N8P

Reputation: 433

Is using IAM Roles really more secure than storing encrypted credentials on disk?

The use of IAM Roles is being touted as the preferred way to get credentials to an EC2 instance so it can talk to the AWS APIs. I understand that the key is temporary and gets rotated which is a clear advantage over using credentials stored on the disk. However, it introduces another serious security issue which is avoided by using encrypted credentials on the disk.

If my credentials are on a file system, I can use the file system's built-in permissions mechanism to prevent any process but the one that needs the keys from reading them. In this case, if someone compromises the instance using some vulnerability in software running as a different user than the one that needs access to AWS APIs, he cannot read the file containing the credentials (enforced by the OS). (I'm not considering the case where he can elevate to root access, in which case all bets are off.)

However, when using IAM roles, the credentials are available via a network call to:

http://169.254.169.254/latest/meta-data/iam/security-credentials/*

Any process, even those with virtually zero permissions, can do a wget (or curl, etc.) to this URL and have the credentials, ready to use. The fact that they rotate does nothing much to make this scenario any more secure.

The only remediation I could readily come up with here is a local firewall to limit which processes can access the IP address 169.254.169.254. This seems clunky and inelegant.

Is there a recommended way to address this security problem when using IAM roles?

Upvotes: 6

Views: 831
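The per-process firewall the question sketches can be expressed with iptables' `owner` match, which filters outgoing packets by the uid of the process that created the socket. The script below is an added example, not code from the question or its answer: it builds a dedicated chain that accepts metadata-endpoint traffic only from one service account and rejects it from every other local process, then lets you confirm the block from a second account. The account name `appuser`, the chain name `IMDS-GUARD` and the use of `su` for the check are assumptions; root can of course change the rules, which is the case the question already sets aside.

```shell
#!/bin/sh
# Added example: restrict access to the EC2 instance metadata endpoint so that
# only one local service account can fetch IAM role credentials.
# Assumptions: Linux with iptables (owner match), a service account "appuser",
# and root privileges when applying the rules.

IMDS_IP="169.254.169.254"

# Emit the iptables commands that allow IMDS traffic only from the uid or user
# name in $1 and reject it for every other local process.
imds_rules() {
    owner="$1"
    cat <<EOF
iptables -N IMDS-GUARD
iptables -A IMDS-GUARD -m owner --uid-owner ${owner} -j ACCEPT
iptables -A IMDS-GUARD -j REJECT --reject-with icmp-port-unreachable
iptables -I OUTPUT -d ${IMDS_IP} -j IMDS-GUARD
EOF
}

# Apply the rules once (needs root). Creating the chain a second time would
# fail, so the function is a no-op if IMDS-GUARD already exists.
apply_imds_rules() {
    owner="$1"
    if iptables -L IMDS-GUARD -n >/dev/null 2>&1; then
        echo "IMDS-GUARD already present, nothing to do" >&2
        return 0
    fi
    # sh -e stops at the first failing command so a half-built chain is noticed
    imds_rules "$owner" | sh -e
}

# Check, from the perspective of a different local account ($1), that the
# credentials URL is unreachable: curl must fail within two seconds.
check_imds_blocked_for() {
    other="$1"
    url="http://${IMDS_IP}/latest/meta-data/iam/security-credentials/"
    if su -s /bin/sh "$other" -c "curl -s --max-time 2 '$url'" >/dev/null 2>&1; then
        echo "FAIL: ${other} can still reach the metadata endpoint" >&2
        return 1
    fi
    echo "ok: metadata endpoint rejected for ${other}"
}

# Typical use on the instance (as root):
#   apply_imds_rules appuser
#   check_imds_blocked_for nobody
```

The REJECT target is chosen over DROP so that a blocked process fails immediately instead of hanging on a timeout, which also makes the failure easy to spot in application logs. Outside what the page discusses, newer instances can additionally require IMDSv2 session tokens, which stops the plain `wget` the question describes but does not by itself distinguish between local processes; the owner match above is what provides that per-process distinction.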

Answers (1)

Charles Engelke

Reputation: 5649

The way to think about IAM roles is giving privileges to instances, instead of to processes or users. If your instance has users or processes that shouldn't have a privilege, you shouldn't provide that privilege via an IAM role.

We generally don't use instances as general purpose machines, but only for a specific application purpose. For that use case IAM roles are much better than creating an IAM user with fixed credentials and putting the credentials on the instance. In either case, an intruder taking over the instance can use it for whatever privileges we are giving to that instance. But with a role, the intruder can't take those credentials away and use them separately for an extended period because the credentials expire and are rotated frequently. The intruder has to maintain ownership and presence on the instance to compromise a role, and if the intruder can do that, you've lost all security anyway.

We also create IAM roles along with new instances via a CloudFormation stack, which allows each instance to have exactly the privileges it needs, not a general set of privileges for all instances of its sort.

Upvotes: 2
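The answer's practice of creating a role together with each instance in a CloudFormation stack, so that the role carries only what that one instance needs, looks like the following. This is an added example and not the answerer's own stack: it writes a template that defines a role allowed to read from a single S3 bucket, an instance profile wrapping that role, and an instance bound to the profile, then deploys it with the AWS CLI. The bucket name, AMI id, stack name and resource names are placeholders and assumptions.

```shell
#!/bin/sh
# Added example: one CloudFormation stack = one instance + one least-privilege
# role. Assumptions: AWS CLI v2 configured with deploy rights; placeholders for
# bucket name, AMI id and stack name must be replaced by the caller.

# Write a template to $1 that grants read access to exactly one bucket ($2)
# and launches an instance from AMI $3 with that role attached.
write_instance_role_template() {
    out="$1"; bucket="$2"; ami="$3"
    cat > "$out" <<EOF
AWSTemplateFormatVersion: '2010-09-09'
Description: One instance, one role, only the privileges this instance needs (example)
Resources:
  AppRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: ec2.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: ReadOneBucket
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: [ 's3:GetObject' ]
                Resource: 'arn:aws:s3:::${bucket}/*'
  AppInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles: [ !Ref AppRole ]
  AppInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ${ami}
      InstanceType: t3.micro
      IamInstanceProfile: !Ref AppInstanceProfile
EOF
}

# Deploy stack $1 from template file $2. CAPABILITY_IAM is required because
# the template creates IAM resources.
deploy_instance_stack() {
    aws cloudformation deploy \
        --stack-name "$1" \
        --template-file "$2" \
        --capabilities CAPABILITY_IAM
}

# Typical use (placeholders):
#   write_instance_role_template app.yaml my-app-bucket ami-PLACEHOLDER
#   deploy_instance_stack app-instance-1 app.yaml
```

Because the role is part of the stack, deleting the stack removes the role and its credentials along with the instance, and a second instance of the same application gets its own stack and its own role rather than sharing a broad, long-lived one.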
