`AWSConfigRemediation-ReplaceIAMInlinePolicy`

Description

The AWSConfigRemediation-ReplaceIAMInlinePolicy runbook replaces an inline AWS Identity and Access Management (IAM) policy with a replicated managed IAM policy. For an inline policy attached to a user, group, or role, the inline policy permissions are cloned into a managed IAM policy. The managed IAM policy is added to the resource, and the inline policy is removed. AWS Config must be enabled in the AWS Region where you run this automation.

Run this Automation (console)

Document type

Automation

Owner

Amazon

Platforms

Linux, macOS, Windows

Parameters

AutomationAssumeRole

Type: String

Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
InlinePolicyName

Type: StringList

Description: (Required) The inline IAM policy you want to replace.
ResourceId

Type: String

Description: (Required) The ID of the IAM user, group, or role whose inline policy you want to replace.

Required IAM permissions

The AutomationAssumeRole parameter requires the following actions to use the runbook successfully.

ssm:StartAutomationExecution
ssm:GetAutomationExecution
iam:AttachGroupPolicy
iam:AttachRolePolicy
iam:AttachUserPolicy
iam:CreatePolicy
iam:CreatePolicyVersion
iam:DeleteGroupPolicy
iam:DeleteRolePolicy
iam:DeleteUserPolicy
iam:GetGroupPolicy
iam:GetRolePolicy
iam:GetUserPolicy
iam:ListGroupPolicies
iam:ListRolePolicies
iam:ListUserPolicies

Document Steps

aws:executeScript - Replace the inline IAM policy with an AWS replicated policy on the resource that you specify.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

AWSConfigRemediation-RemoveUserPolicies

AWSConfigRemediation-RevokeUnusedIAMUserCredentials