$ yum list | grep ssm
amazon-ssm-agent.x86_64 2.3.701.0-1 installed
$ tail -f /var/log/amazon/ssm/amazon-ssm-agent.log
2019-09-11 16:41:31 INFO [MessageGatewayService] Sending reply {
"SchemaVersion": 1,
"TaskId": "dhernandez-09d24f187c84440c2",
"Topic": "agent_task_complete",
"FinalTaskStatus": "Failed",
"IsRoutingFailure": false,
"AwsAccountId": "",
"InstanceId": "i-12345",
"Output": "We couldn't start the session because encryption is not set up on the selected Amazon S3 bucket. Either encrypt the bucket or choose an option to enable logging without encryption.",
"S3Bucket": "",
"S3UrlSuffix": "",
"CwlGroup": "",
"CwlStream": ""
}
$ aws s3api get-bucket-encryption --bucket REDACTED --region us-east-1
{
"ServerSideEncryptionConfiguration": {
"Rules": [
{
"ApplyServerSideEncryptionByDefault": {
"SSEAlgorithm": "AES256"
}
}
]
}
}
2019-09-11 22:41:50 ERROR [IsBucketEncrypted @ s3util.go.144] [ssm-session-worker] [dhernandez-090b7b6bca681808e] [DataBackend] [pluginName=Standard_Stream] Encountered an error while calling S3 API GetBucketEncryption AccessDenied: Access Denied
status code: 403, request id: 37D6B10BABCA2CFD, host id: REDACTED
Even the UI says The bucket is encrypted under the drop-down. I'm not seeing GetBucketEncryption in the visual editor for policies, so no idea where that comes from.
Figured it out. It needs these two additional lines not found in the documentation:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:GetEncryptionConfiguration"
],
"Resource": [
"arn:aws:s3:::logs",
"arn:aws:s3:::logs/*"
]
}
]
}
https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-profile.html
Glad that you were able to figure it out.
Feel free to open this or another issue if you encounter any other problems
Thanks,
Parita
Figured it out. It needs these two additional lines not found in the documentation:
@heydonovan
Looks to be documented now
https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-profile.html#instance-profile-custom-s3-policy
Most helpful comment
Figured it out. It needs these two additional lines not found in the documentation:
https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-profile.html