12

How can I securely store AWS credentials on personal machines?

In detail:

Everybody in our team requires AWS security credentials for doing administrative tasks (credentials are separated by role). These credentials are usually stored in plaintext in some config files on disk. I think this is very insecure, especially considering that credentials are distributed over team members, end up in backup etc.

I would much prefer storing these credentials in encrypted form (similar to ssh keys, for example). Is there some automated way of doing so? Or do I need to hack up some bash script that uses for example openssl to encrypt data?

There is much information on the web regarding how to secure credentials on an EC2 instance. There's even this Amazon IAM roles functionality, but it also applies only to EC2.

030
  • 5,731
  • 12
  • 61
  • 107
arnuschky
  • 418
  • 4
  • 11

2 Answers2

4

Great question-and depending on the person answering, you will probably have a couple of routes to go. I will give you an example of what we use:

  1. Create IAM roles based on user (developer, infrastructure, security, audit, etc) -customize policy to allow or deny specific actions based on user access.

Example: allow all ec2 actions for administrator. Or only allow access based on a tag or subnet for a developer, etc.

  1. Launch ec2 Linux instance(s) using specific IAM roles. Launch an instance for either each specific role or user (adjust instance size/type according to need, budget, etc)

  2. Configure security group for each instance to only allow either specific subnets or individual IPs, so you can lock down traffic ingress to SSH.

  3. Set a custom user/password for SSH or join to domain.

  4. Have each user logon or SSH to the Linux instance assigned to their role or user access.

  5. API keys and access are now inherited from the instance IAM role itself-making the need for storing user keys irrelevant. Just make sure to lock down security group, only grant access to specific users on the Linux box. The user should be able to write scripts using the AWS API/use the API tools functionality as normal.

We have been using this method for about a year now-with additional security tweaks, like leased access time, bought into AWS HSM and it works great.

Hope this helps you or someone else out there.

Scott Moore
  • 551
  • 1
  • 4
  • 11
  • Nice idea, thanks! Didn't think of that. No option for us at the moment due to the involved costs, but I'll keep it in mind. – arnuschky Sep 20 '14 at 19:40
4

https://github.com/realestate-com-au/credulous may be worth investigating. From the project description:

credulous is a command line tool that manages AWS (IAM) Credentials securely. The aim is to encrypt the credentials using a user's public SSH Key so that only the user who has the corresponding private SSH key is able to see and use them. Furthermore the tool will also enable the user to easily rotate their current credentials without breaking the user's current workflow.

There's an introductory blog article at http://techblog.realestate.com.au/protecting-your-aws-keys-with-credulous/.

mvermaes
  • 671
  • 5
  • 7