
I deployed an app on Heroku and AWS EC2. I also created an AWS S3 bucket as my storage for uploading images and videos. Suddenly Heroku emailed me that my application was affected by a recent vulnerability and my access key for AWS S3 was stolen (probably because of a bot that mines access keys; my repository is also private, so I don't know how this happened). I'm glad I saw it early and was able to delete my keys and generate a new one. Basically, my code for uploading images is this.

Access key from a .json file in my code:

{
  "accessKeyId": "xxxxxxxxxxxxx",
  "secretAccessKey": "xxxxxxxxxxxxxxxxxxxx",
  "region": "us-east-2"
}

My middleware:

const multer   = require('multer');
const AWS      = require('aws-sdk');
const multerS3 = require('multer-s3');

// Reads accessKeyId / secretAccessKey / region from the JSON file above and
// sets them as the SDK's global config. The file is shipped alongside the
// source, which is how the key ended up exposed.
AWS.config.loadFromPath('./resources/AwsS3Key.json');
const s3 = new AWS.S3();

const s3Storage = multerS3({
    s3     : s3,
    bucket : 'entrenami-app-bucket',
    acl    : 'public-read',
    // The object key is taken verbatim from the client-supplied filename,
    // so two uploads named the same way overwrite each other.
    key    : function (req, file, callback) {
        callback(null, file.originalname);
    }
});
module.exports.s3Upload = multer({ storage: s3Storage });

I then attached my middleware to my Express router for uploading images or videos.

It was written in the AWS documentation that I shouldn't put my access key with my source code, so I added it to .gitignore. Now how would I access my access key when I deploy my app on AWS EC2 or Heroku? I have no idea how to access my key using an ENV variable. Please help me; I've been reading the documentation but I can't wrap my mind around it. Thank you in advance.

1 Answer

As I understand it, you placed your key as a static resource, so anybody could download it. As far as I know, Heroku gives you the ability to create environment variables for your app. So you should create AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and probably AWS_DEFAULT_REGION (it is not described there, but it is used by Python's boto), as shown in the AWS SDK docs. The process of creating them is well explained in the Heroku docs. The AWS SDK will check these variables on application start. This applies if we are talking about a server-side app.

Otherwise, you have 3 options:

  1. Using Amazon Cognito Identity to authenticate users and supply credentials

  2. Using web federated identity

  3. Hard-coded in the script (NOT RECOMMENDED)

as described in this Amazon article.

Ruslan Neruka
  • Thank you, mate, for clearing it up. I couldn't wrap my head around it earlier. So I took the steps one by one and set the environment variable in EC2 for my Node app to access my AWS S3 key. I'll try Heroku tomorrow. And yep, that was dumb of me, putting the key with my source code; I didn't realize it could be stolen inside Heroku. Anyway, thank you again. – Sherwin Ablaña Dapito Jul 13 '17 at 15:25