How do I resolve the "Action needed" status of my Route 53 Resolver endpoint?
My Amazon Route 53 Resolver endpoint is in "Action needed" status. How can I resolve this?
Resolution
You noticed the "Action needed" status after trying to add or remove an endpoint IP address
Verify whether your AWS Identity and Access Management (IAM) user or role has the required permissions to add or remove endpoint IP addresses.
When adding an IP address to an inbound or outbound Resolver endpoint:
- An AssociateResolverEndpointIpAddress API call is made.
- For each IP address that you specify, Resolver automatically creates a VPC elastic network interface.
- The IAM role or user must have permissions to perform the "ec2:CreateNetworkInterface" and "ec2:DescribeNetworkInterfaces" actions. If these aren't present, then the creation fails and the status changes to "Action needed".
When removing an IP address from an inbound or outbound Resolver endpoint:
- A DisassociateResolverEndpointIpAddress API call is made.
- The network interface associated with the IP address must be deleted by performing an "ec2:DeleteNetworkInterface" call.
- The IAM role or user must have permissions to perform the "ec2:DeleteNetworkInterface" and "ec2:DescribeNetworkInterfaces" actions. If these aren't present, then the deletion fails and the status changes to "Action needed".
Be sure that the IAM user or role has the following permissions to add or remove IP addresses from Route 53 Resolver endpoints:
- ec2:DescribeNetworkInterfaces
- ec2:DescribeAvailabilityZones
- ec2:CreateNetworkInterface
- ec2:DeleteNetworkInterface
- ec2:DescribeSubnets
Review AWS CloudTrail logs for more details about the denied action. The following is an example of a CloudTrail event for the "AssociateResolverEndpointIpAddress" call when the IAM user or role is missing permissions.
"responseElements": {
    "resolverEndpoint": {
        "id": "rslvr-in-aaaaaaaaaaaaaaaaa",
        "creatorRequestId": "AWSConsole.82.1579676363636",
        "arn": "arn:aws:route53resolver:us-east-1:111111111111:resolver-endpoint/rslvr-in-11111111111111111",
        "name": "aaa",
        "securityGroupIds": [
            "sg-11111111111111111"
        ],
        "direction": "INBOUND",
        "ipAddressCount": 4,
        "hostVPCId": "vpc-11111111",
        "status": "ACTION_NEEDED",
        "statusMessage": "1 IP address(es) failed to be created. Please remove them from the ResolverEndpoint.",
        "creationTime": "2020-01-22T06:59:25.990Z",
        "modificationTime": "2020-01-22T06:59:25.990Z"
    }
}
You can also review CloudTrail logs for other events before or after the "AssociateResolverEndpointIpAddress" event to verify the missing IAM permission. For example, if the IAM user or role is missing the "CreateNetworkInterface" permission, the CloudTrail event for "CreateNetworkInterface" is as follows:
"eventSource": "ec2.amazonaws.com",
"eventName": "CreateNetworkInterface",
"awsRegion": "us-east-1",
"sourceIPAddress": "AWS Internal",
"userAgent": "AWS Internal",
"errorCode": "Client.UnauthorizedOperation",
"errorMessage": "You are not authorized to perform this operation."
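The following is an added example, not part of the AWS article, that checks the two things described above offline: whether an IAM policy document grants the five ec2 actions listed, and which ec2 network-interface calls in a set of CloudTrail records were denied. The policy and CloudTrail records are constructed samples; explicit Deny statements and conditions are assumed absent and are not evaluated.

```python
"""Offline triage for a Route 53 Resolver endpoint in ACTION_NEEDED status."""
import fnmatch

# The ec2 actions the article lists as required to add or remove endpoint IPs.
REQUIRED_ACTIONS = [
    "ec2:DescribeNetworkInterfaces",
    "ec2:DescribeAvailabilityZones",
    "ec2:CreateNetworkInterface",
    "ec2:DeleteNetworkInterface",
    "ec2:DescribeSubnets",
]

def missing_actions(policy: dict) -> list:
    """Return required actions not granted by any Allow statement.
    Action patterns may use IAM wildcards ("ec2:Describe*", "*") and are
    matched case-insensitively. Assumption: Allow statements only."""
    allowed = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        allowed += [actions] if isinstance(actions, str) else actions
    return [a for a in REQUIRED_ACTIONS
            if not any(fnmatch.fnmatchcase(a.lower(), p.lower()) for p in allowed)]

def denied_eni_calls(events: list) -> list:
    """Return (eventName, errorCode) for ec2 network-interface calls that
    CloudTrail recorded with an errorCode, e.g. Client.UnauthorizedOperation."""
    return [(e["eventName"], e["errorCode"]) for e in events
            if e.get("eventSource") == "ec2.amazonaws.com"
            and e.get("eventName") in ("CreateNetworkInterface", "DeleteNetworkInterface")
            and e.get("errorCode")]

# Constructed sample policy: grants Describe* and Delete, but not Create.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:DeleteNetworkInterface"],
     "Resource": "*"}]}

# Constructed CloudTrail records shaped like the article's example event.
SAMPLE_EVENTS = [
    {"eventSource": "route53resolver.amazonaws.com",
     "eventName": "AssociateResolverEndpointIpAddress"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "CreateNetworkInterface",
     "errorCode": "Client.UnauthorizedOperation",
     "errorMessage": "You are not authorized to perform this operation."},
]

if __name__ == "__main__":
    print("missing:", missing_actions(SAMPLE_POLICY))  # ['ec2:CreateNetworkInterface']
    print("denied:", denied_eni_calls(SAMPLE_EVENTS))
```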
You noticed the "Action needed" status but you haven't tried to add or remove an endpoint IP address or you have the right IAM permissions
This means that the endpoint is unhealthy and Resolver can't automatically recover it. Common causes for this issue include:
- Deletion of one or more of the network interfaces associated with the endpoint.
- Inability to create the network interface.
To resolve the problem, check each IP address that you associated with the endpoint. For each unavailable IP address, add another IP address. Then, delete the unavailable IP address.
Note: An endpoint must always include at least two IP addresses.
