AWS Technical Essentials – Lab 4: Create an Amazon S3 Bucket
© 2022 Amazon Web Services, Inc. or its affiliates. All rights reserved. This work may not be reproduced or redistributed, in whole or in part, without prior written permission from Amazon Web Services, Inc. Commercial copying, lending, or selling is prohibited. All trademarks are the property of their owners.
Note: Do not include any personal, identifying, or confidential information into the lab environment. Information entered may be visible to others.
Corrections, feedback, or other questions? Contact us at AWS Training and Certification.
Objectives
After completing this lab, you will be able to:
- Create an Amazon Simple Storage Service (Amazon S3) bucket
- Modify the S3 bucket policy
- Upload objects to an S3 bucket
- Modify an instance to use the S3 bucket
- Delete an object from an S3 bucket
Prerequisites
This lab requires:
- Notebook computer with Wi-Fi and Microsoft Windows, macOS, or Linux (Ubuntu, SuSE, or Red Hat)
- Administrator access (Microsoft Windows users)
- Internet browser, such as Chrome, Firefox, or Internet Explorer 9 or later
- SSH (Secure Shell) client, such as PuTTY
Note: Tablet devices cannot access the lab environment, although they can display student guides.
Duration
This lab requires 30 minutes to complete.
Scenario
In this lab, you will create an S3 bucket and modify the bucket policy. Then, you will upload some objects to the S3 bucket. Next, you will configure an instance to use an S3 bucket and launch the EC2 instance. Finally, you will remove objects from the S3 bucket.
Start lab
- To launch the lab, at the top of the page, choose Start Lab.
This starts the process of provisioning the lab resources. An estimated amount of time to provision the lab resources is displayed. You must wait for the resources to be provisioned before continuing.
If you are prompted for a token, use the one distributed to you (or credits you have purchased).
- To open the lab, choose Open Console.
The AWS Management Console sign-in page opens in a new web browser tab.
- On the Sign in as IAM user page:
- For IAM user name, enter .
- For Password, copy and paste the Password value listed to the left of these instructions.
- Choose Sign in.
Do not change the Region unless instructed.
Common sign-in errors
Error: You must first sign out
If you see the message, You must first log out before logging into a different AWS account:
- Choose the click here link.
- Close your Amazon Web Services Sign In web browser tab and return to your initial lab page.
- Choose Open Console again.
Error: Choosing Start Lab has no effect
In some cases, certain pop-up or script blocker web browser extensions might prevent the Start Lab button from working as intended. If you experience an issue starting the lab:
- Add the lab domain name to your pop-up or script blocker's allow list or turn it off.
- Refresh the page and try again.
Task 1: Create an S3 Bucket
Infrastructure
To support the lab, some resources required by the web application are provisioned for you. The resources include a VPC with a public subnet in an Availability Zone, with a route table for the subnet, as shown.
Currently, the web application runs in . The web application does not have access to Amazon S3, but you will provide that access later in this lab.
Applications must sign their API requests with AWS credentials to access other AWS resources. AWS Identity and Access Management (IAM) roles are designed to help applications make secure API requests to an instance, without requiring you to manage the security credentials that the applications use.
Instead of creating and distributing AWS credentials for the application, you can delegate permission to make API requests using IAM roles. In this lab, the application uses . The role hasn't been configured yet to allow Amazon S3 access. You will see a warning message that the application displays until Amazon S3 access is provided.
To access the web application, do the following:
- In the lab instructions screen (not the AWS Console), from the left pane, copy .
- In a new browser tab, paste the URL you copied in the previous step. You should see the application, as shown.
Note: You might need to wait a few minutes before the web application becomes available.
A warning message states the following: S3: Employee Images bucket not found.
To fix this, you will create an S3 bucket and upload images to it. You will also configure a policy to allow the web application's IAM role to access the S3 bucket, so the images can be displayed.
In this task, you will create an S3 bucket. Every object in Amazon S3 is stored in an S3 bucket. When you create your bucket, make sure that you create it in your specific Region.
In the AWS Management Console, on the Services menu, choose S3. Alternatively, you can type the service name in the Search box to access it.
Choose Create bucket, and then configure the following:
- Bucket name:
- Replace INITIALS with your initials
- Replace NUMBER with a random number
- For Region, make sure it matches the AWS Region value in the left pane of your instructions.
Example bucket name:
Note: Each S3 bucket name must be unique across all AWS accounts.
When you select a particular Region, you can optimize latency, minimize costs, and address regulatory requirements, as needed. Objects stored in a Region never leave that Region, unless you explicitly transfer them to another Region.
The Copy settings from an existing bucket option creates buckets that use the same settings as another bucket. For this lab, you will not use this option.
- Under Block Public Access settings for this bucket, examine the Block all public access section.
No changes are needed. The default setting is checked, Block all public access. This prevents all public access to data stored in the bucket.
- At the bottom, choose Create bucket.
Note: You might get warnings and error messages at the top of the window. You can ignore those. You don't need to make the objects in the bucket publicly available. They will be made available to the web application using an IAM role.
You created an S3 bucket.
Task 2: Create a Bucket Policy
A bucket policy is a set of permissions associated with an S3 bucket. It can control access to a whole bucket or to specific directories in a bucket.
In the S3 Management Console, locate where the buckets are listed, and then complete the following:
Choose the link for your bucket.
Choose the Permissions tab.
Scroll down to the Bucket policy section, and then choose Edit.
You will see a sample Bucket policy editor. Bucket policies can be created manually, or they can be created with the assistance of the AWS Policy Generator.
Replace the existing policy with the following policy. Delete the existing policy and paste the following policy into the Bucket policy editor:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowS3ReadAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::INSERT-ACCOUNT-NUMBER:role/EmployeeDirectoryAppRole"
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::INSERT-BUCKET-NAME",
        "arn:aws:s3:::INSERT-BUCKET-NAME/*"
      ]
    }
  ]
}
Replace the two INSERT-BUCKET-NAME placeholders with your bucket name, .
In the left pane of the instructions, select and copy the value next to AWS Account.
Replace the INSERT-ACCOUNT-NUMBER placeholder with the AWS Account value copied in the previous step.
Your bucket policy should look similar to the following example.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowS3ReadAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::000000000000:role/EmployeeDirectoryAppRole"
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::employee-photo-bucket-al-1234",
        "arn:aws:s3:::employee-photo-bucket-al-1234/*"
      ]
    }
  ]
}
NOTE: If you see errors to the right of the Bucket Policy you can ignore them.
- Scroll to the bottom, and choose Save changes.
You applied a bucket policy to your S3 bucket. The bucket policy uses the IAM role to allow read access from your application to the S3 bucket. With this policy, all objects in your bucket are accessible to your application.
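Note that the policy's Action is s3:*, which grants the role every S3 action on the bucket, even though its Sid and the text above describe read access. The following Python script is an added example, not part of the lab or of the Employee Directory application: it fills in the two placeholders from the lab's policy, checks that the account ID and bucket name have the right shape, and flags any wildcard actions or public principals, so you can compare the lab's policy with a read-only variant. The read-only action list (s3:ListBucket and s3:GetObject) is an assumption about what the application needs, and the regular expressions encode the public S3 bucket-naming rules rather than anything from the lab.

```python
import json
import re

# Policy template copied from the lab text, placeholders included.
POLICY_TEMPLATE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowS3ReadAccess",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::INSERT-ACCOUNT-NUMBER:role/EmployeeDirectoryAppRole"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::INSERT-BUCKET-NAME",
                "arn:aws:s3:::INSERT-BUCKET-NAME/*",
            ],
        }
    ],
}

# Assumption (not stated in the lab): the Employee Directory app only needs to
# list the bucket and fetch images, so these two actions can replace "s3:*".
READ_ONLY_ACTIONS = ["s3:ListBucket", "s3:GetObject"]

# Public S3 naming rules: 3-63 characters, lowercase letters, digits, dots and
# hyphens, starting and ending with a letter or digit. An account ID is 12 digits.
BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
ACCOUNT_ID_RE = re.compile(r"^[0-9]{12}$")


def render_policy(account_id, bucket_name, read_only=False):
    """Fill in the lab's placeholders and return the policy as a dict.

    With read_only=True every statement's Action is narrowed to READ_ONLY_ACTIONS.
    """
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError("account ID must be exactly 12 digits: %r" % account_id)
    if not BUCKET_NAME_RE.match(bucket_name):
        raise ValueError("invalid S3 bucket name: %r" % bucket_name)
    text = json.dumps(POLICY_TEMPLATE)
    text = text.replace("INSERT-ACCOUNT-NUMBER", account_id)
    text = text.replace("INSERT-BUCKET-NAME", bucket_name)
    policy = json.loads(text)
    if read_only:
        for stmt in policy["Statement"]:
            stmt["Action"] = list(READ_ONLY_ACTIONS)
    return policy


def _as_list(value):
    """IAM accepts either a string or a list in Action and Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_wildcard_actions(policy):
    """Return (Sid, action) pairs for Allow statements whose action contains '*'."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                hits.append((stmt.get("Sid"), action))
    return hits


def find_public_principals(policy):
    """Return Sids of Allow statements whose Principal is '*' (anyone at all)."""
    public = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        values = ["*"] if principal == "*" else []
        if isinstance(principal, dict):
            for v in principal.values():
                values.extend(_as_list(v))
        if "*" in values:
            public.append(stmt.get("Sid"))
    return public


if __name__ == "__main__":
    # Constructed sample values matching the lab's example policy.
    policy = render_policy("000000000000", "employee-photo-bucket-al-1234")
    print(json.dumps(policy, indent=2))
    print("wildcard actions:", find_wildcard_actions(policy))
    print("public principals:", find_public_principals(policy))
    tightened = render_policy("000000000000", "employee-photo-bucket-al-1234", read_only=True)
    print("wildcard actions after tightening:", find_wildcard_actions(tightened))
```

Run with your own account ID and bucket name to get a policy you can paste into the Bucket policy editor. The lab's policy reports one wildcard action (s3:* in AllowS3ReadAccess) and no public principal, which is consistent with the Block all public access setting left on in Task 1; the read-only variant reports nothing, since the role is named explicitly and the actions are enumerated.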
In the next task, you will configure your application to point to the bucket.
Task 3: Modify the Application to Use the S3 Bucket
Return to the browser tab with the Employee Directory application.
In the Administration section, choose the Configuration.
The Configuration Settings for the Employee Directory should look like this:
The S3 Access Enabled value and blank S3 Bucket value indicate an S3 bucket has not been associated with the Employee Directory application.
You will use the application Administration Configuration section to associate your S3 bucket () with the application.
Choose Change in the S3 Bucket field.
Enter in the S3 Bucket field.
Choose Save.
After you have associated your bucket with the application it should look like the following:
The S3 Access Enabled value and S3 Bucket value of indicate an S3 bucket has successfully been associated with the Employee Directory application.
Task 4: Upload an Object to an S3 Bucket
You created a bucket and granted permission to it. You are ready to store objects. An object can be any kind of file – text, photo, video, .zip, and so forth. When you add an object to an S3 bucket, you can include custom metadata with the object and set permissions to control access.
In this task, you will upload objects to your S3 bucket.
In the left pane in the lab instructions, copy the URL, and open it in a new browser tab. This will download a .zip file, which contains several sample images.
Extract the compressed files to your computer, in a location of your choice.
Navigate to the extracted files to access the sample images. You should see 10 .png files in the directory.
Now, you will upload the images to your bucket.
In the AWS Management Console, on the Services menu, choose S3. Alternatively, you can type the service name in the Search box to access it.
Choose the S3 bucket link.
In the bucket, choose the Objects tab.
Choose Upload.
In the Files and Folders section, choose Add files.
Browse to and select the .png files on your computer.
Choose Open.
You should see your selected files in the Files and folders section.
- At the bottom, choose Upload.
You can see the upload progress. When the files are uploaded, you will see a message stating Upload succeeded in a green banner. At that point, the files will be displayed in the bucket.
Choose Close to return to the S3 dashboard.
Return to the browser tab with the Employee Directory application.
In the Employees section, choose Images.
The application will display the employee images you uploaded. It should look similar to the following image.
Task 5: Delete S3 Objects
Go to the S3 Management Console tab you used to upload the images previously.
Choose the S3 bucket link.
Select the files (or objects) that you want to delete.
Choose Delete.
In the Permanently delete objects? section, confirm the deletion by typing permanently delete.
Choose Delete objects.
At the top, choose Close to return to the S3 dashboard.
Return to the browser tab with the Employee Directory application.
In the Employees section, choose Images.
The application should no longer display the employee images.
Note: You might need to refresh the browser to update the image list.
You successfully deleted objects from an S3 bucket.
Lab Complete
Congratulations! You completed the lab.
End lab
Follow these steps to close the console, end your lab, and evaluate your lab experience.
Return to the AWS Management Console.
At the upper-right corner of the page, choose awsstudent@<AccountNumber>, and then choose Sign out.
Choose End Lab.
Choose OK.
(Optional):
- Select the applicable number of stars to rate your lab experience.
- 1 star = Very dissatisfied
- 2 stars = Dissatisfied
- 3 stars = Neutral
- 4 stars = Satisfied
- 5 stars = Very satisfied
- Enter a comment.
- Choose Submit.
You can close the window if you don't want to provide feedback.
Additional Resources
- For more information about Amazon S3, see Amazon S3.
- For more information about editing object permissions, see Editing Object Permissions.