I need to download terabytes of data from S3 buckets into EC2 instances frequently. I would like to avoid unnecessary cross-region data transfer.
I am aware of Example 1: Granting a user permission to create a bucket only in a specific Region. I tried the following:
```yaml
InstanceRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Statement:
        - Action: sts:AssumeRole
          Effect: Allow
          Principal:
            Service: ec2.amazonaws.com
      Version: "2012-10-17"
    Policies:
      - PolicyDocument:
          Statement:
            - Action: s3:*
              Condition:
                StringLike:
                  s3:LocationConstraint: sa-east-1
              Effect: Allow
              Resource: arn:aws:s3:::*
          Version: "2012-10-17"
        PolicyName: s3
InstanceInstanceProfile:
  Type: AWS::IAM::InstanceProfile
  Properties:
    Roles:
      - Ref: InstanceRole
Instance:
  Type: AWS::EC2::Instance
  Properties:
    IamInstanceProfile:
      Ref: InstanceInstanceProfile
    ......
  DependsOn:
    - InstanceRole
```
However, all S3 buckets deny my access from the EC2 instance launched in sa-east-1, no matter whether the buckets are in sa-east-1 or not.
Is there a complete and working example for my case?
CodePudding user response:
`LocationConstraint` only works for `CreateBucket` and `CreateAccessPoint`. See: Actions, resources, and condition keys for Amazon S3 - Service Authorization Reference
The easiest approach would probably be:

- Add an `Allow` policy that grants all relevant access to S3, then
- Add a `Deny` policy specifically for `s3:CreateBucket` where `s3:LocationConstraint` is NOT `sa-east-1`
Try to avoid granting `s3:*` because this also grants permission to delete every bucket and all objects in the account!
CodePudding user response:
Thanks a lot to bgdnlp for the suggestion. Following the link to `aws:RequestedRegion` therein, the problem is solved by replacing `Condition` with

```json
"Condition": {
  "StringEquals": {
    "aws:RequestedRegion": ["sa-east-1"]
  }
}
```
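To make the behaviour behind both answers concrete, here is an added example (not code from the question, the answers, or AWS): a deliberately small model of IAM policy evaluation that applies three policies to the same set of constructed request contexts. It models only the rules that matter here: an explicit `Deny` wins, an `Allow` whose condition key is absent from the request does not match, and the `StringEquals` / `StringLike` / `StringNotEquals` operators. The request contexts, the narrowed action list in the third policy, and the `evaluate` / `decisions` helpers are assumptions for illustration; the real IAM engine has many more rules.

```python
"""Toy IAM evaluator (added example; not AWS's engine and not the page's code).

Assumptions modelled: explicit Deny beats Allow; implicit Deny when no Allow
matches; StringEquals/StringLike on a key missing from the request context
evaluate to false; the negated StringNotEquals on a missing key evaluates to
true. Everything below is constructed for illustration.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(stmt_actions, action):
    # Action patterns such as s3:* use glob-style matching.
    return any(fnmatchcase(action, pattern) for pattern in _as_list(stmt_actions))


def _condition_matches(condition, context):
    # Every operator block and every key inside it must hold (logical AND).
    for operator, keys in condition.items():
        for key, expected in keys.items():
            expected = _as_list(expected)
            actual = context.get(key)
            if operator in ("StringEquals", "StringLike"):
                if actual is None:
                    return False  # key not in request -> condition fails
                if operator == "StringLike":
                    hit = any(fnmatchcase(actual, e) for e in expected)
                else:
                    hit = actual in expected
                if not hit:
                    return False
            elif operator == "StringNotEquals":
                # Negated operator: a missing key counts as "not equal".
                if actual is not None and actual in expected:
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True


def evaluate(statements, action, context):
    """Return 'Allow' or 'Deny' for one request against a list of statements."""
    allowed = False
    for stmt in statements:
        if not _action_matches(stmt["Action"], action):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny always wins
        allowed = True
    return "Allow" if allowed else "Deny"  # implicit deny otherwise


# Policy 1: the question's original statement. s3:LocationConstraint exists
# only on CreateBucket / CreateAccessPoint requests, so every other call
# (GetObject, ListBucket, ...) fails to match and is implicitly denied.
ORIGINAL = [{
    "Effect": "Allow", "Action": "s3:*",
    "Condition": {"StringLike": {"s3:LocationConstraint": "sa-east-1"}},
}]

# Policy 2: the fix from the second answer. aws:RequestedRegion is present on
# every request, so it gates reads as well as bucket creation.
FIXED = [{
    "Effect": "Allow", "Action": "s3:*",
    "Condition": {"StringEquals": {"aws:RequestedRegion": ["sa-east-1"]}},
}]

# Policy 3: the shape of the first answer: a narrow Allow instead of s3:*,
# plus an explicit Deny on CreateBucket outside sa-east-1. The concrete
# read actions listed here are an assumption.
ALLOW_PLUS_DENY = [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Condition": {"StringEquals": {"aws:RequestedRegion": "sa-east-1"}}},
    {"Effect": "Allow", "Action": "s3:CreateBucket"},
    {"Effect": "Deny", "Action": "s3:CreateBucket",
     "Condition": {"StringNotEquals": {"s3:LocationConstraint": "sa-east-1"}}},
]

# Constructed request contexts. Only CreateBucket carries s3:LocationConstraint.
CASES = {
    "GetObject in sa-east-1":    ("s3:GetObject",    {"aws:RequestedRegion": "sa-east-1"}),
    "GetObject in us-east-1":    ("s3:GetObject",    {"aws:RequestedRegion": "us-east-1"}),
    "DeleteBucket in sa-east-1": ("s3:DeleteBucket", {"aws:RequestedRegion": "sa-east-1"}),
    "CreateBucket in sa-east-1": ("s3:CreateBucket", {"aws:RequestedRegion": "sa-east-1",
                                                      "s3:LocationConstraint": "sa-east-1"}),
    "CreateBucket in eu-west-1": ("s3:CreateBucket", {"aws:RequestedRegion": "eu-west-1",
                                                      "s3:LocationConstraint": "eu-west-1"}),
}


def decisions(statements):
    """Map each case name to the evaluator's decision for that policy."""
    return {name: evaluate(statements, action, ctx) for name, (action, ctx) in CASES.items()}


if __name__ == "__main__":
    for label, policy in (("ORIGINAL", ORIGINAL), ("FIXED", FIXED),
                          ("ALLOW_PLUS_DENY", ALLOW_PLUS_DENY)):
        print(label)
        for name, verdict in decisions(policy).items():
            print(f"  {name:<28} {verdict}")
```

Running it reproduces the question's symptom (every `GetObject` denied under `ORIGINAL`, in-region or not) and shows the trade-off between the two answers: `FIXED` allows in-region reads but, because it keeps `s3:*`, also allows `DeleteBucket` in sa-east-1, while `ALLOW_PLUS_DENY` permits only the listed read actions and still blocks bucket creation outside the region.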