Why can’t I connect to my Amazon S3 bucket from my Amazon EC2 instance?

Last updated: 2020-09-08

I'm unable to access an Amazon Simple Storage Service (Amazon S3) bucket from my Amazon Elastic Compute Cloud (Amazon EC2) instance. How can I enable read/write access to S3 buckets from an EC2 instance?

Short description

To connect to your S3 buckets from your EC2 instances, you need to do the following:

1.    Create and attach an AWS Identity and Access Management (IAM) profile role to the instance that grants access to Amazon S3.

2.    Confirm that the S3 bucket policy doesn't have a policy denying access.

3.    Confirm network connectivity between the EC2 instance and Amazon S3.

Resolution

Create an IAM instance profile that grants access to Amazon S3

1.    Open the IAM console.

2.    Choose Roles, and then choose Create role.

3.    Select AWS Service, and then choose EC2.

Note: Creating an IAM role from the console with EC2 selected as the trusted entity automatically creates an IAM instance profile with the same name as the role name. However, if the role is created using the AWS Command Line Interface (AWS CLI) or from the API, an instance profile isn't automatically created. For more information, refer to I created an IAM role, but the role doesn't appear in the drop-down list when I launch an instance. What do I do?

4.    Select Next: Permissions.

5.    Create a custom policy that provides the minimum required permissions to access your S3 bucket. For instructions on creating custom policies, see Writing IAM policies: how to grant access to an Amazon S3 bucket and Managing access to S3 resources.

Note: Creating a policy with the minimum required permissions is a security best practice. However, to allow EC2 access to all your Amazon S3 buckets, you can use the AmazonS3ReadOnlyAccess or AmazonS3FullAccess managed IAM policy.

6.    Select Next: Tags, and then select Next: Review.

7.    Enter a Role name, and then select Create role.

Attach the IAM instance profile to the EC2 instance

1.    Open the Amazon EC2 console.

2.    Choose Instances.

3.    Select the instance that you want to attach the IAM role to.

4.    Choose the Actions tab, choose Instance Settings, and then choose Attach/Replace IAM role.

5.    Select the IAM role that you just created, choose Apply, and then choose Close. The IAM role is assigned to your EC2 instance.

Validate permissions on your S3 bucket

1.    Open the Amazon S3 console.

2.    Select the S3 bucket that you want to verify the policy for.

3.    Choose Permissions.

4.    Choose Bucket Policy.

5.    Search for statements with Effect: Deny.

6.    In your bucket policy, edit or remove any Effect: Deny statements that are denying the IAM instance profile access to your bucket. For instructions on editing policies, see Editing IAM Policies.

Validate network connectivity from the EC2 instance to Amazon S3

Verify that the EC2 instance has connectivity to S3 endpoints.

The instance must be one of the following:

EC2 instance with a public IP address and a route table entry with the default route pointing to an Internet Gateway.
Private EC2 instance with a default route through a NAT gateway.
Private EC2 instance with connectivity to Amazon S3 using a Gateway VPC Endpoint.

Validate access to S3 buckets

1.    Install the AWS CLI.

2.    Verify access to your S3 buckets by running the following command:

aws s3 ls

Note: S3 objects that are encrypted with an AWS Key Management Service (AWS KMS) key, must have kms: Decrypt permissions granted in the IAM role attached to the instance and in the KMS key policy in order for a copy or download to be successful. For more information, see Do I need to specify the AWS KMS key when I download a KMS-encrypted object from Amazon S3?


Did this article help?


Do you need billing or technical support?