When you attempt to start a Systems Manager session to an EC2 instance in an AWS account managed by Stax, you may receive an error message similar to the following:
Starting session with SessionId: my-account-04e3abb2988da4862
SessionId: my-account-04e3abb2988da4862 : Couldn't start the session because we are unable to validate encryption on Amazon S3 bucket. Error: AccessDenied: Access Denied
status code: 403, request id: F51F5BFDC9981FFF, host id: <your-host-id>
This error occurs because Stax updates the Systems Manager configuration to output logs to an encrypted bucket in your logging account. You need to grant your EC2 instances permission to write to this bucket.
To resolve this error, follow the steps at Use Systems Manager Session Manager with Stax Networks VPCs. If you're not using Stax Networks, you can skip directly to the Configure the IAM Instance Profile section.
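To check an instance profile policy before retrying the session, the following added example (not Stax or AWS code) tests a policy document offline for the two S3 actions that AWS's Session Manager documentation lists for logging sessions to S3: s3:PutObject and s3:GetEncryptionConfiguration. The bucket name, the session-logs/ key prefix and both sample policies are constructed placeholders, and the evaluation is deliberately simplified as noted in the comments.

```python
import fnmatch

# Placeholder: the real Stax logging bucket name is not given on this page.
BUCKET = "EXAMPLE-LOGGING-BUCKET"

# (action, resource) pairs to test; the "session-logs/" prefix is hypothetical.
REQUIRED = [
    ("s3:PutObject", f"arn:aws:s3:::{BUCKET}/session-logs/example.log"),
    ("s3:GetEncryptionConfiguration", f"arn:aws:s3:::{BUCKET}"),
]

def _as_list(value):
    # IAM allows Action/Resource/Statement as a single value or a list.
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource):
    # Action names are case-insensitive in IAM; resource ARNs are not.
    act = any(fnmatch.fnmatchcase(action.lower(), a.lower())
              for a in _as_list(stmt.get("Action", [])))
    res = any(fnmatch.fnmatchcase(resource, r)
              for r in _as_list(stmt.get("Resource", [])))
    return act and res

def is_allowed(policy, action, resource):
    """Identity-policy check only: an explicit Deny wins, then any Allow.
    Ignores Condition, NotAction, NotResource, SCPs and bucket policies."""
    stmts = _as_list(policy.get("Statement", []))
    if any(s.get("Effect") == "Deny" and _matches(s, action, resource) for s in stmts):
        return False
    return any(s.get("Effect") == "Allow" and _matches(s, action, resource) for s in stmts)

def missing_permissions(policy, required=REQUIRED):
    return [action for action, resource in required
            if not is_allowed(policy, action, resource)]

# Constructed sample: can write log objects but cannot read the bucket's
# encryption configuration.
WRITE_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject",
     "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}

# Constructed sample: adds the encryption-configuration read.
FIXED = {"Version": "2012-10-17", "Statement": WRITE_ONLY["Statement"] + [
    {"Effect": "Allow", "Action": "s3:GetEncryptionConfiguration", "Resource": "*"}]}

if __name__ == "__main__":
    for name, policy in (("WRITE_ONLY", WRITE_ONLY), ("FIXED", FIXED)):
        print(name, "missing:", missing_permissions(policy))
```

If the logging bucket is encrypted with a KMS key, AWS's documentation also lists kms:GenerateDataKey for the instance profile; pass an extended `required` list to cover it.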