AWS SSM Run Command without keeping in history

I am trying to reset AD password of users using AWS SSM.

The only issue with this approach is that the SSM run command keeps a history of run. This history shows the parameters in clear text, which can be an issue with Security.

Is there any way I could trigger a runCommand without keeping a history?

Or better, is there a way to delete the history?

Mervin Hemaraju asked Sep 19 '25 23:09


1 Answer

It's not possible to run commands without keeping the history. You also can't delete historical executions, see AWS docs here: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-best-practices-delete-resources.htm:

After a command finishes processing, information about it is stored in the Command history tab. You can't delete information from the Command history tab.

I would recommend putting the new password in SSM Parameter Store as a secure string and fetching the secret from SSM Parameter Store as a command in the script. That's AWS's recommendation: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-param-runcommand.html

Matan Shabtay answered Sep 23 '25 13:09
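To make the recommendation concrete, here is an added example (not code from the question or the answer) that builds the SendCommand request for the AD reset two ways: with the new password as a literal, as the question describes, and with only a `{{ssm-secure:...}}` reference to a SecureString parameter, and then checks which request would leave the password in Command history. The instance id, user name, parameter name `/ad/reset/alice` and sample password are constructed; nothing in the block contacts AWS.

```python
"""Added example (not from the post): build the AWS-RunPowerShellScript request
two ways and show which one leaves the new password in Command history."""
import re

# Run Command lets a parameter value reference a SecureString parameter as
# {{ssm-secure:NAME}}; SSM Agent resolves it on the node, so only the reference
# is recorded in Command history. The node's instance profile needs
# ssm:GetParameters plus kms:Decrypt on the key used for the parameter.
SECURE_REF = re.compile(r"\{\{ssm-secure:[A-Za-z0-9_./-]+\}\}")


def _request(instance_id: str, user: str, password_expr: str) -> dict:
    """SendCommand kwargs for the asker's AD reset (Set-ADAccountPassword).
    A value containing a single quote would break this quoting."""
    script = (
        f"$pw = ConvertTo-SecureString -AsPlainText -Force '{password_expr}'\n"
        f"Set-ADAccountPassword -Identity '{user}' -NewPassword $pw -Reset"
    )
    return {"InstanceIds": [instance_id],
            "DocumentName": "AWS-RunPowerShellScript",
            "Parameters": {"commands": [script]}}


def request_with_cleartext(instance_id, user, new_password) -> dict:
    """What the question describes: the password is a literal in the request."""
    return _request(instance_id, user, new_password)


def request_with_reference(instance_id, user, param_name) -> dict:
    """The answer's recommendation: pass only the parameter reference.
    param_name is the SecureString parameter holding the new password."""
    return _request(instance_id, user, "{{ssm-secure:" + param_name + "}}")


def put_parameter_kwargs(param_name, new_password) -> dict:
    """PutParameter kwargs to store the password as a SecureString first."""
    return {"Name": param_name, "Value": new_password,
            "Type": "SecureString", "Overwrite": True}


def leaks_to_history(request: dict, secret: str) -> bool:
    """True if the literal secret would be stored in Command history."""
    return any(secret in v for vs in request["Parameters"].values() for v in vs)


def uses_secure_reference(request: dict) -> bool:
    """True if the commands carry at least one {{ssm-secure:...}} reference."""
    return any(SECURE_REF.search(v) for v in request["Parameters"]["commands"])


if __name__ == "__main__":
    pw = "Tmp-Pass-ChangeMe-42"  # constructed sample password
    bad = request_with_cleartext("i-0123456789abcdef0", "alice", pw)
    good = request_with_reference("i-0123456789abcdef0", "alice", "/ad/reset/alice")
    print("cleartext request leaks:", leaks_to_history(bad, pw))   # True
    print("reference request leaks:", leaks_to_history(good, pw))  # False
    # Real run: boto3.client("ssm").put_parameter(**put_parameter_kwargs(...))
    # followed by boto3.client("ssm").send_command(**good)
```

The `put_parameter` call must happen before `send_command`, and the parameter should be deleted or overwritten once the reset has completed so the password does not linger in Parameter Store.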