
How to Delete CloudFix Runbooks from Your AWS Account or Organization

CloudFix deploys Systems Manager (SSM) runbooks as part of its remediation workflows. If you're offboarding or cleaning up, you can delete these documents manually from an individual AWS account or across your entire AWS Organization.

This guide walks you through both methods.


What You’re Deleting

CloudFix runbooks are stored as SSM Documents with names like:

Cloudfix-Template-VpcIdleNatGateway-staging  
Cloudfix-Template-VPCConsolidateNATGateways-qa  
Cloudfix-Template-FixInstanceProfileForAgents-qa  


These are created by CloudFix to automate AWS fixes. They’re safe to delete if you're not using CloudFix or have already removed the related stacks. Deleting a document removes only the automation definition; it does not undo changes that earlier executions of that runbook made.


Deleting CloudFix Runbooks from a Single AWS Account

To remove all CloudFix SSM documents from a single account:

1. Open a terminal with AWS CLI access to the target account.

2. Run this command:

 # Owner=Self limits the listing to documents this account created; without it,
 # list-documents also returns every public AWS-* document in the region.
 for Name in $(aws ssm list-documents \
   --filters Key=Owner,Values=Self \
   --query "DocumentIdentifiers[].Name" \
   --output text | tr '\t' '\n' | grep '^Cloudfix-'); do
   aws ssm delete-document --name "$Name"
 done



This:

  • Lists all SSM documents in the account
  • Filters for names starting with Cloudfix-
  • Deletes each matching document


 You can preview without deleting by prefixing the delete command with echo, so the loop prints each command instead of running it:

  echo aws ssm delete-document --name "$Name"

 SSM documents are regional. The command acts on the region your CLI is configured for; if CloudFix deployed runbooks to more than one region, repeat it with --region <region> (or AWS_DEFAULT_REGION) for each of them.


Deleting CloudFix Runbooks Across an AWS Organization

There’s no native way to delete SSM documents Org-wide in a single command. But you can script it using aws organizations, sts assume-role, and ssm delete-document.

Prerequisites

  • You’re logged in to the management account of your AWS Organization with permission to call organizations:ListAccounts and sts:AssumeRole.
  • All member accounts have a role (usually OrganizationAccountAccessRole) whose trust policy allows the management account to assume it. Organizations creates this role in accounts it creates, but not in accounts that were invited and not in the management account itself; for those, add the role by hand or run the single-account command in them directly.
  • That role has permissions: ssm:ListDocuments and ssm:DeleteDocument.
  • jq is installed, and your CLI is configured for the region where CloudFix deployed the runbooks (run the script once per region if there are several).

Script: Delete CloudFix Runbooks Org-Wide

#!/bin/bash
# Deletes every SSM document named Cloudfix-* in each active member account,
# in the region the current AWS CLI configuration points at. Requires jq.

ROLE_NAME="OrganizationAccountAccessRole"

ACCOUNT_IDS=$(aws organizations list-accounts \
  --query "Accounts[?Status=='ACTIVE'].Id" \
  --output text)

for ACCOUNT_ID in $ACCOUNT_IDS; do
  echo "🔄 Assuming role in account $ACCOUNT_ID"

  # If the role is missing (management account, invited accounts) or its trust
  # policy rejects us, skip this account instead of continuing with empty credentials.
  if ! CREDS=$(aws sts assume-role \
      --role-arn "arn:aws:iam::${ACCOUNT_ID}:role/${ROLE_NAME}" \
      --role-session-name delete-cloudfix-docs \
      --output json); then
    echo "⚠️ Could not assume ${ROLE_NAME} in $ACCOUNT_ID, skipping" >&2
    continue
  fi

  export AWS_ACCESS_KEY_ID=$(echo "$CREDS" | jq -r .Credentials.AccessKeyId)
  export AWS_SECRET_ACCESS_KEY=$(echo "$CREDS" | jq -r .Credentials.SecretAccessKey)
  export AWS_SESSION_TOKEN=$(echo "$CREDS" | jq -r .Credentials.SessionToken)

  echo "📋 Listing CloudFix documents in $ACCOUNT_ID"
  # Owner=Self skips the public AWS-* documents that list-documents returns by default
  aws ssm list-documents \
    --filters Key=Owner,Values=Self \
    --query "DocumentIdentifiers[].Name" \
    --output text | tr '\t' '\n' | grep '^Cloudfix-' | while read -r Name; do
      echo "❌ Deleting $Name from $ACCOUNT_ID"
      aws ssm delete-document --name "$Name"
    done

  # Clear credentials before the next account
  unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
done

Why Temporary Credentials Are Needed

Each time you assume a role in a member account using sts assume-role, AWS returns a set of temporary credentials:

  • AccessKeyId
  • SecretAccessKey
  • SessionToken

These are what authenticate you as the assumed role inside that account. By exporting them as AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN, you're telling the AWS CLI to run the subsequent commands (list-documents, delete-document) in the context of that role rather than as the management account. They expire after the session duration (one hour by default), which is more than enough for one account's deletions.

Once you’re done with that account, the credentials are unset so the next iteration starts clean; if they were left in place, a failed assume-role for the next account would silently keep operating on the previous one.
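The following is an added example, not CloudFix's code and not from the original article, that folds the single-account and Organization-wide procedures above into one script with the checks a practitioner would want: it lists only self-owned documents, walks every enabled region rather than just the configured one, defaults to a dry run, and handles each member account in a subshell so assumed-role credentials vanish without export/unset bookkeeping. AWS_CLI, DOC_PREFIX and DRY_RUN are this example's own knobs (AWS_CLI exists so the logic can be exercised against a stub command). It assumes AWS CLI v2 and, besides ssm:ListDocuments and ssm:DeleteDocument, ec2:DescribeRegions, plus sts:GetCallerIdentity, organizations:ListAccounts and sts:AssumeRole for the Organization driver.

```shell
#!/usr/bin/env bash
# Added example, not CloudFix's own code. Cleans up Cloudfix-* SSM documents in
# every enabled region of one account (clean_account) or of every active member
# account of the Organization (clean_organization). DRY_RUN=1 (the default) only
# prints what would be deleted. AWS_CLI is a hook of this example: point it at a
# stub command to exercise the logic without touching AWS.
set -u

AWS_CLI="${AWS_CLI:-aws}"
DOC_PREFIX="${DOC_PREFIX:-Cloudfix-}"
DRY_RUN="${DRY_RUN:-1}"
ROLE_NAME="${ROLE_NAME:-OrganizationAccountAccessRole}"

# stdin: the tab-separated `--output text` listing; stdout: one matching name per line.
cloudfix_doc_names() {
  tr '\t' '\n' | grep "^${DOC_PREFIX}" || true
}

# SSM documents are regional, so enumerate the regions enabled for this account.
enabled_regions() {
  "$AWS_CLI" ec2 describe-regions --query "Regions[].RegionName" --output text | tr '\t' '\n'
}

# Owner=Self keeps the listing to documents this account created, skipping the
# thousands of public AWS-* documents that list-documents returns by default.
list_cloudfix_docs() {
  "$AWS_CLI" ssm list-documents --region "$1" \
    --filters Key=Owner,Values=Self \
    --query "DocumentIdentifiers[].Name" --output text | cloudfix_doc_names
}

# Delete (or, in dry-run mode, announce) every matching document in one region.
clean_region() {
  local region="$1" name
  list_cloudfix_docs "$region" | while read -r name; do
    if [ "$DRY_RUN" = "1" ]; then
      echo "DRY-RUN would delete $name in $region"
    elif "$AWS_CLI" ssm delete-document --region "$region" --name "$name"; then
      echo "deleted $name in $region"
    else
      echo "failed to delete $name in $region" >&2
    fi
  done
}

# All regions of the account the current credentials belong to.
clean_account() {
  local region
  for region in $(enabled_regions); do
    clean_region "$region"
  done
}

# Organization driver. Each member account is handled in a subshell, so the
# temporary credentials disappear with it; no export/unset bookkeeping needed.
clean_organization() {
  local mgmt id creds
  mgmt=$("$AWS_CLI" sts get-caller-identity --query Account --output text)
  for id in $("$AWS_CLI" organizations list-accounts \
                --query "Accounts[?Status=='ACTIVE'].Id" --output text); do
    if [ "$id" = "$mgmt" ]; then
      echo "skipping management account $id (run clean_account there directly)"
      continue
    fi
    (
      # --query returns the three fields tab-separated, so no jq is needed.
      if ! creds=$("$AWS_CLI" sts assume-role \
            --role-arn "arn:aws:iam::${id}:role/${ROLE_NAME}" \
            --role-session-name cloudfix-cleanup \
            --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
            --output text); then
        echo "cannot assume ${ROLE_NAME} in $id, skipping" >&2
        exit 0
      fi
      set -- $creds
      export AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3"
      echo "account $id"
      clean_account
    )
  done
}
```

Source the file and run `clean_account` (or `clean_organization`) once with the default DRY_RUN=1 to review the list, then again with DRY_RUN=0 to delete. The management account is skipped on purpose: OrganizationAccountAccessRole normally does not exist there, so run `clean_account` in it directly.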


Troubleshooting

Problem: AccessDenied when assuming the role
Fix: Check that the role exists in the target account (it is not created automatically in invited accounts or in the management account), that its trust policy allows the management account, and that the identity you're running as has sts:AssumeRole on it.

Problem: No documents found
Fix: Confirm the runbooks haven't already been deleted, and re-run with --region set to each region CloudFix deployed to. SSM documents are regional, so a listing in the wrong region comes back empty.

Problem: delete-document fails
Fix: Make sure you're not trying to delete AWS-owned (public) documents; filtering list-documents with Key=Owner,Values=Self keeps them out of the loop. A document that has been shared with other accounts cannot be deleted until sharing is removed (aws ssm modify-document-permission --name <doc> --permission-type Share --account-ids-to-remove <account-id>).


Bill Gleeson

Posted