AWSConfigRemediation-RemovePrincipalStarFromS3BucketPolicy - Amazon Systems Manager Automation runbook reference
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).



The AWSConfigRemediation-RemovePrincipalStarFromS3BucketPolicy runbook removes principal policy statements that have wildcards ( Principal: * or Principal: "AWS": * ) for Allow actions from your Amazon Simple Storage Service (Amazon S3) bucket policy. Policy statements with conditions are also removed.

Run this Automation (console)

Document type





Linux, macOS, Windows


  • AutomationAssumeRole

    Type: String

    Description: (Required) The Amazon Resource Name (ARN) of the Amazon Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.

  • BucketName

    Type: String

    Description: (Required) The name of the Amazon S3 bucket whose policy you want to modify.

Required IAM permissions

The AutomationAssumeRole parameter requires the following actions to use the runbook successfully.

  • ssm:StartAutomationExecution

  • ssm:GetAutomationExecution

  • s3:DeleteBucketPolicy

  • s3:GetBucketPolicy

  • s3:PutBucketPolicy

Document Steps

  • aws:executeScript - Modifies the bucket policy and verifies principal policy statements with wildcards have been removed from the Amazon S3 bucket you specify in the BucketName parameter.