Day 37: Managing EC2 Access with S3 Role-based Permissions

Source: Dev.to

Lab Information

The Nautilus DevOps team needs to set up an application on an EC2 instance to interact with an S3 bucket for storing and retrieving data. The team must create a private S3 bucket, set appropriate IAM policies and roles, and test the application functionality.

Task Overview

1. EC2 Instance Setup

   • An instance named xfusion-ec2 already exists.
   • The instance requires access to an S3 bucket.

2. Setup SSH Keys

   • Create a new SSH key pair (id_rsa and id_rsa.pub) on the aws-client host.
   • Add the public key to the root user’s authorized_keys on the EC2 instance.

3. Create a Private S3 Bucket

   • Bucket name: xfusion-s3-29734.
   • Ensure the bucket is private.

4. Create an IAM Policy and Role

   • Policy must allow s3:PutObject, s3:GetObject, and s3:ListBucket on xfusion-s3-29734.
   • Role name: xfusion-role.
   • Attach the policy to the role and the role to the EC2 instance.

5. Test the Access

   • SSH into the EC2 instance and upload a file to the bucket.
   • List the bucket contents to verify.

---

Step 1: Verify Existing EC2 Instance

An EC2 instance named xfusion-ec2 already exists. No changes are needed at this stage; the instance will later be attached to an IAM role for S3 access.

---

Step 2: Set Up SSH Keys (Password‑less Access)

2.1 Create SSH Key Pair on aws-client

# Generate a new SSH key pair:
ssh-keygen -t rsa -f /root/.ssh/id_rsa -N ""

# Confirm files exist:
ls /root/.ssh/

You should see:

id_rsa  id_rsa.pub

2.2 Add Public Key to EC2 Instance

1. Connect to xfusion-ec2 using AWS Console (Instance Connect or Session Manager).
2. Ensure the EC2 security group allows inbound SSH (port 22).
3. Edit the authorized_keys file:

sudo -i
vi /root/.ssh/authorized_keys

4. Paste the contents of /root/.ssh/id_rsa.pub from the aws-client host, save, and exit.

✅ Password‑less SSH is now enabled.

---

Step 3: Create a Private S3 Bucket

1. Open the AWS Console → S3 → Create bucket.

2. Configure:

   • Bucket name: xfusion-s3-29734
   • Region: Same as the EC2 instance
   • Object Ownership: ACLs disabled
   • Block Public Access: Keep all enabled (bucket remains private)

3. Click Create bucket.

✅ The bucket is private by default.

---

Step 4: Create IAM Policy for S3 Access

4.1 Create the Policy

Navigate to IAM → Policies → Create policy, select the JSON tab, and paste the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::xfusion-s3-29734/*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::xfusion-s3-29734"
    }
  ]
}

4. Click Next, name the policy xfusion-s3-policy, and create it.

---

Step 5: Create IAM Role and Attach Policy

5.1 Create Role

1. Go to IAM → Roles → Create role.
2. Trusted entity: AWS service → EC2.
3. Click Next.

5.2 Attach Policy

Select the xfusion-s3-policy you just created and click Next.

5.3 Role Name

Enter xfusion-role as the role name and click Create role.

✅ Role is ready.

---

Step 6: Attach IAM Role to EC2 Instance

1. Open EC2 → Instances.
2. Select xfusion-ec2.
3. Choose Actions → Security → Modify IAM role.
4. Select xfusion-role and click Update IAM role.

✅ The EC2 instance now has permission to access the S3 bucket.

---

Step 7: Test S3 Access from EC2

7.1 SSH into the EC2 Instance

ssh root@

7.2 Create a Test File

echo "S3 access test" > testfile.txt

7.3 Upload the File to S3

aws s3 cp testfile.txt s3://xfusion-s3-29734/

7.4 List Files in the Bucket

aws s3 ls s3://xfusion-s3-29734/

If the upload succeeded, the file will appear in the listing output.