Patch Manager Output S3 bucket
We are using Patch Manager to create a patching policy. One of the options is to write output to an S3 bucket. However, we've selected an S3 bucket but no logs are coming.
We can add bucket policies to the Output S3 Bucket but which role should we add the identity based policy to? I'm guessing it's the instance profile role but we've enabled the option (picture 2 below) and it hasn't added the S3 permissions.
- Newest
- Most votes
- Most comments
Hello Shawn,
Enabling "Instance Profile Options" in your Patch Policy will only add S3 permissions to allow communication to the bucket automatically created to store baseline overrides: aws-quicksetup-patchpolicy-* Here is the example policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::aws-quicksetup-patchpolicy-*"
}
]
}
If you require saving command output to a custom bucket, you will need to manually add those permissions to the Instance Profile role. See below example policy and find more info here.
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetEncryptionConfiguration"
],
"Resource": [
"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
"arn:aws:s3:::DOC-EXAMPLE-BUCKET"
]
}
In case you need centralized logging from multiple accounts, you can refer to this article.
Hope this helps.
Relevant content
- asked a year ago
AWS OFFICIALUpdated 8 months ago- How do I use the Microsoft KB number in Patch Manager to install a specific patch or set of patches?AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 10 months ago
- AWS OFFICIALUpdated 2 years ago
