All geek questions in one place

Access to EC2 AWS S3 Bucket

I need to run the S3 bucket so that my EC2 instances have access to the image file repository. EC2 instances need read / write permissions. I do not want the S3 core to be publicly available, I want EC2 instances to have access to it.

Another way: my EC2 instances are managed by OpsWorks, and I may be able to run different instances depending on load / usage. If I limited it to IP, I might not always know the IP that has EC2 instances. Can I restrict VPC?

Should I make my S3 bucket enabled for static hosting? Do I need to make all the files in the bucket publicly available for this to work?

+11
source share
3 answers

You do not need to make the bucket public, and the files public. The bucket and its contents can be kept secret.

Do not restrict access to the segment based on the IP address, but restrict it based on the IAM role that the EC2 instance uses.

  1. Create an IAM EC2 instance role for your EC2 instances.
  2. Launch your EC2 instances using this role.
  3. Assign an S3 basket access policy to this IAM role.

For example:

{
  "Version": "2012-10-17",
  "Statement":[{
    "Effect": "Allow",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::my_bucket",
                 "arn:aws:s3:::my_bucket/*"]
    }
  ]
}
  1. If you want to restrict access to the trash itself, try the S3 trash policy.

For example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn:aws:iam::111122223333:role/my-ec2-role"]
      },
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::my_bucket",
                   "arn:aws:s3:::my_bucket/*"]
    }
  ]
}

Additional information: http://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourc

+11
source

The IAM role is the solution for you.

s3, ec2 - , .

enter image description here

Refer: AWS OpsWorks

+1

. :

  • AWS EC2 .
  • .
  • "/ IAM"
  • S3FullAccess.

AWS, :

  • aws s3 cp / s3://_

... . - . : , S3 . .

0
source

Source: https://habr.com/ru/post/1618364/

More articles:


All Articles