System Manager output to s3 bucket

0

I have a maintenance window set up in System Manager that I'm trying to write output to an S3 bucket in the same account. But nothing is showing up. Here's the policy I had in place. I'm assuming it's not correct, so what do I need to have instead?

    {
        "Sid": "AWSSSMWrite",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws-us-gov:iam::<acct#>:root"
        },
        "Action": "s3:PutObject",
        "Resource": "arn:aws-us-gov:s3:::prod-ssm/Patching/*",
        "Condition": {
            "StringEquals": {
                "s3:x-amz-acl": "bucket-owner-full-control"
            }
        }
    }

4 Answers
0
Accepted Answer

Bucket policy should look like the one below:

 {
     "Version": "2012-10-17",
     "Statement": [
         {
             "Sid": "SSMLogging",
             "Effect": "Allow",
             "Principal": {
                 "AWS": "arn:aws:iam::SSM_account_id:root"
             },
             "Action": [
                 "s3:PutObjectAcl",
                 "s3:PutObject",
                 "s3:GetEncryptionConfiguration"
             ],
             "Resource": [
                 "arn:aws:s3:::bucket_name/*",
                 "arn:aws:s3:::bucket_name"
             ]
         }
     ]
 }

IAM policy should be as below (for Systems Manager):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:GetEncryptionConfiguration"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name/*",
                "arn:aws:s3:::bucket-name"
            ]
        }
    ]
}

Follow this re:Post step by step.

AWS EXPERT
answered 10 months ago
  • The IAM policy goes on the EC2 service role that's configured for the maintenance window, correct?

  • Yes, that's correct.

  • Did you try it out? Let me know how it works for you.

  • Did you try it out?

0

Tried it out, but still doesn't seem to be working

answered 10 months ago
  • Please follow this re:Post step by step and let me know how it goes. Please mention the error messages if you are able to capture them through CloudTrail or CloudWatch.

  • How did it go?

0

Hi, unfortunately, no it still did not work.

answered 10 months ago
0

Had to also allow permissions due to KMS encryption, but after allowing that, I was able to get the data in the bucket.

answered 10 months ago
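An added example, not code from the question or from any of the answers: a Python script that fills in the accepted answer's two policies for a given bucket, account and partition, optionally appends the KMS statement the last answer alludes to, and runs a simple gap check of a candidate bucket-policy statement against the actions and resources the accepted answer requires. The partition is a parameter because the question's ARNs are in the aws-us-gov partition while the answer's templates use aws; copying the templates verbatim into a GovCloud account leaves every resource ARN unmatched. The account number, bucket name and key ARN are placeholders, and the KMS action (kms:GenerateDataKey, which S3 needs to encrypt new objects under a customer managed key) is an assumption; the page only says that KMS permissions had to be allowed.

```python
"""Parameterise the SSM-to-S3 output policies from the accepted answer and
check a candidate statement against what they require."""
import json

# The three actions the accepted answer grants on the output bucket.
REQUIRED_ACTIONS = {"s3:PutObject", "s3:PutObjectAcl", "s3:GetEncryptionConfiguration"}


def bucket_arns(bucket, partition="aws"):
    """Object-prefix ARN and bucket ARN for a partition ('aws' or 'aws-us-gov')."""
    base = f"arn:{partition}:s3:::{bucket}"
    return [f"{base}/*", base]


def bucket_policy(bucket, account_id, partition="aws"):
    """Bucket policy from the accepted answer with bucket, account and partition filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "SSMLogging",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:{partition}:iam::{account_id}:root"},
            "Action": sorted(REQUIRED_ACTIONS),
            "Resource": bucket_arns(bucket, partition),
        }],
    }


def instance_role_policy(bucket, partition="aws", kms_key_arn=None):
    """IAM policy for the maintenance-window / instance role from the accepted
    answer. The KMS statement is an assumption drawn from the last answer
    (bucket encrypted with a KMS key): kms:GenerateDataKey is what S3 needs to
    encrypt newly written objects under a customer managed key."""
    statements = [{
        "Effect": "Allow",
        "Action": sorted(REQUIRED_ACTIONS),
        "Resource": bucket_arns(bucket, partition),
    }]
    if kms_key_arn:
        statements.append({
            "Effect": "Allow",
            "Action": ["kms:GenerateDataKey"],
            "Resource": kms_key_arn,
        })
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_statement(stmt, bucket, partition="aws"):
    """Return a list of gaps between one Allow statement and the accepted answer.
    Toy check: exact action names, the bucket ARN itself must be listed, and any
    resource under the bucket counts for objects (a prefix-scoped object ARN is
    fine if the output prefix matches). Conditions are not evaluated; a
    StringEquals on s3:x-amz-acl is only reported, since it makes every
    PutObject fail unless the request carries exactly that ACL header."""
    gaps = []
    if stmt.get("Effect") != "Allow":
        gaps.append("Effect is not Allow")
    missing = REQUIRED_ACTIONS - set(_as_list(stmt.get("Action", [])))
    if missing:
        gaps.append("missing actions: " + ", ".join(sorted(missing)))
    objects_arn, bucket_arn = bucket_arns(bucket, partition)
    have = _as_list(stmt.get("Resource", []))
    if bucket_arn not in have:
        gaps.append(f"bucket-level resource not covered: {bucket_arn}")
    if not any(r.startswith(bucket_arn + "/") for r in have):
        gaps.append(f"object resource not covered: {objects_arn}")
    if "s3:x-amz-acl" in stmt.get("Condition", {}).get("StringEquals", {}):
        gaps.append("s3:x-amz-acl condition: every PutObject must carry that exact ACL header")
    return gaps


# The statement from the question; the account number is a placeholder.
ASKER_STATEMENT = {
    "Sid": "AWSSSMWrite",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws-us-gov:iam::111122223333:root"},
    "Action": "s3:PutObject",
    "Resource": "arn:aws-us-gov:s3:::prod-ssm/Patching/*",
    "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
}


def asker_statement_gaps():
    """Gaps in the question's statement, evaluated in the aws-us-gov partition."""
    return check_statement(ASKER_STATEMENT, "prod-ssm", "aws-us-gov")


if __name__ == "__main__":
    for gap in asker_statement_gaps():
        print("gap:", gap)
    print(json.dumps(bucket_policy("prod-ssm", "111122223333", "aws-us-gov"), indent=2))
    key = "arn:aws-us-gov:kms:us-gov-west-1:111122223333:key/PLACEHOLDER-KEY-ID"
    print(json.dumps(instance_role_policy("prod-ssm", "aws-us-gov", key), indent=2))
```

Running the check against the question's statement reports the two actions it lacks, the missing bucket-level resource (s3:GetEncryptionConfiguration is evaluated against the bucket ARN, not an object ARN) and the ACL condition; running it against the accepted answer's statement with the same bucket and partition reports nothing. Passing the wrong partition surfaces the copy-paste mismatch as two uncovered resources.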
