An SSM Automation document deployed to the management account executes an SSM Run Command document within each managed location (account + region pair).
- Configure Automation multi-account IAM roles: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-automation-multiple-accounts-and-regions.html
AWS-SystemsManager-AutomationAdministrationRole should be deployed to the management account
AWS-SystemsManager-AutomationExecutionRole should be deployed to all managed accounts
- Deploy Automation document via Cfn Stack to management account
- Deploy Command document via Cfn StackSet to all managed accounts + regions
- Execute the SSM Automation in the management account; it runs the Command document against every target instance matched in each managed account + region:
aws ssm start-automation-execution \
--region us-east-1 \
--document-name "MyAutomation" \
--document-version "\$LATEST" \
--parameters '{"AutomationAssumeRole":["arn:aws:iam::<management-acct>:role/AWS-SystemsManager-AutomationAdministrationRole"]}' \
--target-locations '[{"Accounts":["ou-ab12-abcd1234"],
"Regions":["us-east-1","us-west-2"],
"ExecutionRoleName":"AWS-SystemsManager-AutomationExecutionRole",
"TargetLocationMaxErrors":"1",
"TargetLocationMaxConcurrency":"5"},
{"Accounts":["ou-cd34-cdef3456"],
"Regions":["us-east-1","us-west-2"],
"ExecutionRoleName":"AWS-SystemsManager-AutomationExecutionRole",
"TargetLocationMaxErrors":"1",
"TargetLocationMaxConcurrency":"5"}]'
The Command Document could be expanded to perform different tasks on an instance using different actions ("plugins"): https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-plugins.html
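The steps above reference the Automation document and the Command document but do not show their bodies. Below is an added example (not taken from this page or its project) of the two document bodies as they would go into the Content property of an AWS::SSM::Document resource (DocumentType Automation in the management-account stack, DocumentType Command in the StackSet). The first is the Automation document (schema 0.3) whose single aws:runCommand step fans the Command document out to instances selected by tag inside whichever account/region the execution lands in; the second is a Command document (schema 2.2) that uses two different plugins, with a platformType precondition choosing the step per OS. The document name MyAutomation and the administration role name come from the page; MyCommandDocument, the tag Role=web and the commands run are assumptions. Note that TargetLocationMaxErrors / TargetLocationMaxConcurrency in the CLI call control fan-out across accounts and regions, while MaxErrors / MaxConcurrency inside the step control fan-out across instances within one location.

```yaml
# Added example: Automation document body (schema 0.3) for "MyAutomation".
# Assumptions (not from the page): the Command document is named
# "MyCommandDocument" and target instances carry the tag Role=web.
schemaVersion: '0.3'
description: Run MyCommandDocument on tagged instances in the current account/region
assumeRole: '{{ AutomationAssumeRole }}'
parameters:
  AutomationAssumeRole:
    type: String
    description: ARN of AWS-SystemsManager-AutomationAdministrationRole in the management account
  CommandDocumentName:
    type: String
    default: MyCommandDocument
mainSteps:
  - name: runCommandDocument
    action: aws:runCommand
    timeoutSeconds: 600
    onFailure: Abort
    inputs:
      DocumentName: '{{ CommandDocumentName }}'
      # Instances are selected per location by tag, so the same document
      # works in every account/region the execution is fanned out to.
      Targets:
        - Key: tag:Role
          Values:
            - web
      # Instance-level fan-out inside one location; the CLI's
      # TargetLocationMax* values govern fan-out across locations.
      MaxConcurrency: '10'
      MaxErrors: '1'
---
# Added example: Command document body (schema 2.2), deployed by StackSet.
# Each step uses a different plugin; the precondition picks the step by OS.
schemaVersion: '2.2'
description: Report OS identity (illustrative, read-only commands)
parameters: {}
mainSteps:
  - action: aws:runShellScript
    name: reportLinux
    precondition:
      StringEquals:
        - platformType
        - Linux
    inputs:
      timeoutSeconds: '60'
      runCommand:
        - cat /etc/os-release
        - uptime
  - action: aws:runPowerShellScript
    name: reportWindows
    precondition:
      StringEquals:
        - platformType
        - Windows
    inputs:
      timeoutSeconds: '60'
      runCommand:
        - (Get-CimInstance Win32_OperatingSystem).Caption
        - (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
```

Because the Automation document selects instances by tag rather than by ID, the only per-location input the management account must supply is the execution role name; adding a new account or region to the target-locations list needs no change to either document. Swapping or adding plugins (for example aws:runDocument or aws:softwareInventory) is done in the Command document's mainSteps, which the StackSet then pushes to every managed account.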