aws:approve – Pause an automation for manual approval - AWS Systems Manager

aws:approve – Pause an automation for manual approval

Temporarily pauses an automation until designated principals either approve or reject the action. After the required number of approvals is reached, the automation resumes. You can insert the approval step any place in the mainSteps section of your runbook.


This action doesn't support multi-account and Region automations. The default timeout for this action is 7 days (604800 seconds) and the maximum value is 30 days (2592000 seconds). You can limit or extend the timeout by specifying the timeoutSeconds parameter for an aws:approve step. If the automation step reaches the timeout value before receiving all required approval decisions, then the step and the automation stop running and return a status of Timed Out.

In the following example, the aws:approve action temporarily pauses the automation until one approver either accepts or rejects the automation. Upon approval, the automation runs a simple PowerShell command.

--- description: RunInstancesDemo1 schemaVersion: '0.3' assumeRole: "{{ assumeRole }}" parameters: assumeRole: type: String message: type: String mainSteps: - name: approve action: aws:approve timeoutSeconds: 1000 onFailure: Abort inputs: NotificationArn: arn:aws:sns:us-east-2:12345678901:AutomationApproval Message: "{{ message }}" MinRequiredApprovals: 1 Approvers: - arn:aws:iam::12345678901:user/AWS-User-1 - name: run action: aws:runCommand inputs: InstanceIds: - i-1a2b3c4d5e6f7g DocumentName: AWS-RunPowerShellScript Parameters: commands: - date
{ "description":"RunInstancesDemo1", "schemaVersion":"0.3", "assumeRole":"{{ assumeRole }}", "parameters":{ "assumeRole":{ "type":"String" }, "message":{ "type":"String" } }, "mainSteps":[ { "name":"approve", "action":"aws:approve", "timeoutSeconds":1000, "onFailure":"Abort", "inputs":{ "NotificationArn":"arn:aws:sns:us-east-2:12345678901:AutomationApproval", "Message":"{{ message }}", "MinRequiredApprovals":1, "Approvers":[ "arn:aws:iam::12345678901:user/AWS-User-1" ] } }, { "name":"run", "action":"aws:runCommand", "inputs":{ "InstanceIds":[ "i-1a2b3c4d5e6f7g" ], "DocumentName":"AWS-RunPowerShellScript", "Parameters":{ "commands":[ "date" ] } } } ] }

You can approve or deny Automations that are waiting for approval in the console.

To approve or deny waiting Automations
  1. Open the AWS Systems Manager console at

  2. In the navigation pane, choose Automation.

  3. Choose the option next to an Automation with a status of Waiting.

    Accessing the Approve/Deny Automation page
  4. Choose Approve/Deny.

  5. Review the details of the Automation.

  6. Choose either Approve or Deny, type an optional comment, and then choose Submit.

Input example

NotificationArn: arn:aws:sns:us-west-1:12345678901:Automation-ApprovalRequest Message: Please approve this step of the Automation. MinRequiredApprovals: 3 Approvers: - IamUser1 - IamUser2 - arn:aws:iam::12345678901:user/IamUser3 - arn:aws:iam::12345678901:role/IamRole
{ "NotificationArn":"arn:aws:sns:us-west-1:12345678901:Automation-ApprovalRequest", "Message":"Please approve this step of the Automation.", "MinRequiredApprovals":3, "Approvers":[ "IamUser1", "IamUser2", "arn:aws:iam::12345678901:user/IamUser3", "arn:aws:iam::12345678901:role/IamRole" ] }

The Amazon Resource Name (ARN of an Amazon Simple Notification Service (Amazon SNS) topic for Automation approvals. When you specify an aws:approve step in a runbook, Automation sends a message to this topic letting principals know that they must either approve or reject an Automation step. The title of the Amazon SNS topic must be prefixed with "Automation".

Type: String

Required: No


The information you want to include in the Amazon SNS topic when the approval request is sent. The maximum message length is 4096 characters.

Type: String

Required: No


The minimum number of approvals required to resume the automation. If you don't specify a value, the system defaults to one. The value for this parameter must be a positive number. The value for this parameter can't exceed the number of approvers defined by the Approvers parameter.

Type: Integer

Required: No


A list of AWS authenticated principals who are able to either approve or reject the action. The maximum number of approvers is 10. You can specify principals by using any of the following formats:

  • A user name

  • A user ARN

  • An IAM role ARN

  • An IAM assume role ARN

Type: StringList

Required: Yes


This input is only used for Change Manager templates. A list of AWS authenticated principals who are able to either approve or reject the action, the type of IAM principal, and the minimum number of approvers. The following is an example:

schemaVersion: "0.3" emergencyChange: false autoApprovable: false mainSteps: - name: ApproveAction1 action: aws:approve timeoutSeconds: 604800 inputs: Message: Please approve this change request MinRequiredApprovals: 3 EnhancedApprovals: Approvers: - approver: John Stiles type: IamUser minRequiredApprovals: 0 - approver: Ana Carolina Silva type: IamUser minRequiredApprovals: 0 - approver: GroupOfThree type: IamGroup minRequiredApprovals: 0 - approver: RoleOfTen type: IamRole minRequiredApprovals: 0

Type: StringList

Required: Yes



The approval status of the step. The status can be one of the following: Approved, Rejected, or Waiting. Waiting means that Automation is waiting for input from approvers.

Type: String


A JSON map that includes the approval decision of each approver.

Type: MapList