![\"S3-RoleBasedAccess](\"\/blog\/wp-ttn-blog\/uploads\/2013\/12\/S3-RoleBasedAccess-New-Page-2.png\" "\\"S3-RoleBasedAccess")
<\/a><\/p>\nTo accomplish this we followed the steps mentioned below<\/p>\n
- \n
- Created an AWS Role named “Worker” which EC2 instances can assume with no specific permission policy.<\/span><\/li>\n
A role in AWS IAM defines the permissions for service requests and it is assumed by AWS resources like EC2 Instance. The benefit of using roles was that we didn’t have to configure S3 separately on the instance. S3 in this case used ROLE credentials which are temporary and rotated automatically.<\/p>\n
- Created an EC2 instance with Role “Worker” and Ip address : 54.254.196.37<\/span><\/li>\n
- Added policy to our bucket “com.intelligrape.rolebasedaccess.test” which only allows EC2 instances with Role “worker” and IP address “54.254.196.37” to access the file named “SIPD”.<\/span><\/li>\n<\/ol>\n
\r\n\"Version\": \"2008-10-17\",\r\n\"Id\": \"Policy1388257451238\",\r\n\"Statement\": [ \r\n { \"Sid\": \"1232343455\",\r\n \"Effect\": \"Allow\",\r\n \"Principal\": { \"AWS\": \"arn:aws:iam::10987654321:role\/worker\" }, \/\/arn:aws:iam::accountnumber:role\/rolename\r\n \"Action\": \"s3:GetObject\", \/\/ actions allowed, only allowed to fetch object.\r\n \"Resource\": \"arn:aws:s3:::com.intelligrape.rolebasedaccess.test\/SIPD\", \/\/\"arn:aws:s3:::bucketname\/file\"\r\n \"Condition\": {\r\n \"IpAddress\": {\"aws:SourceIp\": \"54.254.196.37\/32\"} \/\/ Ip address to allow access to\r\n } \r\n } \r\n ] \r\n}\r\n<\/code><\/pre>\n(Do not forget to remove the comments before putting it to use.)
\nAnd its done, with this we were able to limit access to S3 bucket to EC2 instance with specific IP address.<\/p>\n - Created an EC2 instance with Role “Worker” and Ip address : 54.254.196.37<\/span><\/li>\n