aws - secrets manager - how to secure secrets when I want to access from ec2?

Question

I have been trying to secure my api_key and token. I thought about using aws secrets.

1- If I access the api_key and token from within my code on ec2 instance then essentially anyone who gains access to the ec2 has access to the secret. In essence no extra security?

2- If I use lambda to access the api_key and token and store the resulting value in a database and access the database from ec2 again I don't see the additional security here.

Am I missing something? Or is there a more secure way of storing and accessing the secret and keeping it inaccessible from ec2?

Answer 1

You are correct. If somebody can access your Amazon EC2 instance, then they would be able to assume the permissions granted to the instance via the IAM Role.

Therefore, you should ensure that you limit access to the Amazon EC2 instance.

In fact, some organizations take the step of removing login access to production EC2 instances. This is done for security, but also to limit changes that are made outside of a controlled process. For example, if there was a problem on an instance and an Administrator logs in and does a quick fix, then there would be no record of that fix. The correct way would be to make a fix in the code and then deploy a new instance with that fix (then terminate the old instance).

Other ways to limit access to an EC2 instance are:

• Restrict IP address ranges in Security Groups
• Use Keypairs, not passwords
• Disable SSH and instead access via AWS Systems Manager Session Manager -- all such connections are logged by AWS and access is controlled by IAM rather than Keypairs