Tags: boto3, aws-ssm, amazon-systems-manager

AWS SSM Run Command without keeping in history


I am trying to reset the AD passwords of users using AWS SSM.

The only issue with this approach is that the SSM Run Command keeps a history of runs. This history shows the parameters in clear text, which can be an issue with security.

Is there any way I could trigger a runCommand without keeping a history?

Or better, is there a way to delete the history?


Solution

  • It's not possible to run commands without keeping the history. You also can't delete historical executions; see the AWS docs here: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-best-practices-delete-resources.htm:

    After a command finishes processing, information about it is stored in the Command history tab. You can't delete information from the Command history tab.

    I would recommend putting the new password in SSM Parameter Store as a secure string and fetching the secret from Parameter Store as a command in the script. That's AWS's recommendation. https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-param-runcommand.html
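The pattern the answer recommends, as an added example that is not from the question, the answer or AWS: the caller writes the new password to Parameter Store as a SecureString and sends a Run Command script that contains only the parameter name, so the Command history records the name and never the password; the instance decrypts the parameter locally, resets the account and prints nothing secret (command output is retained too). It assumes a domain-joined Windows instance managed by SSM whose instance role can read the parameter (ssm:GetParameter plus kms:Decrypt on the key), with the AWS Tools for PowerShell and the ActiveDirectory module installed, and caller credentials allowed to put/delete the parameter and send commands. The /ad/password-reset/ prefix, the username and the instance id are placeholders, and the parameter is deleted again once the command has finished.

```python
"""Reset an AD password through SSM Run Command without the plaintext
reaching the Run Command history. Added example, not code from the page.
Assumes an SSM-managed, domain-joined Windows instance whose role can read
and decrypt the parameter, with AWS Tools for PowerShell and the
ActiveDirectory module installed. Prefix, username and instance id are
placeholders."""
import re
import secrets
import string

PARAMETER_PREFIX = "/ad/password-reset/"             # assumed naming convention
_USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")   # safe to interpolate into PowerShell
_PARAM_RE = re.compile(r"^/[A-Za-z0-9._/-]+$")         # Parameter Store name charset


def generate_password(length=24):
    """Random password from a fixed alphabet using the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits + "!#%+,-.:=?@_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def parameter_name_for(username):
    """Parameter Store name the instance will read. The username is validated
    so it cannot break out of the quoted PowerShell string below."""
    if not _USERNAME_RE.match(username):
        raise ValueError("username contains characters outside [A-Za-z0-9._-]")
    return PARAMETER_PREFIX + username


def build_reset_script(username, parameter_name):
    """PowerShell lines passed as Run Command parameters. Only the parameter
    *name* appears here, and this is all the Command history will show. The
    instance fetches the SecureString with decryption and never echoes it."""
    parameter_name_for(username)  # re-validate before interpolating
    if not _PARAM_RE.match(parameter_name):
        raise ValueError("invalid Parameter Store name")
    return [
        "$ErrorActionPreference = 'Stop'",
        "Import-Module ActiveDirectory",
        f"$pw = (Get-SSMParameter -Name '{parameter_name}' -WithDecryption $true).Value",
        "$secure = ConvertTo-SecureString $pw -AsPlainText -Force",
        f"Set-ADAccountPassword -Identity '{username}' -Reset -NewPassword $secure",
        "Remove-Variable pw, secure",
        f"Write-Output 'password reset for {username}'",  # output is stored too: no secret here
    ]


def command_parameters_leak(parameters, secret):
    """Guard run before send_command: True if the secret would be stored in
    the command's parameters, i.e. shown in clear text in the history."""
    return any(secret in value for values in parameters.values() for value in values)


def reset_ad_password(username, instance_id, region_name=None, ssm=None):
    """End to end: store the password as a SecureString, run the script,
    wait for it to finish, then remove the parameter. Needs AWS access, so
    boto3 is imported here rather than at module level."""
    import boto3

    ssm = ssm or boto3.client("ssm", region_name=region_name)
    password = generate_password()
    name = parameter_name_for(username)
    ssm.put_parameter(Name=name, Value=password, Type="SecureString", Overwrite=True)
    try:
        params = {"commands": build_reset_script(username, name)}
        if command_parameters_leak(params, password):
            raise RuntimeError("refusing to send a command that carries the password")
        resp = ssm.send_command(
            InstanceIds=[instance_id],
            DocumentName="AWS-RunPowerShellScript",
            Parameters=params,
            Comment=f"AD password reset for {username}",
        )
        command_id = resp["Command"]["CommandId"]
        ssm.get_waiter("command_executed").wait(CommandId=command_id, InstanceId=instance_id)
    finally:
        ssm.delete_parameter(Name=name)  # short-lived: gone once the instance has used it
    return command_id


if __name__ == "__main__":
    # Dry run: show exactly what the Command history would record for this reset.
    print("\n".join(build_reset_script("jdoe", parameter_name_for("jdoe"))))
```

The new password still has to reach the user somehow; this only keeps it out of Run Command's parameters and output. Because SecureString values cannot be expanded with the `{{ssm:name}}` syntax in Run Command, the decryption has to happen inside the script on the instance, which is why the instance role, not the caller, needs the `kms:Decrypt` permission.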