AWSConfigRemediation-ReplaceIAMInlinePolicy
Description
The AWSConfigRemediation-ReplaceIAMInlinePolicy runbook replaces an
inline Amazon Identity and Access Management (IAM) policy with a replicated managed IAM policy. For an
inline policy attached to a user, group, or role, the inline policy permissions are
cloned into a managed IAM policy. The managed IAM policy is added to the
resource, and the inline policy is removed. Amazon Config must be enabled in the Amazon Web Services Region
where you run this automation.
Document type
Automation
Owner
Amazon
Platforms
Linux, macOS, Windows
Parameters
-
AutomationAssumeRole
Type: String
Description: (Required) The Amazon Resource Name (ARN) of the Amazon Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
-
InlinePolicyName
Type: StringList
Description: (Required) The inline IAM policy you want to replace.
-
ResourceId
Type: String
Description: (Required) The ID of the IAM user, group, or role whose inline policy you want to replace.
Required IAM permissions
The AutomationAssumeRole parameter requires the following actions to
use the runbook successfully.
-
ssm:StartAutomationExecution -
ssm:GetAutomationExecution -
iam:AttachGroupPolicy -
iam:AttachRolePolicy -
iam:AttachUserPolicy -
iam:CreatePolicy -
iam:CreatePolicyVersion -
iam:DeleteGroupPolicy -
iam:DeleteRolePolicy -
iam:DeleteUserPolicy -
iam:GetGroupPolicy -
iam:GetRolePolicy -
iam:GetUserPolicy -
iam:ListGroupPolicies -
iam:ListRolePolicies -
iam:ListUserPolicies
Document Steps
-
aws:executeScript- Replace the inline IAM policy with an Amazon replicated policy on the resource that you specify.