3 Answers
I would go with option A. With option B – an IAM Role can be attached to multiple EC2 instances, so any of the EC2 instances that have the role attached can access your S3 bucket. With option A – you can set up a gateway VPC endpoint within your VPC to access your S3 bucket so that traffic doesn’t traverse the internet. The ID of the gateway VPC endpoint is unique, so you can use SourceVPCE within your bucket policy to grant access to a specific gateway VPC endpoint.
Thanks for the feedback. I think you are right. Somehow I got confused.
Because of the "..only be accessible to an Amazon EC2 instance " I thought it was just one EC2 instance inside the VPC that should have access, and not all EC2 instances inside the VPC. But I think the question is about any EC2 instance inside that VPC.
Yes, the VPCE is unique, so S3 can restrict access to just this VPC/endpoint.
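As an added example (not part of the original thread), here is the shape of the bucket policy the answer above describes, using the actual condition key aws:SourceVpce, together with a small offline evaluator that shows why the pattern works: a request through the named gateway endpoint is not denied, while a request through any other endpoint, or from the internet (where the aws:SourceVpce key is absent from the request context), hits the explicit Deny. The bucket name and endpoint ID are constructed placeholders, and the evaluator models only the StringEquals/StringNotEquals operators and the explicit-Deny check, not full IAM evaluation.

```python
"""Bucket policy restricting an S3 bucket to one gateway VPC endpoint,
plus a tiny evaluator for the Deny-unless-from-this-VPCE logic (offline)."""
import fnmatch
import json

# Constructed sample identifiers (placeholders, not real AWS resources).
BUCKET = "example-private-bucket"
VPCE_ID = "vpce-0123456789abcdef0"


def s3_vpce_bucket_policy(bucket: str, vpce_id: str) -> dict:
    """Explicit Deny for any request that does not arrive via the named
    gateway endpoint. Internet requests carry no aws:SourceVpce key at all,
    and StringNotEquals evaluates true when the key is missing, so they
    are denied as well."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyUnlessFromGatewayEndpoint",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
            }
        ],
    }


def _matches(pattern, value: str) -> bool:
    """IAM-style wildcard match for Action / Resource (string or list)."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_true(condition: dict, ctx: dict) -> bool:
    """Subset of IAM condition operators modelled here:
    StringEquals is false when the key is absent from the request context;
    StringNotEquals (negated operator) is true when the key is absent."""
    for operator, clauses in condition.items():
        for key, expected in clauses.items():
            expected = expected if isinstance(expected, list) else [expected]
            actual = ctx.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in expected:
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in expected:
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def is_explicitly_denied(policy: dict, action: str, resource: str, ctx: dict) -> bool:
    """True if any Deny statement in the bucket policy matches the request.
    An explicit Deny overrides every Allow, so this is the check that enforces
    the restriction; whether the caller is otherwise allowed still depends on
    IAM/other Allow statements, which are not modelled."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_true(stmt.get("Condition", {}), ctx):
            continue
        return True
    return False


if __name__ == "__main__":
    policy = s3_vpce_bucket_policy(BUCKET, VPCE_ID)
    print(json.dumps(policy, indent=2))
    obj = f"arn:aws:s3:::{BUCKET}/data.csv"
    # Constructed request contexts: via our endpoint, via another endpoint, from the internet.
    for label, ctx in [("own VPCE", {"aws:SourceVpce": VPCE_ID}),
                       ("other VPCE", {"aws:SourceVpce": "vpce-0fedcba9876543210"}),
                       ("internet", {})]:
        print(f"{label:>10}: denied={is_explicitly_denied(policy, 's3:GetObject', obj, ctx)}")
```

One caveat worth keeping in mind with this pattern: a blanket Deny keyed only on aws:SourceVpce also blocks the S3 console and any administrator or AWS service that does not reach the bucket through that endpoint, so production policies normally add a second condition (for example on the calling principal) to carve out an admin path before applying it.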