Hello.
There is no need to set an access key for EC2.
Instead, attach an IAM role and attach an IAM policy for accessing S3 to the IAM role.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
https://docs.aws.amazon.com/sdkref/latest/guide/access-iam-roles-for-ec2.html
Also, in the case of EC2 in a private subnet, a NAT Gateway or S3 gateway VPC endpoint is required to access S3.
I recommend using the S3 Gateway VPC endpoint as it is free to use.
https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html
Hello, to further add to the above answer: To allow an EC2 instance in a private subnet to access an S3 bucket without using access keys, you'll need to follow these steps:
- Create an IAM Role:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::your-bucket-name/*",
        "arn:aws:s3:::your-bucket-name"
      ]
    }
  ]
}
```

- Create a VPC Endpoint for S3:
- Go to VPC Console
- Select "Endpoints"
- Create new endpoint
- Choose service: com.amazonaws.[region].s3
- Select your VPC
- Select the route table associated with your private subnet
- Enable DNS name
The VPC Endpoint allows your EC2 instance to communicate with S3 without going through the internet gateway. The IAM role provides the necessary permissions.
Key Benefits:
- More secure than using access keys
- No need to manage credentials
- Traffic stays within AWS network
- Cost-effective as data doesn't go through NAT Gateway
Best Practices:
- Use least privilege principle when creating IAM roles
- Regularly review and audit endpoint policies
- Consider using endpoint policies for additional security
Remember to ensure your security groups allow outbound traffic to S3 endpoints (though this is typically allowed by default).
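As an added illustration (not part of either answer above), the following Python builds the two policy documents the role needs, the EC2 trust policy and a least-privilege S3 policy for one bucket, and lints a policy for the scoping mistakes that break this setup: wildcard actions or resources, resources outside the bucket, and `s3:ListBucket` attached to `bucket/*` instead of the bucket ARN. The bucket names used are placeholders.

```python
BUCKET_ACTIONS = {"s3:ListBucket"}                 # authorized against the bucket ARN
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject"}  # authorized against object ARNs (bucket/*)


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def s3_access_policy(bucket: str) -> dict:
    """Least-privilege permission policy for one bucket, split by resource type."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": sorted(BUCKET_ACTIONS), "Resource": bucket_arn},
            {"Effect": "Allow", "Action": sorted(OBJECT_ACTIONS), "Resource": f"{bucket_arn}/*"},
        ],
    }


def ec2_trust_policy() -> dict:
    """Trust policy that lets the EC2 service assume the role (no static keys involved)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
                       "Action": "sts:AssumeRole"}],
    }


def policy_findings(policy: dict, bucket: str) -> list:
    """Return a list of problems; an empty list means the policy is scoped correctly."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        resources = set(_as_list(stmt.get("Resource", [])))
        if actions & {"*", "s3:*"}:
            findings.append("wildcard action")
        if "*" in resources:
            findings.append("wildcard resource")
        for r in resources - {"*"}:
            if r != bucket_arn and not r.startswith(bucket_arn + "/"):
                findings.append(f"resource outside bucket: {r}")
        if actions & BUCKET_ACTIONS and bucket_arn not in resources:
            findings.append("s3:ListBucket needs the bucket ARN, not bucket/*")
        if actions & OBJECT_ACTIONS and f"{bucket_arn}/*" not in resources:
            findings.append("object actions need the bucket/* ARN")
    return findings
```

Run `policy_findings` against the JSON you intend to attach before creating the role; the instance profile and gateway endpoint are then created as described in the steps above.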