AWS-SSM-RemediationAutomation-ExecutionRolePolicy - AWS Política gestionada

Las traducciones son generadas a través de traducción automática. En caso de conflicto entre la traducción y la version original de inglés, prevalecerá la version en inglés.

AWS-SSM-RemediationAutomation-ExecutionRolePolicy

Descripción: Proporciona permisos para solucionar problemas relacionados con los SSM servicios mediante la ejecución de las actividades definidas en los documentos de automatización, que se utilizan principalmente para ejecutar los documentos de automatización en una configuración de cuenta o región de destino mediante la corrección del estado de SSM los servicios en todos los nodos.

AWS-SSM-RemediationAutomation-ExecutionRolePolicy es una política administrada por AWS.

Uso de la política

Puede asociar AWS-SSM-RemediationAutomation-ExecutionRolePolicy a los usuarios, grupos y roles.

Información de la política

  • Tipo: política gestionada AWS

  • Hora de creación: 16 de noviembre de 2024, 00:17 UTC

  • Hora editada: 16 de noviembre de 2024, 00:17 UTC

  • ARN: arn:aws:iam::aws:policy/AWS-SSM-RemediationAutomation-ExecutionRolePolicy

Versión de la política

Versión de la política: v1 (predeterminado)

La versión predeterminada de la política define qué permisos tendrá. Cuando un usuario o un rol con la política solicita el acceso a un AWS recurso, AWS comprueba la versión predeterminada de la política para determinar si permite la solicitud.

JSONdocumento de política

{ "Version" : "2012-10-17", "Statement" : [ { "Sid" : "AllowReadOnlyAccessSSMResource", "Effect" : "Allow", "Action" : [ "ssm:GetAutomationExecution", "ssm:DescribeAutomationExecutions", "ssm:DescribeAutomationStepExecutions" ], "Resource" : "*" }, { "Sid" : "AllowReadOnlyAccessEC2Resource", "Effect" : "Allow", "Action" : [ "ec2:DescribeVpcAttribute", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ec2:DescribeVpcEndpoints", "ec2:DescribeSecurityGroups" ], "Resource" : "*" }, { "Sid" : "AllowCreateVpcEndpointForTaggedSecurityGroup", "Effect" : "Allow", "Action" : [ "ec2:CreateVpcEndpoint" ], "Resource" : [ "arn:aws:ec2:*:*:security-group/*" ], "Condition" : { "StringEquals" : { "aws:ResourceTag/SystemsManager::FindingNetworkingSecurityGroups::VPCE::SG" : "VPCEndpointSecurityGroup" } } }, { "Sid" : "AllowCreateVpcEndpoint", "Effect" : "Allow", "Action" : [ "ec2:CreateVpcEndpoint" ], "Resource" : [ "arn:aws:ec2:*:*:vpc/*", "arn:aws:ec2:*:*:subnet/*" ] }, { "Sid" : "RestrictCreateVpcEndpointForSSMService", "Effect" : "Allow", "Action" : [ "ec2:CreateVpcEndpoint" ], "Resource" : [ "arn:aws:ec2:*:*:vpc-endpoint/*" ], "Condition" : { "StringLike" : { "ec2:VpceServiceName" : [ "com.amazonaws.*.ssm", "com.amazonaws.*.ssmmessages", "com.amazonaws.*.ec2messages" ] }, "StringEquals" : { "aws:RequestTag/SystemsManager::FindingNetworkingVPCEndpoints::VPCE" : "VPCEndpoint" } } }, { "Sid" : "RestrictCreateVpcEndpointWithTag", "Effect" : "Allow", "Action" : "ec2:CreateTags", "Resource" : [ "arn:aws:ec2:*:*:vpc-endpoint/*" ], "Condition" : { "StringEquals" : { "aws:RequestTag/SystemsManager::FindingNetworkingVPCEndpoints::VPCE" : "VPCEndpoint", "ec2:CreateAction" : [ "CreateVpcEndpoint" ] } } }, { "Sid" : "AllowModifyVpcAttributeForDns", "Effect" : "Allow", "Action" : [ "ec2:ModifyVpcAttribute" ], "Resource" : [ "arn:aws:ec2:*:*:vpc/*" ], "Condition" : { "StringEquals" : { "ec2:Attribute" : [ "EnableDnsSupport", "EnableDnsHostnames" ] } } }, { "Sid" : "AllowSecurityGroupRuleUpdate", "Effect" : "Allow", "Action" : [ "ec2:AuthorizeSecurityGroupEgress" ], "Resource" : [ "arn:aws:ec2:*:*:security-group/*" ] }, { "Sid" : "AllowSecurityGroupRuleUpdateForTaggedResource", "Effect" : "Allow", "Action" : [ "ec2:RevokeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress" ], "Resource" : [ "arn:aws:ec2:*:*:security-group/*" ], "Condition" : { "StringEquals" : { "aws:ResourceTag/SystemsManager::FindingNetworkingSecurityGroups::VPCE::SG" : "VPCEndpointSecurityGroup" } } }, { "Sid" : "AllowSecurityGroupRuleUpdateWithTag", "Effect" : "Allow", "Action" : [ "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress" ], "Resource" : [ "arn:aws:ec2:*:*:security-group-rule/*" ], "Condition" : { "StringEquals" : { "aws:RequestTag/SystemsManager::FindingNetworkingSecurityGroups::SG::Rule" : "HTTPSAccess" } } }, { "Sid" : "AllowSecurityGroupRuleUpdateTagRule", "Effect" : "Allow", "Action" : "ec2:CreateTags", "Resource" : [ "arn:aws:ec2:*:*:security-group-rule/*" ], "Condition" : { "StringEquals" : { "aws:RequestTag/SystemsManager::FindingNetworkingSecurityGroups::SG::Rule" : "HTTPSAccess", "ec2:CreateAction" : [ "AuthorizeSecurityGroupEgress", "AuthorizeSecurityGroupIngress" ] } } }, { "Sid" : "AllowCreateSecurityGroupForVPCEndpoint", "Effect" : "Allow", "Action" : [ "ec2:CreateSecurityGroup" ], "Resource" : [ "arn:aws:ec2:*:*:vpc/*" ] }, { "Sid" : "AllowCreateSecurityGroupWithTag", "Effect" : "Allow", "Action" : [ "ec2:CreateSecurityGroup" ], "Resource" : [ "arn:aws:ec2:*:*:security-group/*" ], "Condition" : { "StringEquals" : { "aws:RequestTag/SystemsManager::FindingNetworkingSecurityGroups::VPCE::SG" : "VPCEndpointSecurityGroup" } } }, { "Sid" : "AllowTagCreationForSecurityGroupTags", "Effect" : "Allow", "Action" : "ec2:CreateTags", "Resource" : [ "arn:aws:ec2:*:*:security-group/*" ], "Condition" : { "StringEquals" : { "aws:RequestTag/SystemsManager::FindingNetworkingSecurityGroups::VPCE::SG" : "VPCEndpointSecurityGroup", "ec2:CreateAction" : [ "CreateSecurityGroup" ] } } }, { "Sid" : "AllowExecuteSSMAutomation", "Effect" : "Allow", "Action" : [ "ssm:StartAutomationExecution" ], "Resource" : [ "arn:aws:ssm:*:*:automation-definition/AWS-OrchestrateUnmanagedEC2Actions:*", "arn:aws:ssm:*:*:automation-definition/AWS-RemediateSSMAgent*:*" ] }, { "Sid" : "AllowKMSOperations", "Effect" : "Allow", "Action" : [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource" : "arn:aws:kms:*:*:key/*", "Condition" : { "StringEquals" : { "aws:ResourceTag/SystemsManagerManaged" : "true" }, "ArnLike" : { "kms:EncryptionContext:aws:s3:arn" : "arn:aws:s3:::do-not-delete-ssm-diagnosis-*" }, "StringLike" : { "kms:ViaService" : "s3.*.amazonaws.com" }, "Bool" : { "aws:ViaAWSService" : "true" } } }, { "Sid" : "AllowPassRoleOnSelfToSsm", "Effect" : "Allow", "Action" : "iam:PassRole", "Resource" : "arn:aws:iam::*:role/AWS-SSM-RemediationExecutionRole*", "Condition" : { "StringEquals" : { "iam:PassedToService" : "ssm.amazonaws.com" } } } ] }

Más información