By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

aws patch manager

1

root [ERROR]: An error occurred (AccessDeniedException) when calling the GetDeployablePatchSnapshotForInstance operation: Instance Id i-009da1237dec531ad doesn't match the credentials I am using aws system patch manager to update system patches, but getting above error, when I run any command they run successfully, means no issue related drier or connectivity

Topics
Management & GovernanceDevOps
Tags
AWS Systems ManagerDevOps
Language
English
Ram
asked a year ago2080 views
1 Answer
1

The error message you're encountering (AccessDeniedException) indicates that the IAM role or user associated with the AWS Systems Manager (SSM) doesn't have the necessary permissions to execute the GetDeployablePatchSnapshotForInstance operation.

To resolve this issue, you need to attach a policy to the IAM role or user that grants the required permissions. Here's an example of an IAM policy that allows the necessary actions for AWS Systems Manager Patch Manager:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:DescribeInstanceInformation",
                "ssm:DescribeInstancePatches",
                "ssm:DescribeInstancePatchStates",
                "ssm:GetDeployablePatchSnapshotForInstance",
                "ssm:ListInstanceAssociations",
                "ssm:DescribeInstanceAssociationsStatus",
                "ssm:DescribeAvailablePatches",
                "ssm:GetPatchBaseline",
                "ssm:GetPatchBaselineForPatchGroup",
                "ssm:DescribePatchGroups",
                "ssm:DescribePatchGroupState",
                "ssm:DescribeOperatingSystems",
                "ssm:DescribePatchProperties",
                "ssm:DescribeMaintenanceWindowSchedule",
                "ssm:GetMaintenanceWindow",
                "ssm:GetMaintenanceWindowExecution",
                "ssm:GetMaintenanceWindowExecutionTask",
                "ssm:GetMaintenanceWindowExecutionTaskInvocation",
                "ssm:ListResourceComplianceSummaries",
                "ssm:GetComplianceSummary",
                "ssm:DescribeInstancePatchStatesForPatchGroup",
                "ssm:ListComplianceItems",
                "ssm:ListComplianceSummaries"
            ],
            "Resource": "*"
        }
    ]
}

To attach this policy to an IAM role or user, follow these steps:

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, click "Roles" or "Users" depending on whether you want to attach the policy to a role or a user.
  3. Find the role or user you want to attach the policy to and click on its name.
  4. Click "Add inline policy" on the "Permissions" tab.
  5. Click the "JSON" tab, then copy and paste the policy JSON into the editor.
  6. Click "Review policy", provide a name for the policy, and click "Create policy".

After attaching the policy to the IAM role or user, you should no longer receive the "AccessDeniedException" error when using AWS Systems Manager Patch Manager.

profile picture
EXPERT
Sedat Salman
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content