Reputation: 301
I have an EC2 instance that has an S3_Admin_Access role attached to it. I also have an IAM user with full admin access, and I configured the aws cli on the EC2 instance with the user's credentials. However, when I try to execute aws s3 ls from the EC2 instance terminal, the HTTPS connection times out. Trying the same from my laptop's terminal, the call succeeds. The aws cli is configured with the same credentials as the EC2 instance.
I added inbound rules over SSH/HTTP/HTTPS to the EC2 instance, and I removed the outbound rule that allows all traffic. Interestingly enough, if I add the "allow all" outbound rule back, the aws cli call works, the HTTPS connection does not time out, and I get a list of all buckets. I also added outbound rules only for SSH/HTTPS, and this, again, works. However, removing the outbound rules breaks the call again.
I thought that inbound rules are stateful, as in, if I have an inbound rule over a protocol/port, I do not need an explicit outbound rule over the same port. However, that does not seem to be working. What else might be the problem? Note that I can SSH into the EC2 instance without the outbound rule being present.
Upvotes: 2
Views: 794
Reputation: 269340
You should keep the outbound rule on the Security Group. This permits connections to be initiated from the Amazon EC2 instance, which is exactly what you want when using the AWS CLI.
The stateful nature of the security group means that, if you are initiating the request, then you do not require an inbound rule in the security group. Traffic will be allowed to flow back in response to the outbound request. However, you actually will need the inbound rules since you are connecting to the instance via SSH or RDP.
This is the opposite of a web server, which wants to allow inbound connections but does not necessarily need an outbound rule.
However, it is normally okay to have all outbound connections permitted in the security group, since the instance is trusted and it often wants to download information from the internet (e.g. software updates).
Bottom line: Put back the Outbound rules and you'll be fine.
Upvotes: 2
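The stateful behaviour described in the answer, as an added worked model (not code from the question or answer): only the rule set for whichever side initiates the connection is consulted, so inbound SSH needs an ingress rule while the CLI's call to S3 needs an egress rule, and the "fixed" group adds just HTTPS egress rather than allow-all. The rule sets, endpoint addresses and group names are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

@dataclass
class Rule:
    protocol: str   # "tcp", "udp", or "-1" for all protocols, as in an SG rule
    from_port: int  # -1 when protocol is "-1"
    to_port: int
    cidr: str

@dataclass
class SecurityGroup:
    ingress: List[Rule]
    egress: List[Rule]

def _matches(rule: Rule, protocol: str, port: int, peer_ip: str) -> bool:
    """True if this single rule covers the protocol/port for this peer address."""
    if rule.protocol != "-1":
        if rule.protocol != protocol:
            return False
        if not rule.from_port <= port <= rule.to_port:
            return False
    return ip_address(peer_ip) in ip_network(rule.cidr)

def connection_allowed(sg: SecurityGroup, direction: str, protocol: str, port: int, peer_ip: str) -> bool:
    """Decide whether a NEW connection is permitted by a stateful security group.

    direction is "inbound" when the peer initiates (your SSH session) and "outbound"
    when the instance initiates (the AWS CLI calling S3). Only the rule set for the
    initiating side is checked; reply packets are matched by connection tracking and
    never need a rule in the opposite direction, which is what "stateful" means.
    """
    rules = sg.ingress if direction == "inbound" else sg.egress
    return any(_matches(r, protocol, port, peer_ip) for r in rules)

ANY = "0.0.0.0/0"
# Constructed model of the question's group: SSH/HTTP/HTTPS inbound, all egress removed.
ASKER_SG = SecurityGroup(
    ingress=[Rule("tcp", 22, 22, ANY), Rule("tcp", 80, 80, ANY), Rule("tcp", 443, 443, ANY)],
    egress=[],
)
# Least-privilege fix: add only the HTTPS egress the CLI needs instead of "allow all".
FIXED_SG = SecurityGroup(ingress=ASKER_SG.ingress, egress=[Rule("tcp", 443, 443, ANY)])

S3_ENDPOINT_IP = "203.0.113.10"  # placeholder from the documentation range, not a real S3 address
LAPTOP_IP = "198.51.100.7"       # placeholder

if __name__ == "__main__":
    print("ssh in  (asker):", connection_allowed(ASKER_SG, "inbound", "tcp", 22, LAPTOP_IP))        # True
    print("s3 out  (asker):", connection_allowed(ASKER_SG, "outbound", "tcp", 443, S3_ENDPOINT_IP))  # False
    print("s3 out  (fixed):", connection_allowed(FIXED_SG, "outbound", "tcp", 443, S3_ENDPOINT_IP))  # True
```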