Patch Manager Output S3 bucket

Question

We are using Patch Manager to create a patching policy. One of the options is to write output to an S3 bucket. However, we've selected an S3 bucket but no logs are coming.

We can add bucket policies to the Output S3 Bucket but which role should we add the identity based policy to? I'm guessing it's the instance profile role but we've enabled the option (picture 2 below) and it hasn't added the S3 permissions.

![Enter image description here](/media/postImages/original/IM4iiOZtLoSmqK2vP-bM651g)

![Enter image description here](/media/postImages/original/IMLzpSWWlcSZy-eD36m1mztA)

Accepted Answer

Hello Shawn,

Enabling *"Instance Profile Options"* in your Patch Policy will only add S3 permissions to allow communication to the bucket automatically created to store baseline overrides: **aws-quicksetup-patchpolicy-***
 Here is the example policy:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::aws-quicksetup-patchpolicy-*"
        }
    ]
}
```
-----------------------------------------------
If you require saving command output to a custom bucket, you will need to manually add those permissions to the Instance Profile role. See below example policy and find more info [here.](https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-permissions.html#instance-profile-custom-s3-policy)

```
{
  "Effect": "Allow",
  "Action": [
    "s3:GetObject",
    "s3:PutObject",
    "s3:PutObjectAcl",
    "s3:GetEncryptionConfiguration"
  ],
  "Resource": [
    "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
    "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
  ]
}
```
In case you need centralized logging from multiple accounts, you can refer to this [article.](https://repost.aws/knowledge-center/ssm-output-s3-other-account)

Hope this helps.

Patch Manager Output S3 bucket

Contenido relevante