When I use Quick Setup, a capability of AWS Systems Manager, to patch my Amazon Elastic Compute Cloud (Amazon EC2) instance, I get an error.
Short description
When you use Quick Setup to create a patch policy to update an Amazon EC2 instance, you might get one of the following error messages.
Linux instances:
"Unable to download file from S3: s3://aws-quicksetup-patchpolicy-5433xxxxx141-xxxxx/baseline_overrides.json.
botocore.exceptions.ClientError: An error occurred (403) when calling the HeadObject operation: Forbidden
No IMDS credentials found on instance.failed to run commands: exit status 156"
Windows instances, in the Error section of the patch task:
"Invoke-PatchBaselineOperation : User: arn:aws:sts::5433xxxxx141:assumed-role/<IAM-Role>/i-xxxxxxxxxxxxxxxxx is not authorized to perform: s3:GetObject on resource:
"arn:aws:s3:::aws-quicksetup-patchpolicy-5433xxxxx141-xxxxx/baseline_overrides.json" with an explicit deny in a resource-based policy"
This issue occurs when an Amazon EC2 instance can't download the baseline override file because of a permissions problem. When you create a patch policy in AWS Systems Manager, Quick Setup automatically creates an Amazon Simple Storage Service (Amazon S3) bucket with a name in the form aws-quicksetup-patchpolicy-123456789012-abcde. Quick Setup also generates the patch baseline override file, baseline_overrides.json, within that bucket.
Systems Manager uses the file to determine which patches to apply and how to manage patching operations across your EC2 instances. If the instance's IAM role can't read the file (the 403 Forbidden or explicit deny in the preceding error messages), the patch task fails.
Resolution
Verify permissions to access the S3 bucket
For a patch policy task to run, the instances must have the required permissions to access the Amazon S3 bucket that Quick Setup created.
To provide permissions, take one of the following actions:
Review the association that Quick Setup applied to your instances
Verify that you applied the correct associations on your instances.
In the AWS Systems Manager console, check that the following State Manager associations are applied (State Manager is a capability of Systems Manager):
- For Amazon EC2 instances: AWS-QuickSetup-PatchPolicy-AttachIAMToEc2Instance-[quick-setup-configuration-id]
- For hybrid instances: AWS-QuickSetup-PatchPolicy-AttachIAMToHybridInstance-[quick-setup-configuration-id]
Complete the following steps:
- Open the Systems Manager console.
- In the navigation pane, choose State Manager.
- On the State Manager page, select your association.
- On the Association details page, under Execution history, select the most recent execution ID.
- Review the association execution targets to verify that the association ran on the instance. If the association didn't run on the instance, then use the Apply association now feature to manually apply the association to the instance.
- To retry the patch policy execution, run the AWS-QuickSetup-PatchPolicy-ScanForPatches-[quick-setup-configuration-id] State Manager association. If the execution isn't successful, then review the output to determine why it failed. Then, see Troubleshoot Patch Manager.
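As an added example that is not part of the original article, the following Python script automates the State Manager check above: it finds the Attach-IAM associations by the name prefixes quoted earlier, takes each one's most recent execution, and reports the instance's status in that execution's targets, where NotTargeted means the association never ran on the instance. The SSM client is passed in so the helpers can be exercised offline; the code assumes only the documented SSM response keys AssociationName, AssociationId, ExecutionId, CreatedTime, ResourceId and Status.

```python
# Added example: does the Quick Setup Attach-IAM association cover this instance?
# Association names from the article; the suffix is the Quick Setup configuration
# ID and differs per deployment, so we match on the prefix only.
ASSOC_PREFIXES = ("AWS-QuickSetup-PatchPolicy-AttachIAMToEc2Instance-",
                  "AWS-QuickSetup-PatchPolicy-AttachIAMToHybridInstance-")


def quicksetup_iam_associations(associations):
    """Keep only ListAssociations entries that are the Attach-IAM associations."""
    return [a for a in associations
            if (a.get("AssociationName") or "").startswith(ASSOC_PREFIXES)]


def latest_execution(executions):
    """Most recent DescribeAssociationExecutions entry, or None if never run."""
    return max(executions, key=lambda e: e["CreatedTime"], default=None)


def instance_target_status(targets, instance_id):
    """Status of instance_id in the execution targets; 'NotTargeted' if absent."""
    for target in targets:
        if target.get("ResourceId") == instance_id:
            return target.get("Status", "Unknown")
    return "NotTargeted"


def _paginate(call, result_key, **kwargs):
    """Follow NextToken for any SSM list/describe call and collect result_key."""
    items, token = [], None
    while True:
        resp = call(**kwargs, **({"NextToken": token} if token else {}))
        items.extend(resp.get(result_key, []))
        token = resp.get("NextToken")
        if not token:
            return items


def check_instance(ssm, instance_id):
    """Map each Attach-IAM association name to the instance's status in the
    association's latest execution (None if the association never executed)."""
    report = {}
    for assoc in quicksetup_iam_associations(
            _paginate(ssm.list_associations, "Associations")):
        execs = _paginate(ssm.describe_association_executions,
                          "AssociationExecutions", AssociationId=assoc["AssociationId"])
        latest = latest_execution(execs)
        if latest is None:
            report[assoc["AssociationName"]] = None
            continue
        targets = _paginate(ssm.describe_association_execution_targets,
                            "AssociationExecutionTargets",
                            AssociationId=assoc["AssociationId"],
                            ExecutionId=latest["ExecutionId"])
        report[assoc["AssociationName"]] = instance_target_status(targets, instance_id)
    return report
```

Run it with `check_instance(boto3.client("ssm"), "i-xxxxxxxxxxxxxxxxx")` using credentials that can call ssm:ListAssociations, ssm:DescribeAssociationExecutions and ssm:DescribeAssociationExecutionTargets. A result of NotTargeted or None for the Attach-IAM association is the case the steps above resolve with Apply association now.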
Related information
Issue: "Invoke-PatchBaselineOperation : Access Denied" error or "Unable to download file from S3" error for baseline_overrides.json
Creating a patch policy