Permission Deny Occurs When Attempting to Back Up Files from EC2 to S3


ex) # aws s3 cp /aaa/bbb/ccc.tar.gz s3://abucket

upload failed: /aaa/bbb/ccc.tar.gz to s3://abucket/ccc.tar.gz An error occured (AccessDenied) when calling the PutObject operation: Access Denied

We set up the environment as below.

  1. EC2 Environment
  • Private VPC (Private Network)
  2. VPC Endpoint Usage and Policy for S3
  • Add resources you want to allow to the policy => principal: IAM ID, add S3 bucket (abucket) name
  • Allow S3:* for the Action portion of the policy
  • Use the same VPC as the EC2 VPC you want to communicate with
  3. IAM used
  • The IAM account is allowed to have full privileges on EC2 and S3.
  • SCP is not set for this IAM account.
  4. S3 bucket to approach
  • ACL

    Bucket owner: Object [Listed, Written] / Bucket ACL [Read, Written]

    Everyone (public access): Object [Listed, Write] / Bucket ACL [Read, Write]

  • Block public access (bucket settings)

    Block all public access

    Same if you try with Public

Can you tell me which part I need to check more and why?

  • Have you associated an IAM role to the ec2 instance allowing PutObject permission on the bucket?

asked a year ago, 238 views
1 Answer

Hello,

Can you try the below:

  • Assign an S3 bucket policy, like the example policy below, that allows the EC2 instance to write.
  • If you already have a role assigned to EC2, you can use the same one in the policy; otherwise, create a new assume role for EC2, assign that role to EC2, and use that role's ARN in the policy below.
  • The second statement in the policy is basically a best practice to allow only HTTPS (not related to the error you are facing).
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789:role/role_that_is_assigned_to_ec2"
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name",
                "arn:aws:s3:::bucket-name/*"
            ]
        },
        {
            "Sid": "RestrictToTLSRequestsOnly",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::bucket-name",
                "arn:aws:s3:::bucket-name/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}

AWS
answered a year ago
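To make the failure mode concrete, here is an added Python model (not part of the answer above and not an AWS library) of how the resource policies on the request path are evaluated. It replays the answer's bucket policy together with a hypothetical VPC endpoint policy whose principal is an IAM user rather than the instance role, which is how the question describes the endpoint policy, and shows that a PutObject signed with the role is denied at the endpoint policy before the bucket policy is even consulted. It deliberately ignores identity-based policies and SCPs, and every ARN is a placeholder.

```python
from fnmatch import fnmatchcase

# Constructed inputs: the bucket policy from the answer above, plus a VPC endpoint
# policy shaped like the asker's (principal is an IAM user, not the instance role).
# ARNs are placeholders, not real accounts.
ROLE_ARN = "arn:aws:iam::123456789:role/role_that_is_assigned_to_ec2"
USER_ARN = "arn:aws:iam::123456789:user/backup-user"  # hypothetical IAM user
BUCKET_ARNS = ["arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/*"]
BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN}, "Resource": BUCKET_ARNS,
     "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:PutObjectAcl"]},
    {"Sid": "RestrictToTLSRequestsOnly", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": BUCKET_ARNS,
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
ENDPOINT_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": USER_ARN}, "Action": "s3:*", "Resource": BUCKET_ARNS}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principal_matches(principal, caller):
    # "*" matches anyone; otherwise only the {"AWS": ...} principal form is modelled.
    return principal == "*" or caller in _as_list(principal.get("AWS", []))

def _conditions_hold(cond, ctx):
    # Only the Bool operator is modelled; it is the only one these policies use.
    return all(str(ctx.get(k, "")).lower() == str(v).lower()
               for k, v in cond.get("Bool", {}).items())

def _matches(st, caller, action, resource, ctx):
    return (_principal_matches(st["Principal"], caller)
            and any(fnmatchcase(action, a) for a in _as_list(st["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(st["Resource"]))
            and _conditions_hold(st.get("Condition", {}), ctx))

def evaluate(policy, caller, action, resource, ctx):
    """Simplified IAM order for one policy: explicit Deny wins, then any Allow, else implicit deny."""
    effects = {st["Effect"] for st in policy["Statement"] if _matches(st, caller, action, resource, ctx)}
    return "Deny" if "Deny" in effects else ("Allow" if "Allow" in effects else "ImplicitDeny")

def put_object_decision(caller, https=True):
    """Walk the policies on the request path (endpoint first, then bucket); the first non-Allow wins."""
    ctx = {"aws:SecureTransport": "true" if https else "false"}
    for name, policy in (("vpc-endpoint", ENDPOINT_POLICY), ("bucket", BUCKET_POLICY)):
        verdict = evaluate(policy, caller, "s3:PutObject", "arn:aws:s3:::bucket-name/ccc.tar.gz", ctx)
        if verdict != "Allow":
            return f"{verdict} at {name} policy"
    return "Allow"
```

Calling `put_object_decision(ROLE_ARN)` reports the implicit deny at the endpoint policy, which is the layer to check first when the role, bucket policy and Block Public Access all look correct.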
