How do I resolve Quick Setup patch policy errors in Systems Manager?


I want to resolve errors that I receive when I use Quick Setup, a capability of AWS Systems Manager, to patch my Amazon Elastic Compute Cloud (Amazon EC2) instance.

Short description

Error messages similar to the following examples might appear when you use Quick Setup to create a patch policy to update an Amazon EC2 instance:

  • For Linux instances:
    "Unable to download file from S3: s3://aws-quicksetup-patchpolicy-543312345141-12345/baseline_overrides.json. botocore.exceptions.ClientError: An error occurred (403) when calling the HeadObject operation: Forbidden No IMDS credentials found on instance.failed to run commands: exit status 156"
  • For Windows instances:
    "Invoke-PatchBaselineOperation: User: arn:aws:sts::543312345141:assumed-role//i-12345678911223344 is not authorized to perform: s3:GetObject on resource: "arn:aws:s3:::aws-quicksetup-patchpolicy-543312345141-12345/baseline_overrides.json" with an explicit deny in a resource-based policy"
    Note: The message appears in the Error section of the patch task.

The previous errors indicate that your Amazon EC2 instance doesn't have the permissions to download the patch configuration file from an Amazon Simple Storage Service (Amazon S3) bucket. Systems Manager uses the patch configuration file to determine what patches to apply and how to manage patching operations across your instances.

To resolve this error, add the necessary permission to download the patch baseline configuration file from the S3 bucket. Then, check that you apply the correct associations for State Manager, a capability of AWS Systems Manager.

Resolution

Add the permissions to download the patch baseline configuration file

Quick Setup, a capability of AWS Systems Manager, creates a bucket that contains the patch baseline configuration file when you create a patch policy in Systems Manager. The name of the bucket is similar to aws-quicksetup-patchpolicy-example-quick-setup-configuration-id.

Add the necessary permissions for your instance to access the bucket. For instructions, see Permissions for the patch policy S3 bucket.

Review the association that Quick Setup applied on your instances

View your State Manager association histories, and check for the following associations:

  • For Amazon EC2 instances:

    AWS-QuickSetup-PatchPolicy-AttachIAMToEc2Instance-example-quick-setup-configuration-id
  • For hybrid instances:

    AWS-QuickSetup-PatchPolicy-AttachIAMToHybridInstance-example-quick-setup-configuration-id

If the association execution didn't run, then choose the Apply association now button to apply the association to your instance. Then, run the following State Manager association:

AWS-QuickSetup-PatchPolicy-ScanForPatches-example-quick-setup-configuration-id 

Note: Replace example-quick-setup-configuration-id with the ID number for your Quick Setup configuration.

If the policy isn't successful, then review the output to determine why it failed. Then, use your findings to troubleshoot Patch Manager, a capability of AWS Systems Manager.
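The following Python helper is an added example, not AWS code. It parses either error message from the short description and returns the bucket, the denied action, and the State Manager association names to review. It assumes that the bucket name ends in the account ID followed by the Quick Setup configuration ID and that hybrid nodes use "mi-" IDs; the sample messages, ExampleRole, and all IDs are constructed.

```python
import re

# Constructed samples modelled on the two messages quoted in this article.
LINUX_SAMPLE = (
    "Unable to download file from S3: s3://aws-quicksetup-patchpolicy-"
    "111122223333-abcde/baseline_overrides.json. botocore.exceptions."
    "ClientError: An error occurred (403) when calling the HeadObject "
    "operation: Forbidden No IMDS credentials found on instance.")
WINDOWS_SAMPLE = (
    "Invoke-PatchBaselineOperation: User: arn:aws:sts::111122223333:"
    "assumed-role/ExampleRole/i-0123456789abcdef0 is not authorized to "
    "perform: s3:GetObject on resource: \"arn:aws:s3:::aws-quicksetup-"
    "patchpolicy-111122223333-abcde/baseline_overrides.json\" with an "
    "explicit deny in a resource-based policy")

# Assumption: the bucket name ends in <12-digit account ID>-<configuration ID>.
OBJECT_RE = re.compile(r"(?:s3://|arn:aws:s3:::)"
                       r"(aws-quicksetup-patchpolicy-\d{12}-(\w+))/([\w./-]+\.json)")
ACTION_RE = re.compile(r"calling the (\w+) operation|perform: (s3:\w+)")
NODE_RE = re.compile(r"assumed-role/[^/]*/(m?i-[0-9a-f]+)")
PREFIX = "AWS-QuickSetup-PatchPolicy-"


def triage(message):
    """Extract what was denied and list the associations to review."""
    obj = OBJECT_RE.search(message)
    if obj is None:
        raise ValueError("not a patch policy baseline download error")
    bucket, config_id, key = obj.groups()
    action = ACTION_RE.search(message)
    node = NODE_RE.search(message)
    node_id = node.group(1) if node else None
    # Assumption: hybrid managed nodes have "mi-" IDs, EC2 instances "i-".
    if node_id is None:
        attach = ["AttachIAMToEc2Instance", "AttachIAMToHybridInstance"]
    elif node_id.startswith("mi-"):
        attach = ["AttachIAMToHybridInstance"]
    else:
        attach = ["AttachIAMToEc2Instance"]
    return {
        "bucket": bucket, "key": key, "config_id": config_id, "node": node_id,
        "denied_action": (action.group(1) or action.group(2)) if action else None,
        "no_instance_credentials": "No IMDS credentials found" in message,
        "explicit_deny_in_bucket_policy":
            "explicit deny in a resource-based policy" in message,
        "associations": [f"{PREFIX}{name}-{config_id}"
                         for name in attach + ["ScanForPatches"]],
    }
```

When the message carries no instance ID, as in the Linux format, the helper lists both AttachIAM associations so that you can check whichever applies to the node.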

AWS OFFICIAL | Updated a month ago