Controlling access to auto-approval runbook workflows
In each change template created for your organization or account, you can specify whether change requests created from that template can run as auto-approved change requests, meaning that they run automatically without a review step (with the exception of change freeze events).
However, you might want to prevent certain users, groups, or Amazon Identity and Access Management (IAM)
roles from running auto-approved change requests even if a change template allows
it. You can do this through the use of the ssm:AutoApprove
condition
key for the StartChangeRequestExecution
operation in an IAM policy
assigned to the user, group, or IAM role.
You can add the following policy as an inline policy, where the condition is
specified as false
, to prevent users from running auto-approvable
change requests.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ssm:StartChangeRequestExecution", "Resource": "*", "Condition": { "BoolIfExists": { "ssm:AutoApprove": "false" } } } ] }
For information about specifying inline policies, see Inline policies and Adding and removing IAM identity permissions in the IAM User Guide.
For more information about condition keys for Systems Manager policies, see Condition keys for Systems Manager.