Las traducciones son generadas a través de traducción automática. En caso de conflicto entre la traducción y la version original de inglés, prevalecerá la version en inglés.
# AWS-SSM-RemediationAutomation-ExecutionRolePolicy
**Descripción**: Proporciona permisos para solucionar problemas con los servicios de SSM mediante la ejecución de las actividades definidas en los documentos de automatización, que se utilizan principalmente para ejecutar los documentos de automatización en una account/region configuración de destino mediante la corrección del estado de los servicios de SSM en todos los nodos.
`AWS-SSM-RemediationAutomation-ExecutionRolePolicy` es una [política administrada de AWS](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies).
## Uso de la política
Puede asociar `AWS-SSM-RemediationAutomation-ExecutionRolePolicy` a los usuarios, grupos y roles.
## Información de la política
+ **Tipo: política gestionada** AWS
+ **Hora de creación**: 16 de noviembre de 2024 a las 00:17 UTC
+ **Hora editada:** 12 de febrero de 2026 a las 17:58 UTC
+ **ARN**: `arn:aws:iam::aws:policy/AWS-SSM-RemediationAutomation-ExecutionRolePolicy`
## Versión de la política
**Versión de la política:** v4 (predeterminada)
La versión predeterminada de la política define qué permisos tendrá. Cuando un usuario o un rol con la política solicita el acceso a un AWS recurso, AWS comprueba la versión predeterminada de la política para determinar si permite la solicitud.
## Documento de política JSON
```
{
"Version" : "2012-10-17",
"Statement" : [
{
"Sid" : "AllowReadOnlyAccessSSMResource",
"Effect" : "Allow",
"Action" : [
"ssm:GetAutomationExecution",
"ssm:DescribeAutomationExecutions",
"ssm:DescribeAutomationStepExecutions"
],
"Resource" : "*"
},
{
"Sid" : "AllowReadOnlyAccessEC2Resource",
"Effect" : "Allow",
"Action" : [
"ec2:DescribeVpcAttribute",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeSecurityGroups"
],
"Resource" : "*"
},
{
"Sid" : "AllowCreateVpcEndpointForTaggedSecurityGroup",
"Effect" : "Allow",
"Action" : [
"ec2:CreateVpcEndpoint"
],
"Resource" : [
"arn:aws:ec2:*:*:security-group/*"
],
"Condition" : {
"StringEquals" : {
"aws:ResourceTag/SystemsManager::FindingNetworkingSecurityGroups::VPCE::SG" : "VPCEndpointSecurityGroup"
}
}
},
{
"Sid" : "AllowCreateVpcEndpoint",
"Effect" : "Allow",
"Action" : [
"ec2:CreateVpcEndpoint"
],
"Resource" : [
"arn:aws:ec2:*:*:vpc/*",
"arn:aws:ec2:*:*:subnet/*"
]
},
{
"Sid" : "RestrictCreateVpcEndpointForSSMService",
"Effect" : "Allow",
"Action" : [
"ec2:CreateVpcEndpoint"
],
"Resource" : [
"arn:aws:ec2:*:*:vpc-endpoint/*"
],
"Condition" : {
"StringLike" : {
"ec2:VpceServiceName" : [
"com.amazonaws.*.ssm",
"com.amazonaws.*.ssmmessages",
"com.amazonaws.*.ec2messages"
]
},
"StringEquals" : {
"aws:RequestTag/SystemsManager::FindingNetworkingVPCEndpoints::VPCE" : "VPCEndpoint"
}
}
},
{
"Sid" : "RestrictCreateVpcEndpointWithTag",
"Effect" : "Allow",
"Action" : "ec2:CreateTags",
"Resource" : [
"arn:aws:ec2:*:*:vpc-endpoint/*"
],
"Condition" : {
"StringEquals" : {
"aws:RequestTag/SystemsManager::FindingNetworkingVPCEndpoints::VPCE" : "VPCEndpoint",
"ec2:CreateAction" : [
"CreateVpcEndpoint"
]
}
}
},
{
"Sid" : "AllowModifyVpcAttributeForDns",
"Effect" : "Allow",
"Action" : [
"ec2:ModifyVpcAttribute"
],
"Resource" : [
"arn:aws:ec2:*:*:vpc/*"
],
"Condition" : {
"StringEquals" : {
"ec2:Attribute" : [
"EnableDnsSupport",
"EnableDnsHostnames"
]
}
}
},
{
"Sid" : "AllowSecurityGroupRuleUpdate",
"Effect" : "Allow",
"Action" : [
"ec2:AuthorizeSecurityGroupEgress"
],
"Resource" : [
"arn:aws:ec2:*:*:security-group/*"
]
},
{
"Sid" : "AllowSecurityGroupRuleUpdateForTaggedResource",
"Effect" : "Allow",
"Action" : [
"ec2:RevokeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress"
],
"Resource" : [
"arn:aws:ec2:*:*:security-group/*"
],
"Condition" : {
"StringEquals" : {
"aws:ResourceTag/SystemsManager::FindingNetworkingSecurityGroups::VPCE::SG" : "VPCEndpointSecurityGroup"
}
}
},
{
"Sid" : "AllowSecurityGroupRuleUpdateWithTag",
"Effect" : "Allow",
"Action" : [
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress"
],
"Resource" : [
"arn:aws:ec2:*:*:security-group-rule/*"
],
"Condition" : {
"StringEquals" : {
"aws:RequestTag/SystemsManager::FindingNetworkingSecurityGroups::SG::Rule" : "HTTPSAccess"
}
}
},
{
"Sid" : "AllowSecurityGroupRuleUpdateTagRule",
"Effect" : "Allow",
"Action" : "ec2:CreateTags",
"Resource" : [
"arn:aws:ec2:*:*:security-group-rule/*"
],
"Condition" : {
"StringEquals" : {
"aws:RequestTag/SystemsManager::FindingNetworkingSecurityGroups::SG::Rule" : "HTTPSAccess",
"ec2:CreateAction" : [
"AuthorizeSecurityGroupEgress",
"AuthorizeSecurityGroupIngress"
]
}
}
},
{
"Sid" : "AllowCreateSecurityGroupForVPCEndpoint",
"Effect" : "Allow",
"Action" : [
"ec2:CreateSecurityGroup"
],
"Resource" : [
"arn:aws:ec2:*:*:vpc/*"
]
},
{
"Sid" : "AllowCreateSecurityGroupWithTag",
"Effect" : "Allow",
"Action" : [
"ec2:CreateSecurityGroup"
],
"Resource" : [
"arn:aws:ec2:*:*:security-group/*"
],
"Condition" : {
"StringEquals" : {
"aws:RequestTag/SystemsManager::FindingNetworkingSecurityGroups::VPCE::SG" : "VPCEndpointSecurityGroup"
}
}
},
{
"Sid" : "AllowTagCreationForSecurityGroupTags",
"Effect" : "Allow",
"Action" : "ec2:CreateTags",
"Resource" : [
"arn:aws:ec2:*:*:security-group/*"
],
"Condition" : {
"StringEquals" : {
"aws:RequestTag/SystemsManager::FindingNetworkingSecurityGroups::VPCE::SG" : "VPCEndpointSecurityGroup",
"ec2:CreateAction" : [
"CreateSecurityGroup"
]
}
}
},
{
"Sid" : "AllowExecuteSSMAutomation",
"Effect" : "Allow",
"Action" : [
"ssm:StartAutomationExecution"
],
"Resource" : [
"arn:aws:ssm:*:*:document/AWS-OrchestrateUnmanagedEC2Actions",
"arn:aws:ssm:*:*:document/AWS-RemediateSSMAgent*",
"arn:aws:ssm:*:*:automation-execution/*",
"arn:aws:ssm:*:*:automation-definition/AWS-OrchestrateUnmanagedEC2Actions:*",
"arn:aws:ssm:*:*:automation-definition/AWS-RemediateSSMAgent*:*"
]
},
{
"Sid" : "AllowKMSOperations",
"Effect" : "Allow",
"Action" : [
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Resource" : "arn:aws:kms:*:*:key/*",
"Condition" : {
"StringEquals" : {
"aws:ResourceTag/SystemsManagerManaged" : "true"
},
"ArnLike" : {
"kms:EncryptionContext:aws:s3:arn" : "arn:aws:s3:::do-not-delete-ssm-diagnosis-*"
},
"StringLike" : {
"kms:ViaService" : "s3.*.amazonaws.com"
},
"Bool" : {
"aws:ViaAWSService" : "true"
}
}
},
{
"Sid" : "AllowPassRoleOnSelfToSsm",
"Effect" : "Allow",
"Action" : "iam:PassRole",
"Resource" : "arn:aws:iam::*:role/AWS-SSM-RemediationExecutionRole*",
"Condition" : {
"StringEquals" : {
"iam:PassedToService" : "ssm.amazonaws.com"
}
}
}
]
}
```
## Más información
+ [Cree un conjunto de permisos mediante políticas AWS administradas en el Centro de identidades de IAM](https://docs.aws.amazon.com/singlesignon/latest/userguide/howtocreatepermissionset.html)
+ [Adición y eliminación de permisos de identidad de IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html)
+ [Conozca el control de versiones de las políticas de IAM](https://docs.aws.amazon.com//IAM/latest/UserGuide/access_policies_managed-versioning.html)
+ [Comience con las políticas AWS administradas y avance hacia los permisos con privilegios mínimos](https://docs.aws.amazon.com//IAM/latest/UserGuide/best-practices.html#bp-use-aws-defined-policies)