Source Systems, Data Ingestion, and Pipelines - Week 1 - Connecting to source system - Troubleshooting Database Connectivity on AWS
I am doing the assignment and am curious about the S3 bucket policy condition.
When I tried to specify the condition as a SourceARN to either the EC2 instance or the Cloud9 ARN, it doesn't allow me to connect to S3 and I am still getting the forbidden error. But specifying the public IP would work. Why would the ARN not work in this case?
Are you able to modify the bucket policy?
I am getting this error when I try to modify / add the policy
You need permissions
User: arn:aws:sts::314717650934:assumed-role/voclabs/user3523613=Sukhdeep_Singh_Johar is not authorized to perform: access-analyzer:ValidatePolicy on resource: arn:aws:access-analyzer:us-east-1:314717650934:*
So, here's something for the course moderators to look at:
As described above, I am not able to add the policy.
But the grader accepted the submission, as I was trying to check the submission report.
Moreover, the submission report gave the below, which indicates something is not right.
[Executed at: Mon Sep 23 0:11:17 PDT 2024]
=====================================================
Test 3 failed: No policy found for bucket de-c2w1a1-314717650934-us-east-1-data-test. Please try again.
Test 3 passed: S3 Bucket policy was updated correctly.
==================================================
An error occurred (NoSuchBucketPolicy) when calling the GetBucketPolicy operation: The bucket policy does not exist
I just tried the lab again and saw the same error as you: "User: xxxxxxx is not authorized to perform: access-analyzer:ValidatePolicy on resource: xxxxxx". I believe this is just above the Save Changes button. I believe this just checks if the input policy is valid or not.
I could still successfully edit the S3 bucket policy when I clicked Save Changes. May I know what the error is after clicking the Save Changes button? If there is an error, then I believe it'll be a different error than the above one.
Although there is an error showing on the bottom of policy page like the following, this doesn’t interfere with saving the changes to the policy. Hence, you don’t need to worry about it.
I did a little research and tried several different policies. It seems like it is not possible to use the EC2 ARN instead of its IP in the S3 bucket policy. When S3 receives a request, it can check from which IP that request is sent and validate whether the IP has access or not, but I'm not sure if S3 can access the ARN of the request source. However, there is another and more popular way of doing what we did in this lab, and that's with IAM roles. We can assign the EC2 instance some IAM role, and then give that role access to S3 using the policy. This is achieved through the Principal key in the policy. For more information, you can see here.
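As an added illustration (not code from the lab or from any poster in this thread), here is a bucket policy that puts the two forms discussed above side by side: the lab's IP-address condition with an open Principal, and the IAM-role approach where the instance role's ARN is the Principal. The account ID and bucket name are the ones that appear in the grader report above; the role name and the IP address are made-up placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LabStyleAllowFromInstancePublicIp",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::de-c2w1a1-314717650934-us-east-1-data-test",
        "arn:aws:s3:::de-c2w1a1-314717650934-us-east-1-data-test/*"
      ],
      "Condition": {
        "IpAddress": { "aws:SourceIp": "203.0.113.10/32" }
      }
    },
    {
      "Sid": "RoleBasedAllowForInstanceRole",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::314717650934:role/EXAMPLE-EC2-INSTANCE-ROLE"
      },
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::de-c2w1a1-314717650934-us-east-1-data-test",
        "arn:aws:s3:::de-c2w1a1-314717650934-us-east-1-data-test/*"
      ]
    }
  ]
}
```

In practice you would keep only one of the two statements: the second one keeps working after a stop/start changes the instance's public IP, because access is tied to the role attached to the instance rather than to where the request comes from.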
Thanks for your detailed explanation. Regarding point 4, thanks for looking into it deeper and I’ll take a look at the link you sent me.
If my understanding is correct, when we stop and start the EC2 instance, the public IP address will change. Hence, I was wondering why the public IP was used, as I was unsure if that was the best practice, since we will need to keep updating the IP address on the bucket policy. But I guess attaching an IAM role to the EC2 instance sounds more "robust" than a "hardcoded" IP address in the policy.
Yes, you are right. Using IAM roles is the more robust and durable way of doing things in real scenarios. However, in this lab the EC2 IP address is used to keep it simple for the sake of learning.