aws / amazon-ssm-agent

An agent to enable remote management of your EC2 instances, on-premises servers, or virtual machines (VMs).
https://aws.amazon.com/systems-manager/
Apache License 2.0

Session logs aren't being delivered to s3 bucket #311

Closed yellowmamba closed 3 years ago

yellowmamba commented 3 years ago

When I check the SSM error log /var/log/amazon/ssm/errors.log, I can see that uploading to S3 has failed:

2020-10-09 10:27:19 ERROR [S3Upload @ s3util.go.108] [ssm-session-worker] [42ba7ac1-6122-4f3a-aa64-5f18f81eff1d-0959abc60267189e0] [DataBackend] [pluginName=Standard_Stream] Attempt %!s(int=4): Failed uploading /var/lib/amazon/ssm/<instance_id>/session/orchestration/42ba7ac1-6122-4f3a-aa64-5f18f81eff1d-0959abc60267189e0/Standard_Stream/42ba7ac1-6122-4f3a-aa64-5f18f81eff1d-0959abc60267189e0.log to s3://<bucket_name>/ssm/<aws_account_id>/42ba7ac1-6122-4f3a-aa64-5f18f81eff1d-0959abc60267189e0.log err:AccessDenied: Access Denied

However, if I manually run the aws s3 cp command with --sse (my bucket is encrypted with the default AES256), the upload succeeds:

aws s3 cp /var/lib/amazon/ssm/<instance_id>/session/orchestration/42ba7ac1-6122-4f3a-aa64-5f18f81eff1d-0959abc60267189e0/Standard_Stream/42ba7ac1-6122-4f3a-aa64-5f18f81eff1d-0959abc60267189e0.log s3://<bucket_name>/ssm/<aws_account_id>/42ba7ac1-6122-4f3a-aa64-5f18f81eff1d-0959abc60267189e0.log --sse

Can anyone point out where I might have got things wrong?

The agent version is 3.0.222.0

ranjrish commented 3 years ago

This is due to the fact that the sse header is missing during s3 upload, https://github.com/aws/amazon-ssm-agent/blob/0aa412ef856ffc58e9cb0e5e8b08b77af48aef62/agent/s3util/s3util.go#L93-L99

Working on adding the 'AES256' and 'KMS' SSE headers

yellowmamba commented 3 years ago

@ranjrish Yes, I did notice this code and I was going to submit a PR. However, we have another AWS account in which SSM logs are able to be uploaded to an AES256-enabled bucket, under the same version of the SSM agent. So I wasn't sure whether this was a code issue as you highlighted.

hpapadopoulos commented 3 years ago

We are seeing the same issue on some of the accounts. The problem started when we enabled an SCP requiring SSE headers on the source account where the SSM agent was running (we have a different account where the logs are stored).

A bucket with the exact same configuration, in the same account as the one that isn't working, can still receive logs from an account where the SCP isn't enabled.

ranjrish commented 3 years ago

This happens when an SCP ensures that only encrypted files are uploaded to the bucket. We are working on a fix for this.
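The failure described in this thread comes down to policy evaluation: a Deny statement conditioned on the s3:x-amz-server-side-encryption key rejects any PutObject that does not carry the header, which is exactly what the 3.0.222.0 agent's upload (no SSE header) triggers and what aws s3 cp --sse avoids. The following is an added example, not code from the reporters or from the amazon-ssm-agent project. The policy is a constructed SCP modelled on the common "deny unencrypted uploads" pattern (the Null and StringNotEquals operators on s3:x-amz-server-side-encryption are real IAM condition keys/operators, but the statement text and bucket name are assumptions, not the reporters' actual policy), and the evaluator is a deliberate simplification of IAM: it only implements the two operators used here and treats a missing key as "no match" for StringNotEquals, which is why the pattern needs the separate Null statement. The headers_for_upload helper illustrates what an uploader must send to pass such a policy; it is not the agent's fix.

```python
import json

# Constructed example SCP (an assumption, not the reporters' real policy).
DENY_UNENCRYPTED_UPLOADS = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Reject PutObject when the SSE header is absent entirely.
            "Sid": "DenyPutObjectWithoutSSEHeader",
            "Effect": "Deny",
            "Action": "s3:PutObject",
            "Resource": "*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
        {   # Reject PutObject when the header names something other than AES256/aws:kms.
            "Sid": "DenyPutObjectWithUnsupportedSSE",
            "Effect": "Deny",
            "Action": "s3:PutObject",
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"s3:x-amz-server-side-encryption": ["AES256", "aws:kms"]}
            },
        },
    ],
}


def put_object_request(bucket, key, sse=None):
    """Build the request context for one PutObject call.

    sse is the value of the x-amz-server-side-encryption header; None means the
    client sent no header (the agent's behaviour per the linked s3util.go).
    """
    ctx = {"action": "s3:PutObject", "resource": f"arn:aws:s3:::{bucket}/{key}"}
    if sse is not None:
        ctx["s3:x-amz-server-side-encryption"] = sse
    return ctx


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _resource_matches(pattern, resource):
    # Minimal ARN matching: "*" or a trailing-wildcard prefix, else exact.
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return resource.startswith(pattern[:-1])
    return pattern == resource


def _condition_matches(condition, ctx):
    # Simplified IAM semantics: every operator/key pair must match.
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in ctx
            if operator == "Null":
                # Null:true matches only when the key is absent from the request.
                if present == (str(expected).lower() == "true"):
                    return False
            elif operator == "StringNotEquals":
                # A missing key never matches here; absence is the Null statement's job.
                if not present or ctx[key] in _as_list(expected):
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled in this example")
    return True


def evaluate(policy, ctx):
    """Return ('Deny', Sid) for the first matching Deny statement, else ('Allow', None).

    Assumes the identity policy already allows PutObject, as the reporter's
    successful manual `aws s3 cp --sse` demonstrates.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if ctx["action"] not in _as_list(stmt["Action"]):
            continue
        if not any(_resource_matches(r, ctx["resource"]) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_matches(stmt.get("Condition", {}), ctx):
            return "Deny", stmt["Sid"]
    return "Allow", None


def headers_for_upload(sse_mode, kms_key_id=None):
    """Headers an uploader must add to satisfy the policy above (illustrative only).

    sse_mode is "AES256" or "aws:kms"; the KMS key id header is only meaningful
    with aws:kms and is optional (S3 falls back to the bucket's default key).
    """
    if sse_mode not in ("AES256", "aws:kms"):
        raise ValueError("sse_mode must be AES256 or aws:kms")
    headers = {"x-amz-server-side-encryption": sse_mode}
    if sse_mode == "aws:kms" and kms_key_id:
        headers["x-amz-server-side-encryption-aws-kms-key-id"] = kms_key_id
    return headers


if __name__ == "__main__":
    session_log = "ssm/123456789012/example-session.log"   # constructed object key
    for label, req in [
        ("agent 3.0.222.0 (no SSE header)", put_object_request("example-bucket", session_log)),
        ("aws s3 cp --sse (AES256)", put_object_request("example-bucket", session_log, "AES256")),
    ]:
        print(label, "->", evaluate(DENY_UNENCRYPTED_UPLOADS, req))
    print(json.dumps(headers_for_upload("aws:kms", "alias/example-key")))
```

Running it shows the agent's header-less request denied by DenyPutObjectWithoutSSEHeader and the --sse request allowed, which is the AccessDenied split the first comment reports. Note that the same outcome does not depend on whether the SCP lives in the uploading account or a bucket policy lives in the log account: in both cases the request context seen by the policy lacks the header, so checking for the header at the client is the only fix.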

yellowmamba commented 3 years ago

In our case, we don't seem to have any suspicious SCP applied.

yellowmamba commented 3 years ago

@ranjrish Correcting my comment above, we do have an SCP that denies s3 access if no SSE header is present, and the account in which things are working does not have the same SCP applied. Please let me know when this issue has been resolved.

ranjrish commented 3 years ago

This issue has been resolved in v3.0.529.0