How do I configure AWS Systems Manager Run Command to send output to an S3 bucket in another AWS account?

Last updated: 2021-04-20

I want to send AWS Systems Manager Run Command output to an Amazon Simple Storage Service (Amazon S3) bucket in another AWS account. How can I do that?

Resolution

You can use AWS Systems Manager Run Command to run Systems Manager documents such as AWS-RunPatchBaseline and AWS-RunPowerShellScript on managed instances. You can then send the command output to Amazon CloudWatch Logs or Amazon S3 in the same AWS account, or to an S3 bucket in another AWS account.

To allow Systems Manager to access an S3 bucket in another AWS account, configure the following AWS Identity and Access Management (IAM) and bucket policies.

Managed EC2 instance IAM instance profile role

The IAM role in the instance profile attached to your managed Amazon Elastic Compute Cloud (Amazon EC2) instance must be allowed the following actions on objects in the target bucket. Replace DOC-EXAMPLE-BUCKET with the name of the S3 bucket in the target account.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
        }
    ]
}

For more information about the S3 permissions required for specific scenarios, see Create a custom policy for S3 bucket access.

Target S3 bucket policy

The target S3 bucket must allow the instance profile role that is attached to the managed EC2 instance to access the bucket. You can either create a bucket policy or grant access to the source AWS account in the bucket access control list (ACL).

Warning: It's a security best practice to create a bucket policy that names the role. Adding the source AWS account to the bucket ACL grants the whole account, so any user or role in the source AWS account whose own IAM policies allow it can access the S3 bucket.

The following is an example bucket policy for the target S3 bucket. Replace DOC-EXAMPLE-BUCKET with the S3 bucket name in the target account. Replace SOURCE-AWS-ACCOUNT with the 12-digit source AWS account ID. Replace INSTANCE-PROFILE-ROLE-NAME with the name of the IAM role in the instance profile that is attached to the EC2 instance. Also check the bucket's Object Ownership setting: while ACLs are in use, an object written by a principal in another account is owned by that account, and the bucket owner can read it only if the writer applied the bucket-owner-full-control ACL. With Object Ownership set to Bucket owner enforced, the bucket owner owns every object regardless of who wrote it.

{
    "Version": "2012-10-17",
    "Id": "Policy1589684413780",
    "Statement": [
        {
            "Sid": "Stmt1589684412557",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::SOURCE-AWS-ACCOUNT:role/INSTANCE-PROFILE-ROLE-NAME"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
        }
    ]
}
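Generating both policies from the placeholders above and checking a candidate bucket policy for the over-broad grants the warning describes, as an added example that is not part of the original article. The account ID 111122223333, the role name SSMInstanceRole and the statement Sids are placeholders; the lint only knows the three actions the article lists, and the script uses nothing outside the Python standard library.

```python
import json
import re

# The three object-level actions the article grants; nothing bucket-level is needed.
RUN_COMMAND_ACTIONS = ["s3:PutObject", "s3:GetObject", "s3:PutObjectAcl"]
ACCOUNT_ID = re.compile(r"^\d{12}$")


def instance_role_policy(bucket: str) -> dict:
    """Policy for the role in the instance profile of the managed instance (source account)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "RunCommandOutput",
            "Effect": "Allow",
            "Action": RUN_COMMAND_ACTIONS,
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def bucket_policy(bucket: str, source_account: str, role_name: str) -> dict:
    """Bucket policy for the target account that trusts exactly one role in the source account."""
    if not ACCOUNT_ID.match(source_account):
        raise ValueError(f"source account must be a 12-digit account ID, got {source_account!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowRunCommandOutputFromSourceRole",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{source_account}:role/{role_name}"},
            "Action": RUN_COMMAND_ACTIONS,
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_bucket_policy(policy: dict, bucket: str) -> list:
    """Findings for any Allow wider than 'one named role, three actions, this bucket'."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)
        for p in aws_principals:
            if p == "*":
                findings.append(f"{sid}: Principal '*' allows anyone, including anonymous requests")
            elif ACCOUNT_ID.match(p) or p.endswith(":root"):
                # Same blast radius as adding the account to the bucket ACL.
                findings.append(f"{sid}: account-wide principal {p} delegates to every IAM identity "
                                "in that account; name the instance profile role instead")
            elif "*" in p:
                findings.append(f"{sid}: wildcard in principal {p}")
        for action in _as_list(stmt.get("Action")):
            if action not in RUN_COMMAND_ACTIONS:
                findings.append(f"{sid}: action {action} is not one of the actions Run Command output needs")
        for resource in _as_list(stmt.get("Resource")):
            if not resource.startswith(f"arn:aws:s3:::{bucket}"):
                findings.append(f"{sid}: resource {resource} is not the target bucket {bucket}")
    return findings


def account_wide_bucket_policy(bucket: str, source_account: str) -> dict:
    """The policy equivalent of the ACL grant the article warns about, kept here for the linter to flag."""
    policy = bucket_policy(bucket, source_account, "unused")
    policy["Statement"][0]["Principal"] = {"AWS": f"arn:aws:iam::{source_account}:root"}
    return policy


if __name__ == "__main__":
    # 111122223333 and SSMInstanceRole are placeholders, not real identifiers.
    scoped = bucket_policy("DOC-EXAMPLE-BUCKET", "111122223333", "SSMInstanceRole")
    print(json.dumps(scoped, indent=2))
    print("scoped policy findings:", lint_bucket_policy(scoped, "DOC-EXAMPLE-BUCKET"))
    wide = account_wide_bucket_policy("DOC-EXAMPLE-BUCKET", "111122223333")
    print("account-wide policy findings:", lint_bucket_policy(wide, "DOC-EXAMPLE-BUCKET"))
```

Run the linter against the policy you are about to attach, not only against the generated one: a statement that names the account root, or that lists actions beyond the three, is the usual way a cross-account grant ends up far wider than the single role Run Command needs.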

Configure Run Command to send the command output to Amazon S3

AWS Systems Manager console

1.    Open the Systems Manager console, and then choose Run Command from the navigation pane.

2.    Choose Run command.

3.    Select the document that you want to run, and enter all required parameters.

4.    For Output options, select Enable an S3 bucket. Select Enter an S3 bucket name in the text box, and then enter the name of the S3 bucket in the target account.

5.    (Optional) If you want to send the command output to a subfolder of the S3 bucket, for S3 key prefix, enter the S3 key prefix.

AWS CLI

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

When you run a SendCommand API call in the AWS CLI, you can specify the output options by adding the following parameters:

--output-s3-bucket-name "DOC-EXAMPLE-BUCKET" --output-s3-key-prefix "DOC-EXAMPLE-BUCKET-PREFIX"

Note: In the preceding parameter examples, DOC-EXAMPLE-BUCKET is the name of the S3 bucket in your target account. DOC-EXAMPLE-BUCKET-PREFIX indicates the subfolder within the S3 bucket where you want to store the response. The output-s3-key-prefix parameter isn't required to send the command output to an S3 bucket. For more information, see send-command.

The following AWS CLI example sends a command that uses the AWS-RunPowerShellScript document to run echo helloWorld on the managed instances that carry the tag Env with the value Dev or Test. The command output is sent to the S3 bucket named DOC-EXAMPLE-BUCKET in your target account and stored under the key prefix DOC-EXAMPLE-BUCKET-PREFIX.

aws ssm send-command --document-name "AWS-RunPowerShellScript" --parameters '{"commands":["echo helloWorld"]}'  --targets '[{"Key":"tag:Env","Values":["Dev","Test"]}]' --output-s3-bucket-name "DOC-EXAMPLE-BUCKET" --output-s3-key-prefix "DOC-EXAMPLE-BUCKET-PREFIX"
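An end-to-end version of the CLI example in Python with boto3, added here and not part of the original article: it sends the same command, waits until every invocation has reached a terminal status, and reads each instance's stdout back from the target-account bucket. It assumes two named AWS CLI profiles (one for the source account that owns the instances, one for the target account that owns the bucket) and that objects land under <prefix>/<command-id>/<instance-id>/.../stdout, the layout Run Command writes; the helper functions work on the response shapes of ListCommandInvocations and ListObjectsV2 and need no network or boto3 to run.

```python
import time
from typing import Dict, List, Tuple

# Terminal statuses of a command invocation as reported by ListCommandInvocations.
TERMINAL_STATUSES = {"Success", "Failed", "Cancelled", "TimedOut"}


def invocation_status(pages: List[dict]) -> Dict[str, str]:
    """Collapse ListCommandInvocations pages into {InstanceId: Status}."""
    status = {}
    for page in pages:
        for inv in page.get("CommandInvocations", []):
            status[inv["InstanceId"]] = inv["Status"]
    return status


def all_finished(status: Dict[str, str]) -> bool:
    """True once at least one invocation exists and all have reached a terminal status.
    Right after SendCommand the list can still be empty while tag targets are resolved."""
    return bool(status) and all(s in TERMINAL_STATUSES for s in status.values())


def stdout_keys(keys: List[str], command_id: str) -> Dict[str, str]:
    """Pick each instance's stdout object from keys listed under <prefix>/<command-id>/.
    Assumed layout: <prefix>/<command-id>/<instance-id>/<plugin>/<step>/stdout"""
    found = {}
    for key in keys:
        parts = key.split("/")
        if parts[-1] != "stdout" or command_id not in parts:
            continue
        idx = parts.index(command_id)
        if idx + 1 >= len(parts) - 1:  # nothing between command id and the stdout leaf
            continue
        found[parts[idx + 1]] = key
    return found


def run_and_collect(source_profile: str, target_profile: str, bucket: str, prefix: str,
                    poll_seconds: int = 5, timeout_seconds: int = 600) -> Dict[str, Tuple[str, str]]:
    """Send the article's echo command, wait for it, and return {InstanceId: (Status, stdout)}.
    The source profile calls SendCommand; the target profile reads the bucket, because the
    bucket policy grants only the instance profile role, not operators in the source account."""
    import boto3  # imported here so the pure helpers above run without boto3 installed

    ssm = boto3.Session(profile_name=source_profile).client("ssm")
    s3 = boto3.Session(profile_name=target_profile).client("s3")

    command_id = ssm.send_command(
        DocumentName="AWS-RunPowerShellScript",
        Parameters={"commands": ["echo helloWorld"]},
        Targets=[{"Key": "tag:Env", "Values": ["Dev", "Test"]}],
        OutputS3BucketName=bucket,
        OutputS3KeyPrefix=prefix,
    )["Command"]["CommandId"]

    deadline = time.monotonic() + timeout_seconds
    paginator = ssm.get_paginator("list_command_invocations")
    while True:
        status = invocation_status(list(paginator.paginate(CommandId=command_id)))
        if all_finished(status):
            break
        if time.monotonic() > deadline:
            raise TimeoutError(f"command {command_id} still running after {timeout_seconds}s: {status}")
        time.sleep(poll_seconds)

    base = f"{prefix.rstrip('/')}/" if prefix else ""
    keys = []
    for page in s3.get_paginator("list_objects_v2").paginate(Bucket=bucket, Prefix=f"{base}{command_id}/"):
        keys.extend(obj["Key"] for obj in page.get("Contents", []))

    results = {}
    for instance_id, key in stdout_keys(keys, command_id).items():
        body = s3.get_object(Bucket=bucket, Key=key)["Body"].read().decode("utf-8", "replace")
        results[instance_id] = (status.get(instance_id, "Unknown"), body)
    return results


if __name__ == "__main__":
    # Profile names and the bucket/prefix are placeholders for your own environment.
    for instance_id, (state, out) in run_and_collect(
            "source-account", "target-account", "DOC-EXAMPLE-BUCKET", "DOC-EXAMPLE-BUCKET-PREFIX").items():
        print(instance_id, state, out.strip())
```

A Failed invocation still leaves a stdout object (and a stderr object next to it), so check the status returned alongside the text rather than treating the presence of output as success.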
