Exact roles/permissions needed to export Patch? Unable to create "AWS-ExportPatchReportToS3" error

0

I am trying to export an SSM Patch Manager compliance report to an S3 bucket but I keep getting an "Unable to create AWS-ExportPatchReportToS3" error. From my understanding this automation role is created the first time we generate a report (https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-store-compliance-results-in-s3.html). I have looked over my roles and policies for SSM, S3 and user and I don’t see anything that would restrict the creation of this role.

1 Answer
0

To export an SSM Patch Manager compliance report to an S3 bucket, you need to have the following permissions:

  1. S3 bucket permissions: You need to have write permissions to the S3 bucket where you want to export the patch report. Make sure that the bucket policy allows the AWS account that owns the instance to write to the bucket.
  2. IAM permissions: You need to have IAM permissions to run the following AWS Systems Manager Automation document: "AWS-ExportPatchReportToS3". The required IAM permissions for this document are:
     - ssm:UpdateAssociationStatus
     - ssm:UpdateInstanceInformation
     - ssm:SendCommand
     - s3:PutObject

To create an IAM role with these permissions, you can use the AWS Systems Manager console, AWS CLI, or AWS SDKs. The role must have an inline policy with the above mentioned permissions. If you already have a role that has these permissions, then make sure that the role is assigned to the EC2 instances that you want to export the patch report from.

  3. Patch Manager permissions: You must also have permissions to create a patch baseline and associate it with instances. This can be done by attaching the "AmazonSSMManagedInstanceCore" policy to the instance or by creating a custom policy that allows the required permissions.

Make sure that you have all of the above permissions in order to successfully export the patch report to S3.

hash
answered a year ago
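
A simplified offline check, added here as an example (not part of the answer above and not AWS tooling): it reports which of the four actions listed in the answer an identity policy document does not allow, treating an explicit Deny as overriding an Allow. The function names, sample policy and bucket name are constructed; Resource, Condition, NotAction, permissions boundaries and SCPs are not evaluated.

```python
import json
from fnmatch import fnmatchcase

# The four actions exactly as listed in the answer above.
REQUIRED_ACTIONS = [
    "ssm:UpdateAssociationStatus",
    "ssm:UpdateInstanceInformation",
    "ssm:SendCommand",
    "s3:PutObject",
]

# Constructed sample policy: wildcard covers the two ssm:Update* actions,
# but nothing grants ssm:SendCommand. The bucket name is a placeholder.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ssm:Update*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:PutObject"],
         "Resource": "arn:aws:s3:::example-patch-reports/*"},
    ],
})

def _as_list(value):
    # IAM allows a single string or object where a list is expected.
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # IAM action names are case-insensitive; * and ? act as wildcards.
    return fnmatchcase(action.lower(), pattern.lower())

def missing_actions(policy_json, required=REQUIRED_ACTIONS):
    """Return required actions that are not allowed, or are explicitly denied."""
    allowed, denied = set(), set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if "Action" not in stmt:  # NotAction statements are skipped (simplification)
            continue
        patterns = _as_list(stmt["Action"])
        for action in required:
            if any(_matches(p, action) for p in patterns):
                if stmt.get("Effect") == "Allow":
                    allowed.add(action)
                elif stmt.get("Effect") == "Deny":
                    denied.add(action)  # conservative: ignores Resource scope
    return [a for a in required if a not in allowed or a in denied]

if __name__ == "__main__":
    print("Missing:", missing_actions(SAMPLE_POLICY))
```

Because conditions and resource scoping are ignored, an empty result means the actions are named in an Allow statement, not that the call will succeed against a specific bucket or instance.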
