SSM Agent communications with Amazon managed S3 buckets - Amazon Systems Manager
Required bucket permissionsExample
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

SSM Agent communications with Amazon managed S3 buckets

In the course of performing various Systems Manager operations, Amazon Systems Manager Agent (SSM Agent) accesses a number of Amazon Simple Storage Service (Amazon S3) buckets. These S3 buckets are publicly accessible, and by default, SSM Agent connects to them using HTTP calls.

However, if you're using a virtual private cloud (VPC) endpoint in your Systems Manager operations, you must provide explicit permission in an Amazon Elastic Compute Cloud (Amazon EC2) instance profile for Systems Manager, or in a service role for non-EC2 machines a hybrid and multicloud environment. Otherwise, your resources can't access these public buckets.

To grant your managed nodes access to these buckets when you are using a VPC endpoint, you create a custom Amazon S3 permissions policy, and then attach it to your instance profile (for EC2 instances) or your service role (for non-EC2 managed nodes).

For information about using a virtual private cloud (VPC) endpoint in your Systems Manager operations, see Create VPC endpoints.

Note

These permissions only provide access to the Amazon managed buckets required by SSM Agent. They don't provide the permissions that are necessary for other Amazon S3 operations. They also don't provide permission to your own S3 buckets.

For more information, see the following topics:

Required bucket permissions

The following table describes each of the S3 buckets that SSM Agent might need to access for Systems Manager operations.

Note

region represents the identifier for an Amazon Web Services Region supported by Amazon Systems Manager, such as us-east-2 for the US East (Ohio) Region. For a list of supported region values, see the Region column in Systems Manager service endpoints in the Amazon Web Services General Reference.

Amazon S3 permissions required by SSM Agent

S3 bucket ARN Description

arn:aws-cn:s3:::aws-windows-downloads-region/*

Required for some SSM documents that support only Windows operating systems.

arn:aws-cn:s3:::amazon-ssm-region/*

 Required for updating SSM Agent installations. These buckets contain the SSM Agent installation packages, and the installation manifests that are referenced by the AWS-UpdateSSMAgent document and plugin. If these permissions aren't provided, the SSM Agent makes an HTTP call to download the update.

arn:aws-cn:s3:::amazon-ssm-packages-region/*

Required for using versions of SSM Agent prior to 2.2.45.0 to run the SSM document AWS-ConfigureAWSPackage.

arn:aws-cn:s3:::region-birdwatcher-prod/*

Provides access to the distribution service used by version 2.2.45.0 and later of SSM Agent. This service is used to run the document AWS-ConfigureAWSPackage.

This permission is needed for all Amazon Web Services Regions except the Africa (Cape Town) Region (af-south-1) and the Europe (Milan) Region (eu-south-1).

arn:aws-cn:s3:::aws-ssm-distributor-file-region/*

Provides access to the distribution service used by version 2.2.45.0 and later of SSM Agent. This service is used to run the SSM document AWS-ConfigureAWSPackage.

This permission is needed only for the Africa (Cape Town) Region (af-south-1) and the Europe (Milan) Region (eu-south-1).

arn:aws-cn:s3:::aws-ssm-document-attachments-region/*

Provides access to the S3 bucket containing the packages for Distributor, a capability of Amazon Systems Manager, that are owned by Amazon.

arn:aws-cn:s3:::patch-baseline-snapshot-region/*

Provides access to the S3 bucket containing patch baseline snapshots. This is required if you use any of the following SSM documents:

  • AWS-RunPatchBaseline

  • AWS-RunPatchBaselineAssociation

  • AWS-RunPatchBaselineWithHooks

  • AWS-ApplyPatchBaseline (a legacy SSM document)

Note

In the Middle East (Bahrain) Region (me-south-1) only, this S3 bucket uses a different naming convention. For this Amazon Web Services Region only, use the following bucket instead.

  • patch-baseline-snapshot-me-south-1-uduvl7q8

In the Africa (Cape Town) Region (af-south-1) only, this S3 bucket uses a different naming convention. For this Amazon Web Services Region only, use the following bucket instead.

  • patch-baseline-snapshot-af-south-1-tbxdb5b9

For Linux and Windows Server managed nodes: arn:aws-cn:s3:::aws-ssm-region/*

For Amazon EC2 instances for macOS: arn:aws-cn:s3:::aws-patchmanager-macos-region/*

Provides access to the S3 bucket containing modules required for use with certain Systems Manager documents (SSM documents). For example:

  • arn:aws-cn:s3:::aws-ssm-us-east-2/*

  • aws-patchmanager-macos-us-east-2/*

Exceptions

The S3 bucket names in a few Amazon Web Services Regions use an extended naming convention, as shown by their ARNs. For these Regions, use the following ARNs instead:

  • Middle East (Bahrain) Region (me-south-1)): aws-patch-manager-me-south-1-a53fc9dce

  • Africa (Cape Town) Region (af-south-1): aws-patch-manager-af-south-1-bdd5f65a9

  • Europe (Milan) Region (eu-south-1): aws-patch-manager-eu-south-1-c52f3f594

  • Asia Pacific (Osaka) Region (ap-northeast-3): aws-patch-manager-ap-northeast-3-67373598a

SSM documents

The following are some commonly used SSM documents stored in these buckets.

In arn:aws-cn:s3:::aws-ssm-region/:

  • AWS-RunPatchBaseline

  • AWS-RunPatchBaselineAssociation

  • AWS-RunPatchBaselineWithHooks

  • AWS-InstanceRebootWithHooks

  • AWS-ConfigureWindowsUpdate

  • AWS-FindWindowsUpdates

  • AWS-PatchAsgInstance

  • AWS-PatchInstanceWithRollback

  • AWS-UpdateSSMAgent

  • AWS-UpdateEC2Config

In arn:aws-cn:s3:::aws-patchmanager-macos-region/:

  • AWS-RunPatchBaseline

  • AWS-RunPatchBaselineAssociation

  • AWS-RunPatchBaselineWithHooks

  • AWS-InstanceRebootWithHooks

  • AWS-PatchAsgInstance

  • AWS-PatchInstanceWithRollback

Example

The following example illustrates how to provide access to the S3 buckets required for Systems Manager operations in the US East (Ohio) Region (us-east-2). In most cases, you need to provide these permissions explicitly in an instance profile or service role only when using a VPC endpoint.

Important

We recommend that you avoid using wildcard characters (*) in place of specific Regions in this policy. For example, use arn:aws:s3:::aws-ssm-us-east-2/* and don't use arn:aws:s3:::aws-ssm-*/*. Using wildcards could provide access to S3 buckets that you don’t intend to grant access to. If you want to use the instance profile for more than one Region, we recommend repeating the first Statement block for each Region.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws-cn:s3:::aws-windows-downloads-us-east-2/*",
                "arn:aws-cn:s3:::amazon-ssm-us-east-2/*",
                "arn:aws-cn:s3:::amazon-ssm-packages-us-east-2/*",
                "arn:aws-cn:s3:::us-east-2-birdwatcher-prod/*",
                "arn:aws-cn:s3:::aws-ssm-document-attachments-us-east-2/*",
                "arn:aws-cn:s3:::patch-baseline-snapshot-us-east-2/*",
                "arn:aws-cn:s3:::aws-ssm-us-east-2/*",
                "arn:aws-cn:s3:::aws-patchmanager-macos-us-east-2/*"
            ]
        }
    ]
}