
What would be the best way to pass sensitive data to an EC2 instance (on boot or otherwise) that only root can access?

  1. I cannot use UserData, because anyone can read it.
  2. I cannot use private S3 buckets for the same reason (metadata and hence credentials can be accessed by anyone on the box).
  3. I'd strongly prefer not to bake my own AMI, as it's quite a hassle.
Alex B

2 Answers


I cannot use UserData, because anyone can read it.

Why are you allowing untrusted users to have shell accounts on your system?

I cannot use private S3 buckets for the same reason (metadata and hence credentials can be accessed by anyone on the box).

If you're using IAM server roles, this is the case. However, you can still use an S3 bucket, just store credentials in a file that only root has access to.

EEAA
  • 1) no untrusted users, but in the event of an RCE bug in the app I don't want to risk leaking long-term keys. 2) But how would I distribute that credentials file to the instance? – Alex B Oct 18 '14 at 14:05
  • You'd distribute via your configuration management system. – EEAA Oct 18 '14 at 15:13
  • Also, when using IAM server roles, credentials get automatically rotated periodically, so there are no "long-term keys". – EEAA Oct 18 '14 at 15:16
  • I should have made myself clear: when I said "long-term keys" I was talking about the SSL certificates. Anyone with access to the instance creds can download it off the S3 bucket, rotated creds or not. I'd rather not stick it into CM considering that the app needs access to config but should not have access to SSL certs/keys. – Alex B Oct 18 '14 at 15:40

There are all kinds of ways to do this:

  • You can ssh into the VM after it is up, sudo to the root user (assuming you have its credentials) and copy the sensitive data in.

  • If the root user has an ssh key and you have access to the public key, encrypt the sensitive data using the public key and place it in the user-data. Only the root user will be able to decrypt it.

  • Any variation of the previous item, where the root user has a 'secret', can be used for encrypting the data.

Barak
  • Another clarification: instances are a part of autoscaling group, startup has to be unattended, and manual SSH is not an option. But even if it was just a one-off instance, I don't want to add another moving part that is subject to human error. – Alex B Oct 19 '14 at 11:48
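The "encrypt to root's key and put it in user-data" option from the second answer, worked through as an added example (this is not code from either answer). It assumes openssl on both ends and that root's private key is a 0600 PEM file; because RSA can only encrypt a few hundred bytes, the secret is wrapped under a random AES key that is itself encrypted to the RSA key, which keeps even a certificate-plus-key bundle well under the 16 KB user-data limit.

```shell
#!/bin/sh
# Added example (not code from the answers above): encrypt a secret to the
# root user's RSA key so the envelope can sit in user-data, yet only a process
# that can read root's private key can recover it.
# Assumptions: openssl is present on both ends and root's private key is a
# PEM file with mode 0600. An OpenSSH public key converts to the PEM form used
# here with: ssh-keygen -e -m PKCS8 -f id_rsa.pub
set -eu

# make_envelope PUBKEY.pem SECRET_FILE -> prints a two-line base64 envelope.
# Line 1: a random data-encryption key (DEK) encrypted with RSA-OAEP.
# Line 2: the secret encrypted with AES-256-CBC under that DEK.
# RSA alone cannot encrypt more than a few hundred bytes, hence the DEK.
make_envelope() {
    pub="$1" secret="$2"
    tmp=$(mktemp -d)
    openssl rand -hex 32 > "$tmp/dek"
    openssl pkeyutl -encrypt -pubin -inkey "$pub" \
        -pkeyopt rsa_padding_mode:oaep -in "$tmp/dek" -out "$tmp/dek.enc"
    openssl enc -aes-256-cbc -pbkdf2 -pass "file:$tmp/dek" \
        -in "$secret" -out "$tmp/secret.enc"
    openssl base64 -A -in "$tmp/dek.enc"; echo
    openssl base64 -A -in "$tmp/secret.enc"; echo
    rm -rf "$tmp"
}

# open_envelope PRIVKEY.pem ENVELOPE_FILE DEST -> writes the secret to DEST.
# Run as root at boot, after saving the user-data (fetched from the instance
# metadata service) to ENVELOPE_FILE. DEST is created under umask 077 so it
# is 0600 from the moment it exists; never write it to a world-readable path.
open_envelope() {
    priv="$1" envf="$2" dest="$3"
    tmp=$(mktemp -d)
    sed -n 1p "$envf" | openssl base64 -d -A > "$tmp/dek.enc"
    sed -n 2p "$envf" | openssl base64 -d -A > "$tmp/secret.enc"
    openssl pkeyutl -decrypt -inkey "$priv" \
        -pkeyopt rsa_padding_mode:oaep -in "$tmp/dek.enc" -out "$tmp/dek"
    (umask 077; openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$tmp/dek" \
        -in "$tmp/secret.enc" -out "$dest")
    rm -rf "$tmp"
}
```

Note that this protects the secret from other local users, not from root-level compromise or from anyone who can read root's private key, so the private key file's permissions are the whole security boundary.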