
Bucket Policy to Restrict Access to an Instance Profile


I am trying to restrict access to an S3 bucket to only EC2 instances with a specific instance profile.

Here's the scenario. I have an S3 bucket into which a file is written. There is a lambda trigger that submits a job to an AWS Batch queue. The Batch compute environment launches an EC2 instance with a specific instance profile that attempts to read the file from S3 for processing. Using the roleId of the role attached to the instance profile I've written the following Bucket Policy,

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::MY_BUCKET",
        "arn:aws:s3:::MY_BUCKET/*"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:userId": [
            "AROAMY_ROLEID:*"
          ]
        }
      }
    }
  ]
}

The read fails.

This policy seems to work fine in other scenarios where I'm not in an AWS Batch environment. For example, a lambda function that uses the same role as its execution role. The file is readable, no problem.

Is there something different about doing this from within a Batch execution environment that is causing this policy to not work?

Thanks for any help...

asked 2 years ago, 50 views
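To reason about why a caller is denied by the policy above, it helps to evaluate the single Deny statement locally against the `aws:userId` value the caller actually presents. The following is an added example, not code from the question or from AWS: it rebuilds the question's policy for a constructed role ID and applies IAM's `StringNotLike` wildcard matching (`*`, `?`, case-sensitive) to sample user IDs. It assumes the documented `aws:userId` shape for an assumed role, `ROLE_ID:ROLE_SESSION_NAME`; for an EC2 instance-profile session the session name is the instance ID, which is why the `:*` suffix in the policy is needed.

```python
import fnmatch

# Constructed placeholders standing in for the question's "AROAMY_ROLEID" and "MY_BUCKET".
ROLE_ID = "AROAEXAMPLEROLEID00"
BUCKET = "MY_BUCKET"


def build_bucket_policy(bucket, role_id):
    """Return the question's policy: deny everyone whose userId is not this role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringNotLike": {"aws:userId": [f"{role_id}:*"]}},
        }],
    }


def _iam_match(pattern, value):
    # IAM string matching is case-sensitive; '*' matches any run, '?' one char.
    # fnmatch also treats '[...]' as a character class, which IAM does not,
    # so a literal '[' is escaped before matching.
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def is_denied(policy, user_id, resource_arn):
    """True if a Deny statement in the policy fires for this caller and resource."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        if not any(_iam_match(r, resource_arn) for r in resources):
            continue  # statement does not cover this object or bucket
        patterns = stmt["Condition"]["StringNotLike"]["aws:userId"]
        # StringNotLike is satisfied, so the Deny applies, when no pattern matches.
        if not any(_iam_match(p, user_id) for p in patterns):
            return True
    return False


if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET, ROLE_ID)
    for uid in (f"{ROLE_ID}:i-0123456789abcdef0", "AROAOTHERROLEID0000:batch-job"):
        print(uid, "denied" if is_denied(policy, uid, f"arn:aws:s3:::{BUCKET}/in.csv") else "allowed")
```

The value to feed into `is_denied` is the `UserId` field that `aws sts get-caller-identity` returns when run from the Batch-launched instance; if that ID does not start with the role ID in the policy, the Deny is the expected outcome.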
1 Answer

User error

answered 2 years ago
