即使S3资源是公共的,托管Web应用程序的EC2实例是否需要任何角色(例如s3fullaccess)? [英] Does an EC2 instance hosting a web app require any role ( like s3fullaccess) even when the S3 resouce is public?
问题描述
场景:一个Web应用程序托管在EC2上,该角色具有对S3的完全访问权限.现在在Web应用程序上,说S3资源是作为链接嵌入到某些网页中的图像.
Scenario: A web app is hosted on EC2 with a role having full S3 access. Now on the webapp, say the S3 resource is an image embedded as a link in some webpage.
因此,CORS开始发挥作用.因此,如果启用了资源的CORS和公共访问权限(我的意思是为Bucket),则应该这样做.
So here CORS comes in to action. So if CORS and Public access for the resource are enabled (for the Bucket I mean), that should do.
当已经授予公共访问权限时,将角色添加到EC2实例的意义何在,该资源已经是公共的.
And when public access is already granted, what's the point in adding a role to EC2 instance, the resource is already public.
因此,EC2实例的角色不是多余的,不是必需的.有人可以确认或建议使用正确的权限吗?
So, is not the role for EC2 instance redundant and not necessary. Could someone confirm or suggest the right permissions to use?
(要求我进行澄清,因为关于StackOverflow的建议很少提到需要EC2的角色.)
(Am required to ask for this clarification as few suggestions on StackOverflow mentioned that role for EC2 is required.)
推荐答案
首先,我应该指出,如果可能的话,应避免使用AmazonS3FullAccess策略.它授予在Amazon S3中执行任何操作的权限,包括删除所有存储桶和对象!在可能的情况下,始终授予最低特权,仅授予必要的访问权限.
First, I should mention that use of the AmazonS3FullAccess policy should be avoided if possible. It grants permission to do anything in Amazon S3, including deleting all buckets and objects! Always grant least privilege when possible, only granting the access that is necessary.
如果应用链接到公共对象,则对于您描述的场景,不需要其他S3权限.
If the app is linking to public objects, then no additional S3 permissions are required for the scenario you describe.
但是,许多应用程序并未公开所有文件.例如,假设该应用程序是照片存储/共享应用程序.人们希望将照片保留为私有,但仍可以在网页中查看.为此,该应用可以生成 Amazon S3预签名URL 提供对Amazon S3中私有对象的临时访问.这样,可以在HTML页面上的<img>标记中引用对象,但保持私有状态.
However, many apps do not with to make all files public. For example, let's say the app is a photo storage/sharing app. People would like to keep their photos private, yet be able to view them in a web page. To do this, the app can generate an Amazon S3 pre-signed URL that provides temporary access to private objects in Amazon S3. This way, an object can be referenced in an <img> tag on an HTML page, yet remain private.
创建预签名URL需要一组凭证,这些凭证至少具有对共享的Amazon S3对象的读取访问权限.因此,该应用有必要接收这些凭据(通常通过IAM角色).
Creating a pre-signed URL requires a set of credentials that have, at minimum, read access to the Amazon S3 object being shared. Thus, it would be necessary for the app to receive these credentials (normally via an IAM Role).
这篇关于即使S3资源是公共的,托管Web应用程序的EC2实例是否需要任何角色(例如s3fullaccess)?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
