# Allow EC2 instances write access to S3 buckets in AMS accounts
<a name="allow-ec2-instances-write-access-to-s3-buckets-in-ams-accounts"></a>

*Mansi Suratwala, Amazon Web Services*

## Summary
<a name="allow-ec2-instances-write-access-to-s3-buckets-in-ams-accounts-summary"></a>

AWS Managed Services (AMS) helps you operate your AWS infrastructure more efficiently and securely. AMS accounts have security guardrails for standardized administration of your AWS resources. One guardrail is that default Amazon Elastic Compute Cloud (Amazon EC2) instance profiles don’t allow write access to Amazon Simple Storage Service (Amazon S3) buckets. However, your organization might have multiple S3 buckets and require more control over access by EC2 instances. For example, you might want to store database backups from EC2 instances in an S3 bucket.

This pattern explains how to use requests for change (RFCs) to allow your EC2 instances write access to S3 buckets in your AMS account. An RFC is a request, created by you or by AMS, to make a change in your managed environment; it includes a [change type](https://docs.aws.amazon.com/managedservices/latest/ctref/classifications.html) (CT) ID that identifies the particular operation.

## Prerequisites and limitations
<a name="allow-ec2-instances-write-access-to-s3-buckets-in-ams-accounts-prereqs"></a>

**Prerequisites**
+ An AMS Advanced account. For more information about this, see [AMS operations plans](https://docs.aws.amazon.com/managedservices/latest/accelerate-guide/what-is-ams-op-plans.html) in the AMS documentation.
+ Access to the AWS Identity and Access Management (IAM) `customer-mc-user-role` role to submit RFCs.
+ AWS Command Line Interface (AWS CLI), installed and configured on the EC2 instances in your AMS account.
+ An understanding of how to create and submit RFCs in AMS. For more information about this, see [What are AMS change types?](https://docs.aws.amazon.com/managedservices/latest/ctref/what-are-change-types.html) in the AMS documentation.
+ An understanding of manual and automated change types (CTs). For more information about this, see [Automated and manual CTs](https://docs.aws.amazon.com/managedservices/latest/userguide/ug-automated-or-manual.html) in the AMS documentation.

## Architecture
<a name="allow-ec2-instances-write-access-to-s3-buckets-in-ams-accounts-architecture"></a>

**Technology stack**
+ AMS
+ AWS CLI
+ Amazon EC2
+ Amazon S3
+ IAM

## Tools
<a name="allow-ec2-instances-write-access-to-s3-buckets-in-ams-accounts-tools"></a>
+ [AWS Command Line Interface (AWS CLI)](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html) is an open-source tool that helps you interact with AWS services through commands in your command-line shell.
+ [AWS Identity and Access Management (IAM)](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) helps you securely manage access to your AWS resources by controlling who is authenticated and authorized to use them.
+ [AWS Managed Services (AMS)](https://docs.aws.amazon.com/managedservices/latest/userguide/what-is-ams.html) helps you operate your AWS infrastructure more efficiently and securely. 
+ [Amazon Simple Storage Service (Amazon S3)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html) is a cloud-based object storage service that helps you store, protect, and retrieve any amount of data.
+ [Amazon Elastic Compute Cloud (Amazon EC2)](https://docs.aws.amazon.com/ec2/) provides scalable computing capacity in the AWS Cloud. You can launch as many virtual servers as you need and quickly scale them up or down.

## Epics
<a name="allow-ec2-instances-write-access-to-s3-buckets-in-ams-accounts-epics"></a>

### Create an S3 bucket with an RFC
<a name="create-an-s3-bucket-with-an-rfc"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Create an S3 bucket by using an automated RFC. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/allow-ec2-instances-write-access-to-s3-buckets-in-ams-accounts.html) Make sure that you record the S3 bucket's name; the IAM policy in the next epic is scoped to it. | AWS systems administrator, AWS developer | 

### Create an IAM instance profile and associate it with the EC2 instances
<a name="create-an-iam-instance-profile-and-associate-it-with-the-ec2-instances"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Submit a manual RFC to create an IAM role. | When an AMS account is onboarded, a default IAM instance profile named `customer-mc-ec2-instance-profile` is created and associated with each EC2 instance in your AMS account. However, that instance profile doesn’t have write permissions to your S3 buckets. To add the write permissions, submit the **Create IAM Resource** manual RFC to create an IAM role that has the following three policies: `customer_ec2_instance_`, `customer_deny_policy`, and `customer_ec2_s3_integration_policy`. The `customer_ec2_instance_` and `customer_deny_policy` policies already exist in your AMS account. However, you need to create `customer_ec2_s3_integration_policy` by using the following sample policy, replacing `<S3 bucket>` with the name of the bucket that you recorded earlier. Trust policy (only the EC2 service may assume the role):<pre>{<br />  "Version": "2012-10-17",<br />  "Statement": [<br />    {<br />      "Sid": "",<br />      "Effect": "Allow",<br />      "Principal": {<br />        "Service": "ec2.amazonaws.com"<br />      },<br />      "Action": "sts:AssumeRole"<br />    }<br />  ]<br />}</pre>Role permissions (bucket-level actions on the bucket ARN, object-level actions on the `/*` ARN):<pre>{<br />  "Version": "2012-10-17",<br />  "Statement": [<br />    {<br />      "Action": [<br />        "s3:ListBucket",<br />        "s3:GetBucketLocation"<br />      ],<br />      "Resource": "arn:aws:s3:::<S3 bucket>",<br />      "Effect": "Allow"<br />    },<br />    {<br />      "Action": [<br />        "s3:GetObject",<br />        "s3:PutObject",<br />        "s3:ListMultipartUploadParts",<br />        "s3:AbortMultipartUpload"<br />      ],<br />      "Resource": "arn:aws:s3:::<S3 bucket>/*",<br />      "Effect": "Allow"<br />    }<br />  ]<br />}</pre> | AWS systems administrator, AWS developer | 
| Submit a manual RFC to replace the IAM instance profile. | Submit a manual RFC to associate the target EC2 instances with the new IAM instance profile. | AWS systems administrator, AWS developer | 
| Test a copy operation to the S3 bucket. | Test a copy operation to the S3 bucket by running the following command in the AWS CLI:<pre>aws s3 cp test.txt s3://<S3 bucket>/test2.txt</pre> | AWS systems administrator, AWS developer | 
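
The IAM role epic above hands the RFC two JSON documents whose scope is easy to get subtly wrong: leaving the bucket name out of the ARNs, or attaching `s3:ListBucket` to the `/*` object ARN instead of the bucket ARN, both produce a role that looks fine but fails the `aws s3 cp` test with AccessDenied. The following script is an added example, not AMS tooling or code from this pattern: it builds the two policies for a bucket name and lints them before you paste them into the RFC. The bucket name `example-db-backups` is a constructed placeholder, and the action lists are taken from the sample policy above; nothing here calls AWS.

```python
"""Build and sanity-check the trust and permissions policies for the IAM role RFC.

Added example (not AMS's own tooling). It assumes only the bucket name you
recorded when the bucket RFC completed and never contacts AWS.
"""
import json

# Constructed placeholder; replace with the bucket created by your RFC.
EXAMPLE_BUCKET = "example-db-backups"

# Actions from the pattern, split by the ARN each one must be attached to.
BUCKET_LEVEL_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}
OBJECT_LEVEL_ACTIONS = {
    "s3:GetObject",
    "s3:PutObject",
    "s3:ListMultipartUploadParts",
    "s3:AbortMultipartUpload",
}


def trust_policy():
    """Trust policy that lets only the EC2 service assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "",
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def s3_integration_policy(bucket):
    """Permissions policy scoped to a single bucket (customer_ec2_s3_integration_policy)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": sorted(BUCKET_LEVEL_ACTIONS),
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": sorted(OBJECT_LEVEL_ACTIONS),
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def _as_list(value):
    """IAM accepts a string or a list for Action, Resource and Principal.Service."""
    return value if isinstance(value, list) else [value]


def lint_permissions(policy, bucket):
    """Return findings for a permissions policy; an empty list means it is scoped as intended."""
    findings = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag.
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        has_bucket_arn = bucket_arn in resources
        has_object_arn = f"{bucket_arn}/*" in resources
        for res in resources:
            if res in ("*", "arn:aws:s3:::*"):
                findings.append(f"statement {i}: wildcard resource {res!r}")
            elif res != bucket_arn and not res.startswith(bucket_arn + "/"):
                findings.append(f"statement {i}: resource {res!r} is outside {bucket_arn}")
        for act in actions:
            if "*" in act:
                findings.append(f"statement {i}: wildcard action {act!r}")
            elif act in BUCKET_LEVEL_ACTIONS and not has_bucket_arn:
                findings.append(f"statement {i}: {act} is bucket-level but no bucket ARN is listed")
            elif act in OBJECT_LEVEL_ACTIONS and not has_object_arn:
                findings.append(f"statement {i}: {act} is object-level but no {bucket_arn}/* is listed")
            elif act not in BUCKET_LEVEL_ACTIONS | OBJECT_LEVEL_ACTIONS:
                findings.append(f"statement {i}: action {act} is not in the pattern's list")
    return findings


def lint_trust(policy):
    """Return findings for a trust policy; only ec2.amazonaws.com may assume the role."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"Service"}:
            findings.append(f"statement {i}: principal must be a Service entry only, got {principal!r}")
        else:
            for svc in _as_list(principal["Service"]):
                if svc != "ec2.amazonaws.com":
                    findings.append(f"statement {i}: unexpected service principal {svc}")
        if set(_as_list(stmt.get("Action", []))) != {"sts:AssumeRole"}:
            findings.append(f"statement {i}: trust policy action must be exactly sts:AssumeRole")
    return findings


if __name__ == "__main__":
    policy = s3_integration_policy(EXAMPLE_BUCKET)
    print(json.dumps(policy, indent=2))  # paste this into the RFC
    print("permissions findings:", lint_permissions(policy, EXAMPLE_BUCKET))
    print("trust findings:", lint_trust(trust_policy()))
```

Run it with the real bucket name substituted for `EXAMPLE_BUCKET`; both findings lists should be empty before you submit the RFC. The same linter can be pointed at a policy exported from the account later to confirm the role is still scoped to the one bucket, which is the guardrail the pattern is relaxing.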

## Related resources
<a name="allow-ec2-instances-write-access-to-s3-buckets-in-ams-accounts-resources"></a>
+ [Create an IAM instance profile for your Amazon EC2 instances](https://docs.aws.amazon.com/codedeploy/latest/userguide/getting-started-create-iam-instance-profile.html)
+ [Creating an S3 bucket (using the Amazon S3 console, AWS SDKs, or AWS CLI)](https://docs.aws.amazon.com/AmazonS3/latest/user-guide/create-bucket.html)