How can I grant my Amazon EC2 instance access to an Amazon S3 bucket?

4 minute read

I'm unable to access an Amazon Simple Storage Service (Amazon S3) bucket from my Amazon Elastic Compute Cloud (Amazon EC2) instance. How can I activate read/write access to S3 buckets from an EC2 instance?

Short description

To connect to your S3 buckets from your EC2 instances, you must do the following:

1.    Create an AWS Identity and Access Management (IAM) profile role that grants access to Amazon S3.

2.    Attach the IAM instance profile to the instance.

3.    Validate permissions on your S3 bucket.

4.    Validate network connectivity from the EC2 instance to Amazon S3.

5.    Validate access to S3 buckets.


Create an IAM instance profile that grants access to Amazon S3

1.    Open the IAM console.

2.    Choose Roles, and then choose Create role.

3.    Select AWS Service, and then choose EC2 under Use Case.

Note: Creating an IAM role from the console with EC2 selected as the trusted entity automatically creates an IAM instance profile with the same name as the role name. However, if the role is created using the AWS Command Line Interface (AWS CLI) or from the API, then an instance profile isn't automatically created. For more information, refer to I created an IAM role, but the role doesn't appear in the dropdown list when I launch an instance. What do I do?

4.    Select Next: Permissions.

5.    Create a custom policy that provides the minimum required permissions to access your S3 bucket. For instructions on creating custom policies, see Writing IAM policies: how to grant access to an Amazon S3 bucket and Identity and access management in Amazon S3.

Note: Creating a policy with the minimum required permissions is a security best practice. However, to allow EC2 access to all your Amazon S3 buckets, use the AmazonS3ReadOnlyAccess or AmazonS3FullAccess managed IAM policy.

6.    Select Next: Tags, and then select Next: Review.

7.    Enter a Role name, and then select Create role.

Attach the IAM instance profile to the EC2 instance

1.    Open the Amazon EC2 console.

2.    Choose Instances.

3.    Select the instance that you want to attach the IAM role to.

4.    Choose the Actions tab, choose Security, and then choose Modify IAM role.

5.    Select the IAM role that you just created, and then choose Save. The IAM role is assigned to your EC2 instance.

Validate permissions on your S3 bucket

1.    Open the Amazon S3 console.

2.    Select the S3 bucket that you want to verify the policy for.

3.    Choose Permissions.

4.    Choose Bucket Policy.

5.    Search for statements with Effect: Deny.

6.    In your bucket policy, edit or remove any Effect: Deny statements that are denying the IAM instance profile access to your bucket. For instructions on editing policies, see Editing IAM policies.

Validate network connectivity from the EC2 instance to Amazon S3

For your EC2 instance to connect to S3 endpoints, the instance must be one of the following:

  • EC2 instance with a public IP address and a route table entry with the default route pointing to an Internet Gateway
  • Private EC2 instance with a default route through a NAT gateway
  • Private EC2 instance with connectivity to Amazon S3 using a gateway VPC endpoint

To troubleshoot connectivity between a private EC2 instance and an S3 bucket, see Why can’t I connect to an S3 bucket using a gateway VPC endpoint?

Validate access to S3 buckets

1.    Install the AWS CLI on your EC2 instance.

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.

2.    Verify access to your S3 buckets by running the following command. Replace DOC-EXAMPLE-BUCKET with the name of your S3 bucket.

aws s3 ls s3://DOC-EXAMPLE-BUCKET

Note: S3 objects encrypted with an AWS Key Management Service (AWS KMS) key must have kms: Decrypt permissions granted in the following:

  • The IAM role attached to the instance.
  • The KMS key policy.

If these permissions aren't granted, then you can't copy or download the S3 objects. For more information, see Do I need to specify the AWS KMS key when I download a KMS-encrypted object from Amazon S3?

Related information

Why can’t I connect to an S3 bucket using a gateway VPC endpoint?

AWS OFFICIALUpdated a year ago
1 Comment

This is excellent, thanks very much. I found another article with parallel content but this proved to be the more general use case.

replied 10 months ago