Aaron L

Reputation: 195

How to manage an AWS Elastic Beanstalk DB password in a secure way

We have a DB instance outside our EB environment, and the password is stored in a properties file which is zipped along with the jar, then uploaded and deployed. This is not very secure, as the password is literally carried around (compared to the old way of deployment, where the password is stored on the server and gets pulled out with the other connection info through JNDI). Is there a better way to manage the DB password more securely?

Upvotes: 3

Views: 4312

Answers (2)

Fletch

Reputation: 5229

I agree with Rodrigo M that AWS Parameter Store is a good idea. Here is a small how-to:

Elastic Beanstalk runs on EC2. When you run the AWS CLI on EC2, it automatically has the permissions of any IAM role which is assigned to the instance. This means that you can create an IAM role which gives the EC2 instances permission to get the secret, then fetch it in your application code on startup.

IAM: For example, attach the AmazonSSMReadOnlyAccess policy to the aws-elasticbeanstalk-ec2-role. This will get you going. There might be more restrictive and secure ways to do this; for example, there's an example here https://aws.amazon.com/blogs/compute/managing-secrets-for-amazon-ecs-applications-using-parameter-store-and-iam-roles-for-tasks/ of a policy which only allows access to a named parameter instead of all of them.

There is an SDK which allows you to use the AWS CLI from your application. See https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/SSM.html.

npm install aws-sdk

then in your code:

const AWS = require('aws-sdk');
// On an EB/EC2 instance the SDK picks up the instance role's credentials
// automatically, so no access keys need to be shipped with the application.
const ssm = new AWS.SSM({'region': 'us-east-1'});

var params = {
  Name: 'db-pw',         // name of the parameter holding the password
  WithDecryption: true   // required to get the plaintext of a SecureString parameter
};
ssm.getParameter(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else {
    // The decrypted value is only available inside this callback;
    // build the DB connection from it here rather than logging it.
    const dbPw = data.Parameter.Value;
  }
});

This worked for me in a little test today. It seems OK to me, but I'm not a security expert so I will check the security aspects with colleagues before using it in prod.

Upvotes: 3
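A fuller version of the approach in the answer above, as an added example that is not code from the answer or from AWS: it fetches the SecureString with WithDecryption, validates the response before trusting it (rejecting an empty value or a parameter that was stored as a plain String), and builds the narrower IAM policy the answer alludes to, one named parameter plus kms:Decrypt on its key, instead of AmazonSSMReadOnlyAccess. The parameter name /prod/db/password, the DB_PW_PARAM environment property, the account ID and the KMS key ARN are assumptions; the SSM client is passed in as an argument so the fetch can be exercised offline against a fake.

```javascript
// Added example, not code from the original answers. Names below
// (/prod/db/password, DB_PW_PARAM, the account ID and key ARN) are assumptions.

// Build an IAM policy for the instance role that allows reading ONE
// SecureString parameter and decrypting it with the key it was stored under,
// rather than granting read access to every parameter in the account.
function leastPrivilegePolicy({ region, accountId, parameterName, kmsKeyArn }) {
  // Parameter ARNs use "parameter/<name>" with no leading slash on the name.
  const name = parameterName.replace(/^\//, '');
  return {
    Version: '2012-10-17',
    Statement: [
      {
        Effect: 'Allow',
        Action: ['ssm:GetParameter'],
        Resource: `arn:aws:ssm:${region}:${accountId}:parameter/${name}`,
      },
      {
        Effect: 'Allow',
        Action: ['kms:Decrypt'],
        Resource: kmsKeyArn,
      },
    ],
  };
}

// Validate a GetParameter response before trusting it. Error messages name
// the parameter but never include its value, so they are safe to log.
function extractSecret(response, expectedName) {
  const p = response && response.Parameter;
  if (!p || typeof p.Value !== 'string' || p.Value.length === 0) {
    throw new Error(`parameter ${expectedName}: empty or malformed response`);
  }
  if (p.Type !== 'SecureString') {
    // A plain String parameter means the password sits unencrypted at rest.
    throw new Error(`parameter ${expectedName}: expected SecureString, got ${p.Type}`);
  }
  return p.Value;
}

// Fetch and decrypt the parameter at startup. `ssm` is an AWS.SSM client from
// aws-sdk v2 (anything with the same getParameter(params).promise() shape works,
// which is what lets the function be tested offline with a fake client).
async function loadDbPassword(ssm, parameterName) {
  const data = await ssm
    .getParameter({ Name: parameterName, WithDecryption: true })
    .promise();
  return extractSecret(data, parameterName);
}

// Stand-alone use on an Elastic Beanstalk instance: the parameter name comes
// from an environment property (DB_PW_PARAM is an assumed name) and the
// credentials from the instance role. Nothing runs when the property is unset.
if (process.env.DB_PW_PARAM) {
  const AWS = require('aws-sdk'); // v2 SDK, as in the answer above
  const ssm = new AWS.SSM({ region: process.env.AWS_REGION || 'us-east-1' });
  loadDbPassword(ssm, process.env.DB_PW_PARAM)
    .then((pw) => {
      // Hand pw to the DB client here; never write it to logs or env dumps.
      console.log(`loaded ${pw.length}-character password for ${process.env.DB_PW_PARAM}`);
    })
    .catch((err) => {
      console.error(err.message); // fail closed: no password, no application
      process.exit(1);
    });
}
```

The kms:Decrypt statement matters when the parameter is encrypted with a customer-managed key; resource-scoping both statements is what keeps the instance role from reading unrelated secrets if the application itself is compromised. Because the password is fetched at process start, rotating it in Parameter Store also means restarting (or redeploying) the environment so the new value is picked up.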

Rodrigo Murillo

Reputation: 13648

Consider using AWS Parameter Store to manage application secrets like the DB password.

AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as passwords, database strings, and license codes as parameter values. You can store values as plain text or encrypted data. You can then reference values by using the unique name that you specified when you created the parameter. Highly scalable, available, and durable, Parameter Store is backed by the AWS Cloud. Parameter Store is offered at no additional charge.

Upvotes: 2
