pkaramol

Reputation: 19412

Allowing EC2 instance to access bucket that has deny policy attached to it

I have a bucket with a deny policy attached to it, more or less like this

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RestrictedAccess",
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": [
                    "arn:aws:iam::1234567890:user/someuser@somecompany"
                ]
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::my-bucket",
                "arn:aws:s3:::my-bucket/*"
            ]
        }
    ]
}

It is evident that even if I grant IAM permissions to an IAM user/role to access the bucket, the above Deny will prevail.

Now, I want to create an EC2 instance that should also have access to this bucket.

What type of principal should I add here

                "AWS": [
                    "arn:aws:iam::1234567890:user/someuser@somecompany"
                ]
            },

Upvotes: 0

Views: 37

Answers (1)

Maurice

Reputation: 13187

You have to add the ARN of the Role the EC2 instance is using to your Deny exception and add an explicit allow to the role for the S3 operations you wish to perform.

Upvotes: 1
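The two pieces the answer calls for, written out as an added example (not code from the question or the answer): the question's Deny policy with the instance role added to the NotPrincipal exception list, and the identity policy attached to that role carrying the explicit Allow. The account id, bucket and user ARN are the placeholders from the question; the role name `ec2-bucket-reader` is an assumption. Because a call from the instance is made by the role's session principal (an `arn:aws:sts::...:assumed-role/...` ARN) rather than by the role ARN itself, the example also lists that session ARN in the exception; check this against the current NotPrincipal documentation for your account before relying on it. The account root is listed as well so the Deny cannot lock the account's own administrators out. A small evaluator at the end models the two conditions the answer names (no explicit Deny, plus an Allow from the identity policy) so the effect can be checked offline.

```python
"""Bucket policy and role policy for the answer's approach, plus a small
model of how the Deny/NotPrincipal statement evaluates for a given caller.

Added example, not code from the question or the answer. The account id,
bucket and user come from the question; the role name is an assumption.
"""
import json
from fnmatch import fnmatchcase

ACCOUNT = "1234567890"          # placeholder account id used in the question
BUCKET = "my-bucket"
USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/someuser@somecompany"
ROLE_NAME = "ec2-bucket-reader"  # assumed name of the instance profile role
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/{ROLE_NAME}"
# Calls from the instance are made by a role *session*, whose ARN has this
# arn:aws:sts form; listing it keeps the session inside the Deny exception
# (assumption, see lead-in). The account root is listed so the account's
# administrators are not locked out by their own Deny.
SESSION_ARN = f"arn:aws:sts::{ACCOUNT}:assumed-role/{ROLE_NAME}/*"
ROOT_ARN = f"arn:aws:iam::{ACCOUNT}:root"
BUCKET_RESOURCES = [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]


def bucket_policy() -> dict:
    """The question's Deny policy with the instance role added to the exception list."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "RestrictedAccess",
            "Effect": "Deny",
            "NotPrincipal": {"AWS": [USER_ARN, ROLE_ARN, SESSION_ARN, ROOT_ARN]},
            "Action": "s3:*",
            "Resource": BUCKET_RESOURCES,
        }],
    }


def role_policy() -> dict:
    """Identity policy attached to the instance role: the explicit Allow the
    answer calls for, limited to the operations the instance needs."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ReadMyBucket",
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetObject"],
            "Resource": BUCKET_RESOURCES,
        }],
    }


def deny_applies(caller_arn: str, policy: dict) -> bool:
    """Simplified model of the Deny statement: it hits every caller whose ARN
    matches no NotPrincipal entry (glob-style match for the session wildcard)."""
    stmt = policy["Statement"][0]
    assert stmt["Effect"] == "Deny" and "NotPrincipal" in stmt
    return not any(fnmatchcase(caller_arn, entry) for entry in stmt["NotPrincipal"]["AWS"])


def identity_allows(action: str, resource: str, policy: dict) -> bool:
    """True if some Allow statement in the caller's identity policy covers the
    action on the resource (glob match on both, as IAM does for wildcards)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(fnmatchcase(action, a) for a in actions) and any(fnmatchcase(resource, r) for r in resources):
            return True
    return False


def effective_access(caller_arn: str, action: str, resource: str, identity_policy: dict) -> bool:
    """An explicit Deny always wins; otherwise the caller still needs an Allow
    from its identity policy. These are the two steps the answer describes."""
    if deny_applies(caller_arn, bucket_policy()):
        return False
    return identity_allows(action, resource, identity_policy)


if __name__ == "__main__":
    print(json.dumps(bucket_policy(), indent=4))
    print(json.dumps(role_policy(), indent=4))
    # Constructed sample: a session of the instance role reading one object
    session = f"arn:aws:sts::{ACCOUNT}:assumed-role/{ROLE_NAME}/i-0123456789abcdef0"
    obj = f"arn:aws:s3:::{BUCKET}/data.csv"
    print("instance role can read:", effective_access(session, "s3:GetObject", obj, role_policy()))
```

The evaluator only models the single-statement bucket policy and the role's identity policy; real IAM evaluation also considers SCPs, permission boundaries and conditions, so use it to reason about the shape of the policies, not as a substitute for testing against the account.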
