1 Answer
Hello Shawn,
Enabling "Instance Profile Options" in your Patch Policy will only add S3 permissions to allow communication to the bucket automatically created to store baseline overrides: aws-quicksetup-patchpolicy-*. Here is the example policy:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::aws-quicksetup-patchpolicy-*"
        }
    ]
}
```
If you require saving command output to a custom bucket, you will need to manually add those permissions to the Instance Profile role. See below example policy and find more info here.
```json
{
    "Effect": "Allow",
    "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:GetEncryptionConfiguration"
    ],
    "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
    ]
}
```
In case you need centralized logging from multiple accounts, you can refer to this article.
Hope this helps.
answered 5 months ago