[Improvement] ec2/* - Remove SSM AWS-RunPatchBaseline hourly invocati…

…on to reduce spam because of uncompliant instances (you can still use the MaintenanceWindowSchedule parameter for patching) (#716)
widdix · Nov 1, 2023 · 7394934 · 7394934
1 parent eb5363f
commit 7394934
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 26 deletions.
diff --git a/ec2/al2-mutable-private.yaml b/ec2/al2-mutable-private.yaml
@@ -1136,9 +1136,7 @@ Resources:
           - !Sub 'arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:managed-instance-inventory/${VirtualMachine}'
         - Effect: Allow
           Action: 'ssm:UpdateInstanceAssociationStatus'
-          Resource:
-          - !Sub 'arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/${VirtualMachine}'
-          - !Sub 'arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:association/${AssociationRunPatchBaselineScan}'
+          Resource: !Sub 'arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/${VirtualMachine}'
   IAMPolicySSHAccess:
     Type: 'AWS::IAM::Policy'
     Condition: HasIAMUserSSHAccess
@@ -1542,16 +1540,6 @@ Resources:
             Operation: [Install]
       TaskType: 'RUN_COMMAND'
       WindowId: !Ref MaintenanceWindow
-  AssociationRunPatchBaselineScan:
-    Type: 'AWS::SSM::Association'
-    Properties:
-      Name: 'AWS-RunPatchBaseline'
-      Parameters:
-        Operation: [Scan]
-      ScheduleExpression: 'rate(1 hour)'
-      Targets:
-      - Key: InstanceIds
-        Values: [!Ref VirtualMachine]
   BackupVault: # cannot be deleted with data
     Condition: HasBackupRetentionPeriod
     Type: 'AWS::Backup::BackupVault'

diff --git a/ec2/al2-mutable-public.yaml b/ec2/al2-mutable-public.yaml
@@ -1145,9 +1145,7 @@ Resources:
           - !Sub 'arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:managed-instance-inventory/${VirtualMachine}'
         - Effect: Allow
           Action: 'ssm:UpdateInstanceAssociationStatus'
-          Resource:
-          - !Sub 'arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/${VirtualMachine}'
-          - !Sub 'arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:association/${AssociationRunPatchBaselineScan}'
+          Resource: !Sub 'arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/${VirtualMachine}'
   IAMPolicySSHAccess:
     Type: 'AWS::IAM::Policy'
     Condition: HasIAMUserSSHAccess
@@ -1552,16 +1550,6 @@ Resources:
             Operation: [Install]
       TaskType: 'RUN_COMMAND'
       WindowId: !Ref MaintenanceWindow
-  AssociationRunPatchBaselineScan:
-    Type: 'AWS::SSM::Association'
-    Properties:
-      Name: 'AWS-RunPatchBaseline'
-      Parameters:
-        Operation: [Scan]
-      ScheduleExpression: 'rate(1 hour)'
-      Targets:
-      - Key: InstanceIds
-        Values: [!Ref VirtualMachine]
   BackupVault: # cannot be deleted with data
     Condition: HasBackupRetentionPeriod
     Type: 'AWS::Backup::BackupVault'