AWS Security ChangesHomeSearch

AWS systems-manager-automation-runbooks documentation change

Service: systems-manager-automation-runbooks · 2025-11-19 · Documentation low

File: systems-manager-automation-runbooks/latest/userguide/automation-awssupport-collecteksinstancelogs.md

Summary

Updated branding terms (EC2→Amazon EC2, S3→Amazon S3) and significantly expanded IAM permissions documentation for EC2 instance profiles, including required policies for S3 bucket access and KMS encryption.

Security assessment

The changes add explicit security documentation about required IAM permissions for S3/KMS access and clarify security controls for log uploads. However, there's no evidence of addressing a specific vulnerability - this enhances existing security documentation.

Diff

diff --git a/systems-manager-automation-runbooks/latest/userguide/automation-awssupport-collecteksinstancelogs.md b/systems-manager-automation-runbooks/latest/userguide/automation-awssupport-collecteksinstancelogs.md
index af242ba31..738895550 100644
--- a//systems-manager-automation-runbooks/latest/userguide/automation-awssupport-collecteksinstancelogs.md
+++ b//systems-manager-automation-runbooks/latest/userguide/automation-awssupport-collecteksinstancelogs.md
@@ -9 +9 @@
-The `AWSSupport-CollectEKSInstanceLogs` runbook gathers operating system and Amazon Elastic Kubernetes Service (Amazon EKS) related log files from an Amazon Elastic Compute Cloud (Amazon EC2) instance to help you troubleshoot common issues. While the automation is gathering the associated log files, changes are made to the file system structure including the creation of temporary directories, the copying of log files to the temporary directories, and compressing the log files into an archive. This activity can result in increased `CPUUtilization` on the EC2 instance. For more information about `CPUUtilization` , see [Instance metrics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/viewing_metrics_with_cloudwatch.html#ec2-cloudwatch-metrics) in the _Amazon CloudWatch User Guide_ . 
+The `AWSSupport-CollectEKSInstanceLogs` runbook gathers operating system and Amazon Elastic Kubernetes Service (Amazon EKS) related log files from an Amazon Elastic Compute Cloud (Amazon EC2) instance to help you troubleshoot common issues. While the automation is gathering the associated log files, changes are made to the file system structure including the creation of temporary directories, the copying of log files to the temporary directories, and compressing the log files into an archive. This activity can result in increased `CPUUtilization` on the Amazon EC2 instance. For more information about `CPUUtilization` , see [Instance metrics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/viewing_metrics_with_cloudwatch.html#ec2-cloudwatch-metrics) in the _Amazon CloudWatch User Guide_ . 
@@ -11 +11 @@ The `AWSSupport-CollectEKSInstanceLogs` runbook gathers operating system and Ama
-If you specify a value for the `LogDestination` parameter, the automation evaluates the policy status of the Amazon Simple Storage Service (Amazon S3) bucket you specify. To help with the security of the logs gathered from your EC2 instance, if the policy status `isPublic` is set to `true` , or if the access control list (ACL) grants `READ|WRITE` permissions to the `All Users` Amazon S3 predefined group, the logs are not uploaded. For more information about Amazon S3 predefined groups, see [ Amazon S3 predefined groups](https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#specifying-grantee-predefined-groups) in the _Amazon Simple Storage Service User Guide_ . 
+If you specify a value for the `LogDestination` parameter, the automation evaluates the policy status of the Amazon Simple Storage Service (Amazon S3) bucket you specify. To help with the security of the logs gathered from your Amazon EC2 instance, if the policy status `isPublic` is set to `true` , or if the access control list (ACL) grants `READ|WRITE` permissions to the `All Users` Amazon S3 predefined group, the logs are not uploaded. For more information about Amazon S3 predefined groups, see [ Amazon S3 predefined groups](https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#specifying-grantee-predefined-groups) in the _Amazon Simple Storage Service User Guide_ . 
@@ -15 +15 @@ If you specify a value for the `LogDestination` parameter, the automation evalua
-This automation requires at least 10 percent of available disk space on the root Amazon Elastic Block Store (Amazon EBS) volume attached to your EC2 instance. If there is not enough available disk space on the root volume, the automation stops.
+This automation requires at least 10 percent of available disk space on the root Amazon Elastic Block Store (Amazon EBS) volume attached to your Amazon EC2 instance. If there is not enough available disk space on the root volume, the automation stops.
@@ -43 +43 @@ Type: String
-Description: (Required) ID of the Amazon EKS EC2 instance you want to collect logs from.
+Description: (Required) ID of the Amazon EKS Amazon EC2 instance you want to collect logs from.
@@ -49 +49 @@ Type: String
-Description: (Optional) The S3 bucket in your account to upload the archived logs to.
+Description: (Optional) The Amazon Simple Storage Service (Amazon S3) bucket in your account to upload the archived logs to.
@@ -67 +67,53 @@ The `AutomationAssumeRole` parameter requires the following actions to use the r
-We recommend that the EC2 instance receiving the command has an IAM role with the **AmazonSSMManagedInstanceCore** Amazon managed policy attached. To upload the log archive to the S3 bucket you specify in the `LogDestination` parameter, you must add the `s3:PutObject` permission. 
+**Required IAM permissions for the Amazon EC2 instance profile**
+
+The instance profile used by the `EKSInstanceId` must have the **AmazonSSMManagedInstanceCore** Amazon managed policy attached to it. 
+
+It also has to be able to access the `LogDestination` Amazon S3 bucket so that it could upload the collected logs. Below is an example of an IAM policy that could be attached to that instance profile:
+    
+    
+    {
+      "Version": "2012-10-17",		 	 	 
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Action": [
+            "s3:PutObject",
+            "s3:GetBucketPolicyStatus",
+            "s3:GetBucketAcl"
+          ],
+          "Resource": [
+            "arn:aws:s3:::LogDestination/*",
+            "arn:aws:s3:::LogDestination"
+          ]
+        }
+      ]
+    }
+
+If `LogDestination` uses AWS KMS encryption, then an additional statement must be added to the IAM policy, granting access to the AWS KMS key used in the encryption:
+    
+    
+    {
+      "Version": "2012-10-17",		 	 	 
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Action": [
+            "s3:PutObject",
+            "s3:GetBucketPolicyStatus",
+            "s3:GetBucketAcl"
+          ],
+          "Resource": [
+            "arn:aws:s3:::LogDestination/*",
+            "arn:aws:s3:::LogDestination"
+          ]
+        },
+        {
+          "Effect": "Allow",
+          "Action": [
+            "kms:Decrypt",
+            "kms:GenerateDataKey"
+          ],
+          "Resource": "arn:aws:kms:REGION:ACCOUNT:key/KMS-KEY-ID"
+        }
+      ]
+    }
@@ -77 +129 @@ We recommend that the EC2 instance receiving the command has an IAM role with th
-  * `aws:runCommand` \- Uploads the log archive to the S3 bucket you specify in the `LogDestination` parameter. 
+  * `aws:runCommand` \- Uploads the log archive to the Amazon S3 bucket you specify in the `LogDestination` parameter. 
@@ -88 +140 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-Amazon EKS
+AWS-UpdateEKSSelfManagedLinuxNodeGroups
@@ -90 +142 @@ Amazon EKS
-AWS-CreateEKSClusterWithFargateProfile
+AWSSupport-SetupK8sApiProxyForEKS