If you use an S3 VPC endpoint rather than a NAT gateway or proxy to reach the Amazon Linux yum repositories, this post should be helpful to you.
We use an S3 endpoint to reach the Amazon repositories, and we noticed that every yum operation failed with the 'HTTPS Error 403 - Forbidden' error on EC2 instances launched from the latest Amazon Linux 2 AMI in the Sydney region (ami-007b2c28096a63f37).
It turns out that AWS changed the yum configuration in the latest Amazon Linux 2 AMI in the Sydney region. I have not found any official documentation from AWS about this so far.
EC2 instance launched from the previous AMI

$ for each in $(ls /etc/yum/vars); do echo -n "$each is "; cat /etc/yum/vars/$each | grep -v '^$'; done
amazonlinux is amazonlinux
awsdomain is amazonaws.com
awsproto is http
awsregion is ap-southeast-2
product is core
target is latest
EC2 instance launched from the latest AMI

$ for each in $(ls /etc/yum/vars); do echo -n "$each is "; cat /etc/yum/vars/$each | grep -v '^$'; done
amazonlinux is amazonlinux-2-repos-ap-southeast-2.s3
awsdomain is amazonaws.com
awsproto is https
awsregion is ap-southeast-2
product is core
target is latest
As shown above, $amazonlinux and $awsproto have changed. yum builds the repository URL from these variables, so the repository host is now the S3 bucket amazonlinux-2-repos-ap-southeast-2 in virtual-hosted style (amazonlinux-2-repos-ap-southeast-2.s3.amazonaws.com), fetched over HTTPS. Our S3 endpoint policy did not allow that bucket, so S3 rejected the requests and yum reported them as 403 Forbidden. Once we added "arn:aws:s3:::amazonlinux-2-repos-ap-southeast-2/*" to the S3 endpoint policy, yum started to work again. Keep the resource for the previous repository in the policy as well if you still have instances launched from older AMIs, since those continue to use the old host. The bucket name carries the region, so if you run in other regions, check /etc/yum/vars/amazonlinux on a freshly launched instance there before editing that region's endpoint policy.
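To see why the new variables trip the endpoint policy, the following added example (written for this post, not code from the original or from AWS) expands the two /etc/yum/vars listings into the mirror.list URL yum requests, derives the S3 bucket and key from it, and evaluates a constructed endpoint policy against that object the way a VPC endpoint policy would (explicit Deny wins, otherwise an Allow is required). It assumes the mirrorlist template from /etc/yum.repos.d/amzn2-core.repo, ignores Principal and Condition blocks, and uses a made-up placeholder bucket in the "before" policy; the only thing that matters is that the new bucket is absent from it.

```python
import json
from fnmatch import fnmatchcase
from string import Template

# Constructed sample input: the two /etc/yum/vars listings shown above.
PREVIOUS_AMI_VARS = {
    "amazonlinux": "amazonlinux",
    "awsdomain": "amazonaws.com",
    "awsproto": "http",
    "awsregion": "ap-southeast-2",
    "product": "core",
    "target": "latest",
}
LATEST_AMI_VARS = dict(PREVIOUS_AMI_VARS,
                       amazonlinux="amazonlinux-2-repos-ap-southeast-2.s3",
                       awsproto="https")

# Assumption: the mirrorlist line from /etc/yum.repos.d/amzn2-core.repo, which is
# where yum expands the variables above into a URL.
MIRRORLIST_TEMPLATE = ("$awsproto://$amazonlinux.$awsdomain/$awsregion/"
                       "$product/$target/$basearch/mirror.list")

# Constructed placeholder for an endpoint policy that predates the AMI change.
# The bucket name is made up; what matters is that the new bucket is not listed.
CURRENT_ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": ["arn:aws:s3:::placeholder-existing-repo-bucket/*"],
    }],
}

NEW_REPO_BUCKET = "amazonlinux-2-repos-ap-southeast-2"


def mirrorlist_url(yumvars, basearch="x86_64"):
    """Expand the yum variables into the mirror.list URL yum will request."""
    return Template(MIRRORLIST_TEMPLATE).substitute(yumvars, basearch=basearch)


def s3_object_for_url(url):
    """Map a virtual-hosted-style S3 URL (<bucket>.s3.amazonaws.com/<key> or
    <bucket>.s3.<region>.amazonaws.com/<key>) to (bucket, key). Returns None for
    hosts not written that way, such as the previous AMI's amazonlinux.amazonaws.com."""
    host, _, key = url.split("://", 1)[1].partition("/")
    labels = host.split(".")
    if len(labels) >= 4 and labels[1] == "s3" and labels[-2:] == ["amazonaws", "com"]:
        return labels[0], key
    return None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource):
    """IAM-style wildcard match on Action (case-insensitive) and Resource."""
    action_ok = any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt.get("Action", [])))
    resource_ok = any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", [])))
    return action_ok and resource_ok


def endpoint_policy_allows_fetch(policy, url):
    """Approximate how the endpoint policy treats one GET of the mirror.list:
    an explicit Deny wins, otherwise a matching Allow is required. Principal and
    Condition are ignored (assumption: Principal "*" and no conditions).
    Returns None when the URL cannot be mapped to an S3 bucket."""
    target = s3_object_for_url(url)
    if target is None:
        return None
    bucket, key = target
    resource = f"arn:aws:s3:::{bucket}/{key}"
    matched = [s for s in policy["Statement"] if _statement_matches(s, "s3:GetObject", resource)]
    if any(s["Effect"] == "Deny" for s in matched):
        return False
    return any(s["Effect"] == "Allow" for s in matched)


def allow_repo_bucket(policy, bucket):
    """Return a copy of the policy with the read-only Allow for the bucket's objects."""
    fixed = json.loads(json.dumps(policy))  # deep copy; leave the original untouched
    fixed["Statement"].append({
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": [f"arn:aws:s3:::{bucket}/*"],
    })
    return fixed


if __name__ == "__main__":
    for label, yumvars in (("previous AMI", PREVIOUS_AMI_VARS), ("latest AMI", LATEST_AMI_VARS)):
        url = mirrorlist_url(yumvars)
        print(f"{label}: {url}")
        print(f"  bucket/key: {s3_object_for_url(url)}")
        print(f"  allowed by current policy: {endpoint_policy_allows_fetch(CURRENT_ENDPOINT_POLICY, url)}")
    fixed = allow_repo_bucket(CURRENT_ENDPOINT_POLICY, NEW_REPO_BUCKET)
    print(f"latest AMI allowed after fix: {endpoint_policy_allows_fetch(fixed, mirrorlist_url(LATEST_AMI_VARS))}")
    print(json.dumps(fixed, indent=2))
```

Run it as is to see the "before" policy reject the latest AMI's mirror.list and the appended statement allow it; to check your own policy, replace CURRENT_ENDPOINT_POLICY with the JSON from your endpoint. The previous AMI's host is not a bucket.s3 name, so the helper cannot derive a bucket for it and returns None rather than guessing.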