Reputation: 11815
I am very new to Node.js & Express.js, which I use to write a web API service. To enable HTTPS the service is using the following code:
```javascript
const https = require('https');
const fs = require('fs');

// serverConfig and logger are defined elsewhere in the service
const server = https
  .createServer({
    key: fs.readFileSync('./cert/myservice.key'),
    cert: fs.readFileSync('./cert/myservice.crt')
  })
  .listen(serverConfig.server.port, () => logger.info(`MyService is up and running`));
```
As it is easy to see, this code assumes that the `.key` and `.crt` files are available locally in the service application location.
If I want to deploy the service to a single AWS EC2 host (for simplicity reasons) these files would have to be there, which does not seem to be a secure solution.
I was thinking about using AWS IAM for securing the secrets. The issue is that it's not possible to "deploy"/make the secrets available from IAM to an EC2 node directly. I'd have to use IAM's API to get the secrets, but then the question is how do I make the AWS credentials available on EC2.
Question: Is there a recommended secure way to deploy secrets (including certificates and keys) to an AWS EC2 node?
Upvotes: 3
Views: 2590
Reputation: 2442
It is not recommended to keep secrets on EC2 instances. You may use AWS KMS to keep the secret keys and AWS Certificate Manager to manage your SSL certificates.
You could set up an Elastic Load Balancer (ELB) in front of your EC2 instance and have your SSL certificates applied on the ELB. Here is a guide. It is good practice to terminate SSL at the ELB level to take some load off the server on your EC2 instance.
Upvotes: 3