I can't access an Amazon Simple Storage Service (Amazon S3) bucket from my Amazon Elastic Compute Cloud (Amazon EC2) instance.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
Create an IAM instance profile that grants access to Amazon S3
Complete the following steps:
- Open the AWS Identity and Access Management (IAM) console.
- In the navigation pane, under Access management, choose Roles.
- Choose Create role.
- Under Trusted entity type, choose AWS service. For Service or use case, choose EC2. For Use Case, choose EC2.
Note: When you use the IAM console to create an IAM role and choose EC2 as the trusted entity, an IAM instance profile is automatically created. The newly created IAM instance profile has the same name as the role. However, if you use the AWS CLI or an API to create the role, then an instance profile isn't automatically created. For more information, see I created an IAM role, but the role doesn't appear in the dropdown list when I launch an instance. What do I do?
- Choose Next.
- Create a custom policy that provides the minimum required permissions to access your S3 bucket.
Note: It's a security best practice to create a policy with the minimum required permissions. However, to give Amazon EC2 access to all of your S3 buckets, use the AmazonS3ReadOnlyAccess or AmazonS3FullAccess managed IAM policy.
- Select the required policy, and then choose Next.
- Enter a role name, and then choose Create role.
Attach the IAM instance profile to the EC2 instance
Complete the following steps:
- Open the Amazon EC2 console.
- In the navigation pane, choose Instances.
- Select the instance that you want to attach the IAM role to.
- Choose Actions, and then choose Security.
- Choose Modify IAM role.
- Select the IAM role you just created, and then choose Save. The IAM role is assigned to your EC2 instance.
Verify permissions on your S3 bucket
Complete the following steps:
- Open the Amazon S3 console.
- Select the S3 bucket link that you want to verify the policy for.
- Choose the Permissions tab.
- In the Bucket policy section, search for statements that contain "Effect": "Deny".
- Edit the bucket policy to remove any "Effect": "Deny" statements that deny the IAM instance profile access to your bucket.
Verify network connectivity from the EC2 instance to Amazon S3
Prerequisites
The EC2 instance needs one of the following network paths to Amazon S3:
- A public IP address and a route table entry with the default route to an internet gateway.
- A private instance with a default route through a NAT gateway.
- A private instance with connectivity to Amazon S3 through a gateway virtual private cloud (VPC) endpoint.
To troubleshoot connectivity between a private EC2 instance and an S3 bucket, see How do I troubleshoot connectivity issues with my gateway Amazon VPC endpoints?
Verify access to S3 buckets
Complete the following steps:
- Install the AWS CLI on your EC2 instance.
- Run the following command to verify access to your S3 buckets:
aws s3 ls s3://DOC-EXAMPLE-BUCKET
Note: Replace DOC-EXAMPLE-BUCKET with the name of your S3 bucket.
For S3 objects that are encrypted with an AWS Key Management Service (AWS KMS) key, grant kms:Decrypt permissions in both the IAM role and the KMS key policy. If you don't grant kms:Decrypt permissions, then you can't copy or download the S3 objects.
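The following is an added example policy document (not from this article) for the "Create a custom policy" step above, extended with the kms:Decrypt statement that this paragraph describes. It grants read-only access to a single bucket: s3:ListBucket is scoped to the bucket ARN and s3:GetObject to the objects under it, so the role can't list or read other buckets. DOC-EXAMPLE-BUCKET, REGION, ACCOUNT-ID and KEY-ID are placeholders; the KMS key policy must still allow the role to call kms:Decrypt, and the third statement can be dropped if the objects aren't encrypted with a customer managed key.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOnlyThisBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
    },
    {
      "Sid": "ReadObjectsInThisBucket",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
    },
    {
      "Sid": "DecryptObjectsWithThisKey",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:REGION:ACCOUNT-ID:key/KEY-ID"
    }
  ]
}
```

With this policy attached to the instance role, aws s3 ls s3://DOC-EXAMPLE-BUCKET succeeds while the same command against any other bucket returns an AccessDenied error, which is the expected least-privilege outcome.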
Related information
Identity and Access Management for Amazon S3
How do I troubleshoot connectivity issues when I use interface VPC endpoints to connect to my Amazon S3 bucket?