aws / amazon-ssm-agent

An agent to enable remote management of your EC2 instances, on-premises servers, or virtual machines (VMs).
https://aws.amazon.com/systems-manager/
Apache License 2.0

Error message incorrect #212

Closed heydonovan closed 5 years ago

heydonovan commented 5 years ago
$ yum list | grep ssm
amazon-ssm-agent.x86_64                2.3.701.0-1                    installed
$ tail -f /var/log/amazon/ssm/amazon-ssm-agent.log 
2019-09-11 16:41:31 INFO [MessageGatewayService] Sending reply {
  "SchemaVersion": 1,
  "TaskId": "dhernandez-09d24f187c84440c2",
  "Topic": "agent_task_complete",
  "FinalTaskStatus": "Failed",
  "IsRoutingFailure": false,
  "AwsAccountId": "",
  "InstanceId": "i-12345",
  "Output": "We couldn't start the session because encryption is not set up on the selected Amazon S3 bucket. Either encrypt the bucket or choose an option to enable logging without encryption.",
  "S3Bucket": "",
  "S3UrlSuffix": "",
  "CwlGroup": "",
  "CwlStream": ""
}
$ aws s3api get-bucket-encryption --bucket REDACTED --region us-east-1
{
    "ServerSideEncryptionConfiguration": {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "AES256"
                }
            }
        ]
    }
}
2019-09-11 22:41:50 ERROR [IsBucketEncrypted @ s3util.go.144] [ssm-session-worker] [dhernandez-090b7b6bca681808e] [DataBackend] [pluginName=Standard_Stream] Encountered an error while calling S3 API GetBucketEncryption AccessDenied: Access Denied
    status code: 403, request id: 37D6B10BABCA2CFD, host id: REDACTED

Even the UI says "The bucket is encrypted" under the drop-down. I'm not seeing GetBucketEncryption in the visual editor for policies, so I have no idea where that comes from.

heydonovan commented 5 years ago

Figured it out. It needs these two additional lines not found in the documentation:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetEncryptionConfiguration"
            ],
            "Resource": [
                "arn:aws:s3:::logs",
                "arn:aws:s3:::logs/*"
            ]
        }
    ]
}

https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-profile.html
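A preflight check for the policy fix above, added here as an example (not the agent's or AWS's own code): a simplified IAM evaluator that reports which of the three S3 actions the session-logging path needs are not granted on a bucket, so a missing s3:GetEncryptionConfiguration shows up as a permission gap instead of the misleading "encryption is not set up" message. It assumes the bucket name `logs` from the comment and ignores Condition blocks, NotAction/NotResource and bucket policies.

```python
"""Preflight check: which of the S3 actions the SSM session-logging path
needs are NOT granted on the log bucket by an instance-profile policy?"""
import fnmatch
import json

# s3:GetEncryptionConfiguration backs the GetBucketEncryption call that got
# AccessDenied above; it is bucket-level, so it needs the bare bucket ARN.
REQUIRED_ACTIONS = {
    "s3:PutObject": "arn:aws:s3:::{bucket}/*",
    "s3:GetObject": "arn:aws:s3:::{bucket}/*",
    "s3:GetEncryptionConfiguration": "arn:aws:s3:::{bucket}",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allowed(policy, action, resource):
    """Simplified IAM evaluation: explicit Deny wins, else an Allow must match.
    Actions match case-insensitively, resources case-sensitively, '*'/'?'
    wildcards apply to both. Condition blocks, NotAction/NotResource and
    bucket policies are ignored (assumption of this example)."""
    allow = deny = False
    for st in _as_list(policy.get("Statement", [])):
        acts = [a.lower() for a in _as_list(st.get("Action", []))]
        ress = _as_list(st.get("Resource", []))
        if not (any(fnmatch.fnmatchcase(action.lower(), a) for a in acts)
                and any(fnmatch.fnmatchcase(resource, r) for r in ress)):
            continue
        if st.get("Effect") == "Deny":
            deny = True
        elif st.get("Effect") == "Allow":
            allow = True
    return allow and not deny

def missing_permissions(policy_json, bucket):
    """Return the required actions the policy does not grant on `bucket`."""
    policy = json.loads(policy_json)
    return sorted(action for action, tmpl in REQUIRED_ACTIONS.items()
                  if not allowed(policy, action, tmpl.format(bucket=bucket)))

# Constructed samples: the policy as first written (object-level only) and
# the corrected one from the comment above (action and bucket ARN added).
POLICY_BEFORE = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["s3:PutObject", "s3:GetObject"],
  "Resource": ["arn:aws:s3:::logs/*"]}]}"""
POLICY_AFTER = (POLICY_BEFORE
    .replace('"s3:GetObject"', '"s3:GetObject", "s3:GetEncryptionConfiguration"')
    .replace('"arn:aws:s3:::logs/*"', '"arn:aws:s3:::logs", "arn:aws:s3:::logs/*"'))
```

`missing_permissions(POLICY_BEFORE, "logs")` reports only the bucket-level action, which is exactly the call the agent log shows failing with AccessDenied.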

paritadhandha commented 5 years ago

Glad that you were able to figure it out. Feel free to open this or another issue if you encounter any other problems. Thanks, Parita

felipe1982 commented 4 years ago

Figured it out. It needs these two additional lines not found in the documentation:

@heydonovan

Looks to be documented now

https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-profile.html#instance-profile-custom-s3-policy

pmmalinov01 commented 1 year ago

I am having sort of a similar problem. I am trying to use an S3 bucket in one region and EC2s in other regions, and I am getting:

Encountered an error while calling S3 API GetBucketEncryption RequestError: send request failed caused by: Get "https://bucket_name.s3.us-east-1.amazonaws.com/?encryption=": net/http: TLS handshake timeout