I am deploying an ECS Fargate cluster with a service in private subnets. To enable tasks to pull the Docker image from ECR, I have created three Endpoints (dkr, ecr API, and S3) in my VPC.
Focusing on the S3 endpoint, I would like to associate the most restrictive policy possible so that only tasks can use this endpoint and only access the specific S3 bucket where ECR stores the images.
In the official AWS documentation, they propose the following policy:
{
"Statement": [
{
"Sid": "Access-to-specific-bucket-only",
"Principal": "*",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::prod-region-starport-layer-bucket/*"]
}
]
}
This policy is okay, but it only restricts access to the bucket through the endpoint. I would like a policy that specifically allows only ECS to access it and not other resources that may be in the same private subnets with access to the endpoint.
I have tried this policy:
{
"Statement": [
{
"Sid": "Access-to-specific-bucket-only-from-ecs-task",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
},
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::prod-region-starport-layer-bucket/*"]
}
]
}
But it doesn't work, task can't pull the image and I don't know why. Also I tried putting the role with which the ECS service runs, and I've also tried with the role with which the tasks run. Neither of these two things as the principal works; the tasks are not able to pull the image.
Can you help me out?