- 최신
- 최다 투표
- 가장 많은 댓글
Hi,
You must never share your AWS_Access_Key_ID & AWS_Secret_Access_Key with anyone. It can result in your account being compromised. In case you want the other company to share data with you through S3 , you can use S3 pre-signed urls , which grants time limited access to your s3 bucket. Link to documentation :
https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-presigned-url.html
Cheers! Prince Arora
Hi englishtiger2011,
Why does the company need to upload data to your S3 bucket?
Do you happen to know if this company is using AWS as well? If they do, I would advise you to create an IAM role in your account with the least amount of privilege needed to get the job done. The company would then have to assume your role and perform the necessary actions.
The other option here, if they are not on AWS is to use presigned URLs [1]. Requires a bit more plumbing, but much more secure that providing IAM user credentials to an external party.
[1] https://docs.aws.amazon.com/AmazonS3/latest/userguide/PresignedUrlUploadObject.html
Hope this helps.
Kind regards, Andrei Scorus
Mornin' englishtiger2011,
I'm in total agreement with Prince and Andrei - I would be very hesitant on giving out key pairs for an IAM User to a 3rd Party. However, that is not to say that they don't have legitimate need for them.
Do push back and ask why they need this, and if they have an AWS account of their own then why can't they use a user or role from that account to to the data transfer to S3? I would go a step more restrictive than Andrei and wouldn't make a role for them to assume in my account - I would instead add a statement to your S3 bucket which specifically allowed one of their users or roles (you would use the ARN of the user or role) to make 'PutObject' calls to your bucket. That way they can essentially do a cross-account action. You can find a quick walk-through here, but there are more examples in the AWS docs to help you here.
If you do go down the route of giving them an IAM User and generating a key pair for them to use for this transfer, a few things to bear in mind:
- Give them as little permission as possible. If they're using a key pair, then they don't need List or Get permissions, so only give the relevant Put permissions.
- Be specific with the bucket that they can work with. There are loads of examples out there to help you with this.
- Be sure to revoke the key pair and delete the user, once you're happy that they're done.
