0
votes

I have following scenario, where I am trying to access S3 bucket contents using Access points, however I am getting AccessDenied Error.

  1. Customer VPC with public subnet
  2. EC2 instance with public IP under this subnet
  3. Assigned IAM role to EC2 instance to have full access to S3
  4. Created S3 bucket my-test-bucket & access point 'my-test-ap' with default policy & VPC id provided to restrict access over internet
  5. ssh to EC2 instance and run command - aws s3 ls --Bucket my-test-bucket OR aws s3api list-objects --bucket -my-test-bucket, lists all contents from bucket
  6. Now running command like aws s3api list-objects --bucket arn:aws:s3:us-east-1:my-account-id:accesspoint/my-test-ap gives me `AccessDenied` message

Access Point Policy

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": "arn:aws:s3:us-east-1:my-account-id:accesspoint/my-test-ap",
                "Condition": {
                    "StringEquals": {
                        "s3:AccessPointNetworkOrigin": "VPC"
                    }
                }
            }
        ]
    }

Not sure what is missing to get this working.

Can you show us your Access Point policy configuration, so we can try to reproduce your scenario? - John Rotenstein
@JohnRotenstein Edited question with policy. - Avi Kenjale
Interesting point is, I am able to create new access point from EC2 instance back to my S3. - Avi Kenjale
Shouldn't the resource be arn:aws:s3:us-east-1:my-account-id:accesspoint/my-test-ap/*? - Marcin

1 Answers

1
votes

To reproduce your situation, I did the following:

  • Created an Amazon S3 bucket
  • Created a new Amazon VPC with a public subnet (using the VPC Wizard)
  • Launched an Amazon EC2 instance with an IAM Role that permits all Amazon S3 access
  • Logged in via SSH and confirmed that it could access S3
  • Created an S3 Access Point on the bucket with:
    • Network origin = VPC
    • Pointing to the new VPC
    • "Block all public access" set to true (all blocked)
    • With no Access Point policy (this is different to your scenario)

I then tried accessing the bucket with:

 aws s3api list-objects-v2 --bucket arn:aws:s3:ap-southeast-2:1111:accesspoint/my-access-point

Result: AccessDenied

I then added a VPC Endpoint, since Creating access points - Amazon Simple Storage Service says:

To use an access point with a VPC, you must modify the access policy for your VPC endpoint. VPC endpoints allow traffic to flow from your VPC to Amazon S3. They have access-control policies that control how resources within the VPC are allowed to interact with S3. Requests from your VPC to S3 only succeed through an access point if the VPC endpoint policy grants access to both the access point and the underlying bucket.

I was then able to successfully access the bucket.

Therefore, it appears that a VPC Endpoint is required when accessing an S3 Access Point from a VPC.

An example is shown in: Managing Amazon S3 access with VPC endpoints and S3 Access Points | AWS Storage Blog
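As an added illustration (not part of the answer above or of any AWS code), here is a small Python model of the rule quoted from the S3 documentation: a request through an access point only succeeds if the VPC endpoint policy allows both the access point ARN and the underlying bucket ARN. The bucket name, account id and region are constructed placeholders, and the evaluator covers only Allow/Deny with wildcard Resource matching, not the full IAM evaluation logic.

```python
import fnmatch

def _matches(pattern, value):
    # IAM-style wildcard match ("*" and "?"); accepts a string or a list of strings.
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def policy_allows(policy, action, resource):
    """Explicit Deny wins; otherwise a matching Allow grants; otherwise implicit deny."""
    allowed = False
    for stmt in policy.get("Statement", []):
        if _matches(stmt.get("Action", []), action) and _matches(stmt.get("Resource", []), resource):
            if stmt.get("Effect") == "Deny":
                return False
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed

def access_point_request_allowed(endpoint_policy, action, bucket_resource, access_point_resource):
    """Models the documented rule: the endpoint policy must permit BOTH the access point
    resource and the underlying bucket resource for the request to succeed."""
    return (policy_allows(endpoint_policy, action, access_point_resource)
            and policy_allows(endpoint_policy, action, bucket_resource))

# Constructed placeholder ARNs (hypothetical account id and bucket).
BUCKET_ARN = "arn:aws:s3:::my-test-bucket"
AP_ARN = "arn:aws:s3:us-east-1:123456789012:accesspoint/my-test-ap"

# Endpoint policy that names only the bucket: direct bucket access works,
# but a request routed through the access point is denied.
BUCKET_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:*",
                   "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]}],
}

# Corrected endpoint policy: grants the bucket, its objects, the access point,
# and the access point's object ARNs, so both checks pass.
BOTH_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:*",
                   "Resource": [BUCKET_ARN, BUCKET_ARN + "/*",
                                AP_ARN, AP_ARN + "/object/*"]}],
}

if __name__ == "__main__":
    print("bucket-only policy, via access point:",
          access_point_request_allowed(BUCKET_ONLY_POLICY, "s3:ListBucket", BUCKET_ARN, AP_ARN))
    print("bucket+access point policy, via access point:",
          access_point_request_allowed(BOTH_POLICY, "s3:ListBucket", BUCKET_ARN, AP_ARN))
```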