S3 Access Denied when copying or listing contents from S3 bucket to EC2


Below is the CloudFormation template that I am using to create an EC2 instance and the IAM role it uses to access an S3 bucket.

AWSTemplateFormatVersion: '2010-09-09'
Description: Attach IAM Role to an EC2
Parameters:  
  S3KeyId:
    Description: S3 KMS custom key ID
    Type : 'AWS::SSM::Parameter::Value<String>'
    Default: /CNS/resources/s3_key_id
  SecretsmanagerKeyId:
    Description: ID of Secretsmanager KMS custom key
    Type : 'AWS::SSM::Parameter::Value<String>'
    Default: /CNS/resources/secretsmanager_key_id
  # BUCKET_NAME:
  #   Type: String
  #   Description: Name of the S3 Bucket Name
  #   Default: "sc-xxxxxxxxxxxxxxx-pp-o7dyvm3xd-configurestorebucket-4vtqanfcbcl0"

Resources:
  Test:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t2.micro
      ImageId: ami-0661da39e6a5cdXXX
      SubnetId: subnet-0061b7c02f9a07XXX
      IamInstanceProfile:
        Ref: ListS3BucketsInstanceProfile
  ListS3BucketsInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
      Roles:
      - Ref: ListS3BucketsRole
  ListS3BucketsPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: ListS3BucketsPolicy
      PolicyDocument:
        Statement:
        - Effect: Allow
          Action:
          - s3:List
          - s3:GetObject
          - s3:GetObjectAcl
          - s3:ListObjectsV2
          - s3:PutObjectAcl
          - s3:PutObject
          - s3:ListObjects
          Resource: "arn:aws:s3:::sc-xxxxxxxxxxxxxxx-pp-o7dyvm3xd-configurestorebucket-4vtqanfcbcl0"
      Roles:
      - Ref: ListS3BucketsRole
  ListS3BucketsRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            Service:
            - ec2.amazonaws.com
          Action:
          - sts:AssumeRole
      Path: "/"

When I SSH to the VM, I get errors like the ones below:

Copy Contents from S3 to EC2, Access Denied

aws s3 cp s3://sc-xxxxxxxxxxxxxxx-pp-o7dyvm3xd-configurestorebucket-4vtqanfcbcl0/* . --request-payer requester --recursive
fatal error: An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied

aws s3 ls s3://sc-xxxxxxxxxxxxxxx-pp-o7dyvm3xd-configurestorebucket-4vtqanfcbcl0/*
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied

Listing files in that S3 bucket... Access Denied

aws s3 ls s3://sc-xxxxxxxxxxxxxxx-pp-o7dyvm3xd-configurestorebucket-4vtqanfcbcl0/
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied

Any lead would be greatly appreciated! Thank you.

2 Answers

Probably the IAM policy has a problem. Would you modify it as below?

before

PolicyDocument:
  Statement:
  - Effect: Allow
    Action:
    - s3:List
    - s3:GetObject
    - s3:GetObjectAcl
    - s3:ListObjectsV2
    - s3:PutObjectAcl
    - s3:PutObject
    - s3:ListObjects
    Resource: "arn:aws:s3:::sc-xxxxxxxxxxxxxxx-pp-o7dyvm3xd-configurestorebucket-4vtqanfcbcl0"

after

PolicyDocument:
  Statement:
  - Effect: Allow
    Action:
    - s3:ListBucket
    - s3:GetObject
    - s3:GetObjectAcl
    - s3:PutObjectAcl
    - s3:PutObject
    Resource:
    - "arn:aws:s3:::sc-xxxxxxxxxxxxxxx-pp-o7dyvm3xd-configurestorebucket-4vtqanfcbcl0"
    - "arn:aws:s3:::sc-xxxxxxxxxxxxxxx-pp-o7dyvm3xd-configurestorebucket-4vtqanfcbcl0/*"

It's complicated, but there is no ListObjects among the S3 actions; ListBucket is the corresponding action. Resources for GetObject have to specify objects, not a bucket.

imiky
answered a year ago

Your IAM policy allows access to the bucket but not to the objects in the bucket. You'll need to add an additional resource, which is "arn:aws:s3:::sc-xxxxxxxxxxxxxxx-pp-o7dyvm3xd-configurestorebucket-4vtqanfcbcl0/*".

This blog post may also assist here.

AWS EXPERT
answered a year ago
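Both answers above make the same point: the CLI's ListObjectsV2 call is authorised as the IAM action s3:ListBucket against the bucket ARN, while GetObject and PutObject are authorised against object ARNs (bucket/*), and s3:List, s3:ListObjects and s3:ListObjectsV2 are not IAM action names at all, so they match nothing. The Python script below is an added example, not code from the original post or from AWS. It is a deliberately minimal offline model of IAM's Allow evaluation (no Deny statements, conditions, SCPs or bucket policies) run over the "before" and "after" policy documents from the first answer. The known-action set, the API-to-IAM mapping and the sample object key config/app.json are assumptions made for this example.

```python
"""Offline check of why the 'before' policy fails and the 'after' policy works.

Added example, not code from the original post or from AWS. It models only
the Allow side of IAM's S3 evaluation: default deny, one list of statements,
no Deny, no conditions, no bucket policy, no KMS key policy.
"""
import fnmatch

# Bucket name taken from the question.
BUCKET = "sc-xxxxxxxxxxxxxxx-pp-o7dyvm3xd-configurestorebucket-4vtqanfcbcl0"

# Assumption: a small set of real S3 IAM action names, enough for this example.
KNOWN_S3_ACTIONS = {
    "s3:ListBucket", "s3:ListAllMyBuckets", "s3:GetObject", "s3:PutObject",
    "s3:GetObjectAcl", "s3:PutObjectAcl", "s3:DeleteObject",
}

# What the CLI calls versus what IAM authorises (assumption, written for this
# example): listing is s3:ListBucket on the bucket ARN; object operations are
# authorised on the object ARN. The object key config/app.json is constructed.
API_TO_IAM = {
    "ListObjectsV2": ("s3:ListBucket", f"arn:aws:s3:::{BUCKET}"),
    "GetObject":     ("s3:GetObject",  f"arn:aws:s3:::{BUCKET}/config/app.json"),
    "PutObject":     ("s3:PutObject",  f"arn:aws:s3:::{BUCKET}/config/app.json"),
}

# The two policy documents from the first answer, as Python structures.
BEFORE = [{"Effect": "Allow",
           "Action": ["s3:List", "s3:GetObject", "s3:GetObjectAcl",
                      "s3:ListObjectsV2", "s3:PutObjectAcl", "s3:PutObject",
                      "s3:ListObjects"],
           "Resource": [f"arn:aws:s3:::{BUCKET}"]}]

AFTER = [{"Effect": "Allow",
          "Action": ["s3:ListBucket", "s3:GetObject", "s3:GetObjectAcl",
                     "s3:PutObjectAcl", "s3:PutObject"],
          "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]}]


def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def unknown_actions(statements):
    """Return action names that are not IAM actions: no wildcard and not in
    the known set. These never match any request, so they grant nothing."""
    bad = []
    for st in statements:
        for action in _as_list(st["Action"]):
            if "*" not in action and action not in KNOWN_S3_ACTIONS:
                bad.append(action)
    return bad


def is_allowed(statements, action, resource):
    """Default deny: True only if some Allow statement matches both the action
    (case-insensitive, IAM-style * and ? wildcards) and the resource ARN
    (case-sensitive wildcards, where * also spans '/')."""
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        act_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                     for a in _as_list(st["Action"]))
        res_ok = any(fnmatch.fnmatchcase(resource, r)
                     for r in _as_list(st["Resource"]))
        if act_ok and res_ok:
            return True
    return False


def simulate(statements):
    """Map each CLI API call to its IAM action/resource pair and return
    {api_name: allowed} under the given policy statements."""
    return {api: is_allowed(statements, act, res)
            for api, (act, res) in API_TO_IAM.items()}


if __name__ == "__main__":
    for name, policy in (("before", BEFORE), ("after", AFTER)):
        print(f"{name}: unknown action names = {unknown_actions(policy)}")
        print(f"{name}: simulated calls      = {simulate(policy)}")
```

Under this model the "before" policy denies all three calls: no action name equals s3:ListBucket, and the object ARN does not match a resource entry that ends at the bucket name. The "after" policy allows all three. On the instance itself, `aws sts get-caller-identity` confirms which role the CLI is really using, and `aws iam simulate-principal-policy` evaluates the real policy set against specific action names and resource ARNs. One caveat this IAM-only model does not cover: the template declares an S3KeyId parameter but never references it; if the bucket is encrypted with SSE-KMS under that key, the role also needs kms:Decrypt (and kms:GenerateDataKey for uploads), otherwise GetObject and PutObject still fail with AccessDenied after the IAM fix.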
