How should the application use AWS credentials to access the S3 bucket securely?

By:
In: SAP-C01
Tagged:
With: 2 Comments
You have an application running on an EC2 instance which will allow users to download files from a private S3 bucket using a pre-signed URL. Before generating the URL, the application should verify the existence of the file in S3.

How should the application use AWS credentials to access the S3 bucket securely?

Use the AWS account access keys; the application retrieves the credentials from the source code of the application.

Create an IAM role for EC2 that allows list access to objects in the S3 bucket; launch the Instance with the role, and retrieve the role’s credentials from the EC2 instance metadata.

Create an IAM user for the application with permissions that allow list access to the S3 bucket; the application retrieves the IAM user credentials from a temporary directory with permissions that allow read access only to the Application user.

Create an IAM user for the application with permissions that allow list access to the S3 bucket; launch the instance as the IAM user, and retrieve the IAM user’s credentials from the EC2 instance user data.

Explanations:

Using AWS account access keys in source code is a security risk, as it exposes sensitive credentials, making them vulnerable to leaks or misuse.

Creating an IAM role for the EC2 instance and using instance metadata to retrieve temporary credentials is a secure method. It adheres to the principle of least privilege and eliminates the need to manage static credentials.

While creating an IAM user with limited permissions can work, storing IAM user credentials in a temporary directory poses security risks. It also requires more management of static credentials compared to using roles.

Launching an instance as an IAM user is not possible. IAM users are associated with AWS accounts, not EC2 instances, and retrieving credentials from user data also exposes sensitive information, leading to security risks.

2026-03-22

2 Comments

  1. Sara
    Author

    I compute that the answer is:
    Create an IAM role for EC2 that allows list access to objects in the S3 bucket; launch the Instance with the role, and retrieve the role’s credentials from the EC2 instance metadata.

  2. Jacob
    Author

    I scheme that the answer is:
    Create an IAM role for EC2 that allows list access to objects in the S3 bucket; launch the Instance with the role, and retrieve the role’s credentials from the EC2 instance metadata.

Leave a Reply

Your email address will not be published. Required fields are marked *

three × 1 =