prgrms-web-devcourse-final-project · Gooraeng · Oct 14, 2025 · Oct 14, 2025 · Oct 14, 2025 · Oct 14, 2025
diff --git a/.github/workflows/Backend-CD.yml b/.github/workflows/Backend-CD.yml
@@ -228,7 +228,7 @@ jobs:
             # ---------------------------------------------------------
             # 0) 실행 로그(라인 타임스탬프 부착)
             # ---------------------------------------------------------
-            LOG="/tmp/ssm-$(date +%Y%m%d_%H%M%S).log"
+            LOG="/var/log/relife/ssm-$(date +%Y%m%d_%H%M%S).log"
             exec > >(awk '{ fflush(); print strftime("[%Y-%m-%d %H:%M:%S]"), $0 }' | tee -a "$LOG")
             exec 2> >(awk '{ fflush(); print strftime("[%Y-%m-%d %H:%M:%S]"), $0 }' | tee -a "$LOG" >&2)
 

diff --git a/infra/aws/terraform/cloudfront.tf b/infra/aws/terraform/cloudfront.tf
@@ -74,7 +74,7 @@ resource "aws_cloudfront_distribution" "cloudfront_distribution" {
   # PriceClass_100: 미국, 캐나다, 유럽
   # PriceClass_200: PriceClass_100 + 아시아, 중동, 아프리카
   # PriceClass_All: 전세계
-  price_class = "PriceClass_100"
+  price_class = "PriceClass_200"
 
   # CDN 도메인 설정
   aliases = [var.cdn_domain]

diff --git a/infra/aws/terraform/ec2.tf b/infra/aws/terraform/ec2.tf
@@ -32,11 +32,45 @@ resource "aws_iam_role" "ec2_role_1" {
 ####################
 # EC2 - Policy 설정
 ####################
-# EC2 역할에 AmazonS3FullAccess 정책을 부착
-# 생성된 인스턴스는 S3에 대한 완전한 액세스 권한을 가짐.
-resource "aws_iam_role_policy_attachment" "s3_full_access" {
+resource "aws_iam_policy" "ec2_s3_access_policy" {
+  name        = "${var.prefix}-ec2-s3-access-policy"
+  description = "EC2 instance S3 access policy"
+
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Sid    = "ListSpecificBucket",
+        Effect = "Allow",
+        Action = [
+          "s3:ListBucket",
+          "s3:GetBucketLocation"
+        ],
+        Resource = aws_s3_bucket.s3_1.arn
+      },
+      {
+        Sid    = "AccessableBucketObjectsPermissions",
+        Effect = "Allow",
+        Action = [
+          "s3:GetObject",
+          "s3:DeleteObject",
+          "s3:PutObject"
+        ],
+        Resource = "${aws_s3_bucket.s3_1.arn}/*"
+      }
+    ]
+  })
+
+  tags = merge(local.common_tags, {
+    Name = "${var.prefix}-ec2-s3-access-policy"
+  })
+}
+
+# EC2 역할에 커스텀 정책을 부착
+# 생성된 인스턴스는 특정 S3에 대한 읽기/쓰기/삭제 권한을 가짐.
+resource "aws_iam_role_policy_attachment" "s3_access" {
   role       = aws_iam_role.ec2_role_1.name
-  policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
+  policy_arn = aws_iam_policy.ec2_s3_access_policy.arn
 }
 
 # EC2 역할에 AmazonEC2RoleforSSM 정책을 부착
@@ -113,7 +147,6 @@ resource "aws_instance" "ec2_1" {
     volume_type           = "gp2"
     volume_size           = 30 # 볼륨 크기를 30GB로 설정
     encrypted             = true
-    delete_on_termination = false
   }
 
   user_data = local.ec2_user_data

diff --git a/infra/aws/terraform/s3.tf b/infra/aws/terraform/s3.tf
@@ -38,27 +38,52 @@ resource "aws_s3_bucket_ownership_controls" "s3_1_ownership" {
 # CloudFront OAI가 S3 버킷에 접근할 수 있도록 허용
 # EC2 인스턴스가 파일 업로드/관리 가능
 # AWS 계정 소유자 및 Admin 사용자 접근 허용
-# Presigned URL을 통한 접근 차단
+# 일반 사용자의 직접적인 접근 차단
 resource "aws_s3_bucket_policy" "s3_1_policy" {
   bucket = aws_s3_bucket.s3_1.id
   policy = jsonencode({
-    Version = "2012-10-17",
+    Version   = "2012-10-17",
     Statement = [
       # 1. CloudFront OAI: S3 객체 읽기 (CDN 콘텐츠 제공)
       {
-        Sid = "AllowCloudFrontOAIReadOnly",
-        Effect = "Allow",
+        Sid       = "AllowCloudFrontOAIReadOnly",
+        Effect    = "Allow",
         Principal = {
           AWS = aws_cloudfront_origin_access_identity.oai_1.iam_arn
         },
-        Action = [
+        Action    = [
           "s3:GetObject",
           "s3:ListBucket"
         ],
-        Resource = [
+        Resource  = [
           aws_s3_bucket.s3_1.arn,
           "${aws_s3_bucket.s3_1.arn}/*"
         ]
+      },
+      {
+        Sid       = "AllowEC2Access",
+        Effect    = "Allow",
+        Principal = {
+          AWS = aws_iam_role.ec2_role_1.arn
+        },
+        Action    = [
+          "s3:ListBucket",
+          "s3:GetBucketLocation"
+        ],
+        Resource  = aws_s3_bucket.s3_1.arn
+      },
+      {
+        Sid       = "AllowEC2ObjectAccess",
+        Effect    = "Allow",
+        Principal = {
+          AWS = aws_iam_role.ec2_role_1.arn
+        },
+        Action    = [
+          "s3:GetObject",
+          "s3:DeleteObject",
+          "s3:PutObject"
+        ],
+        Resource  = "${aws_s3_bucket.s3_1.arn}/*"
       }
     ]
   })

diff --git a/infra/aws/terraform/variables.tf b/infra/aws/terraform/variables.tf
@@ -122,7 +122,7 @@ variable "expose_rds_port" {
 variable "expose_npm_config" {
   description = "Nginx Proxy Manager 설정 페이지 외부 노출 여부"
   type        = bool
-  default     = true
+  default     = false
 }
 
 variable "expose_redis_port" {