How do I troubleshoot "S3 write failed for bucket" 403 Access Denied errors from Amazon S3 when creating resource data sync for Systems Manager inventory?


I want to troubleshoot 403 Access Denied errors from Amazon Simple Storage Service (Amazon S3) when creating a resource data sync.

Resolution

There are two methods for configuring resource data sync for AWS Systems Manager inventory:

  • Create a resource data sync for multiple accounts within the same organization.
  • Create a resource data sync for multiple accounts that aren't within the same organization.

To resolve "S3 write failed for bucket" errors, do the following:

Troubleshooting for multiple accounts within the same organization

Make sure that the central Amazon S3 bucket policy has the required permissions to allow multiple AWS accounts to send inventory data to the bucket.

To create a resource data sync for multiple accounts within the same organization, use the CreateResourceDataSync API and be sure to specify the DestinationDataSharing parameter. In AWS CloudTrail, check the API request recorded for event name CreateResourceDataSync to confirm that the DestinationDataSharing parameter is included in the event. If it's missing, the sync was created as a single-account sync and other accounts in the organization receive 403 errors when they write to the bucket.

Note: You can't create a resource data sync from the AWS Management Console when the resource data sync is for multiple accounts within the same organization.

The following is an example AWS Command Line Interface (AWS CLI) command for CreateResourceDataSync:

aws ssm create-resource-data-sync --sync-name name --s3-destination "BucketName=DOC-EXAMPLE-BUCKET,Prefix=prefix-name,SyncFormat=JsonSerDe,Region=AWS Region ID,DestinationDataSharing={DestinationDataSharingType=Organization}"

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.
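The following script, added here as an illustration and not part of the original article, shows the CloudTrail check described above in code. It scans a batch of CloudTrail records (a constructed sample is embedded; the camelCase key names under requestParameters, such as s3Destination and destinationDataSharing, are an assumption about how CloudTrail records the request, so the lookup is case-insensitive) and reports whether each CreateResourceDataSync call included DestinationDataSharing with type Organization.

```python
import json

# Constructed sample CloudTrail records (not real events). The first call set
# DestinationDataSharing=Organization; the second call omitted it.
SAMPLE_EVENTS = [
    json.dumps({
        "eventSource": "ssm.amazonaws.com",
        "eventName": "CreateResourceDataSync",
        "requestParameters": {
            "syncName": "org-inventory-sync",
            "s3Destination": {
                "bucketName": "DOC-EXAMPLE-BUCKET",
                "syncFormat": "JsonSerDe",
                "region": "us-east-1",
                "destinationDataSharing": {"destinationDataSharingType": "Organization"},
            },
        },
    }),
    json.dumps({
        "eventSource": "ssm.amazonaws.com",
        "eventName": "CreateResourceDataSync",
        "requestParameters": {
            "syncName": "single-account-sync",
            "s3Destination": {
                "bucketName": "DOC-EXAMPLE-BUCKET",
                "syncFormat": "JsonSerDe",
                "region": "us-east-1",
            },
        },
    }),
    json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "PutObject"}),
]


def _get_ci(mapping, key):
    """Case-insensitive key lookup (assumption: CloudTrail may camelCase the API's PascalCase names)."""
    if not isinstance(mapping, dict):
        return None
    for k, v in mapping.items():
        if k.lower() == key.lower():
            return v
    return None


def check_sync_event(record):
    """Summarise one CreateResourceDataSync record: sync name, bucket and sharing type."""
    params = record.get("requestParameters") or {}
    s3_dest = _get_ci(params, "s3Destination") or {}
    sharing = _get_ci(s3_dest, "destinationDataSharing") or {}
    sharing_type = _get_ci(sharing, "destinationDataSharingType")
    return {
        "sync_name": _get_ci(params, "syncName"),
        "bucket": _get_ci(s3_dest, "bucketName"),
        "sharing_type": sharing_type,
        "organization_sync": sharing_type == "Organization",
    }


def audit_events(lines):
    """Parse JSON records and return a finding for every SSM CreateResourceDataSync call."""
    findings = []
    for line in lines:
        record = json.loads(line)
        if record.get("eventSource") != "ssm.amazonaws.com":
            continue
        if record.get("eventName") != "CreateResourceDataSync":
            continue
        findings.append(check_sync_event(record))
    return findings


if __name__ == "__main__":
    for finding in audit_events(SAMPLE_EVENTS):
        status = "OK" if finding["organization_sync"] else "MISSING DestinationDataSharing"
        print(f'{finding["sync_name"]}: {status}')
```

With real data, feed the script the records returned by CloudTrail's event history (for example, the CloudTrailEvent JSON strings from a lookup filtered on EventName=CreateResourceDataSync); a sync reported as missing DestinationDataSharing must be recreated with the parameter before other accounts can write to the bucket.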

Troubleshooting for multiple accounts that aren't within the same organization

To create a resource data sync, confirm that the S3 bucket policy of the target S3 bucket allows the required actions from the source account.

For example, suppose Account A and Account B send inventory data to an S3 bucket in Account C.

The S3 bucket policy in Account C is similar to the following example policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SSMBucketPermissionsCheck",
            "Effect": "Allow",
            "Principal": {
                "Service": "ssm.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::S3_bucket_name"
        },
        {
            "Sid": "SSMBucketDelivery",
            "Effect": "Allow",
            "Principal": {
                "Service": "ssm.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": [
                "arn:aws:s3:::S3_bucket_name/*/accountid=AWS_AccountA_ID/*",
                "arn:aws:s3:::S3_bucket_name/*/accountid=AWS_AccountB_ID/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": [
                        "AWS_AccountA_ID",
                        "AWS_AccountB_ID"
                    ],
                    "s3:x-amz-acl": "bucket-owner-full-control"
                },
                "ArnLike": {
                    "aws:SourceArn": [
                        "arn:aws:ssm:*:AWS_AccountA_ID:resource-data-sync/*",
                        "arn:aws:ssm:*:AWS_AccountB_ID:resource-data-sync/*"
                    ]
                }
            }
        }
    ]
}
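A 403 from a source account usually means one of the four per-account pieces of the SSMBucketDelivery statement (the accountid= Resource path, the aws:SourceAccount value, the s3:x-amz-acl condition, or the aws:SourceArn pattern) was not added for that account. The script below, added here as an illustration and not part of the original article, checks a bucket policy of the shape shown above against a list of source account IDs and reports which account is not fully covered, then shows how to add the missing grants. The bucket name and the account IDs 111111111111 and 222222222222 are constructed placeholders, and the embedded policy deliberately omits Account B from the Resource list and the aws:SourceArn condition so the check has something to find. The check is strict: it looks for the exact literal values the article's policy uses rather than evaluating IAM wildcard semantics.

```python
BUCKET = "DOC-EXAMPLE-BUCKET"
ACCOUNT_A = "111111111111"  # constructed placeholder account IDs
ACCOUNT_B = "222222222222"

# Constructed policy shaped like the article's example, but Account B is missing
# from the PutObject Resource list and from aws:SourceArn, which causes a 403.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SSMBucketPermissionsCheck",
            "Effect": "Allow",
            "Principal": {"Service": "ssm.amazonaws.com"},
            "Action": "s3:GetBucketAcl",
            "Resource": f"arn:aws:s3:::{BUCKET}",
        },
        {
            "Sid": "SSMBucketDelivery",
            "Effect": "Allow",
            "Principal": {"Service": "ssm.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": [f"arn:aws:s3:::{BUCKET}/*/accountid={ACCOUNT_A}/*"],
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": [ACCOUNT_A, ACCOUNT_B],
                    "s3:x-amz-acl": "bucket-owner-full-control",
                },
                "ArnLike": {"aws:SourceArn": [f"arn:aws:ssm:*:{ACCOUNT_A}:resource-data-sync/*"]},
            },
        },
    ],
}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _cond_values(stmt, operator, key):
    return _as_list(stmt.get("Condition", {}).get(operator, {}).get(key))


def _ssm_allow_statements(policy, action):
    """Allow statements for the SSM service principal that include the given action."""
    found = []
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") == "Allow" and "ssm.amazonaws.com" in services \
                and action in _as_list(stmt.get("Action")):
            found.append(stmt)
    return found


def missing_grants(policy, bucket, account_ids):
    """Return one message per gap; an empty list means every account is fully covered."""
    gaps = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    if not any(bucket_arn in _as_list(s.get("Resource"))
               for s in _ssm_allow_statements(policy, "s3:GetBucketAcl")):
        gaps.append("no s3:GetBucketAcl grant for ssm.amazonaws.com on the bucket ARN")
    put_stmts = _ssm_allow_statements(policy, "s3:PutObject")
    for acct in account_ids:
        want_res = f"{bucket_arn}/*/accountid={acct}/*"
        want_arn = f"arn:aws:ssm:*:{acct}:resource-data-sync/*"
        covered = any(
            want_res in _as_list(s.get("Resource"))
            and acct in _cond_values(s, "StringEquals", "aws:SourceAccount")
            and "bucket-owner-full-control" in _cond_values(s, "StringEquals", "s3:x-amz-acl")
            and want_arn in _cond_values(s, "ArnLike", "aws:SourceArn")
            for s in put_stmts
        )
        if not covered:
            gaps.append(f"account {acct}: no s3:PutObject statement with Resource {want_res}, "
                        "aws:SourceAccount, s3:x-amz-acl and aws:SourceArn conditions")
    return gaps


def grant_account(policy, bucket, acct):
    """Add the per-account Resource and condition values to the first SSM PutObject statement."""
    stmt = _ssm_allow_statements(policy, "s3:PutObject")[0]
    stmt["Resource"] = _as_list(stmt.get("Resource"))
    res = f"arn:aws:s3:::{bucket}/*/accountid={acct}/*"
    if res not in stmt["Resource"]:
        stmt["Resource"].append(res)
    cond = stmt.setdefault("Condition", {})
    equals = cond.setdefault("StringEquals", {})
    equals["aws:SourceAccount"] = _as_list(equals.get("aws:SourceAccount"))
    if acct not in equals["aws:SourceAccount"]:
        equals["aws:SourceAccount"].append(acct)
    equals.setdefault("s3:x-amz-acl", "bucket-owner-full-control")
    arnlike = cond.setdefault("ArnLike", {})
    arnlike["aws:SourceArn"] = _as_list(arnlike.get("aws:SourceArn"))
    arn = f"arn:aws:ssm:*:{acct}:resource-data-sync/*"
    if arn not in arnlike["aws:SourceArn"]:
        arnlike["aws:SourceArn"].append(arn)
    return policy


if __name__ == "__main__":
    for gap in missing_grants(POLICY, BUCKET, [ACCOUNT_A, ACCOUNT_B]):
        print("GAP:", gap)
    grant_account(POLICY, BUCKET, ACCOUNT_B)
    print("after fix:", missing_grants(POLICY, BUCKET, [ACCOUNT_A, ACCOUNT_B]))
```

To run this against a real bucket, load the policy returned by get-bucket-policy into POLICY and pass the source account IDs that report the error; an empty result from missing_grants points the investigation at the KMS key policy or the sync configuration instead.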

Note: To encrypt the resource data sync, be sure to update the AWS Key Management Service (AWS KMS) key policy and S3 bucket policy. For more information, see Walkthrough: Use resource data sync to aggregate inventory data.

AWS OFFICIAL
Updated a year ago