How do I resolve the "Action needed" status of my Route 53 Resolver endpoint?


My Amazon Route 53 Resolver endpoint is in "Action needed" status.

Resolution

You see "Action needed" after you try to add or remove an endpoint IP address

Verify that your AWS Identity and Access Management (IAM) user or role has the required permissions to add or remove endpoint IP addresses. Resolver creates and deletes the VPC network interfaces on your behalf, so the Amazon EC2 permissions must be granted to the same identity that makes the Resolver API call.

Adding an IP address

When you add an IP address to an inbound or outbound Resolver endpoint, the following actions occur:

  • Route 53 makes an AssociateResolverEndpointIpAddress API call.
  • For each IP address that you specify, the Resolver automatically creates a VPC elastic network interface.

The IAM role or user must have permissions to perform the ec2:CreateNetworkInterface and ec2:DescribeNetworkInterfaces actions. If these permissions aren't present, then the creation fails and the status changes to Action needed.

Removing an IP address

When you remove an IP address from an inbound or outbound Resolver endpoint, Resolver deletes the VPC elastic network interface that it created for that IP address.

The IAM role or user must have permissions to perform the ec2:DeleteNetworkInterface and ec2:DescribeNetworkInterfaces actions. If these permissions aren't present, then the deletion fails and the status changes to Action needed.

IAM permissions

Be sure that the IAM user or role that adds or removes IP addresses from Route 53 Resolver endpoints is allowed to perform the following actions:

  • ec2:CreateNetworkInterface
  • ec2:DeleteNetworkInterface
  • ec2:DescribeNetworkInterfaces

Also confirm that no other policy that applies to the identity (for example, a service control policy or a permissions boundary) explicitly denies these actions, because an explicit Deny overrides any Allow.
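As an added example (not part of this article and not an AWS tool), the following script performs a quick offline check of an identity policy document against the three EC2 actions listed above. It honours IAM's case-insensitive wildcard matching and the rule that an explicit Deny wins, but it ignores Resource and Condition elements, so it is a first screen, not a replacement for the IAM policy simulator. The sample policies are constructed for the example.

```python
import fnmatch
import json

# EC2 actions that Resolver needs when it adds or removes endpoint IP addresses
# (from the list above).
REQUIRED_ACTIONS = (
    "ec2:CreateNetworkInterface",
    "ec2:DeleteNetworkInterface",
    "ec2:DescribeNetworkInterfaces",
)


def _as_list(value):
    """IAM accepts a single string/object or a list for Statement, Action and
    NotAction; normalize to a list."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def _statement_covers(statement, action):
    """True if the statement's Action (or NotAction) covers `action`.
    IAM action matching is case-insensitive and supports * and ? wildcards."""
    want = action.lower()
    if "NotAction" in statement:
        patterns = _as_list(statement["NotAction"])
        return not any(fnmatch.fnmatchcase(want, p.lower()) for p in patterns)
    patterns = _as_list(statement.get("Action"))
    return any(fnmatch.fnmatchcase(want, p.lower()) for p in patterns)


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Return the required actions that `policy` does not effectively allow.
    An explicit Deny overrides an Allow, as in IAM. Resource and Condition
    elements are ignored: this is a quick check, not the policy simulator."""
    statements = _as_list(policy.get("Statement"))
    missing = []
    for action in required:
        allowed = denied = False
        for st in statements:
            if not _statement_covers(st, action):
                continue
            if st.get("Effect") == "Allow":
                allowed = True
            elif st.get("Effect") == "Deny":
                denied = True
        if denied or not allowed:
            missing.append(action)
    return missing


# Constructed sample policies for the example (not from the article).
# Grants Resolver itself but only one of the EC2 actions: adding an address fails.
TOO_NARROW_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "route53resolver:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:DescribeNetworkInterfaces"], "Resource": "*"}
  ]
}
""")

# Grants every network-interface action via a wildcard: passes the check.
FIXED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "route53resolver:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:*NetworkInterface*", "Resource": "*"}
  ]
}
""")

# Broad Allow undone by an explicit Deny: removing an address fails.
DENIED_DELETE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:DeleteNetworkInterface", "Resource": "*"}
  ]
}
""")


if __name__ == "__main__":
    for name, pol in [("too narrow", TOO_NARROW_POLICY),
                      ("fixed", FIXED_POLICY),
                      ("denied delete", DENIED_DELETE_POLICY)]:
        print(name, "->", missing_actions(pol) or "ok")
```

To check a real policy, load the JSON returned by `aws iam get-policy-version` (or the inline policy document) and pass it to `missing_actions`. A non-empty result means the identity will hit the Action needed status on the corresponding add or remove operation.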

Review AWS CloudTrail logs for more details about the denied action. Note that the AssociateResolverEndpointIpAddress call itself succeeds; the failure shows up in the endpoint state that the call returns. The following example is the responseElements section of a CloudTrail event for the AssociateResolverEndpointIpAddress API call when the IAM user or role is missing permissions:

"responseElements": {
  "resolverEndpoint": {
    "id": "rslvr-in-aaaaaaaaaaaaaaaaa",
    "creatorRequestId": "AWSConsole.82.1579676363636",
    "arn": "arn:aws:route53resolver:us-east-1:111111111111:resolver-endpoint/rslvr-in-11111111111111111",
    "name": "aaa",
    "securityGroupIds": [
      "sg-11111111111111111"
    ],
    "direction": "INBOUND",
    "ipAddressCount": 4,
    "hostVPCId": "vpc-11111111",
    "status": "ACTION_NEEDED",
    "statusMessage": "1 IP address(es) failed to be created. Please remove them from the ResolverEndpoint.",
    "creationTime": "2020-01-22T06:59:25.990Z",
    "modificationTime": "2020-01-22T06:59:25.990Z"
  }
}

To identify which IAM permission is missing, review your CloudTrail logs for events from ec2.amazonaws.com that occur shortly before or after the AssociateResolverEndpointIpAddress event. Their sourceIPAddress and userAgent read "AWS Internal" because Resolver makes these EC2 calls on your behalf. For example, if the IAM user or role is missing the CreateNetworkInterface permission, then the CloudTrail event for CreateNetworkInterface looks like the following example:

"eventSource": "ec2.amazonaws.com",
"eventName": "CreateNetworkInterface",
"awsRegion": "us-east-1",
"sourceIPAddress": "AWS Internal",
"userAgent": "AWS Internal",
"errorCode": "Client.UnauthorizedOperation",
"errorMessage": "You are not authorized to perform this operation."
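As an added example (not part of this article), the following script automates that correlation over a CloudTrail export: for every Associate or Disassociate call that left the endpoint in ACTION_NEEDED, it collects the authorization failures logged within a short window of it and reports them as IAM action names. The sample records are constructed from the two fragments above; the event IDs, the extra events and the timestamps are assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed CloudTrail records modelled on the two fragments above. The endpoint id,
# status and error strings match the article; eventIDs, times and the two extra
# events (a successful Describe call and an unrelated later failure) are made up.
SAMPLE_RECORDS = json.loads(r'''
[
  {"eventID": "evt-1", "eventTime": "2020-01-22T06:59:25Z",
   "eventSource": "route53resolver.amazonaws.com",
   "eventName": "AssociateResolverEndpointIpAddress",
   "responseElements": {"resolverEndpoint": {
       "id": "rslvr-in-aaaaaaaaaaaaaaaaa",
       "status": "ACTION_NEEDED",
       "statusMessage": "1 IP address(es) failed to be created. Please remove them from the ResolverEndpoint."}}},
  {"eventID": "evt-2", "eventTime": "2020-01-22T06:59:26Z",
   "eventSource": "ec2.amazonaws.com", "eventName": "DescribeNetworkInterfaces",
   "sourceIPAddress": "AWS Internal", "userAgent": "AWS Internal"},
  {"eventID": "evt-3", "eventTime": "2020-01-22T06:59:26Z",
   "eventSource": "ec2.amazonaws.com", "eventName": "CreateNetworkInterface",
   "sourceIPAddress": "AWS Internal", "userAgent": "AWS Internal",
   "errorCode": "Client.UnauthorizedOperation",
   "errorMessage": "You are not authorized to perform this operation."},
  {"eventID": "evt-4", "eventTime": "2020-01-22T08:10:00Z",
   "eventSource": "ec2.amazonaws.com", "eventName": "CreateNetworkInterface",
   "errorCode": "Client.UnauthorizedOperation",
   "errorMessage": "You are not authorized to perform this operation."}
]
''')

# Resolver calls that change an endpoint's IP addresses.
RESOLVER_IP_EVENTS = {"AssociateResolverEndpointIpAddress",
                      "DisassociateResolverEndpointIpAddress"}
# Error codes CloudTrail uses for authorization failures (EC2 uses the first one).
AUTHZ_ERRORS = {"Client.UnauthorizedOperation", "AccessDenied"}


def _ts(record):
    """CloudTrail eventTime is UTC in this fixed format."""
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _iam_action(record):
    """ec2.amazonaws.com + CreateNetworkInterface -> ec2:CreateNetworkInterface."""
    return record["eventSource"].split(".")[0] + ":" + record["eventName"]


def find_denied_dependencies(records, window=timedelta(minutes=2)):
    """For every Resolver IP change that left the endpoint in ACTION_NEEDED, collect
    the IAM actions that failed with an authorization error within `window` of it.
    Returns {resolver eventID: sorted list of denied IAM actions}."""
    errors = [r for r in records if r.get("errorCode") in AUTHZ_ERRORS]
    result = {}
    for r in records:
        if r.get("eventName") not in RESOLVER_IP_EVENTS:
            continue
        endpoint = (r.get("responseElements") or {}).get("resolverEndpoint") or {}
        if endpoint.get("status") != "ACTION_NEEDED":
            continue
        t0 = _ts(r)
        denied = {_iam_action(e) for e in errors if abs(_ts(e) - t0) <= window}
        result[r["eventID"]] = sorted(denied)
    return result


def load_records(path):
    """Read a CloudTrail log file (a JSON object with a top-level "Records" list)."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)["Records"]


if __name__ == "__main__":
    for event_id, actions in find_denied_dependencies(SAMPLE_RECORDS).items():
        print(event_id, "-> missing permissions:", ", ".join(actions) or "none found in window")
```

Run it against the decompressed files from your CloudTrail S3 bucket with `load_records`; each reported action is one to add to the identity policy. The two-minute window is an assumption chosen to be wide enough for the ENI calls Resolver makes right after the API call, while excluding unrelated failures hours apart.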

You see "Action needed", but you didn't try to add or remove an endpoint IP address, or you have the right IAM permissions

This means that the endpoint is unhealthy and Resolver can't automatically recover it. Common causes for this issue include the following cases:

  • Deletion of one or more of the network interfaces that are associated with the endpoint
  • Inability to create the network interface

To resolve the problem, check the status of each IP address that's associated with the endpoint. For each unavailable IP address, first add a replacement IP address, and only after the replacement is in place delete the unavailable one. Adding before deleting keeps the endpoint above its minimum address count while you work.

Note: An endpoint must always include at least two IP addresses.
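As an added example (not part of this article), the following script turns that procedure into an ordered plan over the output of ListResolverEndpointIpAddresses and applies it with a boto3 route53resolver client. The set of statuses treated as "unavailable", the choice to put each replacement in the same subnet as the failed address, and the sample addresses are this example's assumptions.

```python
# Status values come from the Route 53 Resolver IpAddressStatus enum. Treating
# exactly these three as "unavailable" is this example's assumption; adjust the
# set if your endpoint shows a different failed status.
UNAVAILABLE = {"FAILED_CREATION", "FAILED_RESOURCE_GONE", "DELETE_FAILED_FAS_EXPIRED"}
MIN_ADDRESSES = 2  # an endpoint must always keep at least two IP addresses

# Constructed sample in the shape of ListResolverEndpointIpAddresses output
# (ids, subnets and the StatusMessage text are made up).
SAMPLE_IP_ADDRESSES = [
    {"IpId": "rni-11111111111111111", "SubnetId": "subnet-0a", "Ip": "10.0.0.10",
     "Status": "ATTACHED"},
    {"IpId": "rni-22222222222222222", "SubnetId": "subnet-0b", "Ip": "10.0.1.10",
     "Status": "FAILED_RESOURCE_GONE", "StatusMessage": "network interface was deleted"},
    {"IpId": "rni-33333333333333333", "SubnetId": "subnet-0b", "Ip": "10.0.1.11",
     "Status": "FAILED_CREATION"},
]


def plan_replacements(ip_addresses):
    """Return ordered (operation, arguments) steps that repair an endpoint.

    For each unavailable address: first associate a replacement in the same
    subnet (Resolver picks a free IP when none is given), then disassociate the
    broken one. Adding before removing means the address count never drops, so
    the two-address minimum is never violated part-way through."""
    steps = []
    count = len(ip_addresses)
    for addr in ip_addresses:
        if addr["Status"] not in UNAVAILABLE:
            continue
        steps.append(("associate", {"SubnetId": addr["SubnetId"]}))
        count += 1
        # Defensive check of the invariant the ordering is meant to guarantee.
        if count - 1 < MIN_ADDRESSES:
            raise RuntimeError("plan would leave fewer than %d addresses" % MIN_ADDRESSES)
        steps.append(("disassociate", {"IpId": addr["IpId"]}))
        count -= 1
    return steps


def apply_plan(client, endpoint_id, steps):
    """Execute the steps with a boto3 route53resolver client, or any object that
    exposes the same two methods. Returns the calls made, in order."""
    made = []
    for op, args in steps:
        if op == "associate":
            client.associate_resolver_endpoint_ip_address(
                ResolverEndpointId=endpoint_id, IpAddress=args)
        else:
            client.disassociate_resolver_endpoint_ip_address(
                ResolverEndpointId=endpoint_id, IpAddress=args)
        made.append((op, args))
    return made


class DryRunClient:
    """Records calls instead of making them; stands in for
    boto3.client('route53resolver') when you want to review the plan first."""

    def __init__(self):
        self.calls = []

    def associate_resolver_endpoint_ip_address(self, **kwargs):
        self.calls.append(("associate", kwargs))
        return {}

    def disassociate_resolver_endpoint_ip_address(self, **kwargs):
        self.calls.append(("disassociate", kwargs))
        return {}


if __name__ == "__main__":
    plan = plan_replacements(SAMPLE_IP_ADDRESSES)
    client = DryRunClient()
    for op, args in apply_plan(client, "rslvr-in-aaaaaaaaaaaaaaaaa", plan):
        print(op, args)
```

For a live run, replace `DryRunClient()` with `boto3.client("route53resolver")` and feed `plan_replacements` the `IpAddresses` list from `list_resolver_endpoint_ip_addresses`. Because Resolver processes each change asynchronously, poll the address list until the replacement shows ATTACHED before you issue the disassociate call, and confirm the endpoint status returns to OPERATIONAL at the end.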

AWS OFFICIAL. Updated 10 months ago.