AWS-SSM-RemediationAutomation-ExecutionRolePolicy - AWS Managed Policy

AWS-SSM-RemediationAutomation-ExecutionRolePolicy

Description: Provides permissions for Remediating issues with SSM services by executing activities defined within Automation Documents, primarily used for running the Automation documents in a target account/region setup by remediating SSM services health across all nodes.

AWS-SSM-RemediationAutomation-ExecutionRolePolicy is an AWS managed policy.

Using this policy

You can attach AWS-SSM-RemediationAutomation-ExecutionRolePolicy to your users, groups, and roles.

Policy details

  • Type: AWS managed policy

  • Creation time: November 16, 2024, 00:17 UTC

  • Edited time: November 16, 2024, 00:17 UTC

  • ARN: arn:aws:iam::aws:policy/AWS-SSM-RemediationAutomation-ExecutionRolePolicy

Policy version

Policy version: v1 (default)

The policy's default version is the version that defines the permissions for the policy. When a user or role with the policy makes a request to access an AWS resource, AWS checks the default version of the policy to determine whether to allow the request.

JSON policy document

{ "Version" : "2012-10-17", "Statement" : [ { "Sid" : "AllowReadOnlyAccessSSMResource", "Effect" : "Allow", "Action" : [ "ssm:GetAutomationExecution", "ssm:DescribeAutomationExecutions", "ssm:DescribeAutomationStepExecutions" ], "Resource" : "*" }, { "Sid" : "AllowReadOnlyAccessEC2Resource", "Effect" : "Allow", "Action" : [ "ec2:DescribeVpcAttribute", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ec2:DescribeVpcEndpoints", "ec2:DescribeSecurityGroups" ], "Resource" : "*" }, { "Sid" : "AllowCreateVpcEndpointForTaggedSecurityGroup", "Effect" : "Allow", "Action" : [ "ec2:CreateVpcEndpoint" ], "Resource" : [ "arn:aws:ec2:*:*:security-group/*" ], "Condition" : { "StringEquals" : { "aws:ResourceTag/SystemsManager::FindingNetworkingSecurityGroups::VPCE::SG" : "VPCEndpointSecurityGroup" } } }, { "Sid" : "AllowCreateVpcEndpoint", "Effect" : "Allow", "Action" : [ "ec2:CreateVpcEndpoint" ], "Resource" : [ "arn:aws:ec2:*:*:vpc/*", "arn:aws:ec2:*:*:subnet/*" ] }, { "Sid" : "RestrictCreateVpcEndpointForSSMService", "Effect" : "Allow", "Action" : [ "ec2:CreateVpcEndpoint" ], "Resource" : [ "arn:aws:ec2:*:*:vpc-endpoint/*" ], "Condition" : { "StringLike" : { "ec2:VpceServiceName" : [ "com.amazonaws.*.ssm", "com.amazonaws.*.ssmmessages", "com.amazonaws.*.ec2messages" ] }, "StringEquals" : { "aws:RequestTag/SystemsManager::FindingNetworkingVPCEndpoints::VPCE" : "VPCEndpoint" } } }, { "Sid" : "RestrictCreateVpcEndpointWithTag", "Effect" : "Allow", "Action" : "ec2:CreateTags", "Resource" : [ "arn:aws:ec2:*:*:vpc-endpoint/*" ], "Condition" : { "StringEquals" : { "aws:RequestTag/SystemsManager::FindingNetworkingVPCEndpoints::VPCE" : "VPCEndpoint", "ec2:CreateAction" : [ "CreateVpcEndpoint" ] } } }, { "Sid" : "AllowModifyVpcAttributeForDns", "Effect" : "Allow", "Action" : [ "ec2:ModifyVpcAttribute" ], "Resource" : [ "arn:aws:ec2:*:*:vpc/*" ], "Condition" : { "StringEquals" : { "ec2:Attribute" : [ "EnableDnsSupport", "EnableDnsHostnames" ] } } }, { "Sid" : "AllowSecurityGroupRuleUpdate", "Effect" : "Allow", "Action" : [ "ec2:AuthorizeSecurityGroupEgress" ], "Resource" : [ "arn:aws:ec2:*:*:security-group/*" ] }, { "Sid" : "AllowSecurityGroupRuleUpdateForTaggedResource", "Effect" : "Allow", "Action" : [ "ec2:RevokeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress" ], "Resource" : [ "arn:aws:ec2:*:*:security-group/*" ], "Condition" : { "StringEquals" : { "aws:ResourceTag/SystemsManager::FindingNetworkingSecurityGroups::VPCE::SG" : "VPCEndpointSecurityGroup" } } }, { "Sid" : "AllowSecurityGroupRuleUpdateWithTag", "Effect" : "Allow", "Action" : [ "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress" ], "Resource" : [ "arn:aws:ec2:*:*:security-group-rule/*" ], "Condition" : { "StringEquals" : { "aws:RequestTag/SystemsManager::FindingNetworkingSecurityGroups::SG::Rule" : "HTTPSAccess" } } }, { "Sid" : "AllowSecurityGroupRuleUpdateTagRule", "Effect" : "Allow", "Action" : "ec2:CreateTags", "Resource" : [ "arn:aws:ec2:*:*:security-group-rule/*" ], "Condition" : { "StringEquals" : { "aws:RequestTag/SystemsManager::FindingNetworkingSecurityGroups::SG::Rule" : "HTTPSAccess", "ec2:CreateAction" : [ "AuthorizeSecurityGroupEgress", "AuthorizeSecurityGroupIngress" ] } } }, { "Sid" : "AllowCreateSecurityGroupForVPCEndpoint", "Effect" : "Allow", "Action" : [ "ec2:CreateSecurityGroup" ], "Resource" : [ "arn:aws:ec2:*:*:vpc/*" ] }, { "Sid" : "AllowCreateSecurityGroupWithTag", "Effect" : "Allow", "Action" : [ "ec2:CreateSecurityGroup" ], "Resource" : [ "arn:aws:ec2:*:*:security-group/*" ], "Condition" : { "StringEquals" : { "aws:RequestTag/SystemsManager::FindingNetworkingSecurityGroups::VPCE::SG" : "VPCEndpointSecurityGroup" } } }, { "Sid" : "AllowTagCreationForSecurityGroupTags", "Effect" : "Allow", "Action" : "ec2:CreateTags", "Resource" : [ "arn:aws:ec2:*:*:security-group/*" ], "Condition" : { "StringEquals" : { "aws:RequestTag/SystemsManager::FindingNetworkingSecurityGroups::VPCE::SG" : "VPCEndpointSecurityGroup", "ec2:CreateAction" : [ "CreateSecurityGroup" ] } } }, { "Sid" : "AllowExecuteSSMAutomation", "Effect" : "Allow", "Action" : [ "ssm:StartAutomationExecution" ], "Resource" : [ "arn:aws:ssm:*:*:automation-definition/AWS-OrchestrateUnmanagedEC2Actions:*", "arn:aws:ssm:*:*:automation-definition/AWS-RemediateSSMAgent*:*" ] }, { "Sid" : "AllowKMSOperations", "Effect" : "Allow", "Action" : [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource" : "arn:aws:kms:*:*:key/*", "Condition" : { "StringEquals" : { "aws:ResourceTag/SystemsManagerManaged" : "true" }, "ArnLike" : { "kms:EncryptionContext:aws:s3:arn" : "arn:aws:s3:::do-not-delete-ssm-diagnosis-*" }, "StringLike" : { "kms:ViaService" : "s3.*.amazonaws.com" }, "Bool" : { "aws:ViaAWSService" : "true" } } }, { "Sid" : "AllowPassRoleOnSelfToSsm", "Effect" : "Allow", "Action" : "iam:PassRole", "Resource" : "arn:aws:iam::*:role/AWS-SSM-RemediationExecutionRole*", "Condition" : { "StringEquals" : { "iam:PassedToService" : "ssm.amazonaws.com" } } } ] }

Learn more