Reputation: 1404
I have launched an EC2 Windows instance, created an S3 bucket, created a role S3-FullAccess and assigned it to the EC2 instance.
From the EC2 instance's browser, I am able to access the metadata of my role: http://169.254.169.254/latest/meta-data/iam/security-credentials/EC2-S3-access
```json
{
  "Code" : "Success",
  "LastUpdated" : "2018-04-10T04:47:11Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "myaccess",
  "SecretAccessKey" : "mysecretkey",
  "Token" : "mytoken",
  "Expiration" : "2018-04-10T11:10:43Z"
}
```
If I try to access a file from the S3 bucket: https://s3.ap-south-1.amazonaws.com/mybucket/test.jar
I get the error below:
```xml
<Error>
  <Code>AccessDenied</Code>
  <Message>Access Denied</Message>
  <RequestId>5EDB0A49E36E0E50</RequestId>
  <HostId>cPFNEbsfwXA=</HostId>
</Error>
```
Role JSON:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}
```
I am new to AWS.
EDIT:
As suggested, I used CLI commands and got the errors below (I referred to https://docs.aws.amazon.com/cli/latest/reference/s3/cp.html):
```text
C:\Users\Administrator>aws s3 cp https://s3.ap-south-1.amazonaws.com/mybucket/test.jar C:\downloads
usage: aws s3 cp <LocalPath> <S3Uri> or <S3Uri> <LocalPath> or <S3Uri> <S3Uri>
Error: Invalid argument type

C:\Users\Administrator>aws s3 cp https://mybucket/test.jar C:\downloads
usage: aws s3 cp <LocalPath> <S3Uri> or <S3Uri> <LocalPath> or <S3Uri> <S3Uri>
Error: Invalid argument type

C:\Users\Administrator>aws s3 cp https://mybucket/test.jar . --recursive
usage: aws s3 cp <LocalPath> <S3Uri> or <S3Uri> <LocalPath> or <S3Uri> <S3Uri>
Error: Invalid argument type
```
Worked:
```text
C:\Users\Administrator>aws s3 cp s3://mybucket/test.jar C:\downloads
```
I shouldn't use https://; with s3:// it's working.
Upvotes: 2
Views: 5717
Reputation: 269340
When accessing an object through a URL in your browser, you are not passing any user credentials. Therefore, Amazon S3 does not know who you are and is denying access to the objects.
The preferable method would be to access the objects via an API call, either from a programming language SDK or by using the AWS Command-Line Interface (CLI), which has an `aws s3 cp` command that can copy files to/from Amazon S3.
If you must have access via web browser while keeping the objects private, your application would need to generate a time-limited pre-signed URL that grants access to objects within a specified timeframe.
Upvotes: 2
Reputation: 379
The EC2 role you created will allow any SDK running on EC2 to access the S3 bucket, not the browser.
If you would like to access S3 files using a browser (be it from EC2 or your laptop) and limit the visibility of the bucket content, the best approach is to use presigned URLs.
When you create a pre-signed URL for your object, you must provide your security credentials, specify a bucket name and an object key, specify the HTTP method (GET to download the object) and an expiration date and time. The pre-signed URLs are valid only for the specified duration.
Anyone who receives the pre-signed URL can then access the object. For example, if you have a video in your bucket and both the bucket and the object are private, you can share the video with others by generating a pre-signed URL.
Upvotes: 0
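Both answers recommend a time-limited pre-signed URL instead of opening the bucket to anonymous browser requests. As an added example (not code from the question or either answer), here is a minimal SigV4 query-string signer in pure Python that builds such a URL from the temporary role credentials the question's metadata endpoint returns; the session token is included as `X-Amz-Security-Token`, which role credentials require. The bucket host, key, region and credential values in `role_credential_url` are constructed placeholders, while `aws_doc_vector_url` reproduces the published AWS Signature Version 4 documentation example so the output can be checked against it.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote, urlencode


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def presign_s3_get(host, key, region, access_key, secret_key,
                   expires, when, session_token=None):
    """SigV4 query-string-authenticated GET URL for one S3 object.
    host: virtual-hosted bucket endpoint; when: UTC datetime; expires: seconds."""
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = when.strftime("%Y%m%d")
    scope = f"{date_stamp}/{region}/s3/aws4_request"
    params = {"X-Amz-Algorithm": "AWS4-HMAC-SHA256",
              "X-Amz-Credential": f"{access_key}/{scope}",
              "X-Amz-Date": amz_date, "X-Amz-Expires": str(expires),
              "X-Amz-SignedHeaders": "host"}
    if session_token:  # temporary (role) credentials must also send the token
        params["X-Amz-Security-Token"] = session_token
    # Query parameters sorted by name, strictly percent-encoded (no '/' or '+').
    canonical_query = urlencode(sorted(params.items()), quote_via=quote, safe="")
    canonical_uri = quote("/" + key, safe="/")
    canonical_request = "\n".join(["GET", canonical_uri, canonical_query,
                                   f"host:{host}", "", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Signing key derivation: secret -> date -> region -> service -> aws4_request.
    k_signing = ("AWS4" + secret_key).encode()
    for part in (date_stamp, region, "s3", "aws4_request"):
        k_signing = _hmac(k_signing, part)
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_query}&X-Amz-Signature={signature}"


def aws_doc_vector_url():
    """The published AWS SigV4 pre-signed URL example (fixed date, long-term key)."""
    return presign_s3_get("examplebucket.s3.amazonaws.com", "test.txt", "us-east-1",
                          "AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                          86400, datetime(2013, 5, 24, tzinfo=timezone.utc))


def role_credential_url():
    """Constructed: placeholder role credentials as returned by the metadata endpoint."""
    return presign_s3_get("mybucket.s3.ap-south-1.amazonaws.com", "test.jar", "ap-south-1",
                          "myaccess", "mysecretkey", 3600, datetime.now(timezone.utc),
                          session_token="mytoken")
```

Anyone holding the returned URL can fetch the object until `X-Amz-Expires` seconds have passed, so keep the lifetime short and hand the URL only to the intended client.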