1
votes

Let's assume we have an EC2 instance and there are two applications. Only one application should be able to access the S3 bucket, and the other application shouldn't be able to access the S3 bucket.

1) I don't want to use an IAM user's Access key ID and Secret access key for this, because it's difficult to manage. That is not recommended. (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html)

2) But I can't use an IAM role, because it's associated with the EC2 instance and it will allow access to every application inside that EC2 instance.

1
You can use conditions in an IAM policy. If your instance ID is not going to change, you can use ARN condition operators. Documentation can be found here: docs.aws.amazon.com/IAM/latest/UserGuide/… - krishna_mee2004
How about the idea of making your S3 bucket public, but putting a policy on it so that only the x.x.x.x public IP address can have access? Will that work? - Abel Callejo

1 Answer

0
votes

You can apply a bucket policy to restrict access based on the HTTP Referer request header. It allows the s3:GetObject permission with a condition, using the aws:Referer key, that the GET request must originate from specific web pages. The following policy specifies the StringLike condition with the aws:Referer condition key.

{
  "Version": "2012-10-17",
  "Id": "http referer policy example",
  "Statement": [
    {
      "Sid": "Allow get requests referred by www.example.com and example.com.",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::examplebucket/*",
      "Condition": {
        "StringLike": {"aws:Referer": ["http://www.example.com/*", "http://example.com/*"]}
      }
    },
    {
      "Sid": "Explicit deny to ensure requests are allowed only from specific referer.",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::examplebucket/*",
      "Condition": {
        "StringNotLike": {"aws:Referer": ["http://www.example.com/*", "http://example.com/*"]}
      }
    }
  ]
}

AWS Reference Link
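To see what the answer's Referer policy actually decides before deploying it, here is an added example (not part of the answer, and not an AWS library) that evaluates the same two statements against constructed requests using IAM's evaluation order: an applicable Deny wins, then an applicable Allow, otherwise the request is implicitly denied. It models only the StringLike and StringNotLike operators the policy uses, including the edge case that matters here: a negated operator such as StringNotLike matches when the key is absent, so a request with no Referer header at all falls under the explicit Deny. The bucket name, object key and Referer values are constructed sample data. Since the Referer header is sent by the client, this check only tells you what the policy permits, not which process on the instance made the request.

```python
import re

# Constructed bucket policy with the same statements as the answer's policy.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::examplebucket/*",
            "Condition": {"StringLike": {"aws:Referer": ["http://www.example.com/*", "http://example.com/*"]}},
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::examplebucket/*",
            "Condition": {"StringNotLike": {"aws:Referer": ["http://www.example.com/*", "http://example.com/*"]}},
        },
    ],
}


def wildcard_match(pattern, value):
    """IAM-style matching: '*' matches any run of characters, '?' exactly one.
    String condition values are matched case-sensitively, as IAM does."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition, context):
    """Evaluate a Condition block (StringLike / StringNotLike only).
    Every operator/key pair must hold for the block to match."""
    for operator, pairs in condition.items():
        for key, patterns in pairs.items():
            present = key in context
            any_match = present and any(wildcard_match(p, context[key]) for p in _as_list(patterns))
            if operator == "StringLike":
                if not any_match:      # key missing => positive operator is false
                    return False
            elif operator == "StringNotLike":
                if any_match:          # key missing => negated operator is true
                    return False
            else:
                raise ValueError(f"operator not modelled here: {operator}")
    return True


def statement_applies(statement, request):
    """True when the statement's Action, Resource and Condition all cover the request."""
    # IAM compares action names case-insensitively; resource ARNs are case-sensitive.
    actions = [a.lower() for a in _as_list(statement["Action"])]
    if not any(wildcard_match(a, request["action"].lower()) for a in actions):
        return False
    if not any(wildcard_match(r, request["resource"]) for r in _as_list(statement["Resource"])):
        return False
    return condition_matches(statement.get("Condition", {}), request.get("context", {}))


def evaluate(policy, request):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request."""
    effects = {s["Effect"] for s in policy["Statement"] if statement_applies(s, request)}
    if "Deny" in effects:
        return "explicit_deny"
    if "Allow" in effects:
        return "allow"
    return "implicit_deny"


def get_object(referer=None, action="s3:GetObject"):
    """Build a constructed request against a sample object, with an optional Referer header."""
    context = {} if referer is None else {"aws:Referer": referer}
    return {"action": action, "resource": "arn:aws:s3:::examplebucket/photo.jpg", "context": context}


if __name__ == "__main__":
    samples = [
        ("GET, Referer http://www.example.com/index.html", get_object("http://www.example.com/index.html")),
        ("GET, Referer https://www.example.com/ (https, not http)", get_object("https://www.example.com/")),
        ("GET, Referer http://www.example.net/", get_object("http://www.example.net/")),
        ("GET, no Referer header", get_object()),
        ("PUT, Referer http://example.com/", get_object("http://example.com/", action="s3:PutObject")),
    ]
    for label, req in samples:
        print(f"{label:55} -> {evaluate(BUCKET_POLICY, req)}")
```

Running it shows that only an http:// Referer under the two listed hosts is allowed, that an https:// Referer or a request without the header is explicitly denied, and that a PutObject with a matching Referer is still implicitly denied because the Allow statement covers GetObject only.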