1 Answer
0
Hello Shawn,
Enabling "Instance Profile Options" in your Patch Policy will only add S3 permissions to allow communication to the bucket automatically created to store baseline overrides: `aws-quicksetup-patchpolicy-*`. Here is the example policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::aws-quicksetup-patchpolicy-*"
    }
  ]
}
```
If you require saving command output to a custom bucket, you will need to manually add those permissions to the Instance Profile role. See the example policy below and find more info here.

```json
{
  "Effect": "Allow",
  "Action": [
    "s3:GetObject",
    "s3:PutObject",
    "s3:PutObjectAcl",
    "s3:GetEncryptionConfiguration"
  ],
  "Resource": [
    "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
    "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
  ]
}
```
In case you need centralized logging from multiple accounts, you can refer to this article.
Hope this helps.
answered 5 months ago
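As an added example (not part of the answer above and not AWS code), this simplified offline check evaluates the two statements quoted in the answer against the S3 calls needed to write command output to a custom bucket, showing that the Quick Setup statement alone covers none of them. The sample object key, the function names and the evaluator itself are assumptions; it ignores `Condition`, `NotAction`, `NotResource` and any bucket policy or SCP.

```python
import re

# Statements quoted in the answer above (DOC-EXAMPLE-BUCKET is its placeholder).
QUICK_SETUP = {"Effect": "Allow", "Action": "s3:GetObject",
               "Resource": "arn:aws:s3:::aws-quicksetup-patchpolicy-*"}
CUSTOM_BUCKET = {"Effect": "Allow",
                 "Action": ["s3:GetObject", "s3:PutObject", "s3:PutObjectAcl",
                            "s3:GetEncryptionConfiguration"],
                 "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
                              "arn:aws:s3:::DOC-EXAMPLE-BUCKET"]}

# Calls needed to write output: object-level actions target a key, the
# encryption lookup targets the bucket ARN. The key is a constructed sample.
REQUIRED = [
    ("s3:PutObject", "arn:aws:s3:::DOC-EXAMPLE-BUCKET/ssm-output/sample.txt"),
    ("s3:PutObjectAcl", "arn:aws:s3:::DOC-EXAMPLE-BUCKET/ssm-output/sample.txt"),
    ("s3:GetEncryptionConfiguration", "arn:aws:s3:::DOC-EXAMPLE-BUCKET"),
]

def _glob(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allows(statements, action, resource):
    """True if some Allow statement matches and no Deny statement does."""
    def hit(s):
        return (any(_glob(a, action, True) for a in _as_list(s.get("Action", [])))
                and any(_glob(r, resource) for r in _as_list(s.get("Resource", []))))
    matched = [s["Effect"] for s in statements if hit(s)]
    return "Allow" in matched and "Deny" not in matched

def missing(statements, required=REQUIRED):
    """Required (action, resource) pairs the instance profile does not allow."""
    return [(a, r) for a, r in required if not allows(statements, a, r)]

if __name__ == "__main__":
    print("Quick Setup only:", missing([QUICK_SETUP]))
    print("With custom-bucket statement:", missing([QUICK_SETUP, CUSTOM_BUCKET]))
```

Dropping the bare bucket ARN from the custom statement leaves `s3:GetEncryptionConfiguration` unmatched, which is why the answer's policy lists both resource forms.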