Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

SSM Patch failing - nothing written in S3

0

Afternoon all, trying to move to more automation using SSM for the first step in just patch management. So I am not doing anything fancy but doing a manual "patch now", selecting an instance, no reboot, pointing to an S3 bucket used for logging and running.

If fails pretty quick, but when I look at the output, it's truncated with a link to S3. The issue is that bucket ID/folder doens't exist. So inside the bucket I do have the AWS-PatchNow/ folder and a few ID's (not sure when as they don't show a timestamp), however as I said, they will show the S3 link pointing to s3://bucket/AWS-PatchNow/123456789 but that 123456789 doens't exist.

I don't see anywhere with permissions etc. so a bit stuck. A big chunk of the servers are all part of a server farm that is in an autoscaling group so I know I will have to get one box updated and a new template created, but I have other servers that just fail, so better I learn now how to use / troubleshoot now as I learn this process better.

Thanks

Topics
Management & Governance
Tags
AWS Systems Manager
Language
English
asked 2 years ago558 views
1 Answer
1
Accepted Answer

Hello.

Is the policy for accessing S3 that outputs logs attached to the IAM role of the EC2 instance?
https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-patch-now-on-demand.html#run-patch-now

The S3 permissions that grant the ability to write the data to an S3 bucket are those of the instance profile (for EC2 instances) or IAM service role (hybrid-activated machines) assigned to the instance, not those of the IAM user performing this task. For more information, see Configure instance permissions for Systems Manager or Create an IAM service role for a hybrid environment. In addition, if the specified S3 bucket is in a different AWS account, make sure that the instance profile or IAM service role associated with the managed node has the necessary permissions to write to that bucket.

Specifically, I think it is possible to output logs to S3 if the IAM policy described in the document below is set in EC2.
https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-permissions.html#instance-profile-custom-s3-policy

EXPERT
answered 2 years ago
EXPERT
reviewed 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content