使用 ec2 实例标签限制对 S3 存储桶的 ec2 实例访问
[英]Restrict ec2 instance access on S3 bucket using ec2 instance tags
问题描述
I want to allow only specific EC2 instance(s) to have access on specific S3 bucket(s) using EC2 instance tags in the S3 bucket policy.
我想只允许特定的 EC2 实例使用 S3 存储桶策略中的 EC2 实例标签访问特定的 S3 存储桶。
Want to set the bucket policy runtime during creating the bucket using saltstack.希望在使用 saltstack 创建存储桶期间设置存储桶策略运行时。
I tried this with sourceip condition in the S3 bucket policy but I will not be having public IP address of the source EC2 instance.我在 S3 存储桶策略中使用 sourceip 条件尝试了此操作,但我不会拥有源 EC2 实例的公共 IP 地址。
1 个解决方案
解决方案1
0 2019-10-14 20:27:20
This is not possible.这是不可能的。
When an API call is made to Amazon S3, no information about the originating computer is sent.当对 Amazon S3 进行 API 调用时,不会发送有关原始计算机的信息。 Therefore, the tags are not accessible.因此,标签不可访问。
You could restrict access to a particular EC2 instance by restricting access to an IAM Role that has been assigned to the instance (so it's actually restricting by role, not instance), or you could use a VPC Gateway and restrict the S3 bucket to only work via the VPC Gateway, plus a security policy that restricts access to the VPC Gateway to only the EC2 instance (I think).您可以通过限制对已分配给实例的IAM 角色的访问来限制对特定 EC2 实例的访问(因此它实际上是按角色而不是实例进行限制),或者您可以使用VPC 网关并将 S3 存储桶限制为只能工作通过 VPC 网关,加上一个安全策略,将 VPC 网关的访问权限限制为仅限 EC2 实例(我认为)。
The IAM Role would be the preferable method. IAM 角色将是更可取的方法。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.