AWSConfigRemediation-RemovePrincipalStarFromS3BucketPolicy
Description
The AWSConfigRemediation-RemovePrincipalStarFromS3BucketPolicy runbook removes Allow statements whose principal is a wildcard ("Principal": "*" or "Principal": {"AWS": "*"}) from your Amazon Simple Storage Service (Amazon S3) bucket policy. Such statements are removed even when they carry a Condition block.
Document type
Automation
Owner
Amazon
Platforms
Linux, macOS, Windows
Parameters
- AutomationAssumeRole
  Type: String
  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
- BucketName
  Type: String
  Description: (Required) The name of the Amazon S3 bucket whose policy you want to modify.
Required IAM permissions
The AutomationAssumeRole parameter requires the following actions to use the runbook successfully.
- ssm:StartAutomationExecution
- ssm:GetAutomationExecution
- s3:DeleteBucketPolicy
- s3:GetBucketPolicy
- s3:PutBucketPolicy
Document Steps
- aws:executeScript
  Modifies the bucket policy and verifies that principal policy statements with wildcards have been removed from the Amazon S3 bucket you specify in the BucketName parameter.
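The following Python is an added illustration of the policy transformation the description above outlines; it is not the runbook's own aws:executeScript code. It works on a policy document held in memory (the sample policy below is constructed for the example) instead of calling Amazon S3, and it assumes, which the page does not state, that a policy left with no statements is deleted rather than written back empty, which is consistent with the role needing s3:DeleteBucketPolicy.

```python
"""Remove wildcard-principal Allow statements from an S3 bucket policy.

Added example of the transformation the runbook performs; this is not the
runbook's own code. It operates on a constructed in-memory policy document.
"""
import copy
import json
from typing import List, Optional


def principal_is_wildcard(principal) -> bool:
    """True if Principal is "*" or {"AWS": "*"} (or an "AWS" list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*":
            return True
        if isinstance(aws, list) and "*" in aws:
            return True
    return False


def remove_principal_star(policy: dict) -> Optional[dict]:
    """Return a copy of policy without Allow statements whose Principal is a wildcard.

    Statements are dropped even when they carry a Condition block, matching the
    runbook description. Deny statements are left alone. Returns None when no
    statements remain (assumption: an empty policy would be deleted).
    """
    policy = copy.deepcopy(policy)  # never mutate the caller's document
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written as an object
        statements = [statements]
    kept = [
        s for s in statements
        if not (s.get("Effect") == "Allow" and principal_is_wildcard(s.get("Principal")))
    ]
    if not kept:
        return None
    policy["Statement"] = kept
    return policy


# Constructed sample policy: four statements, two of which should be removed.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # public read with no condition: removed
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {   # public read restricted by a Condition: still removed
            "Sid": "PublicReadWithCondition",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
        },
        {   # explicit Deny to everyone: kept, it is not an Allow
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {   # scoped to one account (placeholder account id): kept
            "Sid": "AccountAccess",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::example-bucket",
        },
    ],
}


def remaining_sids(policy: dict) -> List[str]:
    """Sids of the statements that survived, in order."""
    return [s["Sid"] for s in policy["Statement"]]


if __name__ == "__main__":
    cleaned = remove_principal_star(SAMPLE_POLICY)
    print(json.dumps(cleaned, indent=2))
```

Run it and the two public-read statements disappear while the Deny statement and the account-scoped Allow remain; the conditioned public-read statement is removed too, which is the behaviour the description calls out.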