 entries.
Permissions
ec2:CreateNetworkAcl– Creates the network ACL with the tag managedByFIS=true.ec2:CreateNetworkAclEntry– The network ACL must have the tag managedByFIS=true.ec2:CreateTagsec2:DeleteNetworkAcl– The network ACL must have the tag managedByFIS=true.ec2:DescribeManagedPrefixListsec2:DescribeNetworkAclsec2:DescribeSubnetsec2:DescribeVpcsec2:GetManagedPrefixListEntriesec2:ReplaceNetworkAclAssociation
Amazon RDS actions
AWS FIS supports the following Amazon RDS actions.
aws:rds:failover-db-cluster
Runs the Amazon RDS API action FailoverDBCluster on the target Aurora DB cluster.
Resource type
-
aws:rds:cluster
Parameters
None
Permissions
rds:FailoverDBCluster
aws:rds:reboot-db-instances
Runs the Amazon RDS API action RebootDBInstance on the target DB instance.
Resource type
-
aws:rds:db
Parameters
forceFailover – Optional. If the value is true, and if instances are Multi-AZ, forces failover from one Availability Zone to another. The default is false.
Permissions
rds:RebootDBInstance
Systems Manager actions
AWS FIS supports the following Systems Manager actions.
aws:ssm:send-command
Runs the Systems Manager API action SendCommand on the target EC2 instances. The Systems Manager document (SSM document) defines the actions that Systems Manager performs on your instances. For more information, see Use the aws:ssm:send-command action.
Resource type
-
aws:ec2:instance
Parameters
documentArn – The Amazon Resource Name (ARN) of the document. In the console, this parameter is completed for you if you choose a value from Action type that corresponds to one of the pre-configured AWS FIS SSM documents.
documentVersion – Optional. The version of the document. If empty, the default version runs.
documentParameters – Conditional. The required and optional parameters that the document accepts. The format is a JSON object with keys that are strings and values that are either strings or arrays of strings.
duration – The duration, from one minute to 12 hours. In the AWS FIS API, the value is a string in ISO 8601 format. For example, PT1M represents one minute. In the AWS FIS console, you enter the number of seconds, minutes, or hours.
Permissions
ssm:SendCommandssm:ListCommandsssm:CancelCommand
aws:ssm:start-automation-execution
Runs the Systems Manager API action StartAutomationExecution.
Resource type
-
None.
Parameters
documentArn – The Amazon Resource Name (ARN) of the automation document.
documentVersion – Optional. The version of the document. If empty, the default version runs.
documentParameters – Conditional. The required and optional parameters that the document accepts. The format is a JSON object with keys that are strings and values that are either strings or arrays of strings.
maxDuration – The maximum time allowed for the automation execution to complete, from one minute to 12 hours. In the AWS FIS API, the value is a string in ISO 8601 format. For example, PT1M represents one minute. In the AWS FIS console, you enter the number of seconds, minutes, or hours.
Permissions
ssm:GetAutomationExecutionssm:StartAutomationExecutionssm:StopAutomationExecutioniam:PassRole– Optional. Required if the automation document assumes a role.
