aws.ssm-document¶
Filters¶
cross-account¶
Filter SSM documents which have cross account permissions
- example:
policies:
- name: ssm-cross-account
resource: ssm-document
filters:
- type: cross-account
whitelist: [xxxxxxxxxxxx]
properties:
actions:
items:
type: string
type: array
everyone_only:
type: boolean
type:
enum:
- cross-account
whitelist:
items:
type: string
type: array
whitelist_conditions:
items:
type: string
type: array
whitelist_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
url:
type: string
required:
- url
type: object
whitelist_orgids:
items:
type: string
type: array
whitelist_orgids_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
url:
type: string
required:
- url
type: object
whitelist_vpc:
items:
type: string
type: array
whitelist_vpc_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
url:
type: string
required:
- url
type: object
whitelist_vpce:
items:
type: string
type: array
whitelist_vpce_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
url:
type: string
required:
- url
type: object
required:
- type
Permissions - ssm:DescribeDocumentPermission
Actions¶
delete¶
Delete SSM documents. Set force flag to True to force delete on documents that are shared across accounts. This will remove those shared accounts, and then delete the document. Otherwise, delete will fail and raise InvalidDocumentOperation exception if a document is shared with other accounts. Default value for force is False.
- example:
policies:
- name: ssm-delete-documents
resource: ssm-document
filters:
- type: cross-account
whitelist: [xxxxxxxxxxxx]
actions:
- type: delete
force: True
properties:
force:
type: boolean
type:
enum:
- delete
required:
- type
Permissions - ssm:DeleteDocument, ssm:ModifyDocumentPermission
set-sharing¶
Edit list of accounts that share permissions on an SSM document. Pass in a list of account IDs to the ‘add’ or ‘remove’ fields to edit document sharing permissions. Set ‘remove’ to ‘matched’ to automatically remove any external accounts on a document (use in conjunction with the cross-account filter).
- example:
policies:
- name: ssm-set-sharing
resource: ssm-document
filters:
- type: cross-account
whitelist: [xxxxxxxxxxxx]
actions:
- type: set-sharing
add: [yyyyyyyyyy]
remove: matched
properties:
add:
items:
type: string
type: array
remove:
oneOf:
- enum:
- matched
- items:
type: string
type: array
type:
enum:
- set-sharing
required:
- type
Permissions - ssm:ModifyDocumentPermission