I have two servers that have an encrypted line of communication between them. One of these devices I trust with my AWS credentials, and it can access files on my S3 bucket via boto, the aws cli, etc. The other one I do not trust with any AWS credentials, so normally it cannot access my files.
I am trying to come up with a way to get a file from S3 to the untrusted server, but my best idea so far is to download the files to the trusted server and then send them to the other one. Is there any better way to do this?
I don't want to use CDN or make my files public since I don't want anyone but the two servers to access them.
Thanks!
Answer 0 (score: 2)
You can generate presigned URLs on the trusted server and send those to the untrusted server, which can then use them to safely download the file. The URLs don't require the untrusted server to hold any keys. They also have a limited time-to-live, so you can limit your exposure if they leak for some reason.
This way you can allow the untrusted server to access only the files you want for the period of time you want.
aws s3 presign s3://mybucket/myfile --expires-in 60
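To make concrete what the presigned URL above contains, and why the untrusted server needs no keys, here is an added example (not part of the answer above, and not AWS's own tooling; `aws s3 presign` and boto3 do the same signing internally). It builds an S3 presigned GET URL with SigV4 query-string authentication using only the Python standard library, and then performs the check S3 does on receipt: enforce the expiry window, then re-derive the signature. The bucket, key, region, and fixed clock are constructed for the example; the access/secret key pair is AWS's published placeholder pair from the SigV4 documentation, not a real credential.

```python
# Added example: stdlib-only SigV4 presigned GET URL for S3, plus the receiving-side check.
# All names (bucket, key, region, clock) are constructed for illustration.
import datetime as dt
import hashlib
import hmac
from urllib.parse import parse_qs, quote, unquote, urlsplit

# AWS's published placeholder credentials from the SigV4 docs, not real keys.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
MAX_EXPIRES = 7 * 24 * 3600  # S3 rejects X-Amz-Expires above seven days

# Fixed clock so the example is deterministic (constructed, not a real issue time).
ISSUED = dt.datetime(2013, 5, 24, tzinfo=dt.timezone.utc)


def clock(seconds_after_issue):
    """Point in time `seconds_after_issue` seconds after ISSUED."""
    return ISSUED + dt.timedelta(seconds=seconds_after_issue)


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """SigV4 key derivation: the long-term secret never signs a request directly."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode(), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def _canonical_query(params: dict) -> str:
    # Sorted by name; everything outside the unreserved set is percent-encoded ('/' included).
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                    for k, v in sorted(params.items()))


def _signature(host: str, key: str, params: dict, secret_key: str, region: str, scope: str) -> str:
    """Hex SigV4 signature over a GET for one object; only the Host header is signed."""
    canonical_request = "\n".join([
        "GET",
        "/" + quote(key, safe="/~"),   # canonical URI: key encoded once, '/' kept
        _canonical_query(params),      # X-Amz-* query parameters, minus the signature
        f"host:{host}\n",              # canonical headers block ends with a blank line
        "host",                        # signed headers
        "UNSIGNED-PAYLOAD",            # presigned URLs do not commit to a body hash
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        params["X-Amz-Date"],
        scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    date_stamp = scope.split("/")[0]
    return hmac.new(_signing_key(secret_key, date_stamp, region, "s3"),
                    string_to_sign.encode(), hashlib.sha256).hexdigest()


def presign_get(bucket, key, access_key, secret_key, region, expires_in, now):
    """Build a presigned GET URL for s3://bucket/key, valid for expires_in seconds from `now`."""
    if not 1 <= expires_in <= MAX_EXPIRES:
        raise ValueError("X-Amz-Expires must be between 1 second and 7 days")
    host = f"{bucket}.s3.amazonaws.com"
    scope = f"{now:%Y%m%d}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",  # key id and scope only, never the secret
        "X-Amz-Date": f"{now:%Y%m%dT%H%M%SZ}",
        "X-Amz-Expires": str(expires_in),
        "X-Amz-SignedHeaders": "host",
    }
    params["X-Amz-Signature"] = _signature(host, key, params, secret_key, region, scope)
    return f"https://{host}/{quote(key, safe='/~')}?{_canonical_query(params)}"


def check_presigned_url(url, secret_key, now):
    """What S3 does on receipt: enforce the expiry window, then re-derive the signature.

    Returns (ok, reason). Any change to the URL (object key, expiry, date, credential
    scope) alters the canonical request, so the recomputed signature no longer matches.
    """
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    presented = params.pop("X-Amz-Signature", "")
    issued = dt.datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=dt.timezone.utc)
    if now > issued + dt.timedelta(seconds=int(params["X-Amz-Expires"])):
        return False, "expired"
    _, date_stamp, region, service, _ = params["X-Amz-Credential"].split("/")
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    expected = _signature(parts.hostname, unquote(parts.path[1:]), params, secret_key, region, scope)
    if not hmac.compare_digest(expected, presented):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    url = presign_get("examplebucket", "test.txt", ACCESS_KEY, SECRET_KEY, "us-east-1", 60, ISSUED)
    print(url)
    print(check_presigned_url(url, SECRET_KEY, clock(30)))                                    # accepted
    print(check_presigned_url(url.replace("test.txt", "other.txt"), SECRET_KEY, clock(30)))   # wrong key
    print(check_presigned_url(url, SECRET_KEY, clock(61)))                                    # expired
```

The untrusted server ends up holding a URL that names one object, one verb (GET), the key id and scope, and an expiry; the secret is used only on the trusted side to derive the signature. Because the signature covers the whole query string, the holder cannot swap in another object key or stretch `X-Amz-Expires`, which is what makes a short expiry a real bound on exposure if the URL leaks.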
Answer 1 (score: 1)
You could create specific IAM policies on demand that allow access from the untrusted server to only the exact resources that are allowed.
But TBH, if the files aren't absolutely huge and/or don't change all the time, then using the "trusted" server as a proxy is a good approach.