I am trying to do the following configuration in AWS:
- An object is created in an S3 bucket
- This event triggers a lambda function
- The lambda function uses an SSM document to invoke a shell script that is located inside an EC2 instance
- The EC2 has its script executed through the SSM message
This was working in my local account, but when I tried it in my corporate one it returned the error from the title above. I've given the following permissions to the services:
- EC2 - AmazonSSMManagedInstanceCore
- Lambda - AmazonSSMFullAccess, AWSLambdaBasicExecutionRole, AWSLambdaVPCAccessExecutionRole and a custom S3 policy that allows: { S3: Read, Write } and { CloudWatch Logs: write }
The only difference between my local and my corporate account is the EC2 instance's access. In my local account it has a public IPv4 address, while in my corporate one it does not, because it is in a private subnet.
Is it possible that the problem comes from this exact networking issue? I thought that SSM could communicate without any problem with EC2 instances located in a private subnet. Please give me some insight into what the problem could be; thank you in advance.
I changed the IAM roles, but nothing changed. It still says "Instance not in a valid state"
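Added example (not code from the question): a pre-flight check a Lambda can run before SendCommand, so that "Instance not in a valid state" is turned into a diagnosis. It assumes an SSM client object is passed in (a real `boto3.client("ssm")` fits, since only `describe_instance_information` and `send_command` are called); the `FakeSsmClient` and instance IDs are constructed so the block runs offline.

```python
from typing import Any, Dict, List

class InstanceNotReady(Exception):
    """Raised before SendCommand instead of letting it fail with InvalidInstanceId."""

def managed_instance_status(ssm: Any, instance_id: str) -> str:
    """Return the SSM agent PingStatus (Online, ConnectionLost, Inactive) or NotRegistered."""
    resp = ssm.describe_instance_information(
        Filters=[{"Key": "InstanceIds", "Values": [instance_id]}]
    )
    infos = resp.get("InstanceInformationList", [])
    return infos[0].get("PingStatus", "Unknown") if infos else "NotRegistered"

def explain(status: str) -> str:
    """Map the agent status to the most likely cause for a private-subnet instance."""
    return {
        "NotRegistered": "SSM agent never registered: check the instance profile "
                         "(AmazonSSMManagedInstanceCore) and that the private subnet can reach "
                         "the ssm, ssmmessages and ec2messages endpoints (VPC endpoints or NAT).",
        "ConnectionLost": "ConnectionLost: the agent registered earlier but has no outbound "
                          "path to SSM now (NAT or VPC endpoint / security group change?).",
        "Inactive": "Inactive: the instance is stopped or the SSM agent is not running.",
    }.get(status, f"unexpected status {status!r}")

def run_shell_script(ssm: Any, instance_id: str, commands: List[str]) -> str:
    """Run commands through AWS-RunShellScript only if the agent is Online; return the CommandId."""
    status = managed_instance_status(ssm, instance_id)
    if status != "Online":
        raise InstanceNotReady(f"{instance_id}: {explain(status)}")
    resp = ssm.send_command(InstanceIds=[instance_id],
                            DocumentName="AWS-RunShellScript",
                            Parameters={"commands": commands})
    return resp["Command"]["CommandId"]

class FakeSsmClient:
    """Constructed stand-in for boto3's SSM client (offline demo only)."""
    def __init__(self, registry: Dict[str, str]):
        self.registry = registry  # instance id -> PingStatus of registered instances

    def describe_instance_information(self, Filters):
        ids = Filters[0]["Values"]
        return {"InstanceInformationList": [{"InstanceId": i, "PingStatus": self.registry[i]}
                                            for i in ids if i in self.registry]}

    def send_command(self, InstanceIds, DocumentName, Parameters):
        return {"Command": {"CommandId": "cmd-constructed-0001"}}

if __name__ == "__main__":
    # Constructed IDs: one healthy instance, one that lost connectivity, one never registered.
    fake = FakeSsmClient({"i-0aaaa0000aaaa0000": "Online", "i-0bbbb0000bbbb0000": "ConnectionLost"})
    print(run_shell_script(fake, "i-0aaaa0000aaaa0000", ["sh /opt/app/run.sh"]))
    for bad in ("i-0bbbb0000bbbb0000", "i-0cccc0000cccc0000"):
        try:
            run_shell_script(fake, bad, ["sh /opt/app/run.sh"])
        except InstanceNotReady as err:
            print(err)
```

For the question's setup, a NotRegistered result points at the private subnet having no route to the SSM endpoints rather than at the Lambda's IAM policies.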