Engineering Core
ISB Vietnam's skilled software engineers deliver high-quality applications, leveraging their extensive experience in developing financial tools, business management systems, medical technology, and mobile/web platforms.

If you are using AWS services such as EC2 and S3, the usual way to read and write data in S3 from an EC2 instance is to supply two pieces of information: an access key and a secret key.

These two pieces of information are usually stored in the source code or somewhere on the EC2 instance. This approach carries a risk of information leakage: if an attacker obtains these keys, it could result in loss of data in the S3 bucket.
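The leak risk described above is easiest to catch before code is deployed. The following scanner is an added example, not code from the original post: it flags AWS access key IDs (the AKIA/ASIA prefix form) and secret-key assignments in source text, so a repository or an instance's config directory can be checked for exactly the pattern the guide warns against. The sample source it scans is constructed here; the key values in it are the well-known placeholders from AWS documentation, not real credentials.

```python
import re

# Long-term access key IDs start with AKIA, temporary ones with ASIA; both are
# 20 characters. A secret access key is 40 base64-like characters; we only
# flag it when it sits in an assignment whose name says "secret key".
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_?secret_?access_?key|secret_?key)\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def find_hardcoded_aws_keys(text):
    """Return (line number, finding type, masked value) for each suspected key.

    The access key ID is masked to its first and last four characters and the
    secret is never echoed, so the scanner's own output does not leak secrets.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            key_id = m.group(0)
            findings.append((lineno, "access_key_id", key_id[:4] + "..." + key_id[-4:]))
        for _ in SECRET_KEY_RE.finditer(line):
            findings.append((lineno, "secret_access_key", "<redacted>"))
    return findings


# Constructed sample of the pattern the guide warns about. The values are the
# documentation placeholders published by AWS, not working credentials.
SAMPLE_SOURCE = """\
import boto3

# keys pasted straight into the application code
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
s3 = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID,
                  aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
"""

# Constructed sample of the same code after moving to an instance role:
# boto3 picks the role's credentials up by itself, so nothing is hardcoded.
SAMPLE_FIXED = """\
import boto3
s3 = boto3.client("s3")
"""

if __name__ == "__main__":
    for lineno, kind, value in find_hardcoded_aws_keys(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind} {value}")
    print("fixed version findings:", find_hardcoded_aws_keys(SAMPLE_FIXED))
```

Run it over files with `find_hardcoded_aws_keys(open(path).read())`; a non-empty result on anything destined for an EC2 instance is the signal to switch that code to the instance role described in the rest of the guide. Note that the variable reference on the last line of the sample (`aws_secret_access_key=AWS_SECRET_ACCESS_KEY`) is deliberately not flagged: only literal 40-character values count.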

If you do not want to hardcode these keys, you can use an IAM role to grant the necessary permissions to the EC2 instance to access the S3 bucket.
To set this up, you would create an IAM role with permissions to access the S3 bucket and then attach that role to the EC2 instance. Afterward, the EC2 instance can use the role’s temporary security credentials to access the S3 bucket.

Here are the detailed steps to do it.

Step 1: Create an IAM Role for the EC2 Instance

1. Access IAM on the AWS Console.
2. Go to Roles and click Create Role.
3. In the Trusted entity section, select AWS service and select EC2 because this role will be assigned to an EC2 instance.
4. In the Permissions section:

    - Select AmazonS3FullAccess or create a separate policy if you want to allow access to only a specific bucket.
    - If you want to create your own policy, you can select Create policy and use the following JSON to specify access to a specific bucket:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::your-bucket-name/*"
        }
    ]
}

5. Confirm and name the role, for example EC2S3AccessRole.
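The choice in step 4 between AmazonS3FullAccess and a bucket-scoped policy is the least-privilege decision of this whole setup. The example below is added here and is not code from the original post: it generates a scoped policy for one bucket (optionally limited to a key prefix) and lints a policy document for Allow statements with wildcard actions or resources. It goes slightly beyond the guide's JSON by also granting s3:ListBucket on the bucket ARN itself, because listing is authorized on the bucket resource while GetObject/PutObject are authorized on the object ARN. The BROAD_POLICY document is a constructed stand-in for a full-access policy, not the text of the AWS managed policy.

```python
import json

# Constructed stand-in for a "full S3 access" policy, used to show what the
# linter flags. It is not the AWS managed policy document itself.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def scoped_s3_policy(bucket, prefix=""):
    """Build a least-privilege policy for reading/writing objects in one bucket.

    Object actions are scoped to the object ARN (bucket/prefix*); s3:ListBucket
    is scoped to the bucket ARN and, when a prefix is given, further restricted
    with an s3:prefix condition so only that part of the bucket is listable.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    list_stmt = {
        "Sid": "ListBucket",
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        "Resource": bucket_arn,
    }
    if prefix:
        list_stmt["Condition"] = {"StringLike": {"s3:prefix": [f"{prefix}*"]}}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ObjectReadWrite",
                "Effect": "Allow",
                "Action": ["s3:PutObject", "s3:GetObject"],
                "Resource": f"{bucket_arn}/{prefix}*",
            },
            list_stmt,
        ],
    }


def _as_list(value):
    # IAM allows Action/Resource to be a single string or a list.
    return value if isinstance(value, list) else [value]


def overly_broad_statements(policy):
    """Return a finding string for each Allow statement using wildcards."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{idx}]")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{sid}: wildcard action {actions}")
        if any(r in ("*", "arn:aws:s3:::*") for r in resources):
            findings.append(f"{sid}: wildcard resource {resources}")
    return findings


if __name__ == "__main__":
    policy = scoped_s3_policy("your-bucket-name", "uploads/")
    print(json.dumps(policy, indent=4))
    print("broad policy findings:", overly_broad_statements(BROAD_POLICY))
    print("scoped policy findings:", overly_broad_statements(policy))
```

The JSON printed by `scoped_s3_policy` can be pasted into the Create policy screen in place of the guide's document; the linter is the kind of check to run over any role policy before it is attached to an instance, since a leaked or misused instance role with `s3:*` on `*` exposes every bucket in the account rather than one.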

Step 2: Assign IAM Role to EC2 Instance

1. Go to EC2 Console and select the instance you want to assign permissions to.
2. On the Actions tab, select Security > Modify IAM role.
3. Select the EC2S3AccessRole role you created in the step above and confirm.

Step 3: Example upload images from EC2 to S3

With the IAM role assigned, the EC2 instance can access S3 without an access key or secret key being stored anywhere. Here is example Python code to upload images from EC2 to S3:

1. Install boto3 if not already present:

pip install boto3

2. Write Python code to upload images to S3:

import boto3
from boto3.exceptions import S3UploadFailedError
from botocore.exceptions import BotoCoreError, ClientError

# Initialize S3 client. No keys are passed: boto3 obtains the role's temporary
# credentials from the instance metadata service and refreshes them itself.
s3 = boto3.client('s3')

# Define bucket and file name
bucket_name = 'your-bucket-name'
file_path = '/path/to/your/image.jpg'
s3_key = 'uploads/image.jpg'  # Object key (path) on S3

# Upload file
try:
    s3.upload_file(file_path, bucket_name, s3_key)
    print("Upload successful!")
except FileNotFoundError:
    print("Local file not found:", file_path)
except (S3UploadFailedError, ClientError, BotoCoreError) as e:
    # S3UploadFailedError/ClientError cover S3-side rejections such as
    # AccessDenied (the role's policy does not cover this bucket or key);
    # BotoCoreError covers local problems such as no credentials being found.
    print("An error occurred:", e)

Note:
    - The IAM role grants access only from the EC2 instance it is attached to, using short-lived credentials, so no long-term key has to be stored.
    - If you need more specific permissions, adjust the policy to suit your needs.

Conclusion

Using IAM roles enhances security and eliminates the risks associated with managing and distributing access keys and secret keys. Hopefully the above guide will help you easily deploy and secure your system when uploading data from EC2 to an S3 bucket.
