AWSConfigRemediation-ReplaceIAMInlinePolicy
Description
The AWSConfigRemediation-ReplaceIAMInlinePolicy runbook replaces an
inline Amazon Identity and Access Management (IAM) policy with a replicated managed IAM policy. For an
inline policy attached to a user, group, or role, the inline policy
permissions are cloned into a managed IAM policy. The managed IAM policy is
added to the resource, and the inline policy is removed. Amazon Config must be enabled in the
Amazon Web Services Region where you run this automation.
Document type
Automation
Owner
Amazon
Platforms
Linux, macOS, Windows
Parameters
-
AutomationAssumeRole
Type: String
Allowed values: ^arn:(?:aws|aws-us-gov|aws-cn):iam::\d{12}:role\/[\w+=,.@/-]+$
Description: (Required) The Amazon Resource Name (ARN) of the Amazon Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
-
InlinePolicyName
Type: StringList
Description: (Required) The inline IAM policy you want to replace.
-
ResourceId
Type: String
Description: (Required) The ID of the IAM user, group, or role whose inline policy you want to replace.
Required IAM permissions
The AutomationAssumeRole parameter requires the following actions to
successfully use the runbook.
-
ssm:StartAutomationExecution -
ssm:GetAutomationExecution -
iam:AttachGroupPolicy -
iam:AttachRolePolicy -
iam:AttachUserPolicy -
iam:CreatePolicy -
iam:CreatePolicyVersion -
iam:DeleteGroupPolicy -
iam:DeleteRolePolicy -
iam:DeleteUserPolicy -
iam:GetGroupPolicy -
iam:GetRolePolicy -
iam:GetUserPolicy -
iam:ListGroupPolicies -
iam:ListRolePolicies -
iam:ListUserPolicies
Document Steps
-
aws:executeScript- Replace the inline IAM policy with an Amazon replicated policy on the resource that you specify.