chore: S3 관련 권한 조정

Gooraeng · Gooraeng · commit 73907421d328 · 2025-10-14T16:32:51.000+09:00
- S3관련 FullAccess 삭제
- BE 내부적으로 저장(Put), 삭제(Delete), 필요 시 불러오기(Get) 허용
- S3에서 EC2 관련 권한 명시
diff --git a/infra/aws/terraform/ec2.tf b/infra/aws/terraform/ec2.tf
@@ -32,11 +32,45 @@ resource "aws_iam_role" "ec2_role_1" {
 ####################
 # EC2 - Policy 설정
 ####################
-# EC2 역할에 AmazonS3FullAccess 정책을 부착
-# 생성된 인스턴스는 S3에 대한 완전한 액세스 권한을 가짐.
-resource "aws_iam_role_policy_attachment" "s3_full_access" {
+resource "aws_iam_policy" "ec2_s3_access_policy" {
+  name        = "${var.prefix}-ec2-s3-access-policy"
+  description = "EC2 instance S3 access policy"
+
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Sid    = "ListSpecificBucket",
+        Effect = "Allow",
+        Action = [
+          "s3:ListBucket",
+          "s3:GetBucketLocation"
+        ],
+        Resource = aws_s3_bucket.s3_1.arn
+      },
+      {
+        Sid    = "AccessableBucketObjectsPermissions",
+        Effect = "Allow",
+        Action = [
+          "s3:GetObject",
+          "s3:DeleteObject",
+          "s3:PutObject"
+        ],
+        Resource = "${aws_s3_bucket.s3_1.arn}/*"
+      }
+    ]
+  })
+
+  tags = merge(local.common_tags, {
+    Name = "${var.prefix}-ec2-s3-access-policy"
+  })
+}
+
+# EC2 역할에 커스텀 정책을 부착
+# 생성된 인스턴스는 특정 S3에 대한 읽기/쓰기/삭제 권한을 가짐.
+resource "aws_iam_role_policy_attachment" "s3_access" {
   role       = aws_iam_role.ec2_role_1.name
-  policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
+  policy_arn = aws_iam_policy.ec2_s3_access_policy.arn
 }
 
 # EC2 역할에 AmazonEC2RoleforSSM 정책을 부착
@@ -113,7 +147,6 @@ resource "aws_instance" "ec2_1" {
     volume_type           = "gp2"
     volume_size           = 30 # 볼륨 크기를 30GB로 설정
     encrypted             = true
-    delete_on_termination = false
   }
 
   user_data = local.ec2_user_data
diff --git a/infra/aws/terraform/s3.tf b/infra/aws/terraform/s3.tf
@@ -38,27 +38,52 @@ resource "aws_s3_bucket_ownership_controls" "s3_1_ownership" {
 # CloudFront OAI가 S3 버킷에 접근할 수 있도록 허용
 # EC2 인스턴스가 파일 업로드/관리 가능
 # AWS 계정 소유자 및 Admin 사용자 접근 허용
-# Presigned URL을 통한 접근 차단
+# 일반 사용자의 직접적인 접근 차단
 resource "aws_s3_bucket_policy" "s3_1_policy" {
   bucket = aws_s3_bucket.s3_1.id
   policy = jsonencode({
-    Version = "2012-10-17",
+    Version   = "2012-10-17",
     Statement = [
       # 1. CloudFront OAI: S3 객체 읽기 (CDN 콘텐츠 제공)
       {
-        Sid = "AllowCloudFrontOAIReadOnly",
-        Effect = "Allow",
+        Sid       = "AllowCloudFrontOAIReadOnly",
+        Effect    = "Allow",
         Principal = {
           AWS = aws_cloudfront_origin_access_identity.oai_1.iam_arn
         },
-        Action = [
+        Action    = [
           "s3:GetObject",
           "s3:ListBucket"
         ],
-        Resource = [
+        Resource  = [
           aws_s3_bucket.s3_1.arn,
           "${aws_s3_bucket.s3_1.arn}/*"
         ]
+      },
+      {
+        Sid       = "AllowEC2Access",
+        Effect    = "Allow",
+        Principal = {
+          AWS = aws_iam_role.ec2_role_1.arn
+        },
+        Action    = [
+          "s3:ListBucket",
+          "s3:GetBucketLocation"
+        ],
+        Resource  = aws_s3_bucket.s3_1.arn
+      },
+      {
+        Sid       = "AllowEC2ObjectAccess",
+        Effect    = "Allow",
+        Principal = {
+          AWS = aws_iam_role.ec2_role_1.arn
+        },
+        Action    = [
+          "s3:GetObject",
+          "s3:DeleteObject",
+          "s3:PutObject"
+        ],
+        Resource  = "${aws_s3_bucket.s3_1.arn}/*"
       }
     ]
   })
