
AWS S3 Access point access denied from EC2 (VPC)

I have the following scenario, where I am trying to access S3 bucket contents using access points; however, I am getting an AccessDenied error.

  1. Customer VPC with public subnet
  2. EC2 instance with public IP under this subnet
  3. Assigned IAM role to EC2 instance to have full access to S3
  4. Created S3 bucket my-test-bucket & access point 'my-test-ap' with default policy & VPC id provided to restrict access over internet
  5. SSH to the EC2 instance and run the command aws s3 ls --Bucket my-test-bucket OR aws s3api list-objects --bucket -my-test-bucket; this lists all contents of the bucket
  6. Now running a command like aws s3api list-objects --bucket arn:aws:s3:us-east-1:my-account-id:accesspoint/my-test-ap gives me an `AccessDenied` message

Access Point Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:us-east-1:my-account-id:accesspoint/my-test-ap",
            "Condition": {
                "StringEquals": {
                    "s3:AccessPointNetworkOrigin": "VPC"
                }
            }
        }
    ]
}

Not sure what is missing to get this working.

To reproduce your situation, I did the following:

  • Created an Amazon S3 bucket
  • Created a new Amazon VPC with a public subnet (using the VPC Wizard)
  • Launched an Amazon EC2 instance with an IAM Role that permits all Amazon S3 access
  • Logged in via SSH and confirmed that it could access S3
  • Created an S3 Access Point on the bucket with:
    • Network origin = VPC
    • Pointing to the new VPC
    • "Block all public access" set to true (all blocked)
    • With no Access Point policy (this is different to your scenario)

I then tried accessing the bucket with:

 aws s3api list-objects-v2 --bucket arn:aws:s3:ap-southeast-2:1111:accesspoint/my-access-point

Result: AccessDenied

I then added a VPC Endpoint, since "Creating access points - Amazon Simple Storage Service" says:

To use an access point with a VPC, you must modify the access policy for your VPC endpoint. VPC endpoints allow traffic to flow from your VPC to Amazon S3. They have access-control policies that control how resources within the VPC are allowed to interact with S3. Requests from your VPC to S3 only succeed through an access point if the VPC endpoint policy grants access to both the access point and the underlying bucket.

I was then able to successfully access the bucket.

Therefore, it appears that a VPC Endpoint is required when accessing an S3 Access Point from a VPC.

An example is shown in: Managing Amazon S3 access with VPC endpoints and S3 Access Points | AWS Storage Blog
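The quoted documentation says the VPC endpoint policy must grant access to both the access point and the underlying bucket. The following added example (not from the answer above or from AWS) is a small pre-deployment check that evaluates a candidate endpoint policy against both ARNs, contrasting a policy that names only the bucket with a corrected one; the account id, ARNs and policies are constructed, and the evaluator is a simplified IAM model (Allow/Deny and `*`/`?` wildcards only, no Condition, NotAction or NotResource).

```python
import fnmatch

# Constructed values: the access point from the question and its underlying bucket.
AP_ARN = "arn:aws:s3:us-east-1:111111111111:accesspoint/my-test-ap"
BUCKET_ARN = "arn:aws:s3:::my-test-bucket"

# Weak endpoint policy: names only the bucket, so requests routed through the
# access point ARN are not covered and S3 returns AccessDenied.
BUCKET_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Principal": "*", "Action": "s3:*",
        "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
    }],
}

# Corrected endpoint policy: access point ARN (plus its object ARNs) and the bucket.
CORRECTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Principal": "*", "Action": "s3:*",
        "Resource": [AP_ARN, AP_ARN + "/object/*", BUCKET_ARN, BUCKET_ARN + "/*"],
    }],
}


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def policy_allows(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching Allow.
    Wildcards are matched with fnmatch ('*' and '?'); ARNs contain no brackets, so
    the character-class syntax of fnmatch cannot interfere."""
    allowed = False
    for statement in policy["Statement"]:
        actions = _as_list(statement.get("Action", []))
        resources = _as_list(statement.get("Resource", []))
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def endpoint_policy_covers_access_point(policy, ap_arn, bucket_arn, action="s3:ListBucket"):
    """True only when the endpoint policy allows the action on BOTH the access point
    and the bucket, which is the requirement quoted from the S3 documentation."""
    return policy_allows(policy, action, ap_arn) and policy_allows(policy, action, bucket_arn)
```

Run the check on the policy you intend to attach with aws ec2 create-vpc-endpoint (or modify-vpc-endpoint) --policy-document before applying it; a False result for the access point ARN reproduces the AccessDenied seen in the question.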

