How can I grant my Amazon EC2 instance access to an Amazon S3 bucket?


I can't access an Amazon Simple Storage Service (Amazon S3) bucket from my Amazon Elastic Compute Cloud (Amazon EC2) instance.

Resolution

Create an IAM instance profile that grants access to Amazon S3

Complete the following steps:

  1. Open the AWS Identity and Access Management (IAM) console.
  2. In the navigation pane, under Access management, choose Roles.
  3. Choose Create role.
  4. Under Trusted entity type, choose AWS service, and then choose EC2.
    Note: When you use the IAM console to create an IAM role and you choose EC2 as the trusted entity, an IAM instance profile with the same name as the role name is automatically created. However, if you use the AWS Command Line Interface (AWS CLI) or an API to create the role, then an instance profile isn't automatically created. For more information, see I created an IAM role, but the role doesn't appear in the dropdown list when I launch an instance. What do I do?
  5. Choose Next.
  6. Create a custom policy that provides the minimum required permissions to access your S3 bucket.
    Note: It's a security best practice to create a policy with the minimum required permissions: the specific bucket and object ARNs, and only the actions the workload needs. The AmazonS3ReadOnlyAccess and AmazonS3FullAccess managed IAM policies grant access to every bucket in the account, and AmazonS3FullAccess also allows deleting buckets and changing bucket policies. Use them only to rule out a permissions problem during troubleshooting, not as a permanent grant for the instance.
  7. Choose Next.
  8. Enter a role name, and then choose Create role.
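The steps above, as an added example that is not AWS's own tooling or code from this article: a Python script that builds the EC2 trust policy and a least-privilege S3 policy for one bucket (optionally one key prefix), checks that neither document uses wildcards, and emits the AWS CLI sequence for creating the role, including the create-instance-profile and add-role-to-instance-profile calls that the console performs for you but the CLI doesn't. The role name, bucket name and prefix are placeholders.

```python
"""Least-privilege EC2 instance role for one S3 bucket.

Added example, not AWS's tooling. Role name, bucket and prefix below are
placeholders.
"""
import json


def ec2_trust_policy():
    """Trust policy: only the EC2 service may assume the role (the same
    document the console generates when you choose EC2 as trusted entity)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def s3_least_privilege_policy(bucket, prefix="", read_only=True):
    """Permissions scoped to one bucket and (optionally) one key prefix.

    ListBucket is a bucket-level action, so it goes on the bucket ARN and is
    narrowed with the s3:prefix condition key; object actions go on the
    object ARN. No "s3:*" and no "*" resource anywhere.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"{bucket_arn}/{prefix}*" if prefix else f"{bucket_arn}/*"
    list_stmt = {
        "Sid": "ListObjectsInBucket",
        "Effect": "Allow",
        "Action": ["s3:ListBucket"],
        "Resource": bucket_arn,
    }
    if prefix:
        # Without this condition the role could list every key in the bucket.
        list_stmt["Condition"] = {"StringLike": {"s3:prefix": [f"{prefix}*"]}}
    object_actions = ["s3:GetObject"]
    if not read_only:
        object_actions += ["s3:PutObject", "s3:DeleteObject"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            list_stmt,
            {"Sid": "ObjectAccess", "Effect": "Allow",
             "Action": object_actions, "Resource": object_arn},
        ],
    }


def is_scoped(policy):
    """Reject wildcard actions or resources in any statement."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(a in ("*", "s3:*") for a in actions) or "*" in resources:
            return False
    return True


def create_role_commands(role_name, bucket, prefix="", read_only=True):
    """AWS CLI sequence. Unlike the console, the CLI does NOT create an
    instance profile with the role: the last two commands are what make the
    role show up in the EC2 console and attachable to an instance."""
    trust = json.dumps(ec2_trust_policy())
    perms = json.dumps(s3_least_privilege_policy(bucket, prefix, read_only))
    return [
        f"aws iam create-role --role-name {role_name} --assume-role-policy-document '{trust}'",
        f"aws iam put-role-policy --role-name {role_name} --policy-name S3BucketAccess --policy-document '{perms}'",
        f"aws iam create-instance-profile --instance-profile-name {role_name}",
        f"aws iam add-role-to-instance-profile --instance-profile-name {role_name} --role-name {role_name}",
    ]


if __name__ == "__main__":
    for cmd in create_role_commands("EC2-S3-ReadOnly", "DOC-EXAMPLE-BUCKET", prefix="reports/"):
        print(cmd)
```

The instance profile is given the same name as the role, which is what the console does and what the EC2 console's IAM role dropdown lists. For longer policy documents, write the JSON to a file and pass `--policy-document file://policy.json` instead of quoting it inline.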

Attach the IAM instance profile to the EC2 instance

Complete the following steps:

  1. Open the Amazon EC2 console.
  2. In the navigation pane, choose Instances.
  3. Select the instance that you want to attach the IAM role to.
  4. Choose Actions, and then choose Security.
  5. Choose Modify IAM role.
  6. Select the IAM role, and then choose Save. The role is now attached to the instance, and its temporary credentials are available to the instance through the instance metadata service; you don't need to stop or restart the instance. An instance can have only one IAM role attached at a time, so selecting a different role here replaces the previous one.

Verify permissions on your S3 bucket

Complete the following steps:

  1. Open the Amazon S3 console.
  2. Choose the name of the bucket whose policy you want to verify.
  3. Choose the Permissions tab.
  4. In the Bucket policy section, search for statements with "Effect": "Deny". An explicit Deny in the bucket policy overrides any Allow in the role's IAM policy.
  5. If a Deny statement applies to the instance profile's role (for example, its Principal is "*" and its Condition doesn't exclude the role), edit the bucket policy so that the statement no longer matches the role. Many Deny statements are intentional controls, such as requiring TLS with aws:SecureTransport or restricting access to a VPC endpoint with aws:SourceVpce; rather than removing them, add the role to their exception or make sure that the instance's requests satisfy the condition.
  6. If the bucket belongs to a different AWS account than the instance, the bucket policy must also explicitly Allow the role. Across accounts, the role's own IAM policy isn't enough on its own.
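The Deny check described above, as an added example that is not part of the article: a Python script that scans a bucket policy for Deny statements whose Principal covers the instance profile's role and reports whether each one blocks the role unconditionally, exempts it through an aws:PrincipalArn condition, or depends on the request context. The bucket policy, account ID and role ARN are constructed placeholders.

```python
"""Find Deny statements in an S3 bucket policy that can block an EC2 role.

Added example, not part of the article. The policy, account ID and role ARN
below are constructed for illustration.
"""
import json

ROLE_ARN = "arn:aws:iam::111122223333:role/EC2-S3-ReadOnly"  # placeholder

# Constructed bucket policy: an Allow for the role, an unconditional Deny on a
# private prefix, a TLS-enforcement Deny, and a Deny that exempts the role.
SAMPLE_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowRole", "Effect": "Allow",
         "Principal": {"AWS": ROLE_ARN},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET",
                      "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"]},
        {"Sid": "DenyPrivatePrefix", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/private/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyAllButRole", "Effect": "Deny", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
         "Condition": {"ArnNotEquals": {"aws:PrincipalArn": ROLE_ARN}}},
    ],
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_covers(principal, role_arn):
    """Does the statement's Principal include the role? "*" matches every
    principal; an explicit AWS list must name the role ARN or the account
    root, which stands for every principal in that account."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = _as_list(principal.get("AWS", []))
        account_root = "arn:aws:iam::%s:root" % role_arn.split(":")[4]
        return "*" in aws or role_arn in aws or account_root in aws
    return False


def _exempts_role(condition, role_arn):
    """The 'deny everyone except this role' pattern. For an instance profile
    session, aws:PrincipalArn resolves to the role ARN (not the assumed-role
    session ARN), so matching on the role ARN is the right test."""
    for op in ("ArnNotEquals", "ArnNotLike", "StringNotEquals", "StringNotLike"):
        arns = _as_list(condition.get(op, {}).get("aws:PrincipalArn", []))
        if role_arn in arns:
            return True
    return False


def deny_statements_for(policy_json, role_arn):
    """Return (Sid, verdict) for every Deny that can hit the role.

    verdict is 'blocks' (no condition), 'exempted' (the condition excludes
    the role), or 'conditional' (depends on request context; inspect it).
    """
    findings = []
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not principal_covers(stmt.get("Principal", {}), role_arn):
            continue
        cond = stmt.get("Condition")
        if not cond:
            verdict = "blocks"
        elif _exempts_role(cond, role_arn):
            verdict = "exempted"
        else:
            verdict = "conditional"
        findings.append((stmt.get("Sid", "<no Sid>"), verdict))
    return findings


if __name__ == "__main__":
    for sid, verdict in deny_statements_for(SAMPLE_BUCKET_POLICY, ROLE_ARN):
        print(f"{sid}: {verdict}")
```

Run against your real policy with `aws s3api get-bucket-policy --bucket DOC-EXAMPLE-BUCKET --query Policy --output text` as the input. A 'conditional' result such as the TLS statement is fine as long as the instance's requests satisfy the condition, which the AWS CLI does by default because it uses HTTPS.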

Verify network connectivity from the EC2 instance to Amazon S3

Prerequisites

The instance needs one of the following network paths to Amazon S3:

  • A public EC2 instance (with a public IP address) in a subnet whose route table has a default route to an internet gateway.
  • A private EC2 instance in a subnet whose route table has a default route through a NAT gateway.
  • A private EC2 instance in a subnet whose route table has a route to Amazon S3 through a gateway virtual private cloud (VPC) endpoint. If the bucket policy restricts access with aws:SourceVpce or aws:SourceVpc, requests that don't travel through that endpoint are denied even when the IAM permissions are correct.

In all three cases, confirm that the instance's security group and the subnet's network ACL allow outbound HTTPS (TCP port 443) to Amazon S3.

To troubleshoot connectivity between a private EC2 instance and an S3 bucket, see How do I troubleshoot connectivity issues with my gateway Amazon VPC endpoints?

Verify access to S3 buckets

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Complete the following steps:

  1. Install the AWS CLI on your EC2 instance.
  2. Run the following command to verify access to your S3 buckets:
    aws s3 ls s3://DOC-EXAMPLE-BUCKET
    Note: In the preceding command, replace DOC-EXAMPLE-BUCKET with the name of your S3 bucket.
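Before running the S3 command, it helps to confirm from inside the instance that a role is attached and actually issuing credentials. The following Python script is an added example, not part of the article: it queries the instance metadata service with IMDSv2 (token first, which is required when the instance enforces IMDSv2), reads the role's credential document, and distinguishes "no role attached", "role attached but STS refused to assume it" and "valid credentials". The two metadata responses embedded in the script are constructed samples with fake key material so that the parser can be exercised offline; the imds_* calls only succeed on an EC2 instance.

```python
"""Confirm the instance role is attached and issuing credentials (IMDSv2).

Added example, not part of the article. SAMPLE_* responses are constructed;
the key material in them is fake.
"""
import json
import urllib.error
import urllib.request
from datetime import datetime, timezone

IMDS = "http://169.254.169.254"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

SAMPLE_SUCCESS = json.dumps({
    "Code": "Success", "LastUpdated": "2024-01-01T00:00:00Z", "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLE000000000", "SecretAccessKey": "constructed",
    "Token": "constructed-session-token", "Expiration": "2024-01-01T06:00:00Z"})
SAMPLE_FAILURE = json.dumps({
    "Code": "AssumeRoleUnauthorizedAccess",
    "Message": "EC2 cannot assume the role EC2-S3-ReadOnly.",
    "LastUpdated": "2024-01-01T00:00:00Z"})


def imds_token(ttl_seconds=60):
    """IMDSv2: a session token must be fetched before any metadata read."""
    req = urllib.request.Request(
        f"{IMDS}/latest/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": str(ttl_seconds)})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def imds_get(path, token):
    req = urllib.request.Request(f"{IMDS}{path}",
                                 headers={"X-aws-ec2-metadata-token": token})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def parse_credentials(body, now_iso=None):
    """Summarise an iam/security-credentials/<role> document.

    A Code other than Success means the instance profile is attached but STS
    refused to assume the role (typically a trust policy that no longer names
    ec2.amazonaws.com); that document carries no keys at all.
    """
    data = json.loads(body)
    if data.get("Code") != "Success":
        return {"ok": False, "code": data.get("Code"), "message": data.get("Message", "")}
    now = (datetime.strptime(now_iso, TIME_FMT) if now_iso
           else datetime.now(timezone.utc).replace(tzinfo=None))
    remaining = int((datetime.strptime(data["Expiration"], TIME_FMT) - now).total_seconds())
    return {"ok": remaining > 0, "code": "Success",
            "access_key_id": data["AccessKeyId"], "expires_in_s": remaining}


def check_instance_role():
    """Token -> role name -> credentials, run on the instance itself."""
    try:
        token = imds_token()
    except OSError as exc:  # IMDS unreachable: not on EC2, or IMDS disabled
        return {"ok": False, "code": "NoIMDS", "message": str(exc)}
    try:
        role = imds_get("/latest/meta-data/iam/security-credentials/", token).strip()
    except urllib.error.HTTPError as exc:
        if exc.code == 404:  # the iam/ tree only exists when a profile is attached
            return {"ok": False, "code": "NoInstanceProfile", "message": "no IAM role attached"}
        raise
    result = parse_credentials(imds_get(f"/latest/meta-data/iam/security-credentials/{role}", token))
    result["role"] = role
    return result


if __name__ == "__main__":
    print(check_instance_role())
```

Once this reports valid credentials, run `aws sts get-caller-identity` before the S3 command: its Arn should be `arn:aws:sts::ACCOUNT:assumed-role/ROLE/INSTANCE-ID`. If it shows a different principal, the CLI isn't using the instance profile at all, because environment variables and `~/.aws/credentials` take precedence over instance metadata in the CLI's credential chain.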

For S3 objects that are encrypted with an AWS Key Management Service (AWS KMS) key (SSE-KMS), the instance role also needs kms:Decrypt permission, and the KMS key policy must allow the role to use the key, either by naming the role or by delegating to IAM policies through the standard account-root statement. Granting only one side isn't enough. Without kms:Decrypt you can still list the objects, but you can't copy or download them. To upload objects to a bucket that uses SSE-KMS, the role additionally needs kms:GenerateDataKey.

Related information

Identity and Access Management for Amazon S3

How do I troubleshoot connectivity issues when I use interface VPC endpoints to connect to my Amazon S3 bucket?

AWS OFFICIAL
Updated 2 months ago
1 Comment

This is excellent, thanks very much. I found another article with parallel content but this proved to be the more general use case.

replied a year ago