Reputation: 4055
I have been trying to secure my `api_key` and `token`. I thought about using AWS Secrets Manager.

1. If I access the `api_key` and `token` from within my code on the EC2 instance, then essentially anyone who gains access to the EC2 instance has access to the secret. In essence, no extra security?
2. If I use Lambda to access the `api_key` and `token`, store the resulting value in a database, and access the database from EC2, again I don't see the additional security here.

Am I missing something? Or is there a more secure way of storing and accessing the secret and keeping it inaccessible from EC2?
Upvotes: 0
Views: 720
Reputation: 270104
You are correct. If somebody can access your Amazon EC2 instance, then they would be able to assume the permissions granted to the instance via the IAM Role.
Therefore, you should ensure that you limit access to the Amazon EC2 instance.
In fact, some organizations take the step of removing login access to production EC2 instances. This is done for security, but also to limit changes that are made outside of a controlled process. For example, if there was a problem on an instance and an Administrator logs in and does a quick fix, then there would be no record of that fix. The correct way would be to make a fix in the code and then deploy a new instance with that fix (then terminate the old instance).
Other ways to limit access to an EC2 instance are:
Upvotes: 2
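Since any process on the instance can use the instance role (the point the answer makes), the practical complement to restricting logins is keeping that role's policy as small as possible. The following is an added example, not code from the question or the answer: it builds an instance-role policy that can read exactly one Secrets Manager secret, and a small linter that flags the grants you do not want on a role every process on the box inherits. The account id, region and secret name are constructed for illustration; the ARN shape (a `secret:` prefix followed by the secret name and a random suffix) is the real Secrets Manager format.

```python
"""Least-privilege instance-role policy for one secret, plus a linter.

Added example; not part of the original question or answer. All
identifiers below are constructed placeholders, not real resources.
"""
import json

# Constructed identifiers (hypothetical). Secrets Manager appends a random
# six-character suffix to the name in the ARN, so the wildcard covers only
# that suffix, not other secrets.
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
SECRET_NAME = "prod/app/api_key"
SECRET_ARN = f"arn:aws:secretsmanager:{REGION}:{ACCOUNT_ID}:secret:{SECRET_NAME}-*"


def least_privilege_policy(secret_arn: str) -> dict:
    """Policy that lets the instance role read one secret and nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadOneSecret",
                "Effect": "Allow",
                "Action": ["secretsmanager:GetSecretValue"],
                "Resource": [secret_arn],
            }
        ],
    }


def overly_broad_policy() -> dict:
    """Constructed counter-example: the kind of grant the linter should reject."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllSecrets", "Effect": "Allow",
             "Action": "secretsmanager:*", "Resource": "*"}
        ],
    }


def _as_list(value) -> list:
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def lint_policy(policy: dict) -> list:
    """Return findings for over-broad Allow statements; [] means it passes."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        # NotAction / NotResource invert the match and are easy to over-grant.
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: uses NotAction/NotResource; review manually")
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action!r}")
        if "*" in resources:
            findings.append(f"{sid}: Resource '*'")
        # A secret ARN ending in ':secret:*' is every secret in the account.
        reads_secrets = any(a in ("*", "secretsmanager:*", "secretsmanager:GetSecretValue")
                            for a in actions)
        all_secrets = any(r.startswith("arn:aws:secretsmanager:") and r.endswith(":secret:*")
                          for r in resources)
        if reads_secrets and all_secrets:
            findings.append(f"{sid}: grants read on every secret in the account")
    return findings


if __name__ == "__main__":
    good = least_privilege_policy(SECRET_ARN)
    print(json.dumps(good, indent=2))
    print("least-privilege findings:", lint_policy(good))
    print("overly-broad findings:", lint_policy(overly_broad_policy()))
```

The linter is deliberately small: it catches wildcard actions, `Resource: "*"`, the all-secrets ARN pattern, and the `Not*` inversions, which are the mistakes that turn "anyone on this instance can read the one secret it needs" into "anyone on this instance can read everything". Pair it with the answer's advice of removing interactive logins, since a minimal role limits the blast radius but does not stop a process on the instance from using it.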