Posts

Showing posts from May, 2026

How to Copy Files from S3 to EC2 Using AWS CLI: The Exact Command & IAM Setup

A common operational task — pulling a config file, a deployment artifact, or a secrets template from S3 onto a running EC2 instance — trips up engineers not because the command is complex, but because a missing IAM permission silently blocks the transfer. This guide gives you the exact aws s3 cp command, the minimal IAM policy required, and the mental model to debug it when it fails.

TL;DR

Step | What You Do | Key Detail
1 | Create an IAM Role with S3 read permission | Attach to EC2 instance profile
2 | Attach the role to your EC2 instance | No access keys needed on the instance
3 | SSH into EC2, run aws s3 cp | AWS CLI uses instance metadata credentials automatically

Architecture: How the Credential Flow Works

Before running any command, understand how the EC2 instance authenticates to S3. It does not use hardcoded access keys. Instead, it uses an IAM Instance Profile — a container that holds an IAM Role — which th...

Lambda 403 on S3: Diagnosing & Fixing Execution Role Permissions

Your Lambda function executes cleanly — no runtime crashes, no timeouts — yet every S3 API call returns a 403 Forbidden. This is one of the most common IAM misconfigurations in serverless architectures, and the root cause is almost always a missing or misconfigured permission on the Lambda execution role.

TL;DR

Symptom | Root Cause | Fix
AccessDenied / 403 on S3 GetObject | Execution role lacks s3:GetObject permission | Attach inline or managed policy granting s3:GetObject on the target bucket/prefix
403 even with correct IAM policy | S3 bucket policy explicitly denies the role | Remove or adjust the bucket policy Deny statement
403 on a KMS-encrypted object | Role lacks kms:Decrypt on the CMK | Grant kms:Decrypt to the execution role in the KMS key policy
403 on a cross-account bucket | Both the role policy AND bucket policy must grant access | Update both the execution role policy and the bucket resource policy ...

How to Attach or Replace an IAM Role on a Running EC2 Instance (No Restart Required)

You launched an EC2 instance, deployed your application, and then realized you forgot to attach an IAM Role — now your app can't call S3, SSM, or any AWS service. The good news: AWS allows you to attach or replace an IAM Instance Profile on a running EC2 instance with zero downtime.

TL;DR

Scenario | Action | Restart Required?
No role attached at launch | Associate a new Instance Profile | ❌ No
Wrong role attached | Replace the existing Instance Profile | ❌ No
Need to remove role entirely | Disassociate the Instance Profile | ❌ No

Key Concepts: IAM Role vs. Instance Profile

These two terms are often used interchangeably but are distinct AWS constructs. Understanding the difference is critical before you proceed.

IAM Role: The identity object that holds permission policies. It defines what actions are allowed.
Instance Profile: A container that wraps an IAM Role and is the actual resource attached to an EC...

Host a Static Website on S3: A Step-by-Step Production Guide

You have a polished HTML/CSS site sitting on your local machine — getting it live shouldn't require a server, a DevOps team, or a monthly bill. Amazon S3's Static Website Hosting feature turns a storage bucket into a globally accessible web endpoint in under 10 minutes.

TL;DR

Step | Action | Key Detail
1 | Create S3 Bucket | Name must match your domain if using Route 53; choose your target region
2 | Disable Block Public Access | Account-level AND bucket-level settings must both allow public access
3 | Enable Static Website Hosting | Set index document (index.html) and optional error document
4 | Attach a Bucket Policy | Grant s3:GetObject to Principal: "*" for public reads
5 | Upload Your Files | Maintain relative paths; set correct Content-Type metadata
6 | (Optional) Add CloudFront | HTTPS, custom domain, global CDN edge caching

Architecture Overview

Before diving into configuration, unders...

EC2 Stop vs. Terminate: What Actually Happens to Your EBS Data

You stopped your EC2 instance to cut costs over the weekend — but now you're second-guessing yourself: did you just risk losing everything on that volume? Understanding the precise difference between Stop and Terminate is one of the most operationally critical distinctions in AWS, and getting it wrong can mean permanent, unrecoverable data loss.

TL;DR

Dimension | Stop | Terminate
Instance State | Stopped (restartable) | Terminated (permanent)
EC2 Billing | No instance-hour charges while stopped | No instance-hour charges after termination
Root EBS Volume | Persists, remains attached | Deleted by default (configurable)
Additional EBS Volumes | Persist, remain attached | Persist by default (configurable)
Instance Store (ephemeral) | Data is lost on stop | Data is lost on ...