Troubleshooting Database Connectivity on AWS - S3 Bucket Policy

Source Systems, Data Ingestion, and Pipelines - Week 1 - Connecting to source system - Troubleshooting Database Connectivity on AWS

I am doing the assignment and am curious about the S3 bucket policy condition.

When I tried to specify the condition as a SourceARN to either the EC2 instance or the Cloud9 ARN, it doesn’t allow me to connect to S3 and I am still getting the forbidden error. But specifying the public IP would work. Why would the ARN not work in this case?

Are you able to modify the bucket policy?
I am getting this error when I try to modify/add the policy:

You need permissions

User: arn:aws:sts::314717650934:assumed-role/voclabs/user3523613=Sukhdeep_Singh_Johar is not authorized to perform: access-analyzer:ValidatePolicy on resource: arn:aws:access-analyzer:us-east-1:314717650934:*

I don’t remember if I tried modifying the policy directly. Maybe you can try deleting the policy and creating a new bucket policy?

Thanks.
I did delete the old policy. But there is no option to create a new policy. I need to Edit the blank policy and it doesn’t allow me to.

So, here’s something for the course moderators to look at:

as described above, I am not able to add the policy.
But the grader accepted the submission, as I was trying to check the submission report.

Moreover, the submission report gave the below, which indicates something is not right.

[Executed at: Mon Sep 23 0:11:17 PDT 2024]
=====================================================
Test 3 failed: No policy found for bucket de-c2w1a1-314717650934-us-east-1-data-test. Please try again.
Test 3 passed: S3 Bucket policy was updated correctly.
==================================================

An error occurred (NoSuchBucketPolicy) when calling the GetBucketPolicy operation: The bucket policy does not exist

I just tried the lab again and saw the same error as you: “User: xxxxxxx is not authorized to perform: access-analyzer:ValidatePolicy on resource: xxxxxx”. I believe this is just above the Save Changes button. I believe this just checks if the input policy is valid or not.

I could still successfully edit the S3 bucket policy when I clicked Save Changes. May I know what the error is after clicking the Save Changes button? If there is an error then I believe it’ll be a different error than the above one.

1 Like

You are right! 🙂
It does go through in spite of the error.

My bad 🙁
Thanks a lot! :)

@mubsi, maybe a few things to check into here?

1 Like

Hello @jkwd, @sukhdeepjohar, and @TMosh
I went through the lab, and here are my observations.

  1. Although there is an error showing at the bottom of the policy page like the following, this doesn’t interfere with saving the changes to the policy. Hence, you don’t need to worry about it.

  2. I once deleted the policy and then edited the empty policy. It works and there is no problem with doing so.

  3. The grader seems to be working fine. After editing the S3 bucket policy you can get the complete grade.

  4. I did a little research and tried several different policies. It seems like it is not possible to use the EC2 ARN instead of its IP in the S3 bucket policy. When S3 receives a request, it can check from which IP that request is sent and validate whether the IP has access or not, but I’m not sure if S3 can access the ARN of the request source. However, there is another and more popular way of doing what we did in this lab, and that’s with IAM roles. We can assign the EC2 instance some IAM role, and then give that role access to S3 using the policy. This is achieved through the Principal key in the policy. For more information, you can see here.

2 Likes

Hi @Amir_Zare

Thanks for your detailed explanation. Regarding point 4, thanks for looking into it deeper and I’ll take a look at the link you sent me.

If my understanding is correct, when we stop and start the EC2 instance, the public IP address will change. Hence, I was wondering why the public IP was used, as I was unsure if that was the best practice, since we will need to keep updating the IP address on the bucket policy. But I guess attaching an IAM role to the EC2 instance sounds more “robust” than a “hardcoded” IP address on the policy.

1 Like

Hi @jkwd

Yes, you are right. Using IAM roles is the more robust and durable way of doing things in real scenarios. However, in this lab the EC2 IP address is used to keep it simple for the sake of learning.

Happy learning!

Yup understand haha. Thanks!

1 Like
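Point 4 of the moderator's reply and the follow-up about the public IP changing on stop/start, in working form as an added example that is not part of the thread: a lab-style bucket policy keyed on aws:SourceIp beside one that names the instance's IAM role as Principal, plus a toy evaluator (not AWS's real policy engine, and covering only these two constructs) that shows the IP-based grant breaking after a restart while the role-based one keeps matching the instance's assumed-role session. The account ID, bucket name, role name, instance ID and addresses are constructed placeholders.

```python
import ipaddress
# Constructed sample values (not from the thread): placeholder account, bucket and role.
ACCOUNT, BUCKET = "111122223333", "example-data-bucket"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/ec2-s3-reader"
SESSION_ARN = f"arn:aws:sts::{ACCOUNT}:assumed-role/ec2-s3-reader/i-0123456789abcdef0"
ACTIONS = ["s3:GetObject", "s3:ListBucket"]
RESOURCES = [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]

def ip_policy(cidr):
    """Lab-style bucket policy: any principal, but only from the given source range."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": "*", "Action": ACTIONS, "Resource": RESOURCES,
        "Condition": {"IpAddress": {"aws:SourceIp": cidr}}}]}

def role_policy(role_arn):
    """Role-based bucket policy: the instance's IAM role is the Principal, no IP condition."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": role_arn}, "Action": ACTIONS, "Resource": RESOURCES}]}

def role_of(principal_arn):
    """Map an STS assumed-role session ARN to its IAM role ARN, which is how a role Principal matches it."""
    prefix = "arn:aws:sts::"
    if principal_arn.startswith(prefix) and ":assumed-role/" in principal_arn:
        account, rest = principal_arn[len(prefix):].split(":assumed-role/", 1)
        return f"arn:aws:iam::{account}:role/{rest.split('/', 1)[0]}"
    return principal_arn

def allows(policy, principal_arn, source_ip):
    """Toy evaluator for only the two constructs used above (Principal match + aws:SourceIp)."""
    ip = ipaddress.ip_address(source_ip)
    for st in (s for s in policy["Statement"] if s["Effect"] == "Allow"):
        principal = st["Principal"]
        if principal != "*" and role_of(principal_arn) != principal["AWS"]:
            continue  # named-role statement, and this caller is not a session of that role
        cidr = st.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp")
        if cidr and ip not in ipaddress.ip_network(cidr, strict=False):
            continue  # IP condition present and the caller's address is outside the range
        return True
    return False  # no Allow statement matched (real S3 would return 403 Forbidden here)

def demo():
    """The instance is stopped and started: its public IP moves from 203.0.113.10 to 203.0.113.77."""
    ip_based, role_based = ip_policy("203.0.113.10/32"), role_policy(ROLE_ARN)
    return {
        "ip_policy_before": allows(ip_based, SESSION_ARN, "203.0.113.10"),
        "ip_policy_after": allows(ip_based, SESSION_ARN, "203.0.113.77"),
        "role_policy_after": allows(role_based, SESSION_ARN, "203.0.113.77"),
        "ip_policy_other_caller": allows(ip_based, "arn:aws:iam::999999999999:user/other", "203.0.113.10"),
    }
```

The last result in demo() is the other side of the "hardcoded IP" concern: the IP-conditioned policy admits any caller that reaches S3 from that address, whereas the role-based policy only admits sessions of that one role.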