yellowmamba closed this issue 3 years ago
This is due to the fact that the sse header is missing during s3 upload, https://github.com/aws/amazon-ssm-agent/blob/0aa412ef856ffc58e9cb0e5e8b08b77af48aef62/agent/s3util/s3util.go#L93-L99
Working on adding the 'AES256' and 'KMS' SSE headers
@ranjrish Yes I did notice this code and I was going to submit a PR. However, we do have another aws account in which ssm logs are able to be uploaded to an AES256-enabled bucket, under the same version of ssm agent. So I wasn't sure whether this was a code issue as you highlighted.
We are seeing the same issue on some of the accounts. The problem started when we enabled an SCP policy to request sse headers on the source account where the ssm agent was running (we have a different account where the logs are stored).
A bucket with the exact same configuration, on the same account as the one not working, can still receive logs from an account where the SCP isn't enabled.
This happens when there is an SCP which ensures only encrypted files are being uploaded to the bucket. We are working on a fix for this.
In our case, we don't seem to have any suspicious SCP applied.
@ranjrish Correcting my comment above, we do have an SCP that denies s3 access if no SSE header is present, and the account in which things are working does not have the same SCP applied. Please let me know when this issue has been resolved.
This issue has been resolved in v3.0.529.0
When I check the ssm error logs var/log/amazon/ssm/errors.log, I can see uploading to s3 has failed. However, if I manually run aws s3 cp command with --sse (my bucket is encrypted with the default AES256), the upload succeeded. Can anyone point out where I might have got things wrong?
The agent version is 3.0.222.0
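Added example (not part of the thread, and not the agent's or AWS's code): a simplified Go model of how a Deny statement conditioned on the SSE header evaluates an s3:PutObject request, which is why an upload without the header fails even though the bucket has default AES256 encryption. The thread does not show the actual SCP, so SampleSCP and the Request and DenyStmt types are constructed for illustration.

```go
package main

import "fmt"

// Real S3 condition key, set from the x-amz-server-side-encryption request
// header. Bucket default encryption is applied later and never sets it.
const sseKey = "s3:x-amz-server-side-encryption"

// Request is one S3 call as the policy engine sees it (constructed model).
type Request struct {
	Action string
	Keys   map[string]string // condition keys derived from request headers
}

// DenyStmt models a Deny statement with two IAM condition operators.
type DenyStmt struct {
	Action    string
	NullTrue  []string            // "Null": {key: "true"}
	NotEquals map[string][]string // "StringNotEquals": {key: [values]}
}

// Matches reports whether the Deny applies; every condition must hold.
func (s DenyStmt) Matches(r Request) bool {
	if s.Action != r.Action {
		return false
	}
	for _, k := range s.NullTrue {
		if _, present := r.Keys[k]; present {
			return false // key exists, so Null:true does not hold
		}
	}
	for k, allowed := range s.NotEquals {
		for _, a := range allowed {
			if v, present := r.Keys[k]; present && v == a {
				return false // header carries an accepted value
			}
		}
	}
	return true // an absent key satisfies both operators
}

// SampleSCP is constructed: deny PutObject when no SSE header is sent.
var SampleSCP = []DenyStmt{{Action: "s3:PutObject", NullTrue: []string{sseKey}}}

func main() {
	bare := Request{Action: "s3:PutObject", Keys: map[string]string{}}
	sse := Request{Action: "s3:PutObject", Keys: map[string]string{sseKey: "AES256"}}
	fmt.Println(SampleSCP[0].Matches(bare), SampleSCP[0].Matches(sse)) // true false
}
```

The NotEquals field covers the stricter variant of such a policy that accepts only specific header values; a request with no header is denied by that form as well.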