AWS-SSM-RemediationAutomation-OperationalAccountAdministrationRolePolicy - AWS Managed Policy

AWS-SSM-RemediationAutomation-OperationalAccountAdministrationRolePolicy

Description: Provides permissions for operational accounts to Remediate unmanaged nodes by providing Organisation specific permissions required by SSM automation to pull the list of member accounts within a root of an Organisation to trigger cross-account cross-region execution by allowing assuming Execution roles in target account/region.

AWS-SSM-RemediationAutomation-OperationalAccountAdministrationRolePolicy is an AWS managed policy.

Using this policy

You can attach AWS-SSM-RemediationAutomation-OperationalAccountAdministrationRolePolicy to your users, groups, and roles.

Policy details

  • Type: AWS managed policy

  • Creation time: November 16, 2024, 00:25 UTC

  • Edited time: November 16, 2024, 00:25 UTC

  • ARN: arn:aws:iam::aws:policy/AWS-SSM-RemediationAutomation-OperationalAccountAdministrationRolePolicy

Policy version

Policy version: v1 (default)

The policy's default version is the version that defines the permissions for the policy. When a user or role with the policy makes a request to access an AWS resource, AWS checks the default version of the policy to determine whether to allow the request.

JSON policy document

{ "Version" : "2012-10-17", "Statement" : [ { "Sid" : "AllowReadOnlyAccessOrganization", "Effect" : "Allow", "Action" : [ "organizations:ListRoots", "organizations:ListChildren" ], "Resource" : "*" }, { "Sid" : "AllowAssumeRemediationExecutionRoleWithinOrg", "Effect" : "Allow", "Action" : "sts:AssumeRole", "Resource" : "arn:aws:iam::*:role/AWS-SSM-RemediationExecutionRole*", "Condition" : { "StringEquals" : { "aws:ResourceOrgId" : "${aws:PrincipalOrgId}" } } } ] }

Learn more