Auto-scaled EC2 cannot access S3

0

Even though I gave an IAM role in the Launch Template, the auto-scaled EC2 cannot access S3.

The EC2 is in a private VPC.

Asked a month ago, 628 views
4 answers
1
Accepted answer

Is the EC2 accessing S3 through an endpoint, or over the internet? If it's over the internet then it needs to have an outbound route to the internet, and as the EC2 is provisioned in a private subnet then this will have to be via a NAT Gateway.

Steve_M (Expert), answered a month ago
  • I simply added the IAM role to the EC2. The EC2 that was not created by auto-scaling, to which I gave the role manually, works fine even though it's in a private VPC. However, the EC2 created by auto-scaling cannot access S3. My S3 bucket blocks all public access.

  • Does the EC2 instance created by auto-scaling have the same security group rules, and in particular the same outbound rules, as the instance you created manually?

    Also are they both in the same subnet?

1

Thank you all... I already have a NAT, and it was my stupid mistake: the newly auto-scaled subnet is not connected to the NAT. Sorry for annoying you guys. Have a nice day.

Answered a month ago
  • As you pay for throughput when sending through a NAT, you could consider a gateway endpoint, which is free, so you don't need to pay the throughput charges: it bypasses the NAT and goes over the AWS backbone.

0

As @Steve_M mentioned, since your EC2 instances are in a private subnet, they do not have direct access to the internet.

💡 Another option is to use an S3 VPC Endpoint, which allows resources in the VPC to access S3 without going through the internet. If you have an S3 VPC Endpoint configured, ensure that the private subnet's route table has a route to the S3 VPC Endpoint for the S3 prefix list.

🤑 An S3 VPC Endpoint is generally the cheaper solution.

Expert, answered a month ago
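The thread's root cause (one subnet in the Auto Scaling group's subnet list had no default route to the NAT) and the gateway-endpoint alternative in the answer above both come down to what is in each subnet's route table. The following is an added example, not code from the thread or from AWS: it walks data in the shape of `aws ec2 describe-route-tables` output and reports, per subnet, whether traffic to S3 would go through a gateway endpoint, a NAT gateway, an internet gateway, or nowhere. All IDs, the sample route tables and the prefix-list ID are constructed; in a real account you would feed it the CLI's JSON and the S3 prefix list for your region.

```python
"""Diagnose whether each subnet an Auto Scaling group launches into has a
path to S3: an S3 gateway endpoint route, a NAT gateway default route, an
internet gateway, or nothing at all (the situation in the question).

Works on data in the shape of EC2 DescribeRouteTables output. Everything
below is a constructed example with made-up IDs, not data from any account.
"""

# Placeholder for the region's S3 prefix list (com.amazonaws.<region>.s3);
# the real ID is different in every region.
S3_PREFIX_LIST_ID = "pl-0s3example"

# Constructed DescribeRouteTables-style data.
ROUTE_TABLES = [
    {   # main table: no internet path, but it carries the S3 gateway endpoint route
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationPrefixListId": S3_PREFIX_LIST_ID, "GatewayId": "vpce-0s3gw", "State": "active"},
        ],
    },
    {   # private subnet A: default route through a NAT gateway (the hand-built instance)
        "RouteTableId": "rtb-private-a",
        "Associations": [{"Main": False, "SubnetId": "subnet-0a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc", "State": "active"},
        ],
    },
    {   # private subnet B: added later for Auto Scaling, default route never set
        "RouteTableId": "rtb-private-b",
        "Associations": [{"Main": False, "SubnetId": "subnet-0b"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        ],
    },
    {   # private subnet D: default route points at a NAT gateway that was deleted
        "RouteTableId": "rtb-private-d",
        "Associations": [{"Main": False, "SubnetId": "subnet-0d"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-gone", "State": "blackhole"},
        ],
    },
]


def route_table_for(subnet_id, route_tables):
    """A subnet uses its explicitly associated table, otherwise the VPC main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def s3_path(subnet_id, route_tables, s3_prefix_list_id=S3_PREFIX_LIST_ID):
    """Return how traffic from the subnet reaches S3, or None if it cannot.

    Values: "gateway-endpoint", "nat", "igw" (public subnet) or None. The
    prefix-list route is more specific than 0.0.0.0/0, so it is preferred
    when both exist, which matches what the VPC router does.
    """
    rt = route_table_for(subnet_id, route_tables)
    if rt is None:
        return None
    # A route whose target was deleted shows State "blackhole" and drops traffic.
    active = [r for r in rt["Routes"] if r.get("State", "active") == "active"]
    for r in active:
        if r.get("DestinationPrefixListId") == s3_prefix_list_id and r.get("GatewayId", "").startswith("vpce-"):
            return "gateway-endpoint"
    for r in active:
        if r.get("DestinationCidrBlock") == "0.0.0.0/0":
            if "NatGatewayId" in r:
                return "nat"
            if r.get("GatewayId", "").startswith("igw-"):
                return "igw"
    return None


def diagnose(asg_subnet_ids, route_tables=ROUTE_TABLES):
    """Map every subnet in the Auto Scaling group's VPCZoneIdentifier to its S3 path."""
    return {s: s3_path(s, route_tables) for s in asg_subnet_ids}


if __name__ == "__main__":
    # subnet-0c has no explicit association, so it falls back to the main table.
    for subnet, path in diagnose(["subnet-0a", "subnet-0b", "subnet-0c", "subnet-0d"]).items():
        print(f"{subnet}: {path or 'NO PATH TO S3 - fix this route table'}")
```

Run it against every subnet listed in the group's VPCZoneIdentifier, not just the one the instance you tested happened to land in. Two caveats the check encodes: a gateway endpoint only serves buckets in the same region as the VPC, so cross-region access still needs the NAT, and a default route whose NAT gateway has since been deleted shows up as `blackhole` and is just as broken as a missing route.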
0

Access could be blocked by no route to S3, incorrect permissions, or restrictive security groups or NACLs.

No Route to S3

If your EC2 is in a private subnet, the best way to access S3 is via a gateway endpoint. Create a new gateway endpoint and associate it with the route tables in the VPC that are associated with the subnet your instance is in. A gateway endpoint uses the AWS backbone and doesn't traverse the internet. This is the most secure and cost-effective option.

Incorrect Permissions

To troubleshoot, enable CloudTrail to check for any rejected access. If it's still not clear, use IAM Access Analyzer to verify the role is defining the correct action.

Security Groups / NACLs

Confirm the security group and NACL outbound TCP connection configuration.

AWS, answered a month ago
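On the "Incorrect Permissions" step above: once CloudTrail is on, the useful query is "which instances of this role are getting AccessDenied from S3, for which action and bucket". The following is an added example, not part of the answer or any AWS tooling: it filters constructed CloudTrail-format records for S3 AccessDenied errors issued to sessions of one instance role and counts them per instance, action and bucket. The account ID, role name, bucket, instance IDs and addresses are all made up. Two things to keep in mind when reading real output: object-level calls such as GetObject only appear if S3 data events are enabled on the trail (bucket-level calls such as ListObjects are logged by default), and a request that never reaches S3 because the subnet has no route, as in this thread, produces no CloudTrail event at all. A client-side timeout with nothing in the trail points at routing; an AccessDenied record points at IAM, the bucket policy or an SCP.

```python
"""Triage S3 AccessDenied errors from CloudTrail for one instance role.

Runs over constructed records laid out like CloudTrail JSON; no real logs.
Account ID, role, bucket, instance IDs and IPs are hypothetical.
"""
import json
from collections import Counter

ROLE_ARN = "arn:aws:iam::111122223333:role/AppInstanceRole"


def _session(instance_id):
    # userIdentity block for an EC2 instance profile session: the assumed-role
    # session name is the instance ID, and sessionIssuer is the role itself.
    return {
        "type": "AssumedRole",
        "arn": f"arn:aws:sts::111122223333:assumed-role/AppInstanceRole/{instance_id}",
        "sessionContext": {"sessionIssuer": {"arn": ROLE_ARN}},
    }


# Constructed sample trail (fields trimmed to those the triage needs).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:01Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListObjects", "errorCode": "AccessDenied",
     "userIdentity": _session("i-0asg00001"),
     "requestParameters": {"bucketName": "example-app-data"},
     "sourceIPAddress": "10.0.2.15"},
    {"eventTime": "2024-05-01T10:00:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "errorCode": "AccessDenied",
     "userIdentity": _session("i-0asg00001"),
     "requestParameters": {"bucketName": "example-app-data", "key": "config/app.yaml"},
     "sourceIPAddress": "10.0.2.15"},
    {"eventTime": "2024-05-01T10:00:03Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListObjects",                      # succeeded: no errorCode
     "userIdentity": _session("i-0manual0001"),
     "requestParameters": {"bucketName": "example-app-data"},
     "sourceIPAddress": "10.0.1.9"},
    {"eventTime": "2024-05-01T10:00:04Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListObjects", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser",               # different principal, ignored
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": "example-app-data"},
     "sourceIPAddress": "203.0.113.7"},
    {"eventTime": "2024-05-01T10:00:05Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity",                 # not S3, ignored
     "userIdentity": _session("i-0asg00001")},
]})


def load_records(text):
    """Parse one CloudTrail log file (a JSON object with a Records array)."""
    return json.loads(text)["Records"]


def denied_s3_calls(records, role_arn):
    """Count S3 AccessDenied events raised for sessions of role_arn.

    Keyed by (instance ID taken from the session name, API action, bucket).
    """
    counts = Counter()
    for ev in records:
        if ev.get("eventSource") != "s3.amazonaws.com" or ev.get("errorCode") != "AccessDenied":
            continue
        ident = ev.get("userIdentity", {})
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")
        if issuer != role_arn:
            continue
        session_name = ident.get("arn", "").rsplit("/", 1)[-1]
        bucket = ev.get("requestParameters", {}).get("bucketName", "?")
        counts[(session_name, ev["eventName"], bucket)] += 1
    return counts


def instances_with_denials(counts):
    """Instance IDs that hit at least one AccessDenied, for cross-checking with the ASG."""
    return sorted({key[0] for key in counts})


if __name__ == "__main__":
    denied = denied_s3_calls(load_records(SAMPLE_TRAIL), ROLE_ARN)
    for (instance, action, bucket), n in sorted(denied.items()):
        print(f"{instance} {action} s3://{bucket}: {n} denied")
    print("instances affected:", instances_with_denials(denied))
```

If the instance IDs reported here are exactly the Auto Scaling group's instances while the hand-built one is absent, the gap is in what differs between them (a different instance profile in the launch template, a bucket policy keyed on source VPC endpoint, a permission boundary), not in the bucket's Block Public Access setting, which never affects a role in the same account using a valid path.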
