AWS S3 Bucket Access from EC2


Question


I need to fire up an S3 bucket so my EC2 instances have access to store image files to it. The EC2 instances need read/write permissions. I do not want to make the S3 bucket publicly available, I only want the EC2 instances to have access to it.


The other gotcha is my EC2 instances are being managed by OpsWorks and I can have many different instances being fired up depending on load/usage. If I were to restrict it by IP, I may not always know the IP the EC2 instances have. Can I restrict by VPC?


Do I have to make my S3 bucket enabled for static website hosting? Do I need to make all files in the bucket public as well for this to work?

Accepted answer


You do not need to make the bucket public readable, nor the files public readable. The bucket and its contents can be kept private.


Don't restrict access to the bucket based on IP address, instead restrict it based on the IAM role the EC2 instance is using.


  1. Create an IAM EC2 instance role for your EC2 instances.

  2. Launch the EC2 instances using that role.

  3. Give that IAM role a policy that grants access to the S3 bucket.

For example:

{
  "Version": "2012-10-17",
  "Statement":[{
    "Effect": "Allow",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::my_bucket",
                 "arn:aws:s3:::my_bucket/*"]
    }
  ]
}

  4. If you want to restrict access to the bucket itself, try using an S3 bucket policy.

For example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn:aws:iam::111122223333:role/my-ec2-role"]
      },
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::my_bucket",
                   "arn:aws:s3:::my_bucket/*"]
    }
  ]
}

More information: http://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourc
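As an added example (not part of the original answer), the Python below builds a least-privilege variant of the answer's bucket policy, granting only the list/read/write verbs the question asks for, and audits any bucket policy for statements broader than "this instance role, this bucket". The bucket name and role ARN are the placeholder values from the answer; the function names are my own.

```python
import json

# Placeholder values taken from the answer above (not a real account or bucket).
BUCKET = "my_bucket"
ROLE_ARN = "arn:aws:iam::111122223333:role/my-ec2-role"


def least_privilege_policy(bucket: str, role_arn: str) -> dict:
    """Bucket policy letting one instance role list the bucket and read/write objects, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": role_arn},
             "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Principal": {"AWS": role_arn},
             "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def _as_list(value):
    # IAM policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def audit_bucket_policy(policy: dict, bucket: str, allowed_principals: set) -> list:
    """Return findings for Allow statements that reach beyond the expected role or bucket."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for p in aws_principals:
            if p == "*":
                findings.append(f"stmt {i}: Principal '*' makes the bucket public")
            elif p not in allowed_principals:
                findings.append(f"stmt {i}: unexpected principal {p}")
        for a in _as_list(st.get("Action", [])):
            if a.endswith("*"):  # s3:* etc.: grant only the verbs the instances need
                findings.append(f"stmt {i}: wildcard action {a}")
        for r in _as_list(st.get("Resource", [])):
            if r not in (f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"):
                findings.append(f"stmt {i}: resource {r} is outside {bucket}")
    return findings


if __name__ == "__main__":
    print(json.dumps(least_privilege_policy(BUCKET, ROLE_ARN), indent=2))
```

Run against the answer's own bucket policy, the audit reports only the `s3:*` wildcard action, which is the one place that policy is broader than the question requires.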
