1

I have a Java web app running on EC2 under Tomcat (a WAR) that requires various sensitive configuration parameters - for example, the credentials associated with various other AWS services. I had been setting these as environment variables, but then discovered that running Tomcat as a service removes almost all environment variables. So currently I use a simple configuration file to store these values.

I don't believe this is a wise choice going forward, however, and would like to find an alternative. What is the right way to handle this kind of sensitive information?

1 Answer

1

IAM Roles are going to be your best friend here. The official docs here will point you in the right direction. There's also a post on the AWS security blog about it here.

bobmagoo
  • Thank you. This seems like a very good solution for me. I had briefly looked at IAM, but didn't appreciate that it could be used in this way. – ChrisM May 30 '14 at 17:48
  • Of course, if that answers your question I'd appreciate it if you marked this as the answer. – bobmagoo Jul 08 '14 at 06:44