Here to report a bug!

In my setup, I wish to collect the logs of Run Command into an S3 bucket that is in a central Log Archive AWS account. We have requirements that everything must be encrypted at rest. The S3 bucket in this account has a KMS key in the same account set as the default encryption.

1. Do an SSM Run Command, and specify that the log output should go to this S3 bucket.
2. The command completes successfully, but no logs are placed into the bucket.
3. Looking at the error logs, I see an error stating that the KMS Key was not found.

This happens because the agent performs an S3 `GetBucketEncryption` API call to find the key, and this call responds only with the KMS Key ID. The agent then assumes that the key is within its own account, but the key exists in the Log Archive account.

I understand why this is happening: to target the right account, the agent needs to know the ARN of the key, not the ID. Maybe it can fall back and find the account owner of the S3 bucket, and try that as a second option?
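As an added check (example code, not from amazon-ssm-agent or from the reporter), the routine below inspects a bucket's `GetBucketEncryption` configuration, classifies the KMS identifier it carries (bare key ID, alias name, key ARN or alias ARN), and builds the account-qualified ARN that a caller in another account would need, using the bucket owner's account as the fallback the report proposes. It flags the combination that produces the failure described above: an unqualified identifier on a bucket owned by a different account than the caller. The account IDs, region, key ID and sample responses are constructed placeholders, and the function names (`audit`, `resolve_key_arn`, `fetch_bucket_encryption`) are my own.

```python
"""Audit an S3 bucket's SSE-KMS default-encryption key for cross-account use.

Added example, not code from amazon-ssm-agent or AWS. The sample responses
and account IDs below are constructed to mirror the shape of a real
GetBucketEncryption response; replace them with live data via
fetch_bucket_encryption() when running against an account.
"""
import re
from typing import Optional

# Bare KMS key ID: a UUID with lowercase hex groups.
KEY_ID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)
# KMS key or alias ARN: partition, region, 12-digit account, key/alias path.
ARN_RE = re.compile(r"^arn:aws[a-z-]*:kms:([a-z0-9-]+):(\d{12}):(key|alias)/(.+)$")


def classify_key_identifier(identifier: str) -> str:
    """Return 'key_arn', 'alias_arn', 'key_id', 'alias_name' or 'unknown'."""
    m = ARN_RE.match(identifier)
    if m:
        return "key_arn" if m.group(3) == "key" else "alias_arn"
    if KEY_ID_RE.match(identifier):
        return "key_id"
    if identifier.startswith("alias/"):
        return "alias_name"
    return "unknown"


def default_kms_identifier(encryption_config: dict) -> Optional[str]:
    """Extract KMSMasterKeyID from a GetBucketEncryption-shaped response.

    Returns None when the bucket uses SSE-S3 (AES256) or when SSE-KMS is set
    without an explicit key (the AWS-managed aws/s3 key is used then).
    """
    rules = encryption_config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm") == "aws:kms":
            return default.get("KMSMasterKeyID")
    return None


def resolve_key_arn(identifier: str, bucket_owner_account: str, region: str,
                    partition: str = "aws") -> str:
    """Qualify an unqualified identifier with the bucket owner's account.

    This is the fallback the report suggests: an ARN is returned as-is, a bare
    key ID or alias name is assumed to live in the bucket owner's account.
    """
    kind = classify_key_identifier(identifier)
    if kind in ("key_arn", "alias_arn"):
        return identifier
    if kind == "key_id":
        return f"arn:{partition}:kms:{region}:{bucket_owner_account}:key/{identifier}"
    if kind == "alias_name":
        return f"arn:{partition}:kms:{region}:{bucket_owner_account}:{identifier}"
    raise ValueError(f"unrecognised KMS identifier: {identifier!r}")


def audit(encryption_config: dict, bucket_owner_account: str, region: str,
          caller_account: str) -> dict:
    """Report whether a caller in caller_account would resolve the key correctly."""
    identifier = default_kms_identifier(encryption_config)
    if identifier is None:
        return {"sse_kms": False, "identifier_kind": None, "key_arn": None,
                "cross_account_risk": False}
    kind = classify_key_identifier(identifier)
    arn = resolve_key_arn(identifier, bucket_owner_account, region)
    # Unqualified identifier + caller in a different account: the caller will
    # look the key up in its own account and get "key not found".
    risk = kind in ("key_id", "alias_name") and caller_account != bucket_owner_account
    return {"sse_kms": True, "identifier_kind": kind, "key_arn": arn,
            "cross_account_risk": risk}


def fetch_bucket_encryption(bucket: str) -> dict:
    """Live lookup with boto3 (imported lazily so the module runs offline)."""
    import boto3  # assumption: boto3 installed and credentials configured
    return boto3.client("s3").get_bucket_encryption(Bucket=bucket)


# Constructed sample responses (placeholder key ID and account IDs).
LOG_ARCHIVE_ACCOUNT = "111111111111"   # constructed: owns the bucket and the key
WORKLOAD_ACCOUNT = "222222222222"      # constructed: where the agent runs
SAMPLE_KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"  # constructed placeholder

SAMPLE_BARE_ID = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                            "KMSMasterKeyID": SAMPLE_KEY_ID},
     "BucketKeyEnabled": True}]}}
SAMPLE_ARN = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": f"arn:aws:kms:us-east-1:{LOG_ARCHIVE_ACCOUNT}:key/{SAMPLE_KEY_ID}"}}]}}
SAMPLE_SSE_S3 = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}

if __name__ == "__main__":
    for name, cfg in (("bare id", SAMPLE_BARE_ID), ("arn", SAMPLE_ARN), ("sse-s3", SAMPLE_SSE_S3)):
        print(name, audit(cfg, LOG_ARCHIVE_ACCOUNT, "us-east-1", WORKLOAD_ACCOUNT))
```

Run it with no arguments to see the three constructed cases; `cross_account_risk` is true only for the bare-ID bucket audited from the workload account. To check a real bucket, pass `fetch_bucket_encryption("my-bucket")` to `audit` together with the owning account, region and the account the agent runs in.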