icedchai 2 hours ago
The EC2 needs credentials, but not necessarily a role. If someone is able to compromise an EC2 instance that has unrestricted S3 connectivity (no endpoint policies), they could use their own credentials to exfiltrate data to a bucket not associated with the account.
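The control icedchai is pointing at is the policy attached to the S3 gateway endpoint itself. The default endpoint policy is a full-access document (Principal "*", Action "*", Resource "*"), so any caller on the instance can reach any bucket through it, including a bucket in an account they control, using credentials they brought with them. The following is an added example of a restricted endpoint policy, not something from the thread or from AWS's own docs verbatim; the account ID 111122223333 is a placeholder. It uses the real condition keys aws:ResourceAccount (which account owns the bucket being accessed) and aws:PrincipalAccount (which account the calling credentials belong to), so a request that either targets a foreign bucket or is signed with foreign credentials is simply not allowed through the endpoint.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OnlyThisAccountsBucketsAndPrincipals",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "111122223333",
          "aws:PrincipalAccount": "111122223333"
        }
      }
    }
  ]
}
```

Because an endpoint policy is evaluated in addition to the instance role's IAM policy and the bucket policy, it does not widen any access; it only narrows what the network path will carry. With the policy above, the exfiltration path icedchai describes (attacker credentials, attacker bucket) fails at the endpoint regardless of what role, if any, the instance has. The trade-off to check before applying it is that legitimate cross-account reads (public datasets, a partner's bucket, some AWS-owned buckets used by tooling) also stop working through the endpoint, so those would need an explicit additional statement or the aws:ResourceOrgID variant if the other accounts are in the same organization.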
unethical_ban 2 hours ago
I'll have to dive in and take a look. I'm not arguing, but here is how I naively see it: It seems there is a gap between "how things are" and "how things should be". "Transiting the internet" vs. "Cost-free intra-region transit" is an entirely different question than "This EC2 has access to S3 bucket X" or "This EC2 does not have access to S3 bucket X". Somewhere, somehow, that fact should be exposed in the design of the configuration of roles/permissions/etc. so that enabling cost-free intra-region S3 access does not implicitly affect security controls.