I am trying to reset AD password of users using AWS SSM.
The only issue with this approach is that the SSM run command keeps a history of run. This history shows the parameters in clear text, which can be an issue with Security.
Is there any way I could trigger a runCommand without keeping a history ?
Or better, is there a way to delete the histoy ?
It's not possible to run commands without keeping the history. You also can't delete historical executions, see AWS docs here: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-best-practices-delete-resources.htm:
After a command finishes processing, information about it is stored in the Command history tab. You can't delete information from the Command history tab.
I would recommend to put the new password in SSM parameter store as a secure string and fetch the secret from SSM parameter store as a command in the script. That's AWS recommendation. https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-param-runcommand.html