

[Improvement] ec2/* - Remove SSM AWS-RunPatchBaseline hourly invocati…
…on to reduce spam because of non-compliant instances (you can still use the MaintenanceWindowSchedule parameter for patching)
michaelwittig committed Oct 20, 2023
1 parent 4bced71 commit dc4c3c1
Showing 2 changed files with 2 additions and 26 deletions.
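--- a/ec2/al2-mutable-private.yaml
+++ b/ec2/al2-mutable-private.yaml
@@ -1136,9 +1136,7 @@ Resources:
 - !Sub 'arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:managed-instance-inventory/${VirtualMachine}'
 - Effect: Allow
 Action: 'ssm:UpdateInstanceAssociationStatus'
-Resource:
-- !Sub 'arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/${VirtualMachine}'
-- !Sub 'arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:association/${AssociationRunPatchBaselineScan}'
+Resource: !Sub 'arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/${VirtualMachine}'
 IAMPolicySSHAccess:
 Type: 'AWS::IAM::Policy'
 Condition: HasIAMUserSSHAccess
@@ -1542,16 +1540,6 @@ Resources:
 Operation: [Install]
 TaskType: 'RUN_COMMAND'
 WindowId: !Ref MaintenanceWindow
-AssociationRunPatchBaselineScan:
-Type: 'AWS::SSM::Association'
-Properties:
-Name: 'AWS-RunPatchBaseline'
-Parameters:
-Operation: [Scan]
-ScheduleExpression: 'rate(1 hour)'
-Targets:
-- Key: InstanceIds
-Values: [!Ref VirtualMachine]
 BackupVault: # cannot be deleted with data
 Condition: HasBackupRetentionPeriod
 Type: 'AWS::Backup::BackupVault'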
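Review bot: With the hourly `AWS-RunPatchBaseline` Scan association removed in the second hunk, Patch Manager compliance data for `VirtualMachine` is presumably only produced when the MaintenanceWindow task (`Operation: [Install]`, whose definition starts outside the hunk) actually runs, so a stack deployed without `MaintenanceWindowSchedule` would show no patch-compliance state at all; the commit message mentions patching but not this loss of visibility. I would state it where that parameter is described, e.g. `# Patch compliance is only reported when MaintenanceWindowSchedule is set; the scheduled Scan association was removed`. In the first hunk the remaining `ssm:UpdateInstanceAssociationStatus` statement now covers only the instance ARN; if `AssociationRunPatchBaselineScan` was the only association this template created, that statement may be unused and could be dropped for least privilege — worth confirming against the rest of the IAM policy, whose statement list begins before the hunk. Both points apply equally to the identical hunks in ec2/al2-mutable-public.yaml.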
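--- a/ec2/al2-mutable-public.yaml
+++ b/ec2/al2-mutable-public.yaml
@@ -1145,9 +1145,7 @@ Resources:
 - !Sub 'arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:managed-instance-inventory/${VirtualMachine}'
 - Effect: Allow
 Action: 'ssm:UpdateInstanceAssociationStatus'
-Resource:
-- !Sub 'arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/${VirtualMachine}'
-- !Sub 'arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:association/${AssociationRunPatchBaselineScan}'
+Resource: !Sub 'arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/${VirtualMachine}'
 IAMPolicySSHAccess:
 Type: 'AWS::IAM::Policy'
 Condition: HasIAMUserSSHAccess
@@ -1552,16 +1550,6 @@ Resources:
 Operation: [Install]
 TaskType: 'RUN_COMMAND'
 WindowId: !Ref MaintenanceWindow
-AssociationRunPatchBaselineScan:
-Type: 'AWS::SSM::Association'
-Properties:
-Name: 'AWS-RunPatchBaseline'
-Parameters:
-Operation: [Scan]
-ScheduleExpression: 'rate(1 hour)'
-Targets:
-- Key: InstanceIds
-Values: [!Ref VirtualMachine]
 BackupVault: # cannot be deleted with data
 Condition: HasBackupRetentionPeriod
 Type: 'AWS::Backup::BackupVault'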

