If I grant an EC2 instance to S3, does it mean all operating system level account in the EC2 instance will have the same access to the S3 resource? This would not be secure, how do I further limit specific EC2 OS accounts access to S3? do I have to user username/password or access keypair?
Asked
Active
Viewed 124 times
1
-
so if I assign a role to EC2, so it can assess S3, it would mean all users (as long as they can execute aws command) will have the same access to the S3 bucket, it's not really secure, isn't it? – ilovesun Nov 30 '19 at 18:41
-
if I need two EC2 instances to talk, I can just use the normal ssh from one instance to another, do I need to assign roles to the instances on top of it? – ilovesun Nov 30 '19 at 18:42
-
Please create a New Question for your ssh question. It does not relate to the existing question topic & description. – John Rotenstein Dec 02 '19 at 02:10
2 Answers
2
Refer this How OS level users are restricted from certain commands
sh-4.2$ whoami
ssm-user
after using this " setfacl -m u:ssm-user:r /bin/aws"
sh-4.2$ aws
sh: /usr/bin/aws: Permission denied
sh-4.2$ sudo su
[root@ip-172-31-23-71 bin]# whoami
root
[root@ip-172-31-23-71 bin]# aws
usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
To see help text, you can run:
aws help
aws <command> help
aws <command> <subcommand> help
aws: error: too few arguments
[root@ip-172-31-23-71 bin]#
So the user "ssm-user" is restricted from the "aws" command but root can ...
jestadi
- 96
- 6
0
I'm not sure what you mean by "assign a role for EC2 to S3".
OS level users differ from AWS level roles (i.e. OS users don't have access to any resource outside of OS).
However it's possible to use IAM principals to connect to EC2 via SSH (not to play with SSH keys), in this case it depends on IAM policy used (i.e. if it grants access to S3, then its users will have it).
nickolay.laptev
- 2,253
- 1
- 21
- 31