Access to private AWS S3 bucket from EC2 without login and password in 5 steps

from AWS EC2 to S3 without login and password

Hi. If you are wondering whether it is safe to access S3 in the AWS cloud from an EC2 virtual machine without entering a password, then I have good news for you: YOU CAN. You don’t need to store a password in any key vault, KMS, HashiCorp Vault or any other place. You can do this without entering a password at all. No more hiding logins and passwords.

All you need to do is follow the 5 steps below 🙂

1) Create an IAM role

First, create an IAM role. You will need to add permissions to it and assign it to the target EC2 machine.

Search for IAM, select “Roles” from the menu and click on “Create Role”.

AWS - creating an IAM role - Create role

Great. Now select EC2 as the trusted service, because you want this role to be usable by your EC2 machines, and click Next. Here you could also select containers or other AWS components that you want to allow to use this role.

AWS - creating an IAM role for EC2

You can add any additional policies that you want assigned to this role. However, we will deal with policy-making in the next step. When you are done, click on Next.

Now you can add tags to the role you are creating, but you don’t have to do this if you don’t want to. When you are done, click on Next.

In the last tab, give the role a name, and I recommend entering a description so that in a year you will still know what this role is for and why you created it. When you are done, click Create role.

AWS - creating an IAM role

2) Adding a policy to the IAM role

Now let’s add a policy to the role you created. This could also have been done in the previous step, but I did not want to create an additional policy visible in the list of policies; I wanted something dedicated to this specific role.

To do this, go to IAM, select “Roles” from the menu, find the role created in the previous step (in my case “EC2-accessS3-testwojtek”) and click “Add inline policy”.

AWS cloud - add inline policy to Role

Select the JSON tab and paste the code shown under the image.

AWS - add inline policy - JSON
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::testwojtek",
            "Condition": {
                "StringEquals": {
                    "s3:prefix": [
                        "folder1"
                    ]
                }
            }
        }
    ]
}

The policy you just added allows any operation on the S3 bucket called “testwojtek”, but only in the folder “folder1”.

Once you’ve pasted the code above, change the S3 bucket name in it to match your own resources. I additionally limited the action to a specific folder called folder1, which exists in my S3 bucket.

  • If you need to, you can allow only reading or only writing in a specific folder, which makes the solution even more secure.
  • If you want to allow access to the entire bucket, remove the “Condition” section from the JSON.
  • If you want to allow access to more than one folder, use “StringLike” instead of “StringEquals”, which lets you match folder names with a wildcard.
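To make the Condition block and the StringEquals/StringLike difference concrete, here is an added example (not from the original post) that replays a few requests against the policy above in a deliberately simplified offline model of IAM evaluation: it checks only Action, Resource and the s3:prefix condition of Allow statements and ignores Deny statements, bucket policies and every other condition operator.

```python
import fnmatch
import json

# The inline policy from step 2 (bucket "testwojtek" and prefix "folder1" are the post's values).
POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Sid": "VisualEditor1", "Effect": "Allow", "Action": "s3:*",
  "Resource": "arn:aws:s3:::testwojtek",
  "Condition": {"StringEquals": {"s3:prefix": ["folder1"]}}}]}""")
BUCKET = "arn:aws:s3:::testwojtek"

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _like(pattern, value):
    # IAM wildcard matching: '*' is any run of characters, '?' one character.
    return fnmatch.fnmatchcase(value, pattern)

def _condition_holds(condition, context):
    # Only StringEquals and StringLike are modelled here.
    # A condition key that is absent from the request makes the condition false.
    for op, keys in condition.items():
        for key, wanted in keys.items():
            have = context.get(key)
            if have is None:
                return False
            if op == "StringEquals" and have not in _as_list(wanted):
                return False
            if op == "StringLike" and not any(_like(p, have) for p in _as_list(wanted)):
                return False
    return True

def is_allowed(policy, action, resource, context):
    """True if some Allow statement matches action, resource and condition."""
    return any(st["Effect"] == "Allow"
               and any(_like(a, action) for a in _as_list(st["Action"]))
               and any(_like(r, resource) for r in _as_list(st["Resource"]))
               and _condition_holds(st.get("Condition", {}), context)
               for st in policy["Statement"])

def ls_allowed(policy, prefix):
    # What `aws s3 ls s3://testwojtek/<prefix>` sends: ListBucket with s3:prefix=<prefix>.
    return is_allowed(policy, "s3:ListBucket", BUCKET, {"s3:prefix": prefix})

def demo():
    return {
        "ls folder1": ls_allowed(POLICY, "folder1"),    # allowed, as seen in step 5
        "ls folder2": ls_allowed(POLICY, "folder2"),    # denied, as seen in step 5
        "ls folder1/": ls_allowed(POLICY, "folder1/"),  # denied: StringEquals is exact
        # Object calls carry no s3:prefix and target the object ARN, not the bucket ARN.
        "get object": is_allowed(POLICY, "s3:GetObject", BUCKET + "/folder1/x.txt", {}),
    }
```

Two practical consequences show up in the results: a trailing slash (`aws s3 ls s3://testwojtek/folder1/`) sends s3:prefix “folder1/”, which StringEquals rejects but a StringLike pattern such as “folder1*” accepts, and object operations like GetObject need a second statement whose Resource is “arn:aws:s3:::testwojtek/folder1/*”, because the bucket ARN alone only covers bucket-level actions such as listing.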

In the documentation on the AWS website you will find a lot of useful information on working with S3 buckets.

When you are done creating your perfect policy, click Review policy. Now you can give your policy a name and click Create policy.

3) Adding a role to EC2

Once you’ve created the role with the policy you need, it’s time to attach it to your EC2 virtual machine. After that, the machine will be able to access the selected resource in S3.

EC2 security - add IAM Role

Now select the role we created from the drop-down list and click Save.

EC2 security - choose IAM Role

4) Prepare EC2

Log in to the EC2 instance and install the AWS command-line tools.

On Ubuntu it looks like this:

#Ubuntu update
sudo apt-get update

#install tool awscli
sudo apt-get install awscli

#verification by viewing the version
aws --version

If you have a different system, follow the directions for your system available on the AWS website in the awscli installation section.

5) Tests

That’s it. Now we just need to check whether we have access to S3 without providing any credentials. To do that, list the files in our folder on S3 with the command:

aws s3 ls s3://testwojtek/folder1

Use your own bucket name and folder, of course.

As you can see in the image below, as expected, I can access folder1 without providing any credentials (unfortunately there are no files in it). I do not have access to folder2, because the permissions apply only to folder1.

awscli - cli command aws ls

Encryption!

A minor note about S3 encryption, minor but very important: if your S3 bucket is encrypted with a key in KMS, then you also need to give the role you created in step 1 permissions to use that key.

Summary

All in all, granting permissions to EC2 machines this way improves security in some respects and simplifies a lot of things. If someone copies such a machine, they will not have access to our data on S3, and they will not be able to extract a login and password for S3 from our EC2 in any way, because there are none there 🙂

However, we must remember that anyone who has access to this EC2 instance will, after logging in, also have access to S3 to the extent that we granted to the role.

There are no perfect solutions, but it is always worth knowing what opportunities we have and what threats they pose.

If you liked the article, I invite you to read the rest of the articles about AWS and Azure clouds.
