[英]Using Instance Profile to assign role vs. adding EC2 instance to trust relationship
We are newbies and learning AWS.我们是新手,正在学习 AWS。 So, please excuse our ignorance.
所以,请原谅我们的无知。 We are creating a test environment to check how to allow least privilege access to, say, DynamoDB from EC2.
我们正在创建一个测试环境,以检查如何允许从 EC2 对 DynamoDB 进行最低权限访问。
AWS documentation ( https://aws.amazon.com/blogs/security/how-to-use-trust-policies-with-iam-roles/ ) suggests a couple of options without highlighting which ones allow least privilege access: AWS 文档 ( https://aws.amazon.com/blogs/security/how-to-use-trust-policies-with-iam-roles/ ) 建议了几个选项,但没有强调哪些选项允许最低权限访问:
Step 1: Create a role with specific policy to allow access to DynamoDB.第 1 步:创建具有特定策略的角色以允许访问 DynamoDB。
Step 2: We are not sure whether we should:第 2 步:我们不确定是否应该:
OR要么
Can someone please guide us on which of the above two options allows least privilege access for security purpose?有人可以指导我们出于安全目的,以上两个选项中的哪一个允许最低权限访问? We even checked security best practice @ https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html , and couldn't get a clear answer.
我们甚至检查了安全最佳实践 @ https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html ,但无法得到明确的答案。
If you create the instance role using IAM console , the instance profile is automatically created for you.如果您使用IAM 控制台创建实例角色,则会自动为您创建实例配置文件。 You don't have to do anything.
您无需执行任何操作。 What's more, trust relationship will also be setup correctly .
更重要的是,信任关系也将被正确设置。
Therefore, the only thing you have to do are to add permissions that you require for DynamoDB to the role, and later to add the role/instance profile to your instance when you create it, or later on after its been created.因此,您唯一需要做的就是将 DynamoDB 所需的权限添加到角色,然后在创建实例时或创建实例后将角色/实例配置文件添加到您的实例。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.