Permission problems with ec2 image builder and s3 logs

Question

I am new to EC2 Image Builder but. one of the things it wanted was a S3 bucket to store is logs in so I created a bucket and added a bucket policy that allows the account Image Builder is running (the same as the bucket) full access to write to the bucket.  I also added s3 full access to the IAM role that Image Builder is giving the instance.

But when I run Builder I get this errErrorMessage

> failed to upload file /var/lib/amazon/toe/TOE_2023-09-14_18-20-24_UTC-0_5fa1da0a-532b-11ee-93ba-024c054ce7c5/D0__reboot-linux__1.0.1_1.yml to s3://dev-us-logs/aws-ec2-logs/EC2ImageBuilder/TOE_2023-09-14_18-20-24_UTC-0_5fa1da0a-532b-11ee-93ba-024c054ce7c5/D0__reboot-linux__1.0.1_1.yml with error 'operation error S3: PutObject, https response error StatusCode: 403, RequestID: 42C03VD4B7Z5706V, HostID: NiutkRvqRzPQJFI3Sa3ffxtb6lNibTe3Hr7FrONeeXKVYpNPDThhe7wETNzISTcXVBEYb5feKPM=, api error AccessDenied: Access Denied'or:

Where am I missing permissions to allow this?

Answer

First thing that came to mind is encryption, and if KMS is used then whether ImageBuilder has the privileges to utilise the keys?

This is one of several things identified that can cause 403 errors, and it would be worth stepping through all of them https://repost.aws/knowledge-center/s3-403-forbidden-error

The associated video is helpful as well https://www.youtube.com/watch?v=rn4qLXhMesg

Permission problems with ec2 image builder and s3 logs

Relevant content