AWS Patch Manager silently fails when EC2 instance has pre-existing IAM role — no warning or auto-configuration

Hi AWS Community,

I want to report a bug in AWS Systems Manager Quick Setup — Patch Manager 2.6, that causes a silent failure with no clear guidance for resolution.

ENVIRONMENT

• Service: AWS Systems Manager — Quick Setup
• Feature: Patch Manager 2.6
• Region: us-east-1
• Instance OS: Windows Server 2022 Datacenter
• SSM Agent: amazon-ssm-agent 3.3.x (latest)

BACKGROUND

Our EC2 instance had a pre-existing custom IAM role attached to it (created in 2017) with S3 and SSM permissions. We configured Quick Setup Patch Manager for this instance to perform patch scanning.

WHAT HAPPENED

After Quick Setup completed successfully and showed "Deployment Status: Success", the actual patch scan association kept failing with the following error:

"User: arn:aws:sts::----:assumed-role/ <existing-role>/<instance-id> is not authorized to perform: s3:GetObject on resource: arn:aws:s3:::aws-quicksetup-patchpolicy-----------/ baseline_overrides.json with an explicit deny in a resource-based policy"

ROOT CAUSE (After Deep Investigation)

After extensive debugging, we discovered the following chain of events:

1. Quick Setup creates an S3 bucket automatically: aws-quicksetup-patchpolicy-<account-id>-<config-id>

2. This bucket has a resource-based policy with a condition that DENIES access to any principal that does not carry a specific configuration tag generated during Quick Setup.

3. Quick Setup is designed to create and attach its own managed IAM role to EC2 instances, and that role gets the required tag automatically.

4. HOWEVER — when an EC2 instance already has a pre-existing IAM role attached, Quick Setup does NOT replace or modify that role. It silently skips this step.

5. As a result, the existing IAM role never receives the required configuration tag, and the S3 bucket policy blocks all patch operations.

THE CIRCULAR DEPENDENCY PROBLEM

This is where it becomes a serious product issue:

• The required tag contains a unique configuration ID that is ONLY generated AFTER Quick Setup runs.

• This means it is IMPOSSIBLE for users to prepare their existing IAM role in advance — because the tag value does not exist before Quick Setup executes.

• Users are left in a situation where: → Quick Setup reports SUCCESS → Patch scans silently FAIL → Error message gives no actionable guidance → There is no documented workaround → The fix cannot be applied before setup runs

WHAT AWS QUICK SETUP SHOULD DO

When Quick Setup detects a pre-existing IAM role on an EC2 instance, it should either:

Option A — Auto-fix: Automatically apply the required configuration tag to the existing IAM role during setup.

Option B — Warn the user: Display a clear warning during Quick Setup: "This instance has an existing IAM role. Patch Manager may fail. Please ensure the role has the required permissions before proceeding."

Option C — Documentation: At minimum, clearly document this limitation and provide the exact manual steps to resolve it after setup.

IMPACT

This issue affects any AWS customer who: • Has EC2 instances with pre-existing IAM roles • Configures Quick Setup Patch Manager • Uses custom or shared IAM roles across instances

This is a very common enterprise scenario. Many organizations attach shared IAM roles to EC2 instances for S3, CloudWatch, or Secrets Manager access. All of these customers will silently hit this exact failure with no clear path to resolution.

QUESTION TO AWS

1. Is this a known limitation or a confirmed bug?

2. Is there a planned fix to auto-handle existing IAM roles during Quick Setup?

3. Can the error message be improved to guide users toward the correct resolution?

4. Will this be added to the official Patch Manager troubleshooting documentation?

We believe this needs to be addressed to prevent other customers from spending significant time debugging a silent failure that has no documented resolution path.

Thank you for looking into this.