AWS-SSM-RemediationAutomation-OperationalAccountAdministrationRolePolicy
Description: Provides permissions for operational accounts to Remediate unmanaged nodes by providing Organisation specific permissions required by SSM automation to pull the list of member accounts within a root of an Organisation to trigger cross-account cross-region execution by allowing assuming Execution roles in target account/region.
AWS-SSM-RemediationAutomation-OperationalAccountAdministrationRolePolicy
is an AWS managed policy.
Using this policy
You can attach AWS-SSM-RemediationAutomation-OperationalAccountAdministrationRolePolicy
to your users, groups, and roles.
Policy details
-
Type: AWS managed policy
-
Creation time: November 16, 2024, 00:25 UTC
-
Edited time: November 16, 2024, 00:25 UTC
-
ARN:
arn:aws:iam::aws:policy/AWS-SSM-RemediationAutomation-OperationalAccountAdministrationRolePolicy
Policy version
Policy version: v1 (default)
The policy's default version is the version that defines the permissions for the policy. When a user or role with the policy makes a request to access an AWS resource, AWS checks the default version of the policy to determine whether to allow the request.
JSON policy document
{ "Version" : "2012-10-17", "Statement" : [ { "Sid" : "AllowReadOnlyAccessOrganization", "Effect" : "Allow", "Action" : [ "organizations:ListRoots", "organizations:ListChildren" ], "Resource" : "*" }, { "Sid" : "AllowAssumeRemediationExecutionRoleWithinOrg", "Effect" : "Allow", "Action" : "sts:AssumeRole", "Resource" : "arn:aws:iam::*:role/AWS-SSM-RemediationExecutionRole*", "Condition" : { "StringEquals" : { "aws:ResourceOrgId" : "${aws:PrincipalOrgId}" } } } ] }