Limit AWS EC2 Instances to Access S3 Buckets in the Same Region ONLY

Time: 03-31

I need to frequently download terabytes of data from S3 buckets to EC2 instances. I would like to avoid unnecessary cross-region data transfer.

I am aware of Example 1: Granting a user permission to create a bucket only in a specific Region. I tried the following:

  InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
        Version: "2012-10-17"
      Policies:
        - PolicyDocument:
            Statement:
              - Action: s3:*
                Condition:
                  StringLike:
                    s3:LocationConstraint: sa-east-1
                Effect: Allow
                Resource: arn:aws:s3:::*
            Version: "2012-10-17"
          PolicyName: s3
  InstanceInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - Ref: InstanceRole
  Instance:
    Type: AWS::EC2::Instance
    Properties:
      IamInstanceProfile:
        Ref: InstanceInstanceProfile
      ......
    DependsOn:
      - InstanceRole

However, all S3 buckets deny access from the EC2 instance launched in sa-east-1, no matter whether the buckets are in sa-east-1 or not.

Is there a complete and working example for my case?

CodePudding user response:

LocationConstraint only works for CreateBucket and CreateAccessPoint. See: Actions, resources, and condition keys for Amazon S3 - Service Authorization Reference

The easiest approach would probably be:

  • Add an Allow policy that grants all relevant access to S3, then
  • Add a Deny policy specifically for s3:CreateBucket where s3:LocationConstraint is NOT sa-east-1

Try to avoid granting s3:* because this also grants permission to delete every bucket and all objects in the account!

CodePudding user response:

Thanks a lot to bgdnlp for the suggestion. Following the aws:RequestedRegion link therein, the problem is solved by replacing the Condition with

"Condition": {
    "StringEquals": {
        "aws:RequestedRegion": ["sa-east-1"]
    }
}
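The following CloudFormation snippet is an added example, not code from either answer above; it combines the two suggestions (scope the Allow to the actions the download job actually needs, then add explicit Deny statements keyed on aws:RequestedRegion and, for bucket creation, on s3:LocationConstraint). The bucket name my-sa-east-1-bucket is a placeholder assumption; substitute your own.

```yaml
# Added example (not from the original post): an instance role that allows
# read access to S3, but only when the request is signed for sa-east-1.
# "my-sa-east-1-bucket" is a placeholder bucket name (assumption).
Resources:
  InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: s3-same-region-only
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # 1. Allow only what the download job needs, on named buckets,
              #    instead of s3:* on arn:aws:s3:::* (which would also permit
              #    deleting every bucket and object in the account).
              - Sid: AllowListDataBucket
                Effect: Allow
                Action:
                  - s3:ListBucket
                  - s3:GetBucketLocation
                Resource: arn:aws:s3:::my-sa-east-1-bucket
              - Sid: AllowGetObjects
                Effect: Allow
                Action: s3:GetObject
                Resource: arn:aws:s3:::my-sa-east-1-bucket/*
              # 2. Explicit Deny for any S3 call signed for another region.
              #    aws:RequestedRegion is a global condition key present in the
              #    request context, unlike s3:LocationConstraint, which only
              #    exists on CreateBucket / CreateAccessPoint. That is why the
              #    original StringLike condition never matched on GetObject:
              #    an Allow whose condition key is absent does not apply.
              - Sid: DenyOtherRegions
                Effect: Deny
                Action: s3:*
                Resource: "*"
                Condition:
                  StringNotEquals:
                    aws:RequestedRegion: sa-east-1
              # 3. If s3:CreateBucket is ever granted to this role, also deny
              #    buckets whose LocationConstraint is not sa-east-1. A request
              #    that omits LocationConstraint creates the bucket in us-east-1,
              #    and StringNotEquals on a missing key evaluates to true, so
              #    that case is denied as well.
              - Sid: DenyCreateBucketOutsideRegion
                Effect: Deny
                Action: s3:CreateBucket
                Resource: arn:aws:s3:::*
                Condition:
                  StringNotEquals:
                    s3:LocationConstraint: sa-east-1
  InstanceInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - Ref: InstanceRole
```

Two caveats. First, the Deny keys off the region the request is signed for, not off where the bucket lives; a request for a bucket in another region has to be signed for that region to succeed, which is exactly what this statement blocks. Second, the Deny is evaluated before any Allow, so it also overrides S3 access granted through other attached policies. You can check the effect without launching an instance using the IAM policy simulator, e.g. aws iam simulate-custom-policy --policy-input-list file://policy.json --action-names s3:GetObject --context-entries "ContextKeyName=aws:RequestedRegion,ContextKeyValues=us-east-1,ContextKeyType=string", which should report an explicit deny for any region other than sa-east-1.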