Network Access Control List Permission to upload to S3


What I am trying to accomplish is to use the boto3 python library to upload a file to an S3 bucket from an EC2 machine without having my Network ACL allowing all inbound traffic. I believe I have narrowed it down now to just my Network ACL as the issue because when I allow all inbound traffic the upload works as expected, however I need to have my Network ACL as locked down as possible.

I came across this page and under "Network ACL rules" it states:

In the Inbound Rules view, confirm that the rules allow inbound return traffic from Amazon S3 on ephemeral TCP ports 1024-65535.

I tried that and I initially got it working when I listed the source as 0.0.0.0/0. I then tried both the public and private IP for my EC2 instance and neither worked as the upload failed from boto3.

On the same page it also states:

If your network ACL rules restrict traffic, then you must specify the CIDR block (IP address range) for Amazon S3

That led me to the AWS published IP address ranges. I took a look at them but discovered that in my case I was using the us-west-2 region and there were at least 7 IP addresses for S3 listed, and they mention that they may change over time as well.

So my question is, what should I be using as the source IP for my Network ACL rule that allows TCP traffic on ports 1024-65535 as recommended by AWS such that I will be able to upload a file to S3 from my EC2?

On BEST ANSWER

In the Inbound Rules view, confirm that the rules allow inbound return traffic from Amazon S3 on ephemeral TCP ports 1024-65535.

I tried that and I initially got it working when I listed the source as 0.0.0.0/0. I then tried both the public and private IP for my EC2 instance and neither worked as the upload failed from boto3.

The inbound rule would have to allow the S3 IP address, because the inbound traffic is coming from S3. It doesn't make sense to list the EC2 instance IP in the inbound rule.
So my question is, what should I be using as the source IP for my Network ACL rule that allows TCP traffic on ports 1024-65535 as recommended by AWS such that I will be able to upload a file to S3 from my EC2?

Given your security requirements, you should be adding an S3 VPC Endpoint to your VPC. Then your EC2 instance will be communicating with S3 via a private IP address in your VPC, and you could then simply use your VPC CIDR block for the source IP.
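An added example (not code from the question or the answer) that builds the two pieces discussed above with boto3: a gateway VPC endpoint for S3, and network ACL inbound rules that allow the ephemeral return ports 1024-65535 only from specific CIDRs instead of 0.0.0.0/0. One caveat a practitioner should know: a network ACL cannot reference an AWS managed prefix list, and the endpoint's return traffic is still sourced from the S3 address ranges, so the script takes the CIDRs from AWS's published list rather than hard-coding them; the `ec2.describe_prefix_lists` call fetches the region's S3 CIDRs at run time, and `s3_prefixes` does the same offline from an `ip-ranges.json` document. The VPC, ACL, and route table IDs and the `SAMPLE_IP_RANGES` document (RFC 5737 documentation prefixes) are constructed placeholders.

```python
"""Lock down a network ACL for EC2 -> S3 uploads without 0.0.0.0/0.

Example code added to this Q&A page; assumes an existing VPC, network ACL
and route table whose IDs are passed in. Requires boto3 only for apply().
"""
import ipaddress
import json

# Constructed stand-in for https://ip-ranges.amazonaws.com/ip-ranges.json
# (RFC 5737 documentation prefixes, not real S3 ranges).
SAMPLE_IP_RANGES = json.dumps({
    "prefixes": [
        {"ip_prefix": "192.0.2.0/24", "region": "us-west-2", "service": "S3"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-west-2", "service": "S3"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-west-2", "service": "AMAZON"},
    ]
})

EPHEMERAL_PORTS = {"From": 1024, "To": 65535}   # return ports the AWS doc names
NACL_RULES_PER_DIRECTION = 20                   # default network ACL quota


def s3_prefixes(ip_ranges_json, region):
    """IPv4 prefixes published for the S3 service in one region (deduplicated)."""
    data = json.loads(ip_ranges_json)
    return sorted({
        p["ip_prefix"] for p in data["prefixes"]
        if p["service"] == "S3" and p["region"] == region
    })


def nacl_return_rules(acl_id, source_cidrs, first_rule_number=100):
    """Parameter dicts for ec2.create_network_acl_entry, one per source CIDR.

    Each rule allows inbound TCP 1024-65535 from that CIDR only.
    """
    if len(source_cidrs) > NACL_RULES_PER_DIRECTION:
        raise ValueError("more CIDRs than the default NACL rule quota allows")
    rules = []
    for offset, cidr in enumerate(source_cidrs):
        ipaddress.ip_network(cidr)   # raises ValueError on a malformed CIDR
        rules.append({
            "NetworkAclId": acl_id,
            "RuleNumber": first_rule_number + offset,
            "Protocol": "6",         # TCP
            "RuleAction": "allow",
            "Egress": False,         # inbound rule
            "CidrBlock": cidr,
            "PortRange": dict(EPHEMERAL_PORTS),
        })
    return rules


def s3_gateway_endpoint(vpc_id, region, route_table_ids):
    """Parameter dict for ec2.create_vpc_endpoint (gateway endpoint for S3)."""
    return {
        "VpcId": vpc_id,
        "ServiceName": f"com.amazonaws.{region}.s3",
        "VpcEndpointType": "Gateway",
        "RouteTableIds": list(route_table_ids),
    }


def apply(region, vpc_id, acl_id, route_table_ids):
    """Create the endpoint and the NACL rules in a real account (needs boto3)."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    ec2.create_vpc_endpoint(**s3_gateway_endpoint(vpc_id, region, route_table_ids))
    # The S3 prefix list holds the region's current S3 CIDRs; NACLs cannot
    # reference the list itself, so each CIDR becomes its own rule.
    resp = ec2.describe_prefix_lists(
        Filters=[{"Name": "prefix-list-name", "Values": [f"com.amazonaws.{region}.s3"]}]
    )
    cidrs = resp["PrefixLists"][0]["Cidrs"]
    for rule in nacl_return_rules(acl_id, cidrs):
        ec2.create_network_acl_entry(**rule)
    return cidrs


if __name__ == "__main__":
    # Offline demonstration with the constructed sample document.
    for rule in nacl_return_rules("acl-PLACEHOLDER", s3_prefixes(SAMPLE_IP_RANGES, "us-west-2")):
        print(json.dumps(rule))
```

Because the published ranges change, treat the rule set as something to regenerate on a schedule (or from the prefix list at deploy time) rather than a one-off edit, and keep the outbound side restricted to TCP 443 toward the same CIDRs.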