Home > Back-end >  AWS S3 Bucket Policy: How to grant access to EC2 instance?
AWS S3 Bucket Policy: How to grant access to EC2 instance?

Time:12-15

I am really struggling with this and the AWS Official Docs simply does not help!

I have an S3 bucket set up and it is allowing public access from a few specified ip addresses. This is the custom policy that is working:

{
    "Version": "2012-10-17",
    "Id": "Policy1111111111",
    "Statement": [
        {
            "Sid": "Stmt111111111",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::myapp-local-test/*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": [
                        "12.122.123.111",
                        "121.217.73.153"
                    ]
                }
            }
        },
        {
            "Sid": "Stmt1111111111",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::myapp-local-test/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "12.122.123.111",
                        "121.217.73.153"
                    ]
                }
            }
        },
    ]
}

Now, instead of only allowing the above 2 ip addresses to access resources in the bucket, I also want my EC2 instance to access it.

I followed this doc: https://aws.amazon.com/premiumsupport/knowledge-center/ec2-instance-access-s3-bucket/

I followed the exact steps. I have created a new IAM role, (arn: "arn:aws:iam::1223123156:role/EC2-to-S3")

I have also attached the role to my EC2 instance.

But in step 6:

6.    In your bucket policy, edit or remove any Effect: Deny 
statements that are denying the IAM instance profile access to 
your bucket. For instructions on editing policies, 
see Editing IAM policies.

How exactly do I do it? It directs me to another doc about Editing IAM policies, BUT IT DOES NOT HELP !!!

How do I remove any "Effect: Deny" statements that are denying the IAM instance profile access to my bucket?

What keyword should I use?

Here is what I tried:

{
    "Version": "2012-10-17",
    "Id": "Policy1111111111",
    "Statement": [
        {
            "Sid": "Stmt111111111",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::myapp-local-test/*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": [
                        "12.122.123.111",
                        "121.217.73.153"
                    ]
                },
                "StringNotEquals": {
                    "aws:SourceArn": "arn:aws:iam::1223123156:role/EC2-to-S3"
                }
        },
        {
            "Sid": "Stmt1111112222",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::myapp-local-test/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "12.122.123.111",
                        "121.217.73.153"
                    ]
                }
            }
        },

        {
            "Sid": "Stmt1639460338435",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::myapp-local-test/*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceArn": "arn:aws:iam::1223123156:role/EC2-to-S3"
                }
            }
        }

    ]
}

which does not work. I still had an "Access Denied" error.

Can the docs be a little bit more specific? Why is it so hard to get such a basic task done with aws docs??



This finally worked:

{
    "Version": "2012-10-17",
    "Id": "Policy1111111",
    "Statement": [
        {
            "Sid": "Stmt11111",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::myapp-local-test/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "12.122.123.111",
                        "121.217.73.153"
                    ]
                }
            }
        },
        {
            "Sid": "Stmt1222222222",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::1234556:role/EC2-to-S3"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::myapp-local-test/*"
        }
    ]
}

So the trick is to drop the deny statement completely since by default everything is denied access.

And my edits earlier:

    "Statement": [
        {
            "Sid": "Stmt111111111",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::myapp-local-test/*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": [
                        "12.122.123.111",
                        "121.217.73.153"
                    ]
                },
                "StringNotEquals": {
                    "aws:SourceArn": "arn:aws:iam::1223123156:role/EC2-to-S3"
                }
        },

the StringNotEquals part does not drop the default deny for the iam role.

CodePudding user response:

If possible, you should avoid using Deny statements, since they override any Allow statements.

Your first bucket policy is saying:

  • Deny access to the bucket if requests are not coming from the given IP addresses
  • Allow access to the bucket if requests are coming from the given IP addresses

Unfortunately, the Deny will prohibit access from the EC2 instance, since it is not one of the listed IP addresses.

Instead of using Deny, just grant Allow access when needed. Access to S3 is denied by default, so users can only gain access if there is an Allow policy that grants them access.

  • Related