I'm new to AWS CLI, but one thing that is bothering me a bit is the fact that I need to store my credentials in a file. I have several buckets on S3, and I create an account for my application, which will have access only to this bucket. However, if my server is hacked, the attacker could easily read my .aws/credentials file and destroy everything within my bucket. Then my company would be in huge trouble, since we rely on AWS a lot! Is there any suggestion to increase the security of this scenario?

I can totally understand that if my server is hacked, and has sudo access, my chances are slim; however, I would like to make it as difficult as possible to prevent any damage.

Valter Silva
    Enable versioning and delete protection on your bucket. – EEAA Sep 08 '16 at 12:29
  • @EEAA, great idea! I understand the versioning suggestion. But I'm a bit lost when you said "delete protection on your bucket". What does that mean? – Valter Silva Sep 08 '16 at 12:44
  • Set your permissions such that your application user does not have delete credentials. You can also require MFA for delete operations. – EEAA Sep 08 '16 at 12:50

2 Answers

3

Issue 1:

is the fact that I need to store my credentials in a file

If your server is an EC2 instance, then you don't have to store credentials in a file.

Instead, use IAM roles and instance profiles with your EC2 instances. When you do this, do not configure credentials for the AWS CLI. When you execute commands with the CLI, the CLI will collect temporary credentials off-server and use them.

http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html

If you do this, then should someone gain unauthorized access to the server, there won't be any credential files for them to take away. To do any damage, they would have to do it right there on the server.

Issue 2:

To prevent damage to the bucket, enable bucket versioning. By doing this, if someone deletes objects and/or changes them, you have the old versions available to access.

Also, if you really need to delete objects, then enable MFA delete. When enabled, MFA must be used when objects need to be deleted. Without using the MFA device, deleting objects is prohibited.

For anyone accessing the bucket, give them minimal permissions. Be careful about blindly allowing s3:*. If they only need to read objects, just give them s3:GetObject.

Matt Houser
  • My VMs are not EC2 instances, for now! :) Your answer is really good Matt! Thanks a lot for it man! – Valter Silva Sep 08 '16 at 14:44
  • While I fully advocate for using Instance roles, your statement isn't entirely correct. Credentials are *still* available to any potential hackers via the EC2 metadata service. So, you're technically correct that there will be no file to steal, but the credentials will *still* be available. – EEAA Sep 08 '16 at 20:59
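The least-privilege and MFA-delete advice in this answer, as an added example that is not part of the original answer: a small, offline Python script that builds the kind of read/write-but-no-delete IAM policy the answer recommends, audits an arbitrary policy document for the grants it warns against (s3:*, wildcard resources, delete and versioning-config rights), and assembles the aws s3api command that turns versioning and MFA delete on. The bucket name, the sample policies and the MFA device serial are constructed placeholders; nothing here talks to AWS.

```python
"""Offline audit of an IAM policy for an S3 application user.

Added example (not from the question or answers). BUCKET and the
MFA serial are placeholders; no AWS API calls are made.
"""
from typing import List

BUCKET = "example-app-bucket"  # placeholder bucket name (assumption)


def least_privilege_policy(bucket: str = BUCKET) -> dict:
    """Read/write only: no s3:DeleteObject, no s3:*, resources pinned to one bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListOnlyThisBucket",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": "arn:aws:s3:::%s" % bucket,
            },
            {
                "Sid": "ReadWriteObjectsNoDelete",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": "arn:aws:s3:::%s/*" % bucket,
            },
        ],
    }


# Constructed sample of the kind of policy the answer warns against.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# Actions that let a compromised app user destroy data or disable the safety nets.
DESTRUCTIVE_ACTIONS = {
    "s3:deleteobject",
    "s3:deleteobjectversion",
    "s3:deletebucket",
    "s3:putbucketversioning",        # could switch versioning off
    "s3:putlifecycleconfiguration",  # could expire old versions
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy: dict) -> List[str]:
    """Return one human-readable finding per risky grant in Allow statements."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "statement[%d]" % idx)
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action in ("*", "s3:*"):
                findings.append("%s: wildcard action %r grants delete and config rights" % (sid, action))
            elif action.endswith("*"):
                findings.append("%s: prefix wildcard %r" % (sid, action))
            elif action in DESTRUCTIVE_ACTIONS:
                findings.append("%s: destructive action %r" % (sid, action))
        if "*" in resources:
            findings.append("%s: resource '*' is not pinned to one bucket" % sid)
    return findings


def mfa_delete_command(bucket: str, mfa_serial: str, token_code: str) -> List[str]:
    """argv for enabling versioning plus MFA delete (MFA delete can only be set by the root account)."""
    return [
        "aws", "s3api", "put-bucket-versioning",
        "--bucket", bucket,
        "--versioning-configuration", "Status=Enabled,MFADelete=Enabled",
        "--mfa", "%s %s" % (mfa_serial, token_code),
    ]


if __name__ == "__main__":
    print("clean policy findings:", audit_policy(least_privilege_policy()))
    print("broad policy findings:", audit_policy(OVERLY_BROAD_POLICY))
    # "arn:aws:iam::123456789012:mfa/root-device" and "123456" are placeholders.
    print(" ".join(mfa_delete_command(BUCKET, "arn:aws:iam::123456789012:mfa/root-device", "123456")))
```

Running the audit against the policy attached to the application user is the cheap check to make before trusting the rest of the setup: if it reports a wildcard or a delete right, versioning and MFA delete are the only things standing between a stolen credential and an empty bucket.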
0

You should do offsite backup. Every day (for example) you will copy all your data to a different location at a different provider, and in case of disaster you can recover from this.

Ondra Sniper Flidr