Auto-scaled EC2 cannot access S3

0

Even though I gave an IAM role in the Launch Template,

the auto-scaled EC2 cannot access S3.

The EC2 is in a private VPC.

4 Answers
1
Accepted Answer

Is the EC2 accessing S3 through an endpoint, or over the internet? If it's over the internet then it needs to have an outbound route to the internet, and as the EC2 is provisioned in a private subnet then this will have to be via a NAT Gateway.

EXPERT
Steve_M
answered 13 days ago
  • I simply added the IAM role to the EC2. The EC2 not created by auto-scaling, to which I gave the role manually, works fine even though it's in a private VPC. However, the EC2 created by auto-scaling cannot access S3. My S3 bucket blocks all public access.

  • Does the EC2 instance created by auto-scaling have the same security group rules, and in particular the same outbound rules, as the instance you created manually?

    Also are they both in the same subnet?

1

Thank you all... I already have a NAT... and it was my stupid mistake: the newly auto-scaled subnet is not connected to the NAT. Sorry for annoying you guys. Have a nice day.

answered 13 days ago
  • As you pay for throughput when sending through a NAT, you could consider a gateway endpoint, which is free, so you don't need to pay the throughput charges as it will bypass the NAT and go through the AWS backbone.

0

As @Steve_M mentioned, since your EC2 instances are in a private subnet, they do not have direct access to the internet.

💡 Another option is to use an S3 VPC Endpoint, which allows resources in the VPC to access S3 without going through the internet. If you have an S3 VPC Endpoint configured, ensure that the private subnet's route table has a route to the S3 VPC Endpoint for the S3 prefix list.

🤑 An S3 VPC Endpoint is generally the cheaper solution.

EXPERT
answered 13 days ago
0

Access could be blocked either by no route to S3, incorrect permissions, or restrictive security groups or NACLs.

No Route to S3

If your EC2 is in a private subnet, the best way to access S3 is via a gateway endpoint. Create a new gateway endpoint and associate it with the route tables in the VPC that are associated with the subnet your instance is in. Using a gateway endpoint uses the AWS backbone and doesn't traverse the internet. This is the most secure and cost-effective option.

Incorrect Permissions

To troubleshoot, enable CloudTrail to check for any rejected access. If it's still not clear, use IAM Access Analyzer to verify the role is defining the correct action.

Security Groups / NACLs

Confirm security group and NACL outbound TCP connection configuration.

AWS
answered 13 days ago
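The "No route to S3" check above (and the S3 VPC Endpoint route-table advice in the earlier answer) can be made mechanical. The script below is an added example, not code from this thread or from AWS: it walks data shaped like `aws ec2 describe-route-tables` output, resolves which route table each subnet actually uses (explicit association first, otherwise the VPC's main table), and reports whether that table gives S3 traffic a gateway-endpoint route, a NAT/internet default route, or nothing. The sample route tables and every ID ending in `-example` are constructed placeholders; the third subnet deliberately has no explicit association, which reproduces the asker's situation of a new Auto Scaling subnet falling back to a route table with no working path.

```python
"""Offline route-table check for S3 reachability from private subnets.

Added example, not code from the re:Post thread or from AWS. The input is a
constructed sample shaped like `aws ec2 describe-route-tables` output
(Associations, Routes, DestinationPrefixListId, NatGatewayId, State); every
ID ending in "-example" is a placeholder.
"""
from typing import Optional

# Constructed sample: three route tables in one VPC.
#  - the main table's default route is a blackhole (its NAT gateway is gone)
#  - subnet A sends 0.0.0.0/0 to a live NAT gateway
#  - subnet B reaches S3 through a gateway endpoint (prefix-list route)
#  - subnet C has no explicit association, so it falls back to the main table
SAMPLE_ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-main-example",
        "VpcId": "vpc-example",
        "Associations": [{"Main": True, "RouteTableId": "rtb-main-example"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-deleted-example", "State": "blackhole"},
        ],
    },
    {
        "RouteTableId": "rtb-private-a-example",
        "VpcId": "vpc-example",
        "Associations": [{"Main": False, "SubnetId": "subnet-private-a-example", "RouteTableId": "rtb-private-a-example"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example", "State": "active"},
        ],
    },
    {
        "RouteTableId": "rtb-private-b-example",
        "VpcId": "vpc-example",
        "Associations": [{"Main": False, "SubnetId": "subnet-private-b-example", "RouteTableId": "rtb-private-b-example"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationPrefixListId": "pl-s3-example", "GatewayId": "vpce-s3-example", "State": "active"},
        ],
    },
]


def route_table_for_subnet(route_tables: list, subnet_id: str) -> Optional[dict]:
    """An explicit subnet association wins; otherwise the VPC's main table applies."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt.get("Associations", [])):
            return rt
    for rt in route_tables:
        if any(a.get("Main") for a in rt.get("Associations", [])):
            return rt
    return None


def s3_path(route_table: dict) -> Optional[str]:
    """Classify how traffic to S3 would leave this route table, or None.

    A gateway-endpoint route (prefix list -> vpce-) is reported first because
    it is more specific than the default route. Blackhole routes (target
    deleted) are skipped: a 0.0.0.0/0 entry that points at a missing NAT
    looks fine at a glance but carries nothing.
    """
    active = [r for r in route_table.get("Routes", []) if r.get("State", "active") == "active"]
    for r in active:
        if r.get("DestinationPrefixListId") and r.get("GatewayId", "").startswith("vpce-"):
            return "gateway-endpoint"
    for r in active:
        if r.get("DestinationCidrBlock") == "0.0.0.0/0":
            if r.get("NatGatewayId"):
                return "nat-gateway"
            if r.get("GatewayId", "").startswith("igw-"):
                return "internet-gateway"
    return None


def check_subnets(route_tables: list, subnet_ids: list) -> dict:
    """Map each subnet ID to (route table ID, S3 path label or None)."""
    report = {}
    for sid in subnet_ids:
        rt = route_table_for_subnet(route_tables, sid)
        report[sid] = (rt["RouteTableId"], s3_path(rt)) if rt else (None, None)
    return report


if __name__ == "__main__":
    subnets = ["subnet-private-a-example", "subnet-private-b-example", "subnet-private-c-example"]
    for sid, (rtb, path) in check_subnets(SAMPLE_ROUTE_TABLES, subnets).items():
        print(f"{sid}: {rtb} -> {path or 'NO PATH: check association, NAT, or endpoint'}")
```

This covers only the first of the three causes listed in the answer. A subnet that shows `gateway-endpoint` or `nat-gateway` here can still be denied by the instance role's IAM policy, the endpoint policy or bucket policy, or by security group and NACL outbound rules, which are separate checks.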
