1 Answer
Hello Shawn,
Enabling "Instance Profile Options" in your Patch Policy will only add S3 permissions to allow communication to the bucket automatically created to store baseline overrides: aws-quicksetup-patchpolicy-*. Here is the example policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::aws-quicksetup-patchpolicy-*"
    }
  ]
}
```
If you require saving command output to a custom bucket, you will need to manually add those permissions to the Instance Profile role. See the example policy below and find more info here.

```json
{
  "Effect": "Allow",
  "Action": [
    "s3:GetObject",
    "s3:PutObject",
    "s3:PutObjectAcl",
    "s3:GetEncryptionConfiguration"
  ],
  "Resource": [
    "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
    "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
  ]
}
```
In case you need centralized logging from multiple accounts, you can refer to this article.
Hope this helps.
Answered 5 months ago
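An added example, not part of the original answer: an offline check of which actions from the answer's custom-bucket statement an instance profile's policies still lack. It is a simplified evaluation that handles only Allow/Deny with `*`/`?` wildcards and refuses statements with `Condition`, `NotAction` or `NotResource`; the function names and the sample object key are assumptions made for illustration.

```python
import fnmatch

# Policy quoted in the answer: what "Instance Profile Options" adds.
QUICK_SETUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::aws-quicksetup-patchpolicy-*"}],
}
# Statement quoted in the answer for a custom bucket, wrapped in a policy document.
CUSTOM_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:PutObjectAcl",
                   "s3:GetEncryptionConfiguration"],
        "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
                     "arn:aws:s3:::DOC-EXAMPLE-BUCKET"],
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policies, action, resource):
    """Simplified identity-policy check: explicit Deny wins, otherwise any Allow."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if stmt.keys() & {"Condition", "NotAction", "NotResource"}:
                raise ValueError("statement uses an element this sketch does not evaluate")
            hit = (any(fnmatch.fnmatchcase(action.lower(), a.lower())
                       for a in _as_list(stmt["Action"]))
                   and any(fnmatch.fnmatchcase(resource, r)
                           for r in _as_list(stmt["Resource"])))
            if hit and stmt["Effect"] == "Deny":
                return False
            allowed = allowed or hit
    return allowed

def missing_permissions(policies, bucket, sample_key="ssm-output/sample.txt"):
    """Return the actions from the answer's custom-bucket statement that are not granted."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"{bucket_arn}/{sample_key}"  # constructed sample key
    required = [("s3:GetObject", object_arn), ("s3:PutObject", object_arn),
                ("s3:PutObjectAcl", object_arn),
                ("s3:GetEncryptionConfiguration", bucket_arn)]
    return [action for action, arn in required if not is_allowed(policies, action, arn)]

if __name__ == "__main__":
    print(missing_permissions([QUICK_SETUP_POLICY], "DOC-EXAMPLE-BUCKET"))
    print(missing_permissions([QUICK_SETUP_POLICY, CUSTOM_BUCKET_POLICY], "DOC-EXAMPLE-BUCKET"))
```

With only the Quick Setup policy attached, all four actions come back as missing for the custom bucket; adding the second statement clears the list.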