从 EC2 访问 AWS S3 存储桶 [英] AWS S3 Bucket Access from EC2
问题描述
我需要启动一个 S3 存储桶,以便我的 EC2 实例可以访问将图像文件存储到它.EC2 实例需要读/写权限.我不想让 S3 存储桶公开可用,我只希望 EC2 实例可以访问它.
I need to fire up an S3 bucket so my EC2 instances have access to store image files to it. The EC2 instances need read/write permissions. I do not want to make the S3 bucket publicly available, I only want the EC2 instances to have access to it.
另一个问题是我的 EC2 实例由 OpsWorks 管理,我可能会根据负载/使用情况启动不同的实例.如果我通过 IP 对其进行限制,我可能并不总是知道 EC2 实例拥有的 IP.我可以通过 VPC 限制吗?
The other gotcha is my EC2 instances are being managed by OpsWorks and I can have may different instances being fired up depending on load/usage. If I were to restrict it by IP, I may not always know the IP the EC2 instances have. Can I restrict by VPC?
我是否必须为静态网站托管启用我的 S3 存储桶?我是否需要将存储桶中的所有文件也设为公开才能使其正常工作?
Do I have to make my S3 bucket enabled for static website hosting? Do I need to make all files in the bucket public as well for this to work?
推荐答案
您不需要使存储桶公开可读,也不需要使文件公开可读.存储桶及其内容可以保密.
You do not need to make the bucket public readable, nor the files public readable. The bucket and it's contents can be kept private.
不要根据 IP 地址限制对存储桶的访问,而是根据 EC2 实例使用的 IAM 角色对其进行限制.
Don't restrict access to the bucket based on IP address, instead restrict it based on the IAM role the EC2 instance is using.
- 为您的 EC2 实例创建一个 IAM EC2 实例角色.
- 使用该角色运行您的 EC2 实例.
- 为该 IAM 角色提供访问 S3 存储桶的策略.
例如:
{
"Version": "2012-10-17",
"Statement":[{
"Effect": "Allow",
"Action": "s3:*",
"Resource": ["arn:aws:s3:::my_bucket",
"arn:aws:s3:::my_bucket/*"]
}
]
}
- 如果您想限制对存储桶本身的访问,请尝试 S3 存储桶策略.
例如:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": ["arn:aws:iam::111122223333:role/my-ec2-role"]
},
"Action": "s3:*",
"Resource": ["arn:aws:s3:::my_bucket",
"arn:aws:s3:::my_bucket/*"]
}
]
}
这篇关于从 EC2 访问 AWS S3 存储桶的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!