AWS Ops Automator

Solution Components

Included Actions

The AWS Ops Automator includes a set of actions that you can use to configure automated tasks. An action consists of metadata that specifies which resources and properties to select from AWS services, the aggregation level of the selected resources, the permissions required to access and modify those resources, and the code that implements the action logic. An action can be used in multiple tasks.

To execute an action, you must launch the specific task-configuration template. This creates a new task that defines the time interval or resource event that triggers the action, the action parameters that define how the task should be performed, the tags that determine which resources will receive the actions, and the accounts and regions where the resources are located. For more information about the task-configuration templates included with this solution, see Appendix A.

Role and Task Templates

When you deploy the AWS Ops Automator, the solution automatically creates an Amazon Simple Storage Service (Amazon S3) bucket in the primary account that contains two types of AWS CloudFormation templates for each action.

One template (role) is located in the Roles folder and creates the AWS Identity and Access Management (IAM) roles necessary to perform the action in secondary accounts. You can review and modify permissions in the role template before you launch the stack. The solution also includes a single template that configures all IAM roles necessary to perform all solution actions. Use this template if you want to configure tasks for all actions.

The other template (task-configuration) is located in the Configuration folder and creates a task based on parameters you define. You can use these templates as a framework for your own custom actions. For more information about the task-configuration templates, see Appendix A.
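To support the review of role-template permissions mentioned above, the following added example (not part of the solution or its templates) reports trust-policy principals and wildcard actions found in a CloudFormation role template. It assumes the template is JSON and that the role should trust only the primary account; the sample template, the placeholder account ID 111111111111, and the helper name `review_role_template` are constructed for illustration.

```python
import json

# Constructed sample, NOT the solution's real role template: a role trusted by
# placeholder account 111111111111 with one scoped and one wildcard statement.
SAMPLE_TEMPLATE = json.dumps({"Resources": {"ActionRole": {
    "Type": "AWS::IAM::Role",
    "Properties": {
        "AssumeRolePolicyDocument": {"Statement": [{
            "Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}]},
        "Policies": [{"PolicyName": "action", "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Resource": "*",
             "Action": ["ec2:CreateSnapshot", "ec2:Describe*"]},
            {"Effect": "Allow", "Resource": "*", "Action": "iam:*"}]}}]}}}})


def as_list(value):
    """IAM policy fields may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allow_statements(document):
    """Return only the Allow statements of a policy document."""
    return [s for s in as_list(document.get("Statement", [])) if s.get("Effect") == "Allow"]


def review_role_template(template_text, primary_account_id):
    """Return (role, kind, detail) findings for every AWS::IAM::Role in a JSON template."""
    findings = []
    for name, res in json.loads(template_text).get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        props = res.get("Properties", {})
        # Trust policy: every AWS principal must resolve to the primary account.
        for stmt in allow_statements(props.get("AssumeRolePolicyDocument", {})):
            principal = stmt.get("Principal", {})
            values = principal.get("AWS", []) if isinstance(principal, dict) else principal
            for p in as_list(values):
                parts = p.split(":") if isinstance(p, str) else []
                account = parts[4] if len(parts) > 4 else p
                if account != primary_account_id:  # also catches "*" and Fn::Sub/Ref dicts
                    findings.append((name, "trust", f"verify principal {p!r}"))
        # Inline policies: flag "*" and "service:*" actions for manual scoping.
        for policy in props.get("Policies", []):
            for stmt in allow_statements(policy.get("PolicyDocument", {})):
                for action in as_list(stmt.get("Action", [])):
                    if str(action).split(":")[-1] == "*":
                        findings.append((name, "permissions", f"wildcard action {action!r}"))
    return findings
```

Managed policies attached by ARN are not expanded by this check and still need to be reviewed separately.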

If you delete the AWS Ops Automator stack in the primary account, all task stacks and configurations will be deleted.

Task Execution Across Accounts

To perform tasks on resources in secondary accounts, you must launch the applicable role template in each secondary account after you launch the solution template in the primary account. When the role stack is launched, it creates a cross-account role Amazon Resource Name (ARN). When you launch the task-configuration template in the primary account, you enter the appropriate cross-account role ARN(s) in the applicable template parameter to allow the AWS Ops Automator to perform the specified task in those accounts.

Customers who want to perform tasks on resources in a large number of secondary accounts can upload a list of cross-account role ARNs to the solution’s Amazon S3 bucket. For more information, see Appendix B.


The AWS Ops Automator is designed to accommodate task processing for a large number of resources. By default, this solution enables Auto Scaling for its Amazon DynamoDB tables to provide sufficient read and write capacity to store tracking and configuration data for each resource it manages. The primary solution template includes a Lambda size (MB) parameter, which allows you to increase the memory of the main AWS Ops Automator Lambda function. If you plan to process tasks for a large number of resources, or if you encounter issues completing tasks for a large number of resources, we recommend you increase this value. See Appendix G for detailed information.

Daily Backups

The AWS Ops Automator creates a daily backup of the Amazon DynamoDB configuration table. Configuration backup files are stored in the Backups folder in the solution’s Amazon S3 bucket. The solution’s primary template includes a parameter where you define the retention period for these backup files.

Logging and Notifications

The AWS Ops Automator leverages Amazon CloudWatch Logs for logging. The solution logs which AWS Lambda function handled each event; when each task was executed; which tasks were executed; the state of executed tasks; whether each task completed; which resources were selected for each task; the execution time of the next task; and debugging, warning, and error messages. For more information, see Appendix E.

Warning and error messages are also published to a solution-created Amazon Simple Notification Service (Amazon SNS) topic, which sends messages to a subscribed email address (see Subscribe to a Topic in the Amazon SNS Developer Guide). You can find the name of the Amazon SNS topic in the Outputs tab of the primary solution stack.