

# Working with Amazon S3 buckets and bucket policies for Systems Manager
<a name="systems-manager-diagnosis-metadata-bucket"></a>

During the [onboarding process](systems-manager-setting-up-console.md) for AWS Systems Manager, Quick Setup creates an Amazon Simple Storage Service (Amazon S3) bucket in the delegated administrator account for organization setups. For single-account setups, the bucket is stored in the account being set up. 

You can use Systems Manager to run diagnostic operations on your fleet to identify cases of failed deployments and drifted configurations. Systems Manager can also detect cases where configuration issues are preventing Systems Manager from managing EC2 instances in your account or organization. The results of these diagnostic operations are stored in this Amazon S3 bucket, which is protected by both an encryption method and an S3 bucket policy. For information about the diagnostic operations that output data to this bucket, see [Diagnosing and remediating](diagnose-and-remediate.md). 

**Changing the bucket encryption method**  
By default, the S3 bucket uses server-side encryption with Amazon S3 managed keys (SSE-S3).

You can instead use server-side encryption with AWS KMS keys (SSE-KMS) using a customer managed key (CMK) as an alternative to Amazon S3 managed keys, as explained in [Changing to an AWS KMS customer managed key to encrypt S3 resources](remediate-s3-bucket-encryption.md).

**Contents of the bucket policy**  
The bucket policy prevents member accounts in an organization from discovering one another. Read and write permissions to the bucket are allowed only for the diagnosis and remediation roles created for Systems Manager. The contents of these system-generated policies are presented in [S3 bucket policies for the unified Systems Manager console](remediate-s3-bucket-policies.md).

**Warning**  
Modifying the default bucket policy might allow member accounts in an organization to discover one another, or read diagnosis outputs for instances in another account. We recommend using extreme caution if you choose to modify this policy.

**Topics**
+ [Changing to an AWS KMS customer managed key to encrypt S3 resources](remediate-s3-bucket-encryption.md)
+ [S3 bucket policies for the unified Systems Manager console](remediate-s3-bucket-policies.md)

# Changing to an AWS KMS customer managed key to encrypt S3 resources
<a name="remediate-s3-bucket-encryption"></a>

During the onboarding process for the unified Systems Manager console, Quick Setup creates an Amazon Simple Storage Service (Amazon S3) bucket in the delegated administrator account. This bucket is used to store the diagnosis output data generated during remediation runbook executions. By default, the bucket uses server-side encryption with Amazon S3 managed keys (SSE-S3).

You can review the bucket policy that Quick Setup applies to this bucket in [S3 bucket policies for the unified Systems Manager console](remediate-s3-bucket-policies.md).

You can instead use server-side encryption with AWS KMS keys (SSE-KMS) using a customer managed key (CMK) as an alternative to Amazon S3 managed keys.

Complete the following tasks, in the order shown, to configure Systems Manager to use your CMK.

## Task 1: Add a tag to an existing CMK
<a name="remediate-s3-bucket-encryption-add-kms-tag"></a>

AWS Systems Manager uses your CMK only if it is tagged with the following key-value pair:
+ Key: `SystemsManagerManaged`
+ Value: `true`

Use the following procedure to provide access for encrypting the S3 bucket with your CMK.

**To add a tag to your existing CMK**

1. Open the AWS KMS console at [https://console.aws.amazon.com/kms](https://console.aws.amazon.com/kms).

1. In the left navigation, choose **Customer managed keys**.

1. Select the AWS KMS key to use with AWS Systems Manager.

1. Choose the **Tags** tab, and then choose **Edit**.

1. Choose **Add tag**.

1. Do the following:

   1. For **Tag key**, enter **SystemsManagerManaged**.

   1. For **Tag value**, enter **true**.

1. Choose **Save**.

## Task 2: Modify an existing CMK key policy
<a name="remediate-s3-bucket-encryption-update-kms-policy"></a>

Use the following procedure to update the [KMS key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html) of your CMK to allow AWS Systems Manager roles to encrypt the S3 bucket on your behalf.

**To modify an existing CMK key policy**

1. Open the AWS KMS console at [https://console.aws.amazon.com/kms](https://console.aws.amazon.com/kms).

1. In the left navigation, choose **Customer managed keys**.

1. Select the AWS KMS key to use with AWS Systems Manager.

1. On the **Key policy** tab, choose **Edit**.

1. Add the following JSON statement to the `Statement` field, and replace the *placeholder values* with your own information.

   Ensure that you add all AWS account IDs that are onboarded in your organization to AWS Systems Manager in the `Principal` field.

   To find the correct bucket name, open the Amazon S3 console in the delegated administrator account and look for the bucket named in the format `do-not-delete-ssm-operational-account-id-home-region-disambiguator`.

   ```
   {
        "Sid": "EncryptionForSystemsManagerS3Bucket",
        "Effect": "Allow",
        "Principal": {
            "AWS": [
                "account-id-1",
                "account-id-2",
                ...
            ]
        },
        "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::amzn-s3-demo-bucket"
            },
            "StringLike": {
                "kms:ViaService": "s3.*.amazonaws.com"
            },
            "ArnLike": {
                "aws:PrincipalArn": "arn:aws:iam::*:role/AWS-SSM-*"
            }
        }
    }
   ```

**Tip**  
Alternatively, you can update the CMK key policy using the [aws:PrincipalOrgID](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principalorgid) condition key to grant AWS Systems Manager access to your CMK.

## Task 3: Specify the CMK in Systems Manager settings
<a name="remediate-s3-bucket-encryption-update-setting"></a>

After completing the previous two tasks, use the following procedure to change the S3 bucket encryption. This change ensures that the associated Quick Setup configuration process can add permissions for Systems Manager to accept your CMK.

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Settings**.

1. On the **Diagnose and remediate** tab, in the **Update S3 bucket encryption** section, choose **Edit**.

1. Select the **Customize encryption settings (advanced)** check box.

1. In the search (![The search icon](http://docs.aws.amazon.com/systems-manager/latest/userguide/images/search-icon.png)) box, choose the ID of an existing key, or paste the ARN of an existing key.

1. Choose **Save**.

# S3 bucket policies for the unified Systems Manager console
<a name="remediate-s3-bucket-policies"></a>

This topic includes the Amazon S3 bucket policies created by Systems Manager when you onboard an organization or single account to the unified Systems Manager console.

**Warning**  
Modifying the default bucket policy might allow member accounts in an organization to discover one another, or read diagnosis outputs for instances in another account. We recommend using extreme caution if you choose to modify this policy.

## Amazon S3 bucket policy for an organization
<a name="s3-bucket-policy-organization"></a>

The diagnosis bucket is created with the following default bucket policy when onboarding an organization to Systems Manager.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyHTTPRequests",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket",
                "arn:aws:s3:::amzn-s3-demo-bucket/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        },
        {
            "Sid": "DenyNonSigV4Requests",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket",
                "arn:aws:s3:::amzn-s3-demo-bucket/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "s3:SignatureVersion": "AWS4-HMAC-SHA256"
                }
            }
        },
        {
            "Sid": "AllowAccessLog",
            "Effect": "Allow",
            "Principal": {
                "Service": "logging.s3.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/access-logs/*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "000000000000"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:s3:::amzn-s3-demo-bucket"
                }
            }
        },
        {
            "Sid": "AllowCrossAccountRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/actions/*/${aws:PrincipalAccount}/*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "organization-id"
                }
            }
        },
        {
            "Sid": "AllowCrossAccountWrite",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/actions/*/${aws:PrincipalAccount}/*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "organization-id"
                },
                "ArnLike": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::*:role/AWS-SSM-DiagnosisExecutionRole-operational-123456789012-home-region",
                        "arn:aws:iam::*:role/AWS-SSM-DiagnosisAdminRole-operational-123456789012-home-region",
                        "arn:aws:iam::*:role/AWS-SSM-RemediationExecutionRole-operational-123456789012-home-region",
                        "arn:aws:iam::*:role/AWS-SSM-RemediationAdminRole-operational-123456789012-home-region"
                    ]
                }
            }
        },
        {
            "Sid": "AllowCrossAccountListUnderAccountOwnPrefix",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "organization-id"
                },
                "StringLike": {
                    "s3:prefix": "*/${aws:PrincipalAccount}/*"
                }
            }
        },
        {
            "Sid": "AllowCrossAccountGetConfigWithinOrganization",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetEncryptionConfiguration",
            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "organization-id"
                }
            }
        }
    ]
}
```
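
The effect of the statements above, and of the KMS key-policy statement in Task 2, can be checked offline with a small policy evaluator. This is an added example, not AWS code: it models only the subset of IAM these two policies use (explicit Deny wins, `${aws:PrincipalAccount}` substitution, single-valued Bool/StringEquals/StringLike/ArnLike conditions and their negations, `*` and account-ID principals, and ArnLike approximated with glob matching); the organization ID, account IDs, key ARN and role names are constructed placeholders.

```python
from fnmatch import fnmatchcase

ORG_ID = "o-exampleorg"                      # constructed organization ID
BUCKET = "arn:aws:s3:::amzn-s3-demo-bucket"
OWN_PREFIX = BUCKET + "/actions/*/${aws:PrincipalAccount}/*"   # per-account key space from the page
SSM_ROLE = "arn:aws:iam::*:role/AWS-SSM-*"
BUCKET_POLICY = [                            # abbreviated from the page's organization bucket policy
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": OWN_PREFIX,
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}}},
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:PutObject", "s3:DeleteObject"],
     "Resource": OWN_PREFIX, "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID},
                                           "ArnLike": {"aws:PrincipalArn": SSM_ROLE}}}]
KMS_POLICY = [                               # the Task 2 key-policy statement, with constructed account IDs
    {"Effect": "Allow", "Principal": {"AWS": ["111111111111", "222222222222"]},
     "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*",
     "Condition": {"StringEquals": {"kms:EncryptionContext:aws:s3:arn": BUCKET},
                   "StringLike": {"kms:ViaService": "s3.*.amazonaws.com"},
                   "ArnLike": {"aws:PrincipalArn": SSM_ROLE}}}]

def _matches(value, patterns, ctx):
    """Wildcard match against one pattern or a list, after substituting the IAM policy variable."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    account = ctx.get("aws:PrincipalAccount", "")
    return any(fnmatchcase(value, p.replace("${aws:PrincipalAccount}", account)) for p in patterns)
def _conditions_ok(conditions, ctx):
    for operator, pairs in conditions.items():
        negated = "Not" in operator           # e.g. StringNotEquals
        for key, wanted in pairs.items():     # single-valued condition keys, as on this page
            have = ctx.get(key)
            if have is None:                  # key absent from the request: plain operators fail, negated pass
                match = False
            elif operator.endswith("Like"):   # StringLike / ArnLike are wildcard matches
                match = fnmatchcase(have, wanted)
            else:                             # Bool / StringEquals / StringNotEquals
                match = have.lower() == wanted.lower()
            if match == negated:
                return False
    return True
def evaluate(policy, action, resource, ctx):
    """Return 'ALLOW' or 'DENY': an explicit Deny wins, otherwise one matching Allow is enough."""
    verdict = "DENY"                          # implicit deny when no statement matches
    for st in policy:                         # Principal is "*" or the account-ID form used on this page
        if ((st["Principal"] == "*" or ctx.get("aws:PrincipalAccount") in st["Principal"].get("AWS", []))
                and _matches(action, st["Action"], ctx) and _matches(resource, st["Resource"], ctx)
                and _conditions_ok(st.get("Condition", {}), ctx)):
            if st["Effect"] == "Deny":
                return "DENY"
            verdict = "ALLOW"
    return verdict
```

Running the evaluator with a request context for a member account shows the separation the page describes: a principal can read only objects under its own account prefix, writes additionally require one of the `AWS-SSM-*` roles, and the KMS grant is usable only through S3 for this bucket.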

## Amazon S3 bucket policy for a single account
<a name="s3-bucket-policy-account"></a>

The diagnosis bucket is created with the following default bucket policy when onboarding a single account to Systems Manager.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyHTTPRequests",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-bucket",
        "arn:aws:s3:::amzn-s3-demo-bucket/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    },
    {
      "Sid": "DenyNonSigV4Requests",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-bucket",
        "arn:aws:s3:::amzn-s3-demo-bucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "s3:SignatureVersion": "AWS4-HMAC-SHA256"
        }
      }
    }
  ]
}
```