Cloud9 to Restricted S3 Bucket. Verify that Cloud9 can successfully write into the unrestricted bucket (bucket with no bucket policy) via the Internet
Ensure that your session is connected to the Cloud9 instance. You will execute step 2 from the Cloud9 EC2 instance bash prompt:
Execute the commands provided below AFTER replacing the values of
touch test.txt
aws sts get-caller-identity
nslookup s3.amazonaws.com
aws s3 cp test.txt s3://<UnrestrictedS3Bucket>/test.txt
aws s3 rm s3://<UnrestrictedS3Bucket>/test.txt
The upload to the unrestricted bucket should succeed.
A. The Cloud9 instance is on the public subnet. When you execute the aws s3 cp command, the AWS CLI signs your API request using credentials associated with the identity returned by aws sts get-caller-identity. The AWS CLI uses DNS to resolve the address for Amazon Simple Storage Service (S3). A public address is returned (as the output of the nslookup command shows). The route table for your Cloud9 instance does not have an entry for the VPC Endpoint, so traffic destined for S3 is sent to the Internet Gateway via the 0.0.0.0/0 route table entry.
B. The request is routed to the public IP address of the S3 service.
C. The request reaches Amazon S3. The request is authenticated and the API call is authorized. The unrestricted bucket does not have a resource (bucket) policy. IAM permissions assigned to the identity ALLOW data to be written to the unrestricted bucket.
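The path described in step A can be checked rather than inferred. The following script is an added example (not part of the lab) that reads route tables in the shape returned by aws ec2 describe-route-tables and reports whether S3-bound traffic would leave through a gateway VPC endpoint (a route whose destination is a prefix list and whose target is a vpce-* ID) or through the 0.0.0.0/0 route to the Internet Gateway; it also classifies the address nslookup returned as public or private. The route tables, resource IDs and IP addresses are constructed placeholders, not real resources.

```python
import ipaddress
import json

# Constructed sample in the shape of `aws ec2 describe-route-tables` output.
# The first table matches the lab's public subnet (default route to an IGW);
# the second has a gateway endpoint route for S3. All IDs are placeholders.
SAMPLE_ROUTE_TABLES = json.loads("""
{
  "RouteTables": [
    {
      "RouteTableId": "rtb-PUBLIC-PLACEHOLDER",
      "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-PLACEHOLDER", "State": "active"}
      ]
    },
    {
      "RouteTableId": "rtb-PRIVATE-PLACEHOLDER",
      "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationPrefixListId": "pl-PLACEHOLDER", "GatewayId": "vpce-PLACEHOLDER", "State": "active"}
      ]
    }
  ]
}
""")


def is_public_address(ip: str) -> bool:
    """True when the address nslookup returned is globally routable (RFC 1918 etc. are not)."""
    return ipaddress.ip_address(ip).is_global


def s3_path(route_table: dict) -> str:
    """Classify where S3-bound traffic leaves this route table.

    An active prefix-list route targeting a vpce-* ID wins (gateway endpoints are
    more specific than 0.0.0.0/0). Otherwise the default route decides.
    """
    default_target = None
    for route in route_table["Routes"]:
        if route.get("State") != "active":
            continue
        # Targets live in different keys depending on type; only the ones
        # relevant to this check are considered (simplification).
        target = route.get("GatewayId") or route.get("NatGatewayId") or ""
        if "DestinationPrefixListId" in route and target.startswith("vpce-"):
            return "vpc-endpoint"
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            default_target = target
    if default_target is None:
        return "no-route"
    if default_target.startswith("igw-"):
        return "internet-gateway"
    return "other:" + default_target  # e.g. a nat-* target on a private subnet


def classify_all(data: dict) -> dict:
    """Map every route table ID in describe-route-tables output to its S3 path."""
    return {rt["RouteTableId"]: s3_path(rt) for rt in data["RouteTables"]}


if __name__ == "__main__":
    for rtb, path in classify_all(SAMPLE_ROUTE_TABLES).items():
        print(f"{rtb}: S3 traffic via {path}")
    # Constructed addresses standing in for what nslookup might return.
    for addr in ("52.216.0.1", "10.0.1.5"):
        print(f"{addr}: {'public' if is_public_address(addr) else 'private'}")
```

To run it against a real account, replace SAMPLE_ROUTE_TABLES with the parsed output of aws ec2 describe-route-tables for the Cloud9 instance's subnet; the public-subnet table should report internet-gateway, which is exactly why the upload in this step succeeds over the Internet.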
Note: If you are using the event engine platform for this lab, the effective identity will be a role named “TeamRole”. This identity has been configured with full access to S3. If you are running this lab outside of the event engine platform, it is assumed that the identity being used to access Cloud9 has administrative privileges to S3.