In our Django application, we allow users to upload files directly to S3.
We do this using generate_presigned_post.
All works great, but we now get Suspicious Access alerts in Macie because it sees that EC2 credentials are being used externally.
The Macie description is
This alert is created by temporary EC2 instance credentials being used outside of Amazon IP space. EC2 instance profile credentials are expected to most commonly be used on EC2 instances where they have been made available by the EC2 metadata service. This technique is used by open source exploitation frameworks such as Metasploit, and observing their usage from outside of AWS network may indicate their potential leakage. Please consider reaching out to user to confirm whether they were intentionally using EC2 credentials outside of AWS. If so, whitelist valid users or consider resetting IAM user credentials.
This makes sense because the Instance role generates the presigned post url which is used by an external user.
Am I truly at risk that an external user could gain the same access as my instance role?
If so, is it worth creating a separate role that only has access to s3:PutObject in my particular bucket, then assuming that role before generating the presigned post url? That way, if compromised somehow, it wouldn't have as many privileges as the instance role?
Based on the Boto3 docs, the url should only grant access to post a specific object to a specific bucket, but this Macie alert makes me nervous.
Thanks!
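The scoped-down signing role the question proposes, as an added example (not the poster's code and not boto3's own): the POST is signed with credentials from sts:AssumeRole carrying an inline session policy limited to s3:PutObject under one prefix, and a separate check decodes the base64 policy document that the presigned POST returns to confirm it pins the bucket, the key prefix and a size bound. The bucket name, role ARN, key prefix and the sample `fields` dict are constructed placeholders; `sign_upload` needs boto3 and live AWS access and is not exercised offline.

```python
"""Added example (not the original poster's code, not boto3's own): sign an S3
presigned POST with a deliberately scoped-down role instead of the instance
profile, and inspect what the resulting POST policy actually grants.

Hypothetical values: BUCKET, ROLE_ARN, KEY_PREFIX and the sample policy below.
"""
import base64
import json

BUCKET = "example-upload-bucket"                                # hypothetical
ROLE_ARN = "arn:aws:iam::123456789012:role/s3-upload-signer"    # hypothetical
KEY_PREFIX = "uploads/"                                         # hypothetical


def session_policy(bucket, prefix):
    """Inline session policy for sts:AssumeRole. Effective permissions are the
    intersection of the role's own policy and this document, so the temporary
    credentials that sign the POST can do nothing but PutObject under prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::%s/%s*" % (bucket, prefix),
        }],
    }


def sign_upload(key, max_bytes, expires_in=300):
    """Assume the narrow role, then sign the POST with its credentials.
    Requires boto3 and live AWS access, so it is not exercised offline."""
    import boto3  # imported here so the rest of the module runs without it
    sts = boto3.client("sts")
    creds = sts.assume_role(
        RoleArn=ROLE_ARN,
        RoleSessionName="presigned-post-signer",
        Policy=json.dumps(session_policy(BUCKET, KEY_PREFIX)),
        DurationSeconds=900,
    )["Credentials"]
    s3 = boto3.client(
        "s3",
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )
    return s3.generate_presigned_post(
        Bucket=BUCKET,
        Key=KEY_PREFIX + key,
        Conditions=[["content-length-range", 1, max_bytes]],
        ExpiresIn=expires_in,
    )


def decode_post_policy(fields):
    """The browser posts fields['policy'] verbatim; it is base64 JSON that the
    signature binds to, so decoding it shows exactly what the upload may do."""
    return json.loads(base64.b64decode(fields["policy"]).decode("utf-8"))


def _condition(conds, name):
    """Find a condition on a field in either {"key": v} or ["eq", "$key", v]
    form; returns (operator, value) or None."""
    for c in conds:
        if isinstance(c, dict) and name in c:
            return ("eq", c[name])
        if isinstance(c, list) and len(c) == 3 and c[1] == "$" + name:
            return (c[0], c[2])
    return None


def check_post_grant(policy, bucket, key_prefix, max_bytes):
    """Return a list of problems (empty means the policy grants only what was
    intended: one bucket, a key under the prefix, and a bounded size)."""
    problems = []
    conds = policy.get("conditions", [])
    if _condition(conds, "bucket") != ("eq", bucket):
        problems.append("bucket not pinned to %s" % bucket)
    k = _condition(conds, "key")  # works for both "eq" and "starts-with"
    if k is None or not str(k[1]).startswith(key_prefix):
        problems.append("key not pinned under %s" % key_prefix)
    sizes = [c for c in conds
             if isinstance(c, list) and c[0] == "content-length-range"]
    if not sizes or sizes[0][2] > max_bytes:
        problems.append("content-length-range missing or above %d" % max_bytes)
    return problems


def sample_fields():
    """Constructed stand-in for the 'fields' dict generate_presigned_post
    returns, in the same shape, so the check runs without network access."""
    policy = {
        "expiration": "2030-01-01T00:00:00Z",
        "conditions": [
            ["content-length-range", 1, 5242880],
            {"bucket": BUCKET},
            {"key": KEY_PREFIX + "report.pdf"},
            {"x-amz-algorithm": "AWS4-HMAC-SHA256"},
            {"x-amz-credential": "ASIAEXAMPLE/20240101/us-east-1/s3/aws4_request"},
            {"x-amz-date": "20240101T000000Z"},
        ],
    }
    encoded = base64.b64encode(json.dumps(policy).encode("utf-8")).decode("ascii")
    return {"policy": encoded, "key": KEY_PREFIX + "report.pdf"}


if __name__ == "__main__":
    fields = sample_fields()
    print(check_post_grant(decode_post_policy(fields), BUCKET, KEY_PREFIX, 5242880))
```

The `x-amz-credential` condition in the decoded policy carries the access key ID the POST was signed with; when that is the instance profile's key, every browser upload presents it from outside AWS, which is the pattern the Macie finding describes. Signing with the assumed role's short-lived key instead keeps the instance profile's key ID out of the browser entirely, and the session policy bounds what that key could do even if the credentials themselves were exposed.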