Anonymous access to S3 bucket only from the EC2 instances

amazon ec2amazon s3

Is there a way to let anonymous access to a certain S3 bucket only from my EC2 instances (all of them) within a single AWS account?

I know I can use IAM roles, but I found it's just too many moving parts, and complicates any scripts that have to use the access key/secret key (e.g. rewriting /etc/apt/* lines when it changes). Not to mention there is no way to attach roles to existing instances, which makes it even more pain.
It's also not possible to simply restrict access by using VPC subnet, because S3 bucket access goes via public EC2 interface.

Best Answer

Yeah you have attach a bucket policy to the bucket like this:

{
   "Version":"2012-10-17",
   "Statement":[{
         "Sid":"AddCannedAcl",
         "Effect":"Allow",
         "Principal": {
            "AWS": ["arn:aws:iam::111122223333:root"]
         },
         "Action":[
            "s3:GetObject",
            "s3:GetObjectAcl"
         ],
         "Resource":["arn:aws:s3:::bucket/*"]
      ]
   }]
}

where 111122223333 is your account id

Related Solutions

Give EC2 IAM role read access to S3 bucket

From your EC2 insctance, you will also have to retrieve the temporary credentials in the instance metadata:

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<your-iam-role-name>

You shall then use the provided access and secret key to access your S3 bucket.

AWS EC2 – Shared File Systems Between Multiple Instances

It is not possible to share a single EBS volume between multiple EC2 instances.

Your diagram is offloading the data to a shared server. However, this shared server is simply another single-point-of-failure. So you're not saving yourself anything: if the AZ of that server goes down, then you've lost the data, even if the web server/VisualSVN server in another AZ is still running.

You should split your server between it's two separate functions into two separate servers/clusters so they can be handled independently of each other:

web server, and
VisualSVN server

For the web server, do you really need to mirror the volume in a multi-instance scenario, or can you keep your instances anytime-terminatable without data loss? Ideally, you would not save any data locally to the instance. Instead, you would save all data off-server to a database or to Amazon S3. This way, the data is available to all instances, all the time. If the server is lost, none of the data is. Make your "master" AMI and create all instances in an auto-scaling group from that master AMI. When your web server code changes, deploy a new AMI, terminate the old instances and create new ones from the new AMI.

For the VisualSVN server, the question to ask is whether VisualSVN can handle volume data changing on it without the running process caring about it. For example, if the running process caches some data in RAM, what happens if some hard drive sync process comes along behind it's back and changes the hard drive on it? It could be that the VisualSVN server simply is not able to handle a multi-instance scenario. Depending on the answer to that, you may not be able to cluster the VisualSVN server. It's possible that VisualSVN server has it's own clustering feature. If so, then you should investigate that.

Best Answer

Related Solutions

Give EC2 IAM role read access to S3 bucket

AWS EC2 – Shared File Systems Between Multiple Instances

Related Topic