System Manager output to s3 bucket


I have a maintenance window set up in Systems Manager that I'm trying to write output to an S3 bucket in the same account. But nothing is showing up. Here's the policy I had in place. I'm assuming it's not correct, so what do I need to have instead?

    {
        "Sid": "AWSSSMWrite",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws-us-gov:iam::<acct#>:root"
        },
        "Action": "s3:PutObject",
        "Resource": "arn:aws-us-gov:s3:::prod-ssm/Patching/*",
        "Condition": {
            "StringEquals": {
                "s3:x-amz-acl": "bucket-owner-full-control"
            }
        }
    }

4 answers

Accepted answer

The bucket policy should look like the one below:

 {
     "Version": "2012-10-17",
     "Statement": [
         {
             "Sid": "SSMLogging",
             "Effect": "Allow",
             "Principal": {
                 "AWS": "arn:aws:iam::SSM_account_id:root"
             },
             "Action": [
                 "s3:PutObjectAcl",
                 "s3:PutObject",
                 "s3:GetEncryptionConfiguration"
             ],
             "Resource": [
                 "arn:aws:s3:::bucket_name/*",
                 "arn:aws:s3:::bucket_name"
             ]
         }
     ]
 }

The IAM policy (for Systems Manager) should be as below:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:PutObject",
                    "s3:PutObjectAcl",
                    "s3:GetEncryptionConfiguration"
                ],
                "Resource": [
                    "arn:aws:s3:::bucket-name/*",
                    "arn:aws:s3:::bucket-name"
                ]
            }
        ]
    }

Follow this re:Post step by step.

AWS
EXPERT
answered a year ago
  • The IAM policy goes on the EC2 service role that's configured for the maintenance window, correct?

  • Yes, that's correct.

  • Did you try it out, let me know how it works for you.

  • Did you try it out?


Tried it out, but still doesn't seem to be working

answered 10 months ago
  • Please follow this re:Post step by step and let me know how it goes. Please mention the error messages if you are able to capture them through CloudTrail or CloudWatch.

  • How did it go?


Hi, unfortunately, no it still did not work.

answered 10 months ago

Had to also allow permissions due to KMS encryption, but after allowing that, I was able to get the data in the bucket.

answered 10 months ago
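The accepted answer's two policy documents and the closing remark about KMS can be combined into one worked example. The Python below is an added example, not code from the thread or from AWS: it builds the bucket policy and the maintenance-window role policy for a chosen partition (the question's ARNs use `aws-us-gov`, while the accepted answer's templates use `aws`, so the partition is made a parameter), and it includes a small offline checker that reports which of the three S3 actions from the accepted answer a given policy fails to allow. Run against a copy of the question's original statement it shows that `s3:PutObjectAcl` and `s3:GetEncryptionConfiguration` (on the bucket ARN, not the object prefix) were never granted. The KMS statement's action list (`kms:GenerateDataKey`, `kms:Decrypt`) is an assumption drawn from the thread's note that KMS permissions were also needed; the page does not list the actions. The function names, the placeholder account and key IDs, and the sample object key are all constructed for the example.

```python
"""Build and sanity-check the S3 and KMS grants that let a Systems Manager
maintenance window write command output to a bucket (added example)."""
import json
import re

# Actions the accepted answer grants. The object actions apply to keys under
# the output prefix; GetEncryptionConfiguration applies to the bucket itself.
OBJECT_ACTIONS = ["s3:PutObject", "s3:PutObjectAcl"]
BUCKET_ACTIONS = ["s3:GetEncryptionConfiguration"]


def build_policies(partition, account_id, bucket, prefix, kms_key_arn=None):
    """Return (bucket_policy, role_policy) for one partition ("aws" or "aws-us-gov").

    The role policy is attached to the role the maintenance window runs under.
    The KMS statement is an assumption based on the thread's closing comment.
    """
    bucket_arn = f"arn:{partition}:s3:::{bucket}"
    objects_arn = f"{bucket_arn}/{prefix}*"
    s3_statement = {
        "Effect": "Allow",
        "Action": OBJECT_ACTIONS + BUCKET_ACTIONS,
        "Resource": [bucket_arn, objects_arn],
    }
    bucket_policy = {
        "Version": "2012-10-17",
        "Statement": [
            dict(s3_statement, Sid="SSMLogging",
                 Principal={"AWS": f"arn:{partition}:iam::{account_id}:root"}),
        ],
    }
    role_policy = {
        "Version": "2012-10-17",
        "Statement": [dict(s3_statement, Sid="SSMWriteOutput")],
    }
    if kms_key_arn:
        role_policy["Statement"].append({
            "Sid": "SSMOutputKms",
            "Effect": "Allow",
            # Assumed: SSE-KMS uploads need a data key, and Decrypt is listed
            # for multipart uploads. Scope it to the bucket's key only.
            "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
            "Resource": kms_key_arn,
        })
    return bucket_policy, role_policy


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, value):
    """IAM-style wildcard match: '*' matches any run, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def missing_grants(policy, partition, bucket, prefix):
    """List (action, resource) pairs that no Allow statement in `policy` covers.

    Accepts a full policy document or a bare statement like the one in the
    question. Deliberately simple: Condition blocks and Deny statements are
    ignored, so an empty result means "nothing obviously missing", not "works".
    """
    statements = _as_list(policy.get("Statement", policy))
    bucket_arn = f"arn:{partition}:s3:::{bucket}"
    # Constructed sample key of the shape SSM writes under the output prefix.
    sample_object = f"{bucket_arn}/{prefix}i-0123456789abcdef0/awsrunShellScript/stdout"
    wanted = [(a, sample_object) for a in OBJECT_ACTIONS]
    wanted += [(a, bucket_arn) for a in BUCKET_ACTIONS]
    missing = []
    for action, resource in wanted:
        allowed = any(
            st.get("Effect") == "Allow"
            and any(_iam_match(p, action) for p in _as_list(st.get("Action", [])))
            and any(_iam_match(p, resource) for p in _as_list(st.get("Resource", [])))
            for st in statements
        )
        if not allowed:
            missing.append((action, resource))
    return missing


# Copy of the statement from the question, with a placeholder account id.
ORIGINAL_STATEMENT = {
    "Sid": "AWSSSMWrite",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws-us-gov:iam::123456789012:root"},
    "Action": "s3:PutObject",
    "Resource": "arn:aws-us-gov:s3:::prod-ssm/Patching/*",
    "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
}

if __name__ == "__main__":
    for action, resource in missing_grants(ORIGINAL_STATEMENT, "aws-us-gov", "prod-ssm", "Patching/"):
        print(f"original statement never allows {action} on {resource}")
    bucket_policy, role_policy = build_policies(
        "aws-us-gov", "123456789012", "prod-ssm", "Patching/",
        "arn:aws-us-gov:kms:us-gov-west-1:123456789012:key/00000000-0000-0000-0000-000000000000")
    print(json.dumps(bucket_policy, indent=2))
    print(json.dumps(role_policy, indent=2))
```

The checker is intentionally a first-pass linter rather than an evaluator: it does not model the question's `s3:x-amz-acl` condition, Deny statements, SCPs or the KMS key policy, which is why the thread's last step (granting the role access to the bucket's KMS key, in the key policy or via IAM) still has to be verified separately.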
