{"id":17744103,"url":"https://github.com/thomasvincent/aws-ssm-automation-scripts","last_synced_at":"2026-02-11T15:32:13.419Z","repository":{"id":317979141,"uuid":"591606751","full_name":"thomasvincent/aws-ssm-automation-scripts","owner":"thomasvincent","description":"AWS SSM automation documents for patching, compliance, and cost controls","archived":false,"fork":false,"pushed_at":"2026-02-08T11:01:55.000Z","size":141,"stargazers_count":0,"open_issues_count":3,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-02-08T17:34:26.173Z","etag":null,"topics":["automation","aws","aws-automation","aws-iam","aws-s3","aws-systems-manager","cloudformation","compliance","cost-optimization","devops","ec2","infrastructure","infrastructure-as-code","lambda","s3","security","ssm"],"latest_commit_sha":null,"homepage":"https://github.com/thomasvincent/aws-ssm-automation-scripts","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/thomasvincent.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2023-01-21T09:01:12.000Z","updated_at":"2026-02-08T10:05:10.000Z","dependencies_parsed_at":null,"dependency_job_id":"341a00f3-ef8f-417b-830d-f1711bbc3ba7","html_url":"https://github.com/thomasvincent/aws-ssm-automation-scripts","commit_stats":null,"previous_names":["thomasvincent/aws-ssm-automation-scripts"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/thomasvincent/aws-ssm-automation-scripts","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thomasvincent%2Faws-ssm-automation-scripts","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thomasvincent%2Faws-ssm-automation-scripts/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thomasvincent%2Faws-ssm-automation-scripts/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thomasvincent%2Faws-ssm-automation-scripts/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/thomasvincent","download_url":"https://codeload.github.com/thomasvincent/aws-ssm-automation-scripts/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thomasvincent%2Faws-ssm-automation-scripts/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29336868,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-11T14:34:07.188Z","status":"ssl_error","status_checked_at":"2026-02-11T14:34:06.809Z","response_time":97,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["automation","aws","aws-automation","aws-iam","aws-s3","aws-systems-manager","cloudformation","compliance","cost-optimization","devops","ec2","infrastructure","infrastructure-as-code","lambda","s3","security","ssm"],"created_at":"2024-10-26T06:41:57.544Z","updated_at":"2026-02-11T15:32:13.402Z","avatar_url":"https://github.com/thomasvincent.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# AWS SSM Automation Scripts\n\n[![Validate SSM Documents](https://github.com/thomasvincent/aws-ssm-automation-scripts/actions/workflows/validate.yml/badge.svg)](https://github.com/thomasvincent/aws-ssm-automation-scripts/actions/workflows/validate.yml)\n[![Security Scan](https://github.com/thomasvincent/aws-ssm-automation-scripts/actions/workflows/security-scan.yml/badge.svg)](https://github.com/thomasvincent/aws-ssm-automation-scripts/actions/workflows/security-scan.yml)\n[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)\n[![GitHub release](https://img.shields.io/github/v/release/thomasvincent/aws-ssm-automation-scripts)](https://github.com/thomasvincent/aws-ssm-automation-scripts/releases)\n[![Maintenance](https://img.shields.io/badge/Maintained%3F-yes-green.svg)](https://github.com/thomasvincent/aws-ssm-automation-scripts/graphs/commit-activity)\n\nA comprehensive collection of production-ready AWS Systems Manager (SSM) Automation documents for streamlining AWS operations, security compliance, and cost optimization.\n\n## 🚀 Overview\n\nThis repository provides battle-tested SSM Automation documents that help DevOps teams, system administrators, and cloud engineers automate common AWS management tasks. All scripts follow AWS best practices and are designed to be idempotent, secure, and easily customizable.\n\n### Key Benefits\n\n- **🔄 Automation First**: Reduce manual operations and human error\n- **🔒 Security by Default**: Built-in security best practices and compliance checks\n- **💰 Cost Optimization**: Identify and remediate cost inefficiencies\n- **🌍 Multi-Account Support**: Manage resources across multiple AWS accounts\n- **📊 Comprehensive Logging**: Detailed execution logs and audit trails\n- **🧩 Modular Design**: Reusable components and shared libraries\n\n## 📚 Table of Contents\n\n- [Quick Start](#-quick-start)\n- [Available Automation Scripts](#-available-automation-scripts)\n- [Installation](#-installation)\n- [Usage Examples](#-usage-examples)\n- [Architecture](#-architecture)\n- [Best Practices](#-best-practices)\n- [Development](#-development)\n- [Contributing](#-contributing)\n- [Support](#-support)\n\n## 🎯 Quick Start\n\n```bash\n# 1. Clone the repository\ngit clone https://github.com/thomasvincent/aws-ssm-automation-scripts.git\n\n# 2. Register an SSM document\naws ssm create-document \\\n  --name \"EnableS3Encryption\" \\\n  --document-type \"Automation\" \\\n  --content file://s3_encryption.yaml\n\n# 3. Execute the automation\naws ssm start-automation-execution \\\n  --document-name \"EnableS3Encryption\" \\\n  --parameters '{\"BucketName\":[\"my-bucket\"],\"KMSMasterKey\":[\"arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012\"]}'\n```\n\n## 📦 Available Automation Scripts\n\n### CDN \u0026 Content Delivery\n\n#### 📡 CloudFront Distribution Management\n**File**: `cloudfront_distribution_management.yaml`\n\nComprehensive CloudFront distribution lifecycle management including creation, updates, invalidations, and security configuration.\n\n**Key Features**:\n- Create and configure new distributions\n- Update existing distribution settings\n- Perform cache invalidations\n- Configure security policies and geo-restrictions\n- Manage custom headers and behaviors\n\n\u003cdetails\u003e\n\u003csummary\u003eView Parameters\u003c/summary\u003e\n\n- `Operation`: The operation to perform (Create, Update, Invalidate, UpdateSecurityConfig)\n- `DistributionId`: ID of existing distribution (required for updates)\n- `OriginDomainName`: Origin domain name (required for creation)\n- `PriceClass`: CloudFront price class\n- `ViewerCertificateConfig`: SSL/TLS certificate configuration\n- `GeoRestriction`: Geographic access restrictions\n- [See full parameter list in script]\n\n\u003c/details\u003e\n\n### Compute \u0026 Instance Management\n\n#### 🖥️ EC2 Instance Patching\n**File**: `ec2_instance_patching.yaml`\n\nAutomated patching solution for EC2 instances with configurable reboot options and severity filters.\n\n**Key Features**:\n- Selective patching based on severity levels\n- Optional automatic reboot after patching\n- Parallel patching support\n- Detailed patch compliance reporting\n\n\u003cdetails\u003e\n\u003csummary\u003eView Parameters\u003c/summary\u003e\n\n- `InstanceIds`: List of EC2 instance IDs to patch\n- `RebootOption`: Whether to reboot after patching (NoReboot, RebootIfNeeded)\n- `PatchSeverity`: Minimum severity level (Critical, Important, Medium, Low)\n- `AutomationAssumeRole`: IAM role for automation execution\n\n\u003c/details\u003e\n\n### Security \u0026 Compliance\n\n#### 🔐 Security Group Audit\n**File**: `security_group_audit.yaml`\n\nComprehensive security group auditing and automated remediation for compliance.\n\n**Key Features**:\n- Identify overly permissive rules (0.0.0.0/0)\n- Automatic remediation of high-risk ports\n- Compliance reporting\n- Exclusion list support\n- VPC-specific auditing\n\n\u003cdetails\u003e\n\u003csummary\u003eView Parameters\u003c/summary\u003e\n\n- `SecurityGroupIds`: Specific security groups to audit (optional)\n- `VpcIds`: VPCs to audit (optional)\n- `RemediationMode`: Audit or Remediate\n- `RemediateOpenPorts`: Ports to close if open to internet\n- `ExcludedSecurityGroups`: Security groups to exclude\n\n\u003c/details\u003e\n\n#### 🔑 S3 Bucket Encryption\n**File**: `s3_encryption.yaml`\n\nEnable KMS encryption on S3 buckets with verification.\n\n**Key Features**:\n- Apply KMS encryption to existing buckets\n- Verify encryption status\n- Support for customer-managed KMS keys\n- Bucket existence validation\n\n### Cost Optimization\n\n#### 💰 Cost Optimization Recommendations\n**File**: `cost_optimization_recommendations.yaml`\n\nIdentify and report cost optimization opportunities across your AWS infrastructure.\n\n**Key Features**:\n- Identify idle and underutilized resources\n- Generate detailed HTML reports\n- SNS notifications for findings\n- Multi-resource type analysis (EC2, EBS, RDS, etc.)\n- Customizable utilization thresholds\n\n\u003cdetails\u003e\n\u003csummary\u003eView Parameters\u003c/summary\u003e\n\n- `ResourceTypes`: Resources to analyze (EC2, EBS, S3, RDS)\n- `IdleDaysThreshold`: Days of inactivity to consider idle\n- `LowUtilizationThreshold`: CPU threshold for underutilization\n- `GenerateReport`: Generate HTML report\n- `ReportS3Bucket`: S3 bucket for reports\n\n\u003c/details\u003e\n\n#### 💰 Cost Savings Remediation\n**File**: `cost_savings_remediation.yaml`\n\nSafely remediate common sources of AWS cost waste with tag-aware targeting and DryRun-first execution.\n\n**Key Features**:\n- Stop EC2 instances with consistently low CPU utilization\n- Delete unattached EBS volumes (optional pre-delete snapshot)\n- Release unused Elastic IPs\n- Delete idle ALB/NLB with no traffic and no registered targets\n- Stop non–Multi-AZ RDS DB instances with low CPU\n- Global DryRun control and SNS summary notification\n\n\u003cdetails\u003e\n\u003csummary\u003eView Parameters\u003c/summary\u003e\n\n- `Actions`: Operations to perform (StopIdleEC2, DeleteUnattachedEBS, ReleaseUnusedEIPs, CleanupIdleELB, StopIdleRDS)\n- `TargetTags`: Tag key/value map resources must match (e.g., `{Environment: Development}`)\n- `IdleDaysThreshold`: Window to evaluate idleness (default 30)\n- `LowUtilizationThreshold`: CPU percentage threshold for underutilization (default 10)\n- `SnapshotBeforeDelete`: For EBS, create a snapshot before deletion (default true)\n- `DryRun`: Report-only mode (default true)\n- `NotificationTopicArn`: Optional SNS topic for a summary notification\n\n\u003c/details\u003e\n\n**Usage**\n\n```bash\naws ssm start-automation-execution \\\n  --document-name \"CostSavingsRemediation\" \\\n  --parameters '{\n    \"Actions\":[\"StopIdleEC2\",\"DeleteUnattachedEBS\",\"ReleaseUnusedEIPs\",\"CleanupIdleELB\",\"StopIdleRDS\"],\n    \"TargetTags\":{\"Environment\":\"Development\"},\n    \"IdleDaysThreshold\":[\"30\"],\n    \"LowUtilizationThreshold\":[\"10\"],\n    \"SnapshotBeforeDelete\":[\"true\"],\n    \"DryRun\":[\"true\"]\n  }'\n```\n\n##### Scheduled execution (EventBridge example)\nA CloudFormation example to run this nightly is in `examples/eventbridge/cost_savings_eventbridge.yaml`.\n\nDeploy:\n\n```bash\naws cloudformation deploy \\\n  --stack-name cost-savings-schedule \\\n  --template-file examples/eventbridge/cost_savings_eventbridge.yaml \\\n  --parameter-overrides \\\n    DocumentName=CostSavingsRemediation \\\n    AutomationAssumeRoleArn=arn:aws:iam::111122223333:role/SSM-Automation-Execution-Role \\\n    ScheduleExpression='cron(0 9 * * ? *)' \\\n    IdleDaysThreshold=30 \\\n    LowUtilizationThreshold=10 \\\n    SnapshotBeforeDelete=true \\\n    DryRun=true\n```\n\nNote: The EventBridge rule assumes a role that can `ssm:StartAutomationExecution` on the runbook and `iam:PassRole` for the `AutomationAssumeRole` you provide.\n\n##### Terraform schedule example\nA Terraform variant is available in `examples/terraform/cost_savings_schedule`.\n\n```bash\ncd examples/terraform/cost_savings_schedule\nterraform init\nterraform apply -auto-approve \\\n  -var=\"document_name=CostSavingsRemediation\" \\\n  -var=\"automation_assume_role_arn=arn:aws:iam::111122223333:role/SSM-Automation-Execution-Role\" \\\n  -var=\"schedule_expression=cron(0 9 * * ? *)\" \\\n  -var=\"idle_days_threshold=30\" \\\n  -var=\"low_utilization_threshold=10\" \\\n  -var=\"snapshot_before_delete=true\" \\\n  -var=\"dry_run=true\"\n```\n\n### IAM \u0026 Access Management\n\n#### 👤 Attach Policies to Role\n**File**: `attach_policies_to_role.yaml`\n\nStreamline IAM role configuration by attaching multiple policies.\n\n**Key Features**:\n- Attach AWS managed policies\n- Attach customer managed policies\n- Bulk policy attachment\n- Validation and error handling\n\n### Lambda Functions\n\n#### ⚡ Lambda Function Management\n**File**: `lambda_function_management.yaml`\n\nComplete Lambda function lifecycle management.\n\n**Key Features**:\n- Create new functions from S3 packages\n- Update function code and configuration\n- Manage aliases and versions\n- Configure environment variables\n- Set reserved concurrent executions\n\n\u003cdetails\u003e\n\u003csummary\u003eView Parameters\u003c/summary\u003e\n\n- `Operation`: Operation type (Create, Update, Delete, AddAlias)\n- `FunctionName`: Lambda function name\n- `S3Bucket`: Deployment package bucket\n- `S3Key`: Deployment package key\n- `Handler`: Function handler\n- `Runtime`: Lambda runtime\n- `MemorySize`: Memory allocation (MB)\n- `Timeout`: Execution timeout (seconds)\n\n\u003c/details\u003e\n\n### Maintenance \u0026 Operations\n\n#### 🔧 Maintenance Window Setup\n**File**: `maintenance_window_setup.yaml`\n\nCreate and configure SSM Maintenance Windows for scheduled operations.\n\n**Key Features**:\n- Flexible scheduling with cron expressions\n- Target registration (instances or tags)\n- Task configuration\n- Service role management\n\n### Multi-Account Management\n\n#### 🌐 Cross-Account Resource Management\n**File**: `cross_account_resource_management.yaml`\n\nManage resources across multiple AWS accounts from a central location.\n\n**Key Features**:\n- Assume role across accounts\n- Parallel account processing\n- Multi-region support\n- Comprehensive error handling\n- SNS notifications\n\n\u003cdetails\u003e\n\u003csummary\u003eView Parameters\u003c/summary\u003e\n\n- `Operation`: Cross-account operation type\n- `TargetAccounts`: List of AWS account IDs\n- `TargetRegions`: AWS regions to target\n- `CrossAccountRoleName`: Role name to assume\n- `MaxConcurrentAccounts`: Parallel execution limit\n\n\u003c/details\u003e\n\n### Resource Management\n\n#### 🏗️ Create and Tag Resources\n**File**: `create_and_tag_resources.yaml`\n\nStandardized resource creation with consistent tagging strategy.\n\n**Key Features**:\n- Support multiple resource types\n- Enforce tagging standards\n- Cost center allocation\n- Environment classification\n- Department and project tracking\n\n## 🛠️ Shared Python Modules\n\nThe repository includes reusable Python modules in `shared/python/`:\n\n### aws_helpers.py\n- General AWS utility functions\n- Logging configuration\n- Tag creation and management\n- Parameter validation\n- Error handling utilities\n\n### config_manager.py\n- Configuration from SSM Parameter Store\n- S3-based configuration management\n- Environment-specific settings\n- Dynamic configuration updates\n\n### security_helpers.py\n- Security group analysis\n- Encryption status checks\n- Compliance validation\n- Security best practices enforcement\n\n## 📥 Installation\n\n### Method 1: Direct AWS Registration\n\n```bash\n# Register all documents at once\nfor file in *.yaml; do\n  name=$(basename \"$file\" .yaml)\n  aws ssm create-document \\\n    --name \"$name\" \\\n    --document-type \"Automation\" \\\n    --content \"file://$file\"\ndone\n```\n\n### Method 2: Using AWS CloudFormation\n\n```yaml\nResources:\n  S3EncryptionDocument:\n    Type: AWS::SSM::Document\n    Properties:\n      Name: EnableS3Encryption\n      DocumentType: Automation\n      Content: !Sub |\n        ${file(s3_encryption.yaml)}\n```\n\n### Method 3: Terraform\n\n```hcl\nresource \"aws_ssm_document\" \"s3_encryption\" {\n  name          = \"EnableS3Encryption\"\n  document_type = \"Automation\"\n  content       = file(\"${path.module}/s3_encryption.yaml\")\n}\n```\n\n## 📖 Usage Examples\n\n### Example 1: Enable S3 Bucket Encryption\n\n```bash\naws ssm start-automation-execution \\\n  --document-name \"s3_encryption\" \\\n  --parameters '{\n    \"BucketName\": [\"my-data-bucket\"],\n    \"KMSMasterKey\": [\"arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012\"]\n  }'\n```\n\n### Example 2: Patch EC2 Instances\n\n```bash\naws ssm start-automation-execution \\\n  --document-name \"ec2_instance_patching\" \\\n  --parameters '{\n    \"InstanceIds\": [\"i-1234567890abcdef0\", \"i-0987654321fedcba0\"],\n    \"RebootOption\": [\"RebootIfNeeded\"],\n    \"PatchSeverity\": [\"Critical\"]\n  }'\n```\n\n### Example 3: Audit Security Groups\n\n```bash\naws ssm start-automation-execution \\\n  --document-name \"security_group_audit\" \\\n  --parameters '{\n    \"RemediationMode\": [\"Audit\"],\n    \"RemediateOpenPorts\": [\"22\", \"3389\", \"3306\"],\n    \"VpcIds\": [\"vpc-12345678\"]\n  }'\n```\n\n### Example 4: Cross-Account Operations\n\n```bash\naws ssm start-automation-execution \\\n  --document-name \"cross_account_resource_management\" \\\n  --parameters '{\n    \"Operation\": [\"TagResources\"],\n    \"TargetAccounts\": [\"111111111111\", \"222222222222\"],\n    \"CrossAccountRoleName\": [\"SSMCrossAccountRole\"],\n    \"TagKey\": [\"Environment\"],\n    \"TagValue\": [\"Production\"]\n  }'\n```\n\n## 🏗️ Architecture\n\n### Document Structure\n\n```\naws-ssm-automation-scripts/\n├── *.yaml                    # SSM Automation documents\n├── shared/                   # Shared modules\n│   └── python/              # Python helper modules\n│       ├── aws_helpers.py\n│       ├── config_manager.py\n│       └── security_helpers.py\n├── .github/                 # GitHub Actions workflows\n│   └── workflows/\n│       ├── validate.yml     # Document validation\n│       ├── security-scan.yml # Security scanning\n│       └── release.yml      # Automated releases\n└── tests/                   # Test scripts (if applicable)\n```\n\n### Execution Flow\n\n```mermaid\ngraph TD\n    A[User/Application] --\u003e|Initiates| B[SSM Automation]\n    B --\u003e C{Document Type}\n    C --\u003e|EC2| D[Instance Operations]\n    C --\u003e|S3| E[Bucket Operations]\n    C --\u003e|Security| F[Compliance Checks]\n    C --\u003e|Cross-Account| G[Assume Role]\n    G --\u003e H[Target Account Operations]\n    D --\u003e I[Logging/Reporting]\n    E --\u003e I\n    F --\u003e I\n    H --\u003e I\n    I --\u003e J[CloudWatch Logs]\n    I --\u003e K[S3 Reports]\n    I --\u003e L[SNS Notifications]\n```\n\n## ✅ Best Practices\n\n### 1. IAM Permissions\n\nAlways use least privilege principles:\n\n```json\n{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"ssm:StartAutomationExecution\",\n        \"ssm:GetAutomationExecution\"\n      ],\n      \"Resource\": \"*\"\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": \"iam:PassRole\",\n      \"Resource\": \"arn:aws:iam::*:role/SSMAutomationRole\"\n    }\n  ]\n}\n```\n\n### 2. Error Handling\n\nAll documents include proper error handling:\n- `onFailure` actions (Abort, Continue)\n- Retry logic where appropriate\n- Detailed error logging\n\n### 3. Tagging Strategy\n\nImplement consistent tagging:\n```yaml\nTags:\n  Environment: Production\n  Department: DevOps\n  Project: Infrastructure\n  Owner: team@example.com\n  CostCenter: CC-12345\n```\n\n### 4. Testing\n\nTest in non-production first:\n1. Use sandbox/development accounts\n2. Target test resources\n3. Review execution logs\n4. Validate results\n\n## 🔧 Development\n\n### Creating New Documents\n\n1. Use the template structure:\n```yaml\n---\ndescription: Clear description of what this document does\nschemaVersion: '0.3'\nassumeRole: '{{ AutomationAssumeRole }}'\nparameters:\n  # Define all parameters\nmainSteps:\n  # Define automation steps\n```\n\n2. Follow naming conventions:\n   - Use snake_case for file names\n   - Use PascalCase for parameters\n   - Use camelCase for step names\n\n3. Include comprehensive documentation\n\n### Testing Locally\n\n```bash\n# Validate YAML syntax\npython -c \"import yaml; yaml.safe_load(open('document.yaml'))\"\n\n# Test with dry-run (if supported)\naws ssm start-automation-execution \\\n  --document-name \"TestDocument\" \\\n  --parameters '{\"DryRun\":[\"true\"]}'\n```\n\n## 🤝 Contributing\n\nWe welcome contributions! Please see our [Contributing Guide](CONTRIBUTING.md) for details.\n\n### How to Contribute\n\n1. Fork the repository\n2. Create a feature branch (`git checkout -b feature/amazing-automation`)\n3. Commit your changes (`git commit -m 'Add amazing automation'`)\n4. Push to the branch (`git push origin feature/amazing-automation`)\n5. Open a Pull Request\n\n### Contribution Guidelines\n\n- Follow existing document structure\n- Include comprehensive parameter descriptions\n- Add usage examples to README\n- Ensure all YAML is valid\n- Test thoroughly before submitting\n\n## 🔄 CI/CD Pipeline\n\n### Automated Workflows\n\n- **Validation**: All YAML documents are validated on push\n- **Security Scanning**: CodeQL scans for security issues\n- **Automated Testing**: Integration tests in sandbox environment\n- **Release Management**: Semantic versioning with automated releases\n- **Dependency Updates**: Dependabot keeps dependencies current\n\n### Release Process\n\nReleases follow semantic versioning (MAJOR.MINOR.PATCH):\n\n- **MAJOR**: Breaking changes to document parameters\n- **MINOR**: New documents or features\n- **PATCH**: Bug fixes and minor improvements\n\n## 📊 Monitoring \u0026 Logging\n\n### CloudWatch Integration\n\nAll executions are logged to CloudWatch:\n```\n/aws/ssm/automation/{document-name}/{execution-id}\n```\n\n### Metrics to Monitor\n\n- Execution success/failure rates\n- Average execution duration\n- Resource modification counts\n- Cost optimization savings\n\n## 🆘 Support\n\n### Documentation\n- [AWS SSM Documentation](https://docs.aws.amazon.com/systems-manager/)\n- [Automation Document Reference](https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-documents.html)\n\n### Getting Help\n- **Issues**: [GitHub Issues](https://github.com/thomasvincent/aws-ssm-automation-scripts/issues)\n- **Discussions**: [GitHub Discussions](https://github.com/thomasvincent/aws-ssm-automation-scripts/discussions)\n- **Security Issues**: See [SECURITY.md](SECURITY.md)\n\n## 📄 License\n\nThis project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.\n\n## 👏 Acknowledgments\n\n- AWS Systems Manager team for the automation framework\n- Contributors and users of these scripts\n- Open source community for inspiration and best practices\n\n## 🗺️ Roadmap\n\n- [ ] AWS Organizations integration\n- [ ] Cost optimization automation workflows\n- [ ] Disaster recovery automation\n- [ ] Compliance reporting dashboards\n- [ ] Integration with AWS Config rules\n- [ ] Slack/Teams notifications\n- [ ] Terraform module wrapper\n- [ ] Enhanced cross-region support\n\n---\n\n**Made with ❤️ by the DevOps community**\n\nFor commercial support or custom automation development, please contact [Thomas Vincent](https://github.com/thomasvincent).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthomasvincent%2Faws-ssm-automation-scripts","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fthomasvincent%2Faws-ssm-automation-scripts","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthomasvincent%2Faws-ssm-automation-scripts/lists"}