1

I created an S3 static website (public bucket), and by default all the EC2 instances in my account can upload files to the S3 bucket. My goal is to limit upload access to the bucket to just one specific instance (my bastion instance). So I created a role with all S3 permissions and attached the role to my bastion instance, then I put this policy in the bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::name/*"
        },
        {
            "Sid": "allow only OneUser to put objects",
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": "arn:aws:iam::3254545218:role/Ec2AccessToS3"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::name/*"
        }
    ]
}

But now none of the EC2 instances, including the bastion instance, can upload files to the S3 bucket. I'm trying to change this ARN line:

            "NotPrincipal": {
                "AWS": "arn:aws:iam::3254545218:role/Ec2AccessToS3"

to a user ARN, and that works. But I want this to work for the role. I was able to do the operation for a specific user but not for a specific instance (role).

What am I doing wrong?

Adi Yahav
  • 11
  • 2
  • I'm not sure if I got your question right, but did you try to give the role associated with your EC2 instance permission to PutObject? – AceP Jan 09 '23 at 23:23
  • You should provide specific details of the policies you created. Note that you don't need to modify the bucket policy here at all. Just create the appropriate IAM role/policy and attach it to the EC2 instance. – jarmod Jan 09 '23 at 23:56
  • I will explain myself more clearly. I created an S3 public static web server. By default I can upload files to the bucket through all my instances in my AWS account. I want to limit upload access to the bucket to just my bastion machine. So I added this policy to the bucket policy: { "Sid": "allow only OneUser to put objects", "Effect": "Deny", "NotPrincipal": { "AWS": "arn:aws:iam::32592018:role/Ec2AccessToS3" }, "Action": "s3:PutObject", "Resource": "arn:aws:s3:::name/*" } – Adi Yahav Jan 10 '23 at 00:18
  • You'd need to use the assumed-role ARN. See [here](https://serverfault.com/questions/988118/aws-deny-notprincipal-bucket-policy). However, that's probably not what you should be doing. Buckets are private by default and don't allow uploads. You should simply provide your bastion's IAM role with the relevant s3:PutObject policy. Use the bucket policy to allow reads, as needed, by your (unauthenticated?) users. – jarmod Jan 10 '23 at 00:27
  • Thanks, that's exactly my problem! But I don't understand what I need to do ... – Adi Yahav Jan 10 '23 at 00:39

3 Answers

0

Refer to the "Granting same-account bucket access to a specific role" section of this AWS blog. The gist is as given below.

Each IAM entity (user or role) has a defined aws:userid variable. You will need this variable for use within the bucket policy to specify the role or user as an exception in a conditional element. An assumed-role’s aws:userId value is defined as UNIQUE-ROLE-ID:ROLE-SESSION-NAME (for example, AROAEXAMPLEID:userdefinedsessionname).

To get AROAEXAMPLEID for the IAM role, do the following:

  1. Be sure you have installed the AWS CLI, and open a command prompt or shell.
  2. Run the following command: aws iam get-role --role-name ROLE-NAME.
  3. In the output, look for the RoleId string, which begins with AROA. You will be using this in the bucket policy to scope bucket access to only this role.

Use this aws:userId in the policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::MyExampleBucket",
        "arn:aws:s3:::MyExampleBucket/*"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:userId": [
            "AROAEXAMPLEID:*",
            "111111111111"
          ]
        }
      }
    }
  ]
}
user11666461
  • 761
  • 7
  • 12
  • I can assure you that I did it exactly ... but it still doesn't work: An error occurred (AccessDenied) when calling the PutObject operation: Access Denied – Adi Yahav Jan 10 '23 at 02:43
  • Does your role have PutObject permission? You will have to explicitly give that permission to your role. – user11666461 Jan 10 '23 at 03:26
  • Yes, for sure. Look, this is the role permission: { "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::name/*" } ] } – Adi Yahav Jan 10 '23 at 03:29
  • Can you provide the output of `aws iam get-role --role-name ROLE-NAME` after redacting the sensitive information? I have simulated the setup in my account and what I have mentioned in the answer works for me. So I wanted to check the difference between the role I created and the one you created. – user11666461 Jan 10 '23 at 04:05
  • Yes, please help me: I'm posting it as an answer to my question – Adi Yahav Jan 10 '23 at 07:22
  • That has to be the access policy in S3. `aws iam get-role --role-name ROLE-NAME` should give something of the format ```{"Role": {"Path": "/",...."AssumeRolePolicyDocument": {"Version": "2012-10-17","Statement": [{"Effect": "Allow","Principal": {"Service": "ec2.amazonaws.com"},"Action": "sts:AssumeRole"}]},...}}}``` – user11666461 Jan 10 '23 at 09:31
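As an added example (not code from any of the posts above), the following builds the Deny/StringNotLike bucket policy from the answer and evaluates its aws:userId condition for several constructed callers. It also illustrates why the question's NotPrincipal with the plain role ARN does not match: a request from the bastion arrives as a role session, whose aws:userId is ROLE-ID:SESSION-NAME (for EC2 instance-profile credentials the session name is the instance ID), so only the `AROA...:*` wildcard form exempts it. All identifiers (role ID, account ID, instance IDs, bucket name) are constructed placeholders.

```python
import json
import re

# Constructed sample identifiers; none of these are real AWS values.
ACCOUNT_ID = "111111111111"
ROLE_ID = "AROAEXAMPLEID"        # the RoleId returned by `aws iam get-role`
BUCKET = "MyExampleBucket"


def deny_all_but_role_policy(bucket, role_id, account_id):
    """Bucket policy from the answer: deny every S3 action to any caller whose
    aws:userId is neither a session of the role (ROLE_ID:*) nor the account root."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringNotLike": {"aws:userId": [f"{role_id}:*", account_id]}},
        }],
    }


def iam_string_like(pattern, value):
    """IAM StringLike semantics: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def request_is_denied(policy, user_id):
    """True when the Deny statement's StringNotLike condition holds for this caller.
    With a list of patterns, StringNotLike is true only if the value matches NONE of them."""
    patterns = policy["Statement"][0]["Condition"]["StringNotLike"]["aws:userId"]
    return not any(iam_string_like(p, user_id) for p in patterns)


def role_session_user_id(role_id, session_name):
    """aws:userId of an assumed-role session, as described in the answer."""
    return f"{role_id}:{session_name}"


def evaluate_callers():
    policy = deny_all_but_role_policy(BUCKET, ROLE_ID, ACCOUNT_ID)
    json.dumps(policy)  # the document is valid JSON and can be pasted as-is
    callers = {
        "bastion (role session)": role_session_user_id(ROLE_ID, "i-0123456789abcdef0"),
        "other role session": role_session_user_id("AROAOTHERROLEID", "i-0fedcba9876543210"),
        "IAM user": "AIDAEXAMPLEUSERID",
        "account root": ACCOUNT_ID,
    }
    return {name: request_is_denied(policy, uid) for name, uid in callers.items()}
```

Only the bastion's role session and the account root get past the Deny; every other EC2 role session and every IAM user is refused, which is the outcome the question was after.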
0
{
    "Role": {
        "Description": "Allows EC2 instances to call AWS services on your behalf.",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "sts:AssumeRole",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "ec2.amazonaws.com"
                    }
                }
            ]
        },
        "MaxSessionDuration": 3600,
        "RoleId": "AROAUXYsdfsdfsdfsdfL",
        "CreateDate": "2023-01-09T21:36:26Z",
        "RoleName": "Ec2AccessToS3",
        "Path": "/",
        "RoleLastUsed": {
            "Region": "eu-central-1",
            "LastUsedDate": "2023-01-10T05:43:20Z"
        },
        "Arn": "arn:aws:iam::32sdfsdf218:role/Ec2AccessToS3"
    }
}

Adi Yahav
  • 11
  • 2
  • Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Jan 10 '23 at 10:18
-1

I just want to update: I'm trying to give access to a specific user instead, and this is not working either.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::name.com",
                "arn:aws:s3:::name.com/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:userId": [
                        "AIDOFTHEUSER",
                        "ACCOUNTID"
                    ]
                }
            }
        }
    ]
}
Adi Yahav
  • 11
  • 2
  • If you want please add it as an update to your original question or add it as a comment. – user11666461 Jan 10 '23 at 04:42
  • Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Jan 10 '23 at 10:15