AWS-RunPatchBaseline in SSM with EC2 in private subnets

1

Ok, So I am kind of stuck here and don't know where to go from here. I am trying to understand how SSM works to patch EC2 in a private subnet and I keep getting this error.

Unable to download payload: https://s3.us-east-1.amazonaws.com/aws-ssm-us-east-1/patchbaselineoperations/linux/payloads/patch-baseline-operations-1.115.tar.gz.failed to run commands: exit status 156

I have my EC2 instance under Fleet Manager. I have my Maintenance window set and SSM can start the EC2 instance and stop it before it runs the task for AWS-RunPatchBaseline. The role that is attached to my EC2 instance has the following.

AmazonSSMManagedInstanceCore AmazonSSMPatchAssociation aws-quicksetup-patchpolicy-baselineoverrides-s3 and this policy...

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::aws-windows-downloads-us-east-1/*",
                "arn:aws:s3:::amazon-ssm-us-east-1/*",
                "arn:aws:s3:::amazon-ssm-packages-us-east-1/*",
                "arn:aws:s3:::us-east-1-birdwatcher-prod/*",
                "arn:aws:s3:::aws-ssm-document-attachments-us-east-1/*",
                "arn:aws:s3:::patch-baseline-snapshot-us-east-1/*",
                "arn:aws:s3:::aws-ssm-us-east-1/*",
                "arn:aws:s3:::aws-patchmanager-macos-us-east-1/*"
            ]
        }
    ]
}

I then go into the run command under systems manager to test just the task that has the AWS-RunPatchBaseline document and I still get the same error. I guess my question is the role that is listed under the task is the role that should be granted the rights to do what ever and the access to whatever is needed to perform the patching or is it the role that shows up as attached to the EC2 instance during QuickSetup. I have given all of them both the access and not sure why it can't access the s3 bucket.

I can telnet from the EC2 to that s3 bucket.

telnet s3.us-east-1.amazonaws.com 443
Trying 52.217.66.62...
Connected to s3.us-east-1.amazonaws.com.
Escape character is '^]'.

Thanks in advance.

asked 6 months ago151 views
1 Answer
0

The error basically indicates that the managed node doesn't have the required permissions to access the specified S3 bucket.

(-) https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-troubleshooting.html#patch-manager-troubleshooting-linux-4

You have already,

  1. Attached necessary IAM permissions to the role attached to the instance

  2. Tested connectivity to S3 using telnet

As far as I can think, the only thing left which would be causing issues with S3 access is the S3 Gateway endpoint policy which must be restrictive. Please verify the endpoint policy and allow access from the nodes.

(-) Steps to edit endpoint policy - https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html#edit-vpc-endpoint-policy-s3

AWS
SUPPORT ENGINEER
Aamir_H
answered 4 months ago
profile picture
EXPERT
reviewed 4 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions