Passer au contenu
En utilisant AWS re:Post, vous acceptez les AWS re:Post Conditions d’utilisation
AWS re:Postre:Post
À propos de re:Post

Permission Deny Occurs When Attempting to Back Up Files from EC2 to S3

0

Permission Deny Occurs When Attempting to Back Up Files from EC2 to S3

ex) # aws s3 cp /aaa/bbb/ccc.tar.gz s3://abucket

upload failed: /aaa/bbb/ccc.tar.gz to s3://abucket/ccc.tar.gz An error occured (AccessDenied) when calling the PutObject operation: Access Denied

We set up the environment as below.

  1. EC2 Environment
  • Private VPC (Private Network)
  1. VPC Endpoint Usage and Policy for S3
  • Add resources you want to allow to the policy =>principle: IAM ID, add S3 bucket(abucket) name
  • Allow S3:* for the Action portion of the policy
  • Use the same VPC as the EC2 VPC you want to communicate with
  1. IAM used
  • The IAM account is allowed to have full privileges on EC2 and S3.
  • SCP is not set for this IAM account.
  1. S3 bucket to approach

  • ACL

    Bucket owner: Object [Listed, Written] / Bucket ACL [Read, Written]

    Everyone (public access): Object [Listed, Write] / Bucket ACL [Read, Write]

  • Block public access (bucket settings)

    Block all public access

    Same if you try with Public

Can you tell me which part I need to check more and why?

  • Antonio Lagrotteria EXPERT
    il y a 3 ans

    Have you associated an IAM role to the ec2 instance allowing PutObject permission on the bucket?

Sujets
Stockage
Balises
S3 Select
Langue
English
demandé il y a 3 ans377 vues
1 réponse
0

Hello,

Can you try the below

  • Assign a S3 bucket policy as below example policy that allows the ec2 instance to write.
  • If you already have a role assigned to ec2 then you can use the same in the policy, else create new assume role for ec2 and assign that role to ec2 and use that role arn in below policy.
  • the second statement in the policy is basically a best practice to allow only https (not related to the error you are facing)
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789:role/role_that_is_assigned_to_ec2"
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name",
                "arn:aws:s3:::bucket-name/*"
            ]
        },
        {
            "Sid": "RestrictToTLSRequestsOnly",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::bucket-name",
                "arn:aws:s3:::bucket-name/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}
AWS
répondu il y a 3 ans

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Contenus pertinents