Cloud9 to Restricted S3 Bucket

Verify that Cloud9 can successfully write into the unrestricted bucket (a bucket with no bucket policy) via the Internet.

  1. Refer to the output values collected from your CloudFormation stack. Note the value of the “UnrestrictedS3Bucket” output; you will substitute this value into the commands below.

Ensure that your session is connected to the Cloud9 instance. You will execute step 2 from the Cloud9 EC2 instance bash prompt:

  2. Execute the commands provided below AFTER replacing <UnrestrictedS3Bucket> with the output value collected in step 1. Make note of the results.

    touch test.txt                                      # create a local file to upload
    aws sts get-caller-identity                         # which identity signs the S3 request
    nslookup s3.amazonaws.com                           # which address the CLI will connect to
    aws s3 cp test.txt s3://<UnrestrictedS3Bucket>/test.txt
    aws s3 rm s3://<UnrestrictedS3Bucket>/test.txt

Expected behavior

The upload to the unrestricted bucket should succeed.


Why does this work?

A. The Cloud9 instance is on the public subnet. When you execute the aws s3 cp command, the AWS CLI signs your API request using credentials associated with the identity returned by the aws sts get-caller-identity command. The AWS CLI uses DNS to resolve the address for Amazon Simple Storage Service (S3). A public address is returned (as the output of the nslookup command shows). The route table for your Cloud9 instance does not have an entry for a VPC endpoint, so traffic destined for S3 is sent to the Internet Gateway using the 0.0.0.0/0 route table entry.

B. The request is routed to the public IP address of the S3 service.

C. The request reaches Amazon S3, where it is authenticated and the API call is authorized. The unrestricted bucket does not have a resource (bucket) policy, so the IAM permissions assigned to the identity ALLOW data to be written to the unrestricted bucket.

Note: If you are using the Event Engine platform for this lab, the effective identity will be a role named “TeamRole”. This identity has been configured with full access to S3. If you are running this lab outside of the Event Engine platform, it is assumed that the identity being used to access Cloud9 has administrative privileges to S3.
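The reasoning in A through C can be turned into a quick diagnostic. The script below is an added example, not part of the lab material: it classifies how an S3 request leaves the instance from the address DNS returns for s3.amazonaws.com and from the target of the route that covers that address. ROUTE_TABLE_ID is an assumed environment variable naming the Cloud9 subnet's route table, and the live probes are skipped when getent or the AWS CLI are not available.

```shell
#!/bin/sh
# Added diagnostic (not from the lab). A private address for s3.amazonaws.com
# means an S3 interface endpoint answers inside the VPC; a public address is
# reached through whichever route covers it: a vpce- prefix-list route
# (gateway endpoint) or, as in this lab, the 0.0.0.0/0 route to an Internet
# Gateway (igw-).
set -eu

# Return 0 when a dotted-quad IPv4 address is RFC 1918, loopback or link-local.
is_private_ipv4() {
  a=${1%%.*}; rest=${1#*.}; b=${rest%%.*}
  if [ "$a" = 10 ] || [ "$a" = 127 ]; then return 0; fi
  if [ "$a" = 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; then return 0; fi
  if [ "$a" = 192 ] && [ "$b" = 168 ]; then return 0; fi
  if [ "$a" = 169 ] && [ "$b" = 254 ]; then return 0; fi
  return 1
}

# Print the path an S3 request takes, given the resolved address and the
# GatewayId of the route that matches it (igw-..., vpce-..., nat-..., local).
s3_path() {
  if is_private_ipv4 "$1"; then echo interface-endpoint; return; fi
  case "$2" in
    vpce-*) echo gateway-endpoint ;;
    igw-*)  echo internet ;;
    nat-*)  echo nat-gateway ;;
    *)      echo "unknown:$2" ;;
  esac
}

# Live probes, skipped when the tools are absent so the file also runs offline.
if command -v getent >/dev/null 2>&1; then
  resolved=$(getent ahostsv4 s3.amazonaws.com 2>/dev/null | awk 'NR==1{print $1}')
  if [ -n "$resolved" ]; then
    if is_private_ipv4 "$resolved"; then kind=private; else kind=public; fi
    echo "s3.amazonaws.com resolves to $resolved ($kind address)"
  fi
fi
# ROUTE_TABLE_ID is an assumed variable; set it to the Cloud9 subnet's route table.
if command -v aws >/dev/null 2>&1 && [ -n "${ROUTE_TABLE_ID:-}" ]; then
  # Lists destination CIDR, prefix list (set for gateway endpoints) and target.
  aws ec2 describe-route-tables --route-table-ids "$ROUTE_TABLE_ID" \
    --query 'RouteTables[0].Routes[].[DestinationCidrBlock,DestinationPrefixListId,GatewayId]' \
    --output text
fi
```

Feed the public address and the igw- target of the 0.0.0.0/0 route to s3_path and it reports "internet", which is the path this section of the lab exercises.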
