
Bucket Policy to Restrict Access to an Instance Profile


I am trying to restrict access to an S3 bucket to only EC2 instances with a specific instance profile.

Here's the scenario. I have an S3 bucket into which a file is written. There is a lambda trigger that submits a job to an AWS Batch queue. The Batch compute environment launches an EC2 instance with a specific instance profile that attempts to read the file from S3 for processing. Using the roleId of the role attached to the instance profile I've written the following Bucket Policy,

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::EXAMPLE-BUCKET",
        "arn:aws:s3:::EXAMPLE-BUCKET/*"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:userId": [
            "AROAEXAMPLEROLEID:*"
          ]
        }
      }
    }
  ]
}
```
The read fails.

This policy seems to work fine in other scenarios where I'm not in an AWS Batch environment. For example, a lambda function that uses the same role as its execution role. The file is readable, no problem.

Is there something different about doing this from within a Batch execution environment that is causing this policy to not work?

Thanks for any help...

asked 2 years ago · 50 views
1 Answer

User error

answered 2 years ago
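The Deny statement in the question hinges on how `StringNotLike` on `aws:userId` is evaluated against the caller's session identity. The following Python model, added here and not part of the original post or the answer, evaluates that condition the way IAM does (`*` and `?` wildcards) against constructed session user IDs for the same role running under EC2 and Lambda, and for a different role. The role IDs, instance ID, function name and session names are made-up sample values, and the assumption is that an assumed-role session's `aws:userId` has the form `<role-id>:<role-session-name>` (the instance ID for an EC2 instance profile, the function name for Lambda).

```python
import re
from typing import Dict, List

# Constructed sample values (not from the original post). An assumed-role
# session's aws:userId is "<role-id>:<role-session-name>": for an EC2
# instance profile the session name is the instance ID, for Lambda it is
# the function name. A Batch job that runs with a job role from its job
# definition instead of the instance profile is a different principal,
# so its session carries a different role ID.
ROLE_ID = "AROAEXAMPLEROLEID0001"
OTHER_ROLE_ID = "AROAEXAMPLEROLEID0002"
SESSIONS = {
    "batch_ec2_instance": f"{ROLE_ID}:i-0abc1234def567890",
    "lambda_function": f"{ROLE_ID}:process-upload",
    "batch_job_role": f"{OTHER_ROLE_ID}:i-0abc1234def567890",
}


def aws_wildcard_match(pattern: str, value: str) -> bool:
    """Evaluate an IAM StringLike pattern: '*' matches any run of characters,
    '?' matches one character, everything else matches literally and
    case-sensitively."""
    regex = "^" + "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    ) + "$"
    return re.match(regex, value) is not None


def deny_applies(user_id: str, allowed_patterns: List[str]) -> bool:
    """Model the post's Deny statement: with StringNotLike, the Deny fires
    unless the caller's aws:userId matches at least one listed pattern."""
    return not any(aws_wildcard_match(p, user_id) for p in allowed_patterns)


def evaluate_policy(allowed_patterns: List[str]) -> Dict[str, bool]:
    """Return, per sample session, whether the explicit Deny blocks it."""
    return {name: deny_applies(uid, allowed_patterns)
            for name, uid in SESSIONS.items()}


if __name__ == "__main__":
    # The role ID needs a ':*' suffix: a session user ID always carries the
    # session name, so a bare role ID matches nothing and denies everyone.
    print("bare role id  :", evaluate_policy([ROLE_ID]))
    # With ':*' both the EC2 and the Lambda session of that role pass; the
    # session of any other role is still denied.
    print("role id + ':*':", evaluate_policy([f"{ROLE_ID}:*"]))
```

A quick way to see which identity a Batch job actually runs under is to call `aws sts get-caller-identity` from inside the job and compare the returned `UserId` with the patterns in the policy.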
