
Is it possible to save session output of the SSM Session Manager to an S3 bucket in another AWS account? I can't get it working; my bucket policy looks like this:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SSMBucketPermissionsCheck",
            "Effect": "Allow",
            "Principal": {
                "Service": "ssm.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::<bucket-name>"
        },
        {
            "Sid": "SSMBucketDelivery",
            "Effect": "Allow",
            "Principal": {
                "Service": "ssm.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::<bucket-name>/<account-id>/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        }
    ]
}
```
  • Maybe it's a typo, but that's not a valid policy: see the part `}x` – Nir Alfasi Jun 11 '19 at 21:11
  • thx @alfasin very sharp! it's a typo in this post, so unfortunately not the fix for my problem :-) – joosts Jun 11 '19 at 21:13
  • 1
    Are you able to successfully configure SSM to use the desired bucket for output? And do you get an error message or some indication of failure, or does the output simply not arrive? How do you know that SSM is adding an ACL of `bucket-owner-full-control`? If it does not, then the condition would fail. Perhaps you could try removing that condition to see whether it works? (Yes, you'll want it there, but try removing it as a test.) Did you get this policy from somewhere? – John Rotenstein Jun 11 '19 at 22:20
  • @JohnRotenstein Thx for your reply! 1) Yes, I'm able to configure it without an error. 2) I am not sure about that condition, but it also fails without it. 3) I found the policy somewhere on github https://github.com/terraform-providers/terraform-provider-aws/blob/master/aws/resource_aws_ssm_resource_data_sync_test.go – joosts Jun 12 '19 at 05:58
  • That github reference doesn't seem related to Session Manager. Can I ask... How did you manage to configure the output to go to an Amazon S3 bucket in a different account? Did you do it through the console, or AWS CLI? – John Rotenstein Jun 12 '19 at 06:48
  • @JohnRotenstein It seems that this is an 'undocumented feature' (or maybe not possible?). The configuration is done via the console. When I try to use a non-existing bucket name it gives an error `The specified bucket does not exist!`. So it seems that _something_ is working and the bucket is kinda accepted :-) – joosts Jun 12 '19 at 07:19
  • I saw how to [Update Session Manager Preferences (AWS CLI) - AWS Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-configure-preferences-cli.html), but I couldn't figure out how to use it successfully. In the console, I could not see how to specify a bucket that was not in the pull-down list. – John Rotenstein Jun 12 '19 at 07:24
  • @JohnRotenstein via the console you can just type in the bucket at `Enter a bucket name in the text box`. When the bucket is not known (or no access is allowed) you get the error: `The specified bucket does not exist!`. In my case it accepts the bucket on the other account (I don't get an error) but I don't see any session output in that bucket. – joosts Jun 12 '19 at 08:14
  • That is a Search box, not a box to type in a bucket name. – John Rotenstein Jun 12 '19 at 10:13
  • @JohnRotenstein it's only a search box when you click the option `Choose a bucket name from the list` – joosts Jun 12 '19 at 14:41
  • @JohnRotenstein aaight, some success :-) Apparently the principal was not correct. Instead of `"Service": "ssm.amazonaws.com"` I had to use `"arn:aws:iam::9999999999:root"` and now the file is in the bucket. Next problem is that when I look at the properties of the files I see "Encryption: access denied". So I can't retrieve the file. – joosts Jun 12 '19 at 21:50
  • It sounds like it is being stored with a KMS key to which you do not have access. Can you configure it _not_ to encrypt the log? – John Rotenstein Jun 13 '19 at 00:15
  • Thx again @JohnRotenstein, I really appreciate your help. At this moment, I disabled encryption. I think the problem is that the ACL is not set for the uploaded file. I'm trying to find a solution for that, but no luck so far. Almost there! – joosts Jun 13 '19 at 05:48

1 Answer

OK, I found the problem. Apparently I had to add the following policy to my instance role:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:PutObjectAcl",
            "Resource": "arn:aws:s3:::<bucket>/<path>/*"
        }
    ]
}
```
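The thread above converged on two separate requirements for cross-account log delivery: the bucket policy in the log account must grant the instance role's *account* (an `AWS` principal, not the `ssm.amazonaws.com` service principal), and the instance role itself must hold `s3:PutObjectAcl` so it can send `x-amz-acl: bucket-owner-full-control`, without which the bucket owner cannot read the delivered objects. The following offline checker is an added example, not code from the question, the answer or AWS; it evaluates a bucket policy and an instance role policy against exactly those requirements. It is a deliberately simplified IAM evaluator (explicit `Allow` only, no `Deny`, `NotAction` or `NotPrincipal`, only the `StringEquals` / `s3:x-amz-acl` condition), and every account id, role name, bucket name and object key in it is a constructed placeholder.

```python
"""Offline checker for the cross-account Session Manager logging setup.
Added example (not from the post or from AWS). Simplified IAM evaluation:
explicit Allow only, no Deny/NotAction/NotPrincipal, only the
StringEquals / s3:x-amz-acl condition. All identifiers are constructed."""
import fnmatch


def _as_list(value):
    """IAM lets Action, Resource and principal entries be a string or a list."""
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt_principal, caller):
    """caller = {'account': '<12 digits>', 'arn': 'arn:aws:iam::<acct>:role/<name>'}.
    A Service principal (e.g. ssm.amazonaws.com) never matches an IAM role caller;
    an AWS entry matches on '*', the role ARN, the bare account id or the account root."""
    if stmt_principal == "*":
        return True
    if not isinstance(stmt_principal, dict):
        return False
    for entry in _as_list(stmt_principal.get("AWS", [])):
        if entry in ("*", caller["arn"], caller["account"],
                     f"arn:aws:iam::{caller['account']}:root"):
            return True
    return False


def _allows(policy, action, resource, caller=None, acl=None):
    """True if some Allow statement covers action + resource and, when the policy is a
    resource policy (caller given), the caller; an s3:x-amz-acl condition must equal acl."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if caller is not None and not _principal_matches(stmt.get("Principal"), caller):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "s3:x-amz-acl" in cond and cond["s3:x-amz-acl"] != acl:
            continue
        return True
    return False


def check_session_log_delivery(bucket_policy, role_policy, caller, object_arn):
    """Return a list of problems; an empty list means the log object can be written
    with bucket-owner-full-control, so the bucket owner can read it afterwards."""
    problems = []
    if not _allows(bucket_policy, "s3:PutObject", object_arn, caller, "bucket-owner-full-control"):
        problems.append("bucket policy does not allow PutObject for the instance role's account "
                        "(use an AWS account/role principal, not ssm.amazonaws.com)")
    if not _allows(role_policy, "s3:PutObject", object_arn):
        problems.append("instance role lacks s3:PutObject on the log prefix")
    if not _allows(role_policy, "s3:PutObjectAcl", object_arn):
        problems.append("instance role lacks s3:PutObjectAcl, so bucket-owner-full-control "
                        "cannot be set and the bucket owner cannot read the logs")
    return problems


# ---- constructed sample data (placeholders, not real accounts or buckets) ----
SESSION_ACCOUNT = "111111111111"   # account running the instances and sessions
BUCKET = "example-session-logs"    # bucket owned by the (other) log account
CALLER = {"account": SESSION_ACCOUNT,
          "arn": f"arn:aws:iam::{SESSION_ACCOUNT}:role/SSMInstanceRole"}
OBJECT_ARN = f"arn:aws:s3:::{BUCKET}/{SESSION_ACCOUNT}/i-0123456789abcdef0-session.log"


def bucket_policy(principal):
    """Bucket policy in the log account, shaped like the question's delivery statement."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "SSMBucketDelivery", "Effect": "Allow", "Principal": principal,
        "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/{SESSION_ACCOUNT}/*",
        "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}]}


def role_policy(actions):
    """Identity policy attached to the instance role in the session account."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": actions,
        "Resource": f"arn:aws:s3:::{BUCKET}/{SESSION_ACCOUNT}/*"}]}


# The question's original setup: service principal, role without PutObjectAcl.
BROKEN = check_session_log_delivery(bucket_policy({"Service": "ssm.amazonaws.com"}),
                                    role_policy(["s3:PutObject"]), CALLER, OBJECT_ARN)
# The working setup after both fixes from the thread.
FIXED = check_session_log_delivery(bucket_policy({"AWS": f"arn:aws:iam::{SESSION_ACCOUNT}:root"}),
                                   role_policy(["s3:PutObject", "s3:PutObjectAcl"]), CALLER, OBJECT_ARN)

if __name__ == "__main__":
    print("broken setup:", BROKEN)   # two problems
    print("fixed setup:", FIXED)     # []
```

Running the block reports two problems for the question's original configuration (wrong principal type, missing `s3:PutObjectAcl`) and none once the principal is the session account's root and the role holds both `s3:PutObject` and `s3:PutObjectAcl`. Real IAM evaluation also applies explicit denies, SCPs and bucket ownership settings, so treat this as a pre-flight sanity check on the two policies rather than a substitute for testing delivery end to end.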