`AWSConfigRemediation-RemoveUserPolicies`

Description

The AWSConfigRemediation-RemoveUserPolicies runbook deletes the AWS Identity and Access Management (IAM) inline policies and detaches any managed policies attached to the user you specify.

Run this Automation (console)

Document type

Automation

Owner

Amazon

Platforms

Linux, macOS, Windows

Parameters

AutomationAssumeRole

Type: String

Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
IAMUserID

Type: String

Description: (Required) The ID of the user you want to remove policies from.
PolicyType

Type: String

Valid values: All | Inline | Managed

Default: All

Description: (Required) The type of IAM policies you want to remove from the user.

Required IAM permissions

The AutomationAssumeRole parameter requires the following actions to use the runbook successfully.

ssm:StartAutomationExecution
ssm:GetAutomationExecution
iam:DeleteUserPolicy
iam:DetachUserPolicy
iam:ListAttachedUserPolicies
iam:ListUserPolicies
iam:ListUsers

Document Steps

aws:executeScript - Deletes and detaches IAM policies from the user you specify in the IAMUserID parameter.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

AWSSupport-GrantPermissionsToIAMUser

AWSConfigRemediation-ReplaceIAMInlinePolicy