How to develop a .Net application to integrate with S3 in secureway using Ec2 Instance profile?


Dear expert, I want to develop my .Net Entitiy Application that allows end-users can upload files to the S3 bucket. I also searched some articles and they are using Secret Key and Secret Value to do it. As my understanding, this way is not secure. I want my application can use Ec2 Profile (where the application is deployed) to upload files to s3 bucket. If this is possible, please gime some examples and advice to complete it. Thank all of you so much.

asked 8 months ago391 views
1 Answer
Accepted Answer

Hi! There are several ways you could accomplish having users upload files to S3 when your .NET application is running on an EC2 instance. I am assuming you are using an ASP.NET application.

  1. One way is using pre-signed S3 URLs. When your user wants to upload a file, your ASP.NET application could return a pre-signed URL using the AWS SDK for .NET. Then, your client-side code running in your user's web browser can directly upload the file to S3. This 3rd-party blog post shows how to do this with React.js.
  2. Another way would be to have your users upload the file directly to your ASP.NET application, and then that application could use the AWS SDK for .NET to upload the file to S3 using the EC2 instance's assigned EC2 Instance Profile. An EC2 Instance Profile lets you assign an IAM role directly to the EC2 instance. Then, any application you're running on it that uses the AWS SDK for .NET will automatically use the permissions from that IAM role to access AWS APIs. That includes uploading files to S3. Make sure the IAM role you use has permissions to upload files to the S3 bucket you are using.

There are other ways you could handle this also, such as using a Lambda function and API Gateway, but the two options above are probably the simplest. And you are right - you should never use AWS secret access keys (key ID and secret key) for any client-side code, and it's best practice not to use those keys on an EC2 instance. For applications on EC2, use the EC2 instance profile role instead (which I linked to in option 2 above). When you deploy your application, do not deploy the "credentials" file, just let the AWS SDK take care of getting permissions from the instance profile.

profile pictureAWS
answered 8 months ago
profile picture
reviewed 7 months ago
  • Hi Kirk_D Thank you for your answer, It is very useful and I already resolved my case.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions