Access S3 from EC2 by using instance IP instead of assumerole

Time:07-18

I'm trying to get an EC2 instance to access an S3 bucket. I'd rather use the IP address of the instance to allow access to S3 than AssumeRole.

In the bucket policy, I've tried allowing the instance's public AND private IP, but trying to access any resource gives <Code>AccessDenied</Code><Message>Access Denied</Message>

I'm able to use IAM roles and the AWS CLI to access the S3 bucket, but I need to access the S3 bucket using a plain HTTP address like http://s3.amazonaws.com/somebucket/somefile.txt. I've also tested with non-cloud servers (my own laptop and other servers), and allowing the public IP of those servers would successfully let me access the S3 resources; it only doesn't work when I do the same for EC2 instances.

I tried looking at the access logs and I see the private IP of the EC2 instance being logged with a 403 Access Denied.

My bucket policy looks like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::test-bucket1/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "EC2-public-ip-address/32",
                        "EC2-private-ip-address/32"
                    ]
                }
            }
        }
    ]
}

CodePudding user response:

I see a gateway endpoint associated with the VPC that the EC2 instance is in

So that's why it uses the private IP. An S3 gateway endpoint enables private connections from the VPC to S3 without going through the internet. Thus only the private IP is used in that case.

You either have to settle for the private IP only, or modify your VPC and S3 gateway endpoint settings to allow internet connections to S3. This may be a security issue, as S3 gateway endpoints are more secure (no internet).
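A caveat worth spelling out alongside the answer: when a request reaches S3 through a VPC gateway endpoint, the aws:SourceIp condition key is not present in the request context at all; S3 sees aws:VpcSourceIp (the private address) and aws:SourceVpce (the endpoint ID) instead. An IpAddress condition on aws:SourceIp therefore cannot match on that path, whichever address is listed, which is consistent with the 403 in the access logs. The script below is an added example, not code from the question or the answer: it models that part of IAM condition evaluation over two policies (the poster's shape, and the same policy plus a statement keyed on the endpoint-path keys) and two constructed request contexts. The IP addresses, the endpoint ID and the bucket name are assumptions; the evaluator only models the Condition element and an implicit deny, and ignores Principal, Action, Resource matching and explicit Deny statements.

```python
import ipaddress

# Constructed sample values; these are assumptions, not taken from the question.
PUBLIC_IP = "203.0.113.10"         # the instance's public IP (TEST-NET-3 range)
PRIVATE_IP = "10.0.1.25"           # the instance's private IP inside the VPC
VPCE_ID = "vpce-0abc1234example"   # the S3 gateway endpoint attached to the VPC
BUCKET_ARN = "arn:aws:s3:::test-bucket1/*"

# The poster's policy shape: one Allow statement keyed on aws:SourceIp.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Statement1",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": BUCKET_ARN,
        "Condition": {"IpAddress": {"aws:SourceIp": [PUBLIC_IP + "/32", PRIVATE_IP + "/32"]}},
    }],
}

# The same statement plus one for the endpoint path, where S3 populates
# aws:VpcSourceIp and aws:SourceVpce rather than aws:SourceIp. Both operators
# in one Condition block must match (IAM ANDs them).
ENDPOINT_AWARE_POLICY = {
    "Version": "2012-10-17",
    "Statement": ORIGINAL_POLICY["Statement"] + [{
        "Sid": "AllowThisInstanceViaEndpoint",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": BUCKET_ARN,
        "Condition": {
            "IpAddress": {"aws:VpcSourceIp": PRIVATE_IP + "/32"},
            "StringEquals": {"aws:SourceVpce": VPCE_ID},
        },
    }],
}

# Request contexts as S3 would see them (constructed). Over the internet the
# context carries aws:SourceIp; through the gateway endpoint it does not.
INTERNET_REQUEST = {"aws:SourceIp": PUBLIC_IP}
ENDPOINT_REQUEST = {"aws:VpcSourceIp": PRIVATE_IP, "aws:SourceVpce": VPCE_ID}


def _ip_in_any(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def condition_matches(condition, ctx):
    """Evaluate the IpAddress and StringEquals operators used above.

    A key that is absent from the request context makes the operator false;
    that is IAM's rule for operators without the ...IfExists suffix.
    """
    for operator, clauses in condition.items():
        for key, allowed in clauses.items():
            allowed = allowed if isinstance(allowed, list) else [allowed]
            value = ctx.get(key)
            if value is None:
                return False
            if operator == "IpAddress":
                if not _ip_in_any(value, allowed):
                    return False
            elif operator == "StringEquals":
                if value not in allowed:
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def evaluate(policy, ctx):
    """Return "Allow" if any Allow statement's Condition matches, else the
    implicit "Deny". Principal/Action/Resource are assumed to match."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Allow" and condition_matches(stmt.get("Condition", {}), ctx):
            return "Allow"
    return "Deny"


if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL_POLICY), ("endpoint-aware", ENDPOINT_AWARE_POLICY)):
        for path, ctx in (("internet", INTERNET_REQUEST), ("gateway endpoint", ENDPOINT_REQUEST)):
            print(f"{name:15} via {path:17}: {evaluate(policy, ctx)}")
```

Run it and the original policy allows the internet path but denies the gateway-endpoint path, while the endpoint-aware policy allows both and still denies another host in the same VPC. The same reasoning applies to a real policy: keep the aws:SourceIp statement for traffic that arrives over the internet, and add an aws:VpcSourceIp or aws:SourceVpce statement for traffic that arrives through the endpoint, rather than removing the endpoint.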
