Saltar al contenido
Al usar AWS re:Post, aceptas las AWS re:Post Términos de uso
AWS re:Postre:Post
Acerca de re:Post

Permission Deny Occurs When Attempting to Back Up Files from EC2 to S3

0

Permission Deny Occurs When Attempting to Back Up Files from EC2 to S3

ex) # aws s3 cp /aaa/bbb/ccc.tar.gz s3://abucket

upload failed: /aaa/bbb/ccc.tar.gz to s3://abucket/ccc.tar.gz An error occured (AccessDenied) when calling the PutObject operation: Access Denied

We set up the environment as below.

  1. EC2 Environment
  • Private VPC (Private Network)
  1. VPC Endpoint Usage and Policy for S3
  • Add resources you want to allow to the policy =>principle: IAM ID, add S3 bucket(abucket) name
  • Allow S3:* for the Action portion of the policy
  • Use the same VPC as the EC2 VPC you want to communicate with
  1. IAM used
  • The IAM account is allowed to have full privileges on EC2 and S3.
  • SCP is not set for this IAM account.
  1. S3 bucket to approach

  • ACL

    Bucket owner: Object [Listed, Written] / Bucket ACL [Read, Written]

    Everyone (public access): Object [Listed, Write] / Bucket ACL [Read, Write]

  • Block public access (bucket settings)

    Block all public access

    Same if you try with Public

Can you tell me which part I need to check more and why?

  • Antonio Lagrotteria EXPERTO
    hace 3 años

    Have you associated an IAM role to the ec2 instance allowing PutObject permission on the bucket?

Temas
Almacenamiento
Etiquetas
S3 Select
Idioma
English
preguntada hace 3 años378 visualizaciones
1 Respuesta
0

Hello,

Can you try the below

  • Assign a S3 bucket policy as below example policy that allows the ec2 instance to write.
  • If you already have a role assigned to ec2 then you can use the same in the policy, else create new assume role for ec2 and assign that role to ec2 and use that role arn in below policy.
  • the second statement in the policy is basically a best practice to allow only https (not related to the error you are facing)
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789:role/role_that_is_assigned_to_ec2"
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name",
                "arn:aws:s3:::bucket-name/*"
            ]
        },
        {
            "Sid": "RestrictToTLSRequestsOnly",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::bucket-name",
                "arn:aws:s3:::bucket-name/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}
AWS
respondido hace 3 años

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Contenido relevante