Elastic Beanstalk deployment failing after platform upgrade

We recently upgraded the platform version on our .NET Framework 4.8 application from "IIS 10.0 running on 64bit Windows Server 2016/2.7.1" to "IIS 10.0 running on 64bit Windows Server 2016/2.11.6", and now the deployment fails. Specifically, access is denied to the hook which downloads the source files from the S3 bucket. I have checked that the IAM role for accessing the bucket is being correctly assumed, and that it gives access to get objects from the bucket.
I have checked that the Azure pipeline that uploads the .zip file is successful. We have iterated over the versions of Windows Server from 2.7.1, and anything above v2.10 fails in this way. Reverting back to the original version works, but we must upgrade soon, because of this warning: "We have identified that your account is running one or more older Beanstalk environments that will be impacted by the upcoming update of the TLS configuration for all AWS API endpoints to a minimum of version TLS 1.2. The impact to these environments include but are not limited to configuration deployments, application deployments, auto scaling, new environment launch, log rotation and enhanced health reports. To avoid impact, please upgrade each affected platform to Windows platform version 2.10.7 or later, released on and after Dec 28, 2022. For more information, see Updating your Elastic Beanstalk environment's platform version." The application already uses TLSv1.2.

1 Answer

Hello,

The access denied error could occur due to permissions issues at multiple levels.

  1. IAM Instance Profile [1] associated with the instance. You can also compare the IAM Instance profile permissions with the Elastic Beanstalk [2] suggested required policies and check for any missing permissions.
  2. Bucket policy configured for the S3 bucket. [3][4]
  3. Any SCP policies [5] configured at the account level that might cause an explicit deny when performing GetObject. Please refer to [6] for some similar examples.

In addition to the above permissions, we would need to perform an in-depth investigation by checking the environment configurations, S3 Bucket configurations, IAM permissions and logs. Thus, due to the limited information currently available, I would highly suggest that you reach out to AWS Premium Support with a case for a faster resolution.


References
[1] Troubleshooting access denied error messages - https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_access-denied.html
[2] Managing Elastic Beanstalk instance profiles - https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/iam-instanceprofile.html
[3] Troubleshoot Access Denied (403 Forbidden) errors in Amazon S3 - https://docs.aws.amazon.com/AmazonS3/latest/userguide/troubleshoot-403-errors.html
[4] re:Post - Knowledge Center - How do I troubleshoot 403 Access Denied errors from Amazon S3? - https://repost.aws/knowledge-center/s3-troubleshoot-403
[5] Service control policies (SCPs) - https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html
[6] Example SCPs for Amazon S3 - https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_s3.html

answered a year ago
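
The three layers listed in the answer above (instance profile, bucket policy, SCP) can be combined for one `s3:GetObject` request as in this added example, which is not part of the original answer or any AWS code. It uses a simplified same-account model that assumes statements carry only `Effect`, `Action` and `Resource` (no `Condition`, `Principal` or `NotAction`); the bucket name, object key and policies are constructed.

```python
from fnmatch import fnmatchcase

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(stmt, action, resource):
    """True if the statement's Action and Resource patterns cover the request."""
    act = any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
    res = any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
    return act and res

def _effects(policy, action, resource):
    """Set of Effect values from the statements that match the request."""
    stmts = _as_list(policy.get("Statement", []))
    return {s["Effect"] for s in stmts if _matches(s, action, resource)}

def evaluate(action, resource, instance_profile, bucket_policy, scp):
    """Return (decision, layer) under the simplified model described above."""
    layers = [("scp", scp), ("bucket_policy", bucket_policy),
              ("instance_profile", instance_profile)]
    # 1. An explicit Deny in any layer overrides every Allow.
    for name, policy in layers:
        if "Deny" in _effects(policy, action, resource):
            return ("explicit deny", name)
    # 2. An SCP grants nothing itself, but the action must pass through it.
    if "Allow" not in _effects(scp, action, resource):
        return ("implicit deny", "scp")
    # 3. Same account: an Allow in the bucket policy or the role is enough.
    for name, policy in layers[1:]:
        if "Allow" in _effects(policy, action, resource):
            return ("allow", name)
    return ("implicit deny", "no allow")

# Constructed sample policies (placeholders, not taken from the question).
KEY_ARN = "arn:aws:s3:::example-eb-bucket/app.zip"
PROFILE = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                          "Resource": "arn:aws:s3:::example-eb-bucket/*"}]}
SCP_OPEN = {"Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}
SCP_DENY = {"Statement": [SCP_OPEN["Statement"],
                          {"Effect": "Deny", "Action": "s3:Get*", "Resource": "*"}]}
BUCKET_DENY = {"Statement": [{"Effect": "Deny", "Action": "s3:*",
                              "Resource": "arn:aws:s3:::example-eb-bucket/*"}]}

if __name__ == "__main__":
    for label, bucket, scp in [("open", {}, SCP_OPEN), ("scp deny", {}, SCP_DENY),
                               ("bucket deny", BUCKET_DENY, SCP_OPEN)]:
        print(label, evaluate("s3:GetObject", KEY_ARN, PROFILE, bucket, scp))
```

The second and third cases show why a role that visibly allows `s3:GetObject` can still be refused: the deny comes from a layer other than the instance profile.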
