aws.ssm-document

Filters

cross-account

Filter SSM documents which have cross account permissions

example

policies:
  - name: ssm-cross-account
    resource: ssm-document
    filters:
      - type: cross-account
        whitelist: [xxxxxxxxxxxx]
properties:
  actions:
    items:
      type: string
    type: array
  everyone_only:
    type: boolean
  type:
    enum:
    - cross-account
  whitelist:
    items:
      type: string
    type: array
  whitelist_conditions:
    items:
      type: string
    type: array
  whitelist_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  whitelist_orgids:
    items:
      type: string
    type: array
  whitelist_orgids_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  whitelist_vpc:
    items:
      type: string
    type: array
  whitelist_vpc_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  whitelist_vpce:
    items:
      type: string
    type: array
  whitelist_vpce_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
required:
- type

Permissions - ssm:DescribeDocumentPermission

Actions

delete

Delete SSM documents. Set force flag to True to force delete on documents that are shared across accounts. This will remove those shared accounts, and then delete the document. Otherwise, delete will fail and raise InvalidDocumentOperation exception if a document is shared with other accounts. Default value for force is False.

example

policies:
  - name: ssm-delete-documents
    resource: ssm-document
    filters:
      - type: cross-account
        whitelist: [xxxxxxxxxxxx]
    actions:
      - type: delete
        force: True
properties:
  force:
    type: boolean
  type:
    enum:
    - delete
required:
- type

Permissions - ssm:DeleteDocument, ssm:ModifyDocumentPermission

set-sharing

Edit list of accounts that share permissions on an SSM document. Pass in a list of account IDs to the ‘add’ or ‘remove’ fields to edit document sharing permissions. Set ‘remove’ to ‘matched’ to automatically remove any external accounts on a document (use in conjunction with the cross-account filter).

example

policies:
  - name: ssm-set-sharing
    resource: ssm-document
    filters:
      - type: cross-account
        whitelist: [xxxxxxxxxxxx]
    actions:
      - type: set-sharing
        add: [yyyyyyyyyy]
        remove: matched
properties:
  add:
    items:
      type: string
    type: array
  remove:
    oneOf:
    - enum:
      - matched
    - items:
        type: string
      type: array
  type:
    enum:
    - set-sharing
required:
- type

Permissions - ssm:ModifyDocumentPermission