By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Unable to use patch policy for EC2 Windows Server 2019 Instance

0

Hi there, I have created a patch policy in Systems Manager for one of my Windows server instances but it returned the following Access Denied error.

I have attempted the following but no success..

  • Updated SSM agent to the latest version
  • Added the required AmazonSSMManagedInstanceCore permissions
  • Created IAM policy to update patch baseline
  • Used custom cron expression instead of the default schedule to see if there's any difference but had the same Access Denied error.

Seems like some permission issue but just not sure which exact part to look at. Could be something within the server. Has anyone else experienced this error before?

**Invoke-PatchBaselineOperation : Access Denied At C:\ProgramData\Amazon\SSM\InstanceData\document\orchestration\f41cf6bb-bf64-4908-8aa0-095bfe0102 b8\PatchWindows_script.ps1:219 char:13

  • $response = Invoke-PatchBaselineOperation -Operation Scan -SnapshotId ...
  •         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    • CategoryInfo : OperationStopped: (Amazon.Patch.Ba...UpdateOperation:FindWindowsUpdateOperation) [Invoke -PatchBaselineOperation], AmazonS3Exception
    • FullyQualifiedErrorId : PatchBaselineOperations,Amazon.Patch.Baseline.Operations.PowerShellCmdlets.InvokePatchBa selineOperation

failed to run commands: exit status 0xffffffff**

Topics
Management & Governance
Tags
AWS Systems Manager
Language
English
rePost-User-1311682
asked a year ago650 views
1 Answer
0

Hello, This issue is specifically related to IAM permission. I understand that you have AmazonSSMManagedInstanceCore policy attached to the IAM role. Addition to this policy you also need S3 permission. Add "S3 full permission " to the IAM role. Once done try to perform patching and see how it goes.

Damini_K
answered a year ago
  • rePost-User-1311682
    a year ago

    Hi Damini_K, Thanks for your response! Unfortunately, I do already have that permission associated with the instance but still having the same error. These are the permissions associated currently:

    AmazonEC2RoleforSSM AmazonS3FullAccess AmazonSSMManagedInstanceCore AmazonSSMFullAccess

    I have also made sure the 'Configure Automatic Updates' in group policy is set to disabled in the server to allow patch manager to handle updates. Any insight on this issue is greatly appreciated

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content