Controlling access to auto-approval runbook workflows - Amazon Systems Manager
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Controlling access to auto-approval runbook workflows

In each change template created for your organization or account, you can specify whether change requests created from that template can run as auto-approved change requests, meaning that they run automatically without a review step (with the exception of change freeze events).

However, you might want to prevent certain users, groups, or Amazon Identity and Access Management (IAM) roles from running auto-approved change requests even if a change template allows it. You can do this by using the ssm:AutoApprove condition key for the StartChangeRequestExecution operation in an IAM policy attached to the user, group, or IAM role.

You can add the following policy as an inline policy, where the condition is specified as false, to prevent users from running auto-approvable change requests.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ssm:StartChangeRequestExecution",
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "ssm:AutoApprove": "false"
                }
            }
        }
    ]
}
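To see why the policy uses BoolIfExists rather than Bool, the following added example (not from the Systems Manager documentation or the IAM policy engine) is a simplified evaluator that applies the statement above to constructed request contexts: one with ssm:AutoApprove set to true, one set to false, and one where the key is absent. Action matching and the request contexts are simplifications assumed for illustration.

```python
from typing import Any, Optional

# Constructed copy of the policy on this page; used as input to the simulator.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "ssm:StartChangeRequestExecution",
        "Resource": "*",
        "Condition": {"BoolIfExists": {"ssm:AutoApprove": "false"}},
    }],
}

ACTION = "ssm:StartChangeRequestExecution"


def bool_condition(operator: str, expected: str, actual: Optional[Any]) -> bool:
    """Evaluate one Bool / BoolIfExists condition key.

    `actual` is None when the key is absent from the request context.
    With the IfExists suffix a missing key makes the condition true;
    with plain Bool a missing key makes the statement fail to match.
    """
    if actual is None:
        return operator.endswith("IfExists")
    return str(actual).lower() == expected.lower()


def statement_matches(stmt: dict, action: str, context: dict) -> bool:
    # Simplification: exact action match only (real IAM also supports wildcards).
    if stmt["Action"] != action:
        return False
    for operator, keys in stmt.get("Condition", {}).items():
        if operator not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(operator)
        for key, expected in keys.items():
            if not bool_condition(operator, expected, context.get(key)):
                return False
    return True


def is_allowed(policy: dict, action: str, context: dict) -> bool:
    """Simplified IAM decision: explicit Deny wins, then any Allow, else implicit deny."""
    effects = [s["Effect"] for s in policy["Statement"]
               if statement_matches(s, action, context)]
    return "Deny" not in effects and "Allow" in effects


def with_operator(policy: dict, operator: str) -> dict:
    """Return a copy of the policy whose Bool condition uses `operator` instead."""
    stmt = dict(policy["Statement"][0])
    stmt["Condition"] = {operator: dict(next(iter(policy["Statement"][0]["Condition"].values())))}
    return {"Version": policy["Version"], "Statement": [stmt]}
```

With BoolIfExists, a request that sets ssm:AutoApprove to true is implicitly denied while one that sets it to false, or omits the key, is allowed; switching the operator to plain Bool would also deny the request that omits the key.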

For information about specifying inline policies, see Inline policies and Adding and removing IAM identity permissions in the IAM User Guide.

For more information about condition keys for Systems Manager policies, see Condition keys for Systems Manager.