Question
Scenario: A web app is hosted on EC2 with a role having full S3 access. Now on the webapp, say the S3 resource is an image embedded as a link in some webpage.
So here CORS comes into action. If CORS and public access for the resource (for the bucket, I mean) are enabled, that should do.
And when public access is already granted, what's the point in adding a role to the EC2 instance? The resource is already public.
So, isn't the role for the EC2 instance redundant and unnecessary? Could someone confirm or suggest the right permissions to use?
(I am required to ask for this clarification as a few suggestions on StackOverflow mentioned that a role for EC2 is required.)
Answer 1:
First, I should mention that use of the AmazonS3FullAccess policy should be avoided if possible. It grants permission to do anything in Amazon S3, including deleting all buckets and objects! Always grant least privilege when possible, only granting the access that is necessary.
If the app is linking to public objects, then no additional S3 permissions are required for the scenario you describe.
However, many apps do not wish to make all files public. For example, let's say the app is a photo storage/sharing app. People would like to keep their photos private, yet be able to view them in a web page. To do this, the app can generate an Amazon S3 pre-signed URL that provides temporary access to private objects in Amazon S3. This way, an object can be referenced in an `<img>` tag on an HTML page, yet remain private.
Creating a pre-signed URL requires a set of credentials that have, at minimum, read access to the Amazon S3 object being shared. Thus, it would be necessary for the app to receive these credentials (normally via an IAM Role).
Answer 2:
If the files are public, there is no need to also give s3fullaccess permissions to the role - public is public; giving s3fullaccess would make your app less secure in fact, because you are giving it permissions beyond what it needs to run, which is never a good idea.
Source: https://stackoverflow.com/questions/57476632/does-an-ec2-instance-hosting-a-web-app-require-any-role-like-s3fullaccess-eve