Ok, so I am kind of stuck here and don't know where to go from here. I am trying to understand how SSM works to patch EC2 in a private subnet, and I keep getting this error.
Unable to download payload: https://s3.us-east-1.amazonaws.com/aws-ssm-us-east-1/patchbaselineoperations/linux/payloads/patch-baseline-operations-1.115.tar.gz.failed to run commands: exit status 156
I have my EC2 instance under Fleet Manager. I have my Maintenance window set and SSM can start the EC2 instance and stop it before it runs the task for AWS-RunPatchBaseline. The role that is attached to my EC2 instance has the following.
AmazonSSMManagedInstanceCore
AmazonSSMPatchAssociation
aws-quicksetup-patchpolicy-baselineoverrides-s3
and this policy...
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::aws-windows-downloads-us-east-1/*",
        "arn:aws:s3:::amazon-ssm-us-east-1/*",
        "arn:aws:s3:::amazon-ssm-packages-us-east-1/*",
        "arn:aws:s3:::us-east-1-birdwatcher-prod/*",
        "arn:aws:s3:::aws-ssm-document-attachments-us-east-1/*",
        "arn:aws:s3:::patch-baseline-snapshot-us-east-1/*",
        "arn:aws:s3:::aws-ssm-us-east-1/*",
        "arn:aws:s3:::aws-patchmanager-macos-us-east-1/*"
      ]
    }
  ]
}
I then go into Run Command under Systems Manager to test just the task that has the AWS-RunPatchBaseline document, and I still get the same error. I guess my question is: is the role listed under the task the role that should be granted the rights and access to whatever is needed to perform the patching, or is it the role that shows up as attached to the EC2 instance during Quick Setup? I have given all of them the access and am not sure why it can't access the S3 bucket.
I can telnet from the EC2 to that s3 bucket.
telnet s3.us-east-1.amazonaws.com 443
Trying 52.217.66.62...
Connected to s3.us-east-1.amazonaws.com.
Escape character is '^]'.
Thanks in advance.
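Since the question comes down to whether the policy on the role actually covers the object named in the error, here is a small added example (my own code, not from the post or from AWS) that turns the failing payload URL into a bucket/key pair and evaluates `s3:GetObject` on it against the pasted policy using IAM-style wildcard matching. The only inputs it assumes are the URL quoted in the error message and the JSON policy above; `Condition` and `Principal` elements are not modelled.

```python
import json
from fnmatch import fnmatchcase
from urllib.parse import urlparse

# Constructed inputs: the failing payload URL quoted in the error message above,
# and the inline policy from the post (pasted verbatim).
PAYLOAD_URL = ("https://s3.us-east-1.amazonaws.com/aws-ssm-us-east-1/"
               "patchbaselineoperations/linux/payloads/patch-baseline-operations-1.115.tar.gz")

POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::aws-windows-downloads-us-east-1/*",
        "arn:aws:s3:::amazon-ssm-us-east-1/*",
        "arn:aws:s3:::amazon-ssm-packages-us-east-1/*",
        "arn:aws:s3:::us-east-1-birdwatcher-prod/*",
        "arn:aws:s3:::aws-ssm-document-attachments-us-east-1/*",
        "arn:aws:s3:::patch-baseline-snapshot-us-east-1/*",
        "arn:aws:s3:::aws-ssm-us-east-1/*",
        "arn:aws:s3:::aws-patchmanager-macos-us-east-1/*"
      ]
    }
  ]
}
""")


def parse_s3_url(url):
    """Split an S3 URL into (bucket, key), handling both path-style
    (s3.<region>.amazonaws.com/<bucket>/<key>) and virtual-hosted-style
    (<bucket>.s3.<region>.amazonaws.com/<key>) addressing."""
    parts = urlparse(url)
    path = parts.path.lstrip("/")
    if parts.netloc.startswith(("s3.", "s3-")):
        bucket, _, key = path.partition("/")
    else:
        bucket = parts.netloc.split(".s3")[0]
        key = path
    return bucket, key


def _as_list(value):
    # IAM allows either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, value):
    # IAM wildcards: '*' matches any run of characters (including '/'), '?' one character.
    # Brackets are literal in IAM, so escape them before handing the pattern to fnmatch.
    return fnmatchcase(value, pattern.replace("[", "[[]"))


def policy_allows(policy, action, resource_arn):
    """True if an Allow statement covers (action, resource) and no Deny statement does.
    Only Effect/Action/Resource are evaluated; Condition blocks are not modelled here."""
    allowed = False
    for stmt in policy.get("Statement", []):
        action_hit = any(_iam_match(a.lower(), action.lower())
                         for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_iam_match(r, resource_arn)
                           for r in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False          # an explicit Deny always wins
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def check_payload_access(policy, url):
    """Return (bucket, key, allowed) for the object the SSM agent tried to download."""
    bucket, key = parse_s3_url(url)
    arn = f"arn:aws:s3:::{bucket}/{key}"
    return bucket, key, policy_allows(policy, "s3:GetObject", arn)


if __name__ == "__main__":
    bucket, key, ok = check_payload_access(POLICY, PAYLOAD_URL)
    print(f"bucket={bucket}\nkey={key}\ns3:GetObject allowed by this policy: {ok}")
```

Run against the policy in the post, it reports that `s3:GetObject` on the `aws-ssm-us-east-1` object is allowed, so this inline policy by itself is not what blocks the download; `policy_allows` can be pointed at any other policy document with the same `Statement` shape (a VPC endpoint policy, for instance) to check whether that one grants or denies the same object.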