aws.ssm-document

Filters

cross-account

Filter SSM documents which have cross account permissions

example:

policies:
  - name: ssm-cross-account
    resource: ssm-document
    filters:
      - type: cross-account
        whitelist: [xxxxxxxxxxxx]
properties:
  actions:
    items:
      type: string
    type: array
  everyone_only:
    type: boolean
  type:
    enum:
    - cross-account
  whitelist:
    items:
      type: string
    type: array
  whitelist_conditions:
    items:
      type: string
    type: array
  whitelist_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  whitelist_orgids:
    items:
      type: string
    type: array
  whitelist_orgids_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  whitelist_vpc:
    items:
      type: string
    type: array
  whitelist_vpc_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  whitelist_vpce:
    items:
      type: string
    type: array
  whitelist_vpce_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
required:
- type

Permissions - ssm:DescribeDocumentPermission

json-diff

Compute the diff from the current resource to a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Utilizes config as a resource revision database.

Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).

properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type

Permissions - config:GetResourceConfigHistory

Actions

delete

Delete SSM documents. Set force flag to True to force delete on documents that are shared across accounts. This will remove those shared accounts, and then delete the document. Otherwise, delete will fail and raise InvalidDocumentOperation exception if a document is shared with other accounts. Default value for force is False.

example:

policies:
  - name: ssm-delete-documents
    resource: ssm-document
    filters:
      - type: cross-account
        whitelist: [xxxxxxxxxxxx]
    actions:
      - type: delete
        force: True
properties:
  force:
    type: boolean
  type:
    enum:
    - delete
required:
- type

Permissions - ssm:DeleteDocument, ssm:ModifyDocumentPermission

set-sharing

Edit list of accounts that share permissions on an SSM document. Pass in a list of account IDs to the ‘add’ or ‘remove’ fields to edit document sharing permissions. Set ‘remove’ to ‘matched’ to automatically remove any external accounts on a document (use in conjunction with the cross-account filter).

example:

policies:
  - name: ssm-set-sharing
    resource: ssm-document
    filters:
      - type: cross-account
        whitelist: [xxxxxxxxxxxx]
    actions:
      - type: set-sharing
        add: [yyyyyyyyyy]
        remove: matched
properties:
  add:
    items:
      type: string
    type: array
  remove:
    oneOf:
    - enum:
      - matched
    - items:
        type: string
      type: array
  type:
    enum:
    - set-sharing
required:
- type

Permissions - ssm:ModifyDocumentPermission