AWSConfigRemediation-RemoveUserPolicies - AWS Systems Manager Automation runbook reference



The AWSConfigRemediation-RemoveUserPolicies runbook deletes the AWS Identity and Access Management (IAM) inline policies and detaches any managed policies attached to the user you specify.

Run this Automation (console)

Document type





Linux, macOS, Windows


  • AutomationAssumeRole

    Type: String

    Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.

  • IAMUserID

    Type: String

    Description: (Required) The ID of the user you want to remove policies from.

  • PolicyType

    Type: String

    Valid values: All | Inline | Managed

    Default: All

    Description: (Required) The type of IAM policies you want to remove from the user.

Required IAM permissions

The AutomationAssumeRole parameter requires the following actions to use the runbook successfully.

  • ssm:StartAutomationExecution

  • ssm:GetAutomationExecution

  • iam:DeleteUserPolicy

  • iam:DetachUserPolicy

  • iam:ListAttachedUserPolicies

  • iam:ListUserPolicies

  • iam:ListUsers

Document Steps

  • aws:executeScript - Deletes and detaches IAM policies from the user you specify in the IAMUserID parameter.