EC2 cannot access S3 object via IAM role

Question

I created an IAM role as follows and attached to my EC2 instance:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": "*"
        }
    ]
}

Also added bucket policy for my S3 bucket:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<my-aws-account-id>:role/Get-Pic"
            },
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::<my-bucket>",
                "arn:aws:s3:::<my-bucket>/*"
            ]
        }
    ]
}

Options of Block public access of S3 are:

• [on] Block public access to buckets and objects granted through new access control lists (ACLs)
• [on] Block public access to buckets and objects granted through any access control lists (ACLs)
• [off] Block public access to buckets and objects granted through new public bucket or access point policies
• [off] Block public and cross-account access to buckets and objects through any public bucket or access point policies

But I still cannot access my S3 from EC2:

$ curl https://<my-bucket>.s3-ap-southeast-2.amazonaws.com/Instagram.png
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>2006E789486C0744</RequestId><HostId>DVldRN7BgUXvKvXElPYTVGd7mgAsoPEJkH9D/mlrr4Vv5FNZdr0DLbKTFkGu9ZuCo45yPq+i2rU=</HostId></Error>

Is there anything I should do?

Answer 1

The reason it fails is that you are using curl to access objects as if they were publicly accessible. But your bucket policy does not allow for public read access. The correct policy should be:

{
  "Version":"2012-10-17",
  "Statement":[{
    "Sid":"PublicReadGetObject",
        "Effect":"Allow",
      "Principal": "*",
      "Action":["s3:GetObject"],
      "Resource":["arn:aws:s3:::example-bucket/*"
      ]
    }
  ]
}

However, if you don't want your objects to be publicly accessible, on your instance you should be using AWS CLI to get objects, e.g. aws s3 cp, or SDK, e.g. boto3's get_object.