AWS-SSM-RemediationAutomation-ExecutionRolePolicy - AWS Policy gestita

Le traduzioni sono generate tramite traduzione automatica. In caso di conflitto tra il contenuto di una traduzione e la versione originale in Inglese, quest'ultima prevarrà.

AWS-SSM-RemediationAutomation-ExecutionRolePolicy

Descrizione: fornisce le autorizzazioni per la risoluzione dei problemi relativi ai SSM servizi eseguendo le attività definite nei documenti di automazione, utilizzate principalmente per eseguire i documenti di automazione in una configurazione di account/regione di destinazione ripristinando l'integrità SSM dei servizi su tutti i nodi.

AWS-SSM-RemediationAutomation-ExecutionRolePolicyè una politica gestita.AWS

Utilizzo di questa politica

Puoi collegarti AWS-SSM-RemediationAutomation-ExecutionRolePolicy ai tuoi utenti, gruppi e ruoli.

Dettagli della politica

  • Tipo: politica AWS gestita

  • Ora di creazione: 16 novembre 2024, 00:17 UTC

  • Ora modificata: 16 novembre 2024, 00:17 UTC

  • ARN: arn:aws:iam::aws:policy/AWS-SSM-RemediationAutomation-ExecutionRolePolicy

Versione della politica

Versione della politica: v1 (default) (predefinito)

La versione predefinita della politica è la versione che definisce le autorizzazioni per la politica. Quando un utente o un ruolo con la politica effettua una richiesta di accesso a una AWS risorsa, AWS controlla la versione predefinita della politica per determinare se consentire la richiesta.

JSONdocumento di policy

{ "Version" : "2012-10-17", "Statement" : [ { "Sid" : "AllowReadOnlyAccessSSMResource", "Effect" : "Allow", "Action" : [ "ssm:GetAutomationExecution", "ssm:DescribeAutomationExecutions", "ssm:DescribeAutomationStepExecutions" ], "Resource" : "*" }, { "Sid" : "AllowReadOnlyAccessEC2Resource", "Effect" : "Allow", "Action" : [ "ec2:DescribeVpcAttribute", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ec2:DescribeVpcEndpoints", "ec2:DescribeSecurityGroups" ], "Resource" : "*" }, { "Sid" : "AllowCreateVpcEndpointForTaggedSecurityGroup", "Effect" : "Allow", "Action" : [ "ec2:CreateVpcEndpoint" ], "Resource" : [ "arn:aws:ec2:*:*:security-group/*" ], "Condition" : { "StringEquals" : { "aws:ResourceTag/SystemsManager::FindingNetworkingSecurityGroups::VPCE::SG" : "VPCEndpointSecurityGroup" } } }, { "Sid" : "AllowCreateVpcEndpoint", "Effect" : "Allow", "Action" : [ "ec2:CreateVpcEndpoint" ], "Resource" : [ "arn:aws:ec2:*:*:vpc/*", "arn:aws:ec2:*:*:subnet/*" ] }, { "Sid" : "RestrictCreateVpcEndpointForSSMService", "Effect" : "Allow", "Action" : [ "ec2:CreateVpcEndpoint" ], "Resource" : [ "arn:aws:ec2:*:*:vpc-endpoint/*" ], "Condition" : { "StringLike" : { "ec2:VpceServiceName" : [ "com.amazonaws.*.ssm", "com.amazonaws.*.ssmmessages", "com.amazonaws.*.ec2messages" ] }, "StringEquals" : { "aws:RequestTag/SystemsManager::FindingNetworkingVPCEndpoints::VPCE" : "VPCEndpoint" } } }, { "Sid" : "RestrictCreateVpcEndpointWithTag", "Effect" : "Allow", "Action" : "ec2:CreateTags", "Resource" : [ "arn:aws:ec2:*:*:vpc-endpoint/*" ], "Condition" : { "StringEquals" : { "aws:RequestTag/SystemsManager::FindingNetworkingVPCEndpoints::VPCE" : "VPCEndpoint", "ec2:CreateAction" : [ "CreateVpcEndpoint" ] } } }, { "Sid" : "AllowModifyVpcAttributeForDns", "Effect" : "Allow", "Action" : [ "ec2:ModifyVpcAttribute" ], "Resource" : [ "arn:aws:ec2:*:*:vpc/*" ], "Condition" : { "StringEquals" : { "ec2:Attribute" : [ "EnableDnsSupport", "EnableDnsHostnames" ] } } }, { "Sid" : "AllowSecurityGroupRuleUpdate", "Effect" : "Allow", "Action" : [ "ec2:AuthorizeSecurityGroupEgress" ], "Resource" : [ "arn:aws:ec2:*:*:security-group/*" ] }, { "Sid" : "AllowSecurityGroupRuleUpdateForTaggedResource", "Effect" : "Allow", "Action" : [ "ec2:RevokeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress" ], "Resource" : [ "arn:aws:ec2:*:*:security-group/*" ], "Condition" : { "StringEquals" : { "aws:ResourceTag/SystemsManager::FindingNetworkingSecurityGroups::VPCE::SG" : "VPCEndpointSecurityGroup" } } }, { "Sid" : "AllowSecurityGroupRuleUpdateWithTag", "Effect" : "Allow", "Action" : [ "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress" ], "Resource" : [ "arn:aws:ec2:*:*:security-group-rule/*" ], "Condition" : { "StringEquals" : { "aws:RequestTag/SystemsManager::FindingNetworkingSecurityGroups::SG::Rule" : "HTTPSAccess" } } }, { "Sid" : "AllowSecurityGroupRuleUpdateTagRule", "Effect" : "Allow", "Action" : "ec2:CreateTags", "Resource" : [ "arn:aws:ec2:*:*:security-group-rule/*" ], "Condition" : { "StringEquals" : { "aws:RequestTag/SystemsManager::FindingNetworkingSecurityGroups::SG::Rule" : "HTTPSAccess", "ec2:CreateAction" : [ "AuthorizeSecurityGroupEgress", "AuthorizeSecurityGroupIngress" ] } } }, { "Sid" : "AllowCreateSecurityGroupForVPCEndpoint", "Effect" : "Allow", "Action" : [ "ec2:CreateSecurityGroup" ], "Resource" : [ "arn:aws:ec2:*:*:vpc/*" ] }, { "Sid" : "AllowCreateSecurityGroupWithTag", "Effect" : "Allow", "Action" : [ "ec2:CreateSecurityGroup" ], "Resource" : [ "arn:aws:ec2:*:*:security-group/*" ], "Condition" : { "StringEquals" : { "aws:RequestTag/SystemsManager::FindingNetworkingSecurityGroups::VPCE::SG" : "VPCEndpointSecurityGroup" } } }, { "Sid" : "AllowTagCreationForSecurityGroupTags", "Effect" : "Allow", "Action" : "ec2:CreateTags", "Resource" : [ "arn:aws:ec2:*:*:security-group/*" ], "Condition" : { "StringEquals" : { "aws:RequestTag/SystemsManager::FindingNetworkingSecurityGroups::VPCE::SG" : "VPCEndpointSecurityGroup", "ec2:CreateAction" : [ "CreateSecurityGroup" ] } } }, { "Sid" : "AllowExecuteSSMAutomation", "Effect" : "Allow", "Action" : [ "ssm:StartAutomationExecution" ], "Resource" : [ "arn:aws:ssm:*:*:automation-definition/AWS-OrchestrateUnmanagedEC2Actions:*", "arn:aws:ssm:*:*:automation-definition/AWS-RemediateSSMAgent*:*" ] }, { "Sid" : "AllowKMSOperations", "Effect" : "Allow", "Action" : [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource" : "arn:aws:kms:*:*:key/*", "Condition" : { "StringEquals" : { "aws:ResourceTag/SystemsManagerManaged" : "true" }, "ArnLike" : { "kms:EncryptionContext:aws:s3:arn" : "arn:aws:s3:::do-not-delete-ssm-diagnosis-*" }, "StringLike" : { "kms:ViaService" : "s3.*.amazonaws.com" }, "Bool" : { "aws:ViaAWSService" : "true" } } }, { "Sid" : "AllowPassRoleOnSelfToSsm", "Effect" : "Allow", "Action" : "iam:PassRole", "Resource" : "arn:aws:iam::*:role/AWS-SSM-RemediationExecutionRole*", "Condition" : { "StringEquals" : { "iam:PassedToService" : "ssm.amazonaws.com" } } } ] }

Ulteriori informazioni