top | item 45980706


wulfstan | 3 months ago

Right, I can appreciate that argument - but then the right thing to do is to block S3 access from AWS VPCs until you have explicitly confirmed that you want to pay the big $$$$ to do so, or turn on the VPC endpoint.

A parallel to this is how SES handles permission to send emails. There are checks and hoops to jump through to ensure you can't send out spam. But somehow, letting DevOps folk shoot themselves in the foot (credit card) is ok.

What has been done is the monetary equivalent of "fail unsafe" => "succeed expensively"

raw_anon_1111 | 3 months ago

s3 access is blocked from an EC2 by default unless you give the attached IAM role access to S3.

Then it is still blocked unless you add a NAT gateway or Internet gateway to the VPC and add a route to them.

If you are doing all of this via IaC, you have to take a lot of steps to make this happen. On the other hand, if I’m using an EC2 instance to run an ETL job from data stored on S3, I’m not putting that EC2 instance in a subnet with internet access in the first place. Why would I?

And no, you don’t need internet access to access the EC2 instance from your computer even without a VPN. You use System Manager Session Manager.

I do the same with lambda - attach them to a VPC without internet access with the appropriate endpoints. Even if they are serving an API, they are still using an API gateway.
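An added example, not part of the thread, of the check the comment above implies: given route tables in the shape that EC2 DescribeRouteTables returns, report which subnets would send S3 traffic through a NAT or internet gateway (metered) rather than an S3 gateway endpoint. The sample route tables, prefix-list ID and endpoint ID below are constructed placeholders.

```python
"""Classify VPC subnets by the path their S3 traffic would take."""

# Constructed sample in DescribeRouteTables shape; IDs are placeholders.
SAMPLE_ROUTE_TABLES = [
    {  # private subnet with an S3 gateway endpoint route (no NAT charge)
        "RouteTableId": "rtb-private-a",
        "Associations": [{"SubnetId": "subnet-etl"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationPrefixListId": "pl-s3-example", "GatewayId": "vpce-s3-example"},
        ],
    },
    {  # private subnet that reaches S3 only via a NAT gateway (billed per GB)
        "RouteTableId": "rtb-private-b",
        "Associations": [{"SubnetId": "subnet-nat-only"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"},
        ],
    },
    {  # isolated subnet: no route to S3 at all
        "RouteTableId": "rtb-isolated",
        "Associations": [{"SubnetId": "subnet-isolated"}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
    },
]


def classify_s3_path(route_table: dict) -> str:
    """Return 'endpoint', 'nat', 'igw' or 'none' for one route table."""
    routes = route_table["Routes"]
    # A gateway endpoint appears as a prefix-list route targeting a vpce-;
    # it is the more specific match, so it wins over any default route.
    if any(r.get("DestinationPrefixListId")
           and str(r.get("GatewayId", "")).startswith("vpce-") for r in routes):
        return "endpoint"
    for r in routes:
        if r.get("DestinationCidrBlock") == "0.0.0.0/0":
            if r.get("NatGatewayId"):
                return "nat"
            if str(r.get("GatewayId", "")).startswith("igw-"):
                return "igw"
    return "none"


def subnets_by_s3_path(route_tables: list) -> dict:
    """Map each explicitly associated subnet to its S3 egress path."""
    return {a["SubnetId"]: classify_s3_path(rt) for rt in route_tables
            for a in rt.get("Associations", []) if "SubnetId" in a}
```

Subnets reported as "nat" or "igw" are the ones where an ETL job would quietly pay NAT or internet egress for S3 reads; "none" subnets need an endpoint before S3 will work at all.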