How can i get putobject access to s3 from specific ec2 instance

Question

I created S3 static web - public bucket and by default all the ec2 instance that i have in my account can upload files to the s3 bucket. My goal is to limit the access to upload files to the bucket just from spesific instance (My bastion instance) . So I created a role with all s3 permission and attach the role to my bastion instance , than I put this policy in the bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::name/*"
        },
        {
            "Sid": "allow only OneUser to put objects",
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": "arn:aws:iam::3254545218:role/Ec2AccessToS3"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::name/*"
        }
    ]
}

But now all the ec2 instance include the bastion instance cant upload files to the s3 bucket.. Im trying to change this arn line:

  "NotPrincipal": {
                "AWS": "arn:aws:iam::3254545218:role/Ec2AccessToS3"

To user arn and its work .. But I want this is work on the role I was able to do the operation on a specific user but not on a specific instance (role).

What Im doing wrong?

Answer 1

Refer to the "Granting same-account bucket access to a specific role" section of this AWS blog. The gist is as given below.

Each IAM entity (user or role) has a defined aws:userid variable. You will need this variable for use within the bucket policy to specify the role or user as an exception in a conditional element. An assumed-role’s aws:userId value is defined as UNIQUE-ROLE-ID:ROLE-SESSION-NAME (for example, AROAEXAMPLEID:userdefinedsessionname).

To get AROAEXAMPLEID for the IAM role, do the following:

1. Be sure you have installed the AWS CLI, and open a command prompt or shell.
2. Run the following command: aws iam get-role -–role-name ROLE-NAME.
3. In the output, look for the RoleId string, which begins with AROA.You will be using this in the bucket policy to scope bucket access to only this role.

Use this aws:userId in the policy,

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::MyExampleBucket",
        "arn:aws:s3:::MyExampleBucket/*"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:userId": [
            "AROAEXAMPLEID:*",
            "111111111111"
          ]
        }
      }
    }
  ]
}

Answer 2

{
    "Role": {
        "Description": "Allows EC2 instances to call AWS services on your behalf.",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "sts:AssumeRole",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "ec2.amazonaws.com"
                    }
                }
            ]
        },
        "MaxSessionDuration": 3600,
        "RoleId": "AROAUXYsdfsdfsdfsdf
L",
        "CreateDate": "2023-01-09T21:36:26Z",
        "RoleName": "Ec2AccessToS3",
        "Path": "/",
        "RoleLastUsed": {
            "Region": "eu-central-1",
            "LastUsedDate": "2023-01-10T05:43:20Z"
        },
        "Arn": "arn:aws:iam::32sdfsdf218:role/Ec2AccessToS3"
    }
}