Permission Deny Occurs When Attempting to Back Up Files from EC2 to S3

Question

**Permission Deny Occurs When Attempting to Back Up Files from EC2 to S3**

ex) # aws s3 cp /aaa/bbb/ccc.tar.gz s3://abucket
> upload failed: /aaa/bbb/ccc.tar.gz to s3://abucket/ccc.tar.gz An error occured (AccessDenied) when calling the PutObject operation: Access Denied

We set up the environment as below.

1. EC2 Environment
- Private VPC (Private Network)

2. VPC Endpoint Usage and Policy for S3
- Add resources you want to allow to the policy =>principle: IAM ID, add S3 bucket(abucket) name
- Allow S3:* for the Action portion of the policy
- Use the same VPC as the EC2 VPC you want to communicate with

3. IAM used
- The IAM account is allowed to have full privileges on EC2 and S3.
- SCP is not set for this IAM account.

4. S3 bucket to approach
- ACL
  > Bucket owner: Object [Listed, Written] / Bucket ACL [Read, Written]

> Everyone (public access): Object [Listed, Write] / Bucket ACL [Read, Write]

- Block public access (bucket settings)
  > Block all public access

> Same if you try with Public

Can you tell me which part I need to check more and why?

Answer

Hello,

Can you try the below

* Assign a S3 bucket policy as below example policy that allows the ec2 instance to write.
* If you already have a role assigned to ec2 then you can use the same in the policy, else create new assume role for ec2 and assign that role to ec2 and use that role arn in below policy.
* the second statement in the policy is basically a best practice to allow only https (not related to the error you are facing)

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789:role/role_that_is_assigned_to_ec2"
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name",
                "arn:aws:s3:::bucket-name/*"
            ]
        },
        {
            "Sid": "RestrictToTLSRequestsOnly",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::bucket-name",
                "arn:aws:s3:::bucket-name/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}

```

Permission Deny Occurs When Attempting to Back Up Files from EC2 to S3

관련 콘텐츠