Usando AWS re:Post, accetti AWS re:Post Termini di utilizzo
AWS re:Postre:Post

System Manager output to s3 bucket

0

I have a maintenance window setup in System Manager that I'm trying to write output to a S3 bucket in same account. But nothing is showing up. Here's the policy I had in place. I'm assuming its not correct, so what do I need to have instead?

{

"Sid": "AWSSSMWrite",

"Effect": "Allow",

"Principal": {

"AWS": "arn:aws-us-gov:iam::<acct#>:root"

},

"Action": "s3:PutObject",

"Resource": "arn:aws-us-gov:s3:::prod-ssm/Patching/*",

"Condition": {

"StringEquals": {

"s3:x-amz-acl": "bucket-owner-full-control"

}

}

}

Argomenti
ArchiviazioneGestione e amministrazione
Tag
Servizio di archiviazione semplice di AmazonGestore dei sistemi AWS
Lingua
English
rePost-User-4136916
posta un anno fa506 visualizzazioni
4 Risposte
0
Risposta accettata

Bucket policy should like as below:

 {
     "Version": "2012-10-17",
     "Statement": [
         {
             "Sid": "SSMLogging",
             "Effect": "Allow",
             "Principal": {
                 "AWS": "arn:aws:iam::SSM_account_id:root"
             },
             "Action": [
                 "s3:PutObjectAcl",
                 "s3:PutObject",
                 "s3:GetEncryptionConfiguration"
             ],
             "Resource": [
                 "arn:aws:s3:::bucket_name/*",
                 "arn:aws:s3:::bucket_name"
             ]
         }
     ]
 }

IAM Policy should be as below(for systems manager):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:GetEncryptionConfiguration"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name/*",
                "arn:aws:s3:::bucket-name"
            ]
        }
    ]
}

Follow this re:Post step by step.

profile pictureAWS
ESPERTO
secondabhi_aws
con risposta 10 mesi fa
  • rePost-User-4136916
    10 mesi fa

    The IAM policy goes on the EC2 service role that's configured for the maintenance window, correct?

  • secondabhi_aws ESPERTO
    10 mesi fa

    Yes, that's correct.

  • secondabhi_aws ESPERTO
    10 mesi fa

    Did you try it out, let me know how it works for you.

  • secondabhi_aws ESPERTO
    10 mesi fa

    Did you try it out?

0

Tried it out, but still doesn't seem to be working

rePost-User-4136916
con risposta 10 mesi fa
  • secondabhi_aws ESPERTO
    10 mesi fa

    Please follow this re:Post step by step and let me know how it goes. Please mention the error messages if you are able to capture through cloudtrail or cloudwatch.

  • secondabhi_aws ESPERTO
    10 mesi fa

    How did it go?

0

Hi, unfortunately, no it still did not work.

rePost-User-4136916
con risposta 10 mesi fa
0

Had to also allow permissions due to KMS encryption, but after allowing that; was able to get the data in the bucket.

rePost-User-4136916
con risposta 10 mesi fa

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande

Contenuto pertinente