Cannot access S3 via aws cli from EC2 instance

1
votes

I have an EC2 instance that has an S3_Admin_Access role attached to it. I also have a IAM user with full admin access, and I configured the aws cli on the EC2 instance with the user's credentials. However, when I try to execute aws s3 ls from the EC2 instance terminal, the HTTPS connection times out. Trying the same from my laptop's terminal, the call succeeds. The aws cli is configured with the same credentials as the EC2 instance.

I added inbound rules over SSH/HTTP/HTTPS to the EC2 instance, and I removed the outbound rule that allows all traffic. Interestingly enough, if I add the "allow all" outbound rule back, the aws cli call works, the HTTPS connection does not time out, and I get a list of all buckets. I also added outbound rules only for SSH/HTTPS, and this, again, works. However, removing the outbound rules breaks the call again.

I thought that inbound rules are stateful, as in, if i have an inbound rule over a protocol/port, I do not need an explicit outbound rule over the same port. However, that does not seem to be working. What else might be the problem? Note that I can ssh into the EC2 instance without the outbound rule being present.

1
amazon-web-servicesamazon-s3amazon-ec2
You need to open outbound, why you remove that? - Lamanus
Because I was following along a course, and I read the documentation, from which I understood that if I have an inbound rule, I do not need a matching outbound rule. Or does that not apply in this case, since I am initiating the connection from within the instance itself? - Stefan Rendevski
Edit: You are right, I do not need an outbound rule if I want to establish a connection to the instance, not if I want to establish a connection from the instance. - Stefan Rendevski

1 Answers

2
votes

You should keep the outbound rule on the Security Group. This permits connections to be initiated from the Amazon EC2 instance, which is exactly what you want when using the AWS CLI.

The stateful nature of the security group means that, if you are initiating the request, then you do not require an inbound rule in the security group. Traffic will be allowed to flow back in response to the outbound request. However, you actually will need the inbound rules since you are connecting to the instance via SSH or RDP.

This is the opposite of a web server, which wants to allow inbound connections but does not necessarily need an outbound rule.

However, it is normally okay to have all outbound connections permitted in the security group, since the instance is trusted and it often wants to download information from the internet (eg software updates).

Bottom line: Put back the Outbound rules and you'll be fine.