Should I use EC2 or Elastic Beanstalk when I am creating a new role where my EC2 / Beanstalk instances should have access to S3?

问题

This link says

To create the IAM role

1. Open the IAM console.

2. In the navigation pane, select Roles, then Create New Role.

3. Enter a name for the role, then select Next Step. Remember this name, since you'll need it when you launch your Amazon EC2 instance.

4. On the Select Role Type page, under AWS Service Roles, select Amazon EC2.

5. On the Set Permissions page, under Select Policy Template, select Amazon S3 Read Only Access, then Next Step.

6. On the Review page, select Create Role.

But when you click "Create New Role", you will be asked as follows

They say "choose a service that will use this role"

a) As you launch an app in ElasticBeanStalk which in turn creates an Ec2 instance , should I select Ec2 service or Elastic beanstalk service?

回答1:

You are creating an EC2 instance role, so the service to select is EC2, regardless of whether or not the instances are being spawned and managed by Elastic Beanstalk.

With an instance role, your instance has continuous access to a set of automatically-rotated temporary credentials that it can use to access whatever services the role policies grant access to.

Here, you are granting the EC2 service permission to actually obtain those temporary credentials on behalf of your instance.

回答2:

Rule of thumb with AWS, only create the resources you need. The reason for this is that AWS charges you for everything that you use. Now with that said, if you only need an EC2 that can communicate with your S3, then go with an EC2 only. EC2's are sorta like your base server, and you can always link one to your Elastic Beanstalk (if in fact you want to utilize that service later on).

Note, if you eventually begin using your S3 to show content to your users (e.g. your images, videos, etc.), then you should use CloudFront as your CDN to control things like caching, speed, and availability across various regions.

Hope this helps.

回答3:

The AWS document merely is an example (Apply IAM on EC2). You don't need follow the document mechanically, because your case is different, applying IAM on different type(s) of AWS services.

来源：https://stackoverflow.com/questions/46996536/should-i-use-ec2-or-elastic-beanstalk-when-i-am-creating-a-new-role-where-my-ec2