Patch Manager Output S3 bucket

0

We are using Patch Manager to create a patching policy. One of the options is to write output to an S3 bucket. However, we've selected an S3 bucket but no logs are coming.

We can add bucket policies to the Output S3 Bucket but which role should we add the identity based policy to? I'm guessing it's the instance profile role but we've enabled the option (picture 2 below) and it hasn't added the S3 permissions.

Enter image description here

Enter image description here

1 Answer
1
Accepted Answer

Hello Shawn,

Enabling "Instance Profile Options" in your Patch Policy will only add S3 permissions to allow communication to the bucket automatically created to store baseline overrides: aws-quicksetup-patchpolicy-* Here is the example policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::aws-quicksetup-patchpolicy-*"
        }
    ]
}

If you require saving command output to a custom bucket, you will need to manually add those permissions to the Instance Profile role. See below example policy and find more info here.

{
  "Effect": "Allow",
  "Action": [
    "s3:GetObject",
    "s3:PutObject",
    "s3:PutObjectAcl",
    "s3:GetEncryptionConfiguration"
  ],
  "Resource": [
    "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
    "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
  ]
}

In case you need centralized logging from multiple accounts, you can refer to this article.

Hope this helps.

profile pictureAWS
Dalier
answered 6 months ago
profile picture
EXPERT
reviewed a month ago
profile picture
EXPERT
reviewed 6 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions