AWS S3 bucket policy should deny actions from ec2

Question

I am trying to deny uploads from an ec2 instance (while SSH in it) to an s3 bucket using policy bucket. My ec2 uploads a file from the CLI with the following command: "aws s3 cp text.txt s3://bucket-name". The bucket policy in place is the following in json:

{
    "Version": "2012-10-17",
    "Id": "Policy1668560706336",
    "Statement": [
        {
            "Sid": "Stmt1668560704089",
            "Effect": "Deny",
            "Principal": {
                "Service": "ec2.amazonaws.com"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::bucket-name/*"
        }
    ]
}

any ideas why this wouldn't work to deny my ec2 instance from uploading to the s3 bucket? (bucket and ec2 instance are in the same region of the same account).

Thanks in advance.

I was expecting the bucket policy to deny the upload from the ec2 instance.

Answer 1

The Bucket Policy is saying: "Deny all S3 access to this bucket when the request comes from the Amazon EC2 service".

However, when you run the aws s3 cp command on the Amazon EC2 instance, the request is coming from the EC2 instance. It is not coming from the "EC2 service", which is the AWS service that provisions and manages EC2 instances.

The best approach is to look at the IAM Role that is associated with that EC2 instance. To be able to access to S3, the IAM Role must be given permission to use S3. It would be more appropriate to restrict the permissions in the IAM Role rather than using a Bucket Policy.

If the instance is able to currently upload to S3 using the AWS CLI, then the IAM Role has been given sufficient permission to do that upload. You should modify the IAM Role so that it does not have such permissions.