Reputation: 61
AWS EC2 userdata encryption
We have usecase of taking input which includes password from user and pass it to on EC2 instance. From with in Ec2 instance we hit the URL - http://169.254.169.254/latest/user-data/ and get the userdata and set appropriate passwords.
The issue is user data is visible by AWS CLI tool:
aws ec2 describe-instance-attribute --instance-id --attribute userData --output text --query "UserData.Value" | base64 --decode
This imposes huge security risk.
Whats the best way to send sensitive / secret data ?
I tried creating a key-pair, which creates the private key on local instance and public key on EC2. What would be right way to encrypt / decrypt using PowerShell and fetch it back in EC2?
Upvotes: 4
Views: 2576
Answers (1)
Reputation: 35188
The suggested approach would be to store any secrets in an external source.
AWS has a service for storing secrets, Secrets Manager. By using this service you would create a secret containing the secrets that your instance will need to access in its user data. Then give your instance an IAM role with privileges to get the secret value, via the AWS CLI.
Alternatively you could also make use of the AWS SSM Parameter Store service, storing the secrets as a SecureString type. This would work similar to secrets manager with you retrieving the secret via the AWS CLI and then using it in your script.
There are also third party solutions such as Hashicorp Vault that provide similar functionality if you do not want to store your secrets in an AWS solution.
Upvotes: 4
Related Questions
- How to encrypt and securely store and transmit private keys of SSH
- How to store my key for encryption on aws?
- AES 256 encryption and decryption
- AMI - Encryption
- Data encryption at REST on aws EBS
- aws s3 bucket encryption
- How does encryption works between aws ELB and instances
- Amazon S3 File Encryption
- How to limit people access to my EC2 with their public key
- How can I "hide" the data in AWS from users?