Creating a resource data sync for Compliance - Amazon Systems Manager
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Creating a resource data sync for Compliance

You can use the resource data sync feature in Amazon Systems Manager to send compliance data from all of your managed nodes to a target Amazon Simple Storage Service (Amazon S3) bucket. When you create the sync, you can specify managed nodes from multiple Amazon Web Services accounts, Amazon Web Services Regions, and your hybrid and multicloud environment. Resource data sync then automatically updates the centralized data when new compliance data is collected. With all compliance data stored in a target S3 bucket, you can use services like Amazon Athena and Amazon QuickSight to query and analyze the aggregated data. Configuring resource data sync for Compliance is a one-time operation.

Use the following procedure to create a resource data sync for Compliance by using the Amazon Web Services Management Console.

To create and configure an S3 bucket for resource data sync (console)
  1. Open the Amazon S3 console at https://console.amazonaws.cn/s3/.

  2. Create a bucket to store your aggregated compliance data. For more information, see Create a Bucket in the Amazon Simple Storage Service User Guide. Make a note of the bucket name and the Amazon Web Services Region where you created it.

  3. Open the bucket, choose the Permissions tab, and then choose Bucket Policy.

  4. Copy and paste the following bucket policy into the policy editor. Replace DOC-EXAMPLE-BUCKET and Account_ID_number with the name of the S3 bucket you created and a valid Amazon Web Services account ID. Optionally, replace Bucket-Prefix with the name of an Amazon S3 prefix (subdirectory). If you didn't create a prefix, remove Bucket-Prefix/ from the ARN in the policy.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "SSMBucketPermissionsCheck",
                "Effect": "Allow",
                "Principal": {
                    "Service": "ssm.amazonaws.com.cn"
                },
                "Action": "s3:GetBucketAcl",
                "Resource": "arn:aws-cn:s3:::DOC-EXAMPLE-BUCKET"
            },
            {
                "Sid": "SSMBucketDelivery",
                "Effect": "Allow",
                "Principal": {
                    "Service": "ssm.amazonaws.com.cn"
                },
                "Action": "s3:PutObject",
                "Resource": [
                    "arn:aws-cn:s3:::DOC-EXAMPLE-BUCKET/Bucket-Prefix/*/accountid=Account_ID_number/*"
                ],
                "Condition": {
                    "StringEquals": {
                        "s3:x-amz-acl": "bucket-owner-full-control"
                    }
                }
            }
        ]
    }

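The following script is an added example and is not part of the Systems Manager documentation. It renders the bucket policy above for a real bucket, account ID and optional prefix (dropping the Bucket-Prefix/ segment when no prefix is used, as step 4 instructs), and lint-checks a policy for the two grants the sync needs before you paste it into the console. The bucket name, account ID and prefix used are constructed sample values.

```python
import json

# Added example, not from the Systems Manager documentation. Renders the bucket
# policy from the page for a real bucket and account (dropping the Bucket-Prefix/
# segment when no prefix is used) and lint-checks a policy before it is applied.
SSM_PRINCIPAL = "ssm.amazonaws.com.cn"  # China partition values, as on this page
PARTITION = "aws-cn"
PLACEHOLDERS = ("DOC-EXAMPLE-BUCKET", "Account_ID_number", "Bucket-Prefix")


def build_bucket_policy(bucket, account_id, prefix=None):
    """Return the policy dict; prefix=None removes the 'Bucket-Prefix/' path segment."""
    if not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError("account_id must be a 12-digit Amazon Web Services account ID")
    prefix_part = f"{prefix.strip('/')}/" if prefix else ""
    bucket_arn = f"arn:{PARTITION}:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "SSMBucketPermissionsCheck", "Effect": "Allow",
             "Principal": {"Service": SSM_PRINCIPAL},
             "Action": "s3:GetBucketAcl", "Resource": bucket_arn},
            {"Sid": "SSMBucketDelivery", "Effect": "Allow",
             "Principal": {"Service": SSM_PRINCIPAL}, "Action": "s3:PutObject",
             # Scoped to this account's path, so PutObject cannot reach other keys in the bucket
             "Resource": [f"{bucket_arn}/{prefix_part}*/accountid={account_id}/*"],
             "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
        ],
    }


def policy_problems(policy):
    """List findings for a policy; an empty list means it grants what the sync needs."""
    problems = [f"unreplaced placeholder {p}" for p in PLACEHOLDERS if p in json.dumps(policy)]
    by_action = {}
    for stmt in policy.get("Statement", []):
        acts = stmt.get("Action")
        for act in ([acts] if isinstance(acts, str) else acts or []):
            by_action[act] = stmt
    for act in ("s3:GetBucketAcl", "s3:PutObject"):
        stmt = by_action.get(act, {})
        principal = stmt.get("Principal") if isinstance(stmt.get("Principal"), dict) else {}
        if stmt.get("Effect") != "Allow" or principal.get("Service") != SSM_PRINCIPAL:
            problems.append(f"no Allow of {act} for {SSM_PRINCIPAL}")
    put = by_action.get("s3:PutObject", {})
    if put.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl") != "bucket-owner-full-control":
        problems.append("s3:PutObject lacks the bucket-owner-full-control ACL condition")
    res = put.get("Resource", [])
    if any("/accountid=" not in r for r in ([res] if isinstance(res, str) else res)):
        problems.append("s3:PutObject resource is not restricted to an accountid= path")
    return problems
```

Run policy_problems on the JSON you are about to paste; any unreplaced placeholder, missing ACL condition, or PutObject grant that is not limited to an accountid= path is reported before the policy is applied.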
To create a resource data sync
  1. Open the Amazon Systems Manager console at https://console.amazonaws.cn/systems-manager/.

  2. In the navigation pane, choose Fleet Manager.

  3. Choose Account management, Resource Data Syncs, and then choose Create resource data sync.

  4. In the Sync name field, enter a name for the sync configuration.

  5. In the Bucket name field, enter the name of the Amazon S3 bucket you created in the previous procedure.

  6. (Optional) In the Bucket prefix field, enter the name of an S3 bucket prefix (subdirectory).

  7. In the Bucket region field, choose This region if the S3 bucket you created is located in the current Amazon Web Services Region. If the bucket is located in a different Amazon Web Services Region, choose Another region, and enter the name of the Region.

    Note

    If the sync and the target S3 bucket are located in different Regions, you might be subject to data transfer pricing. For more information, see Amazon S3 Pricing.

  8. Choose Create.