Comments on: Storing AWS Credentials on an EBS Snapshot Securely http://shlomoswidler.com/2010/07/storing-aws-credentials-on-an-ebs-snapshot-securely.html Cloud Developer Tips: Practical tips for developers of cloud computing applications. Tue, 31 Jan 2012 07:15:49 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: shlomohttp://shlomoswidler.com/2010/07/storing-aws-credentials-on-an-ebs-snapshot-securely.html/comment-page-1#comment-611 shlomo Wed, 30 Mar 2011 14:57:01 +0000 http://www.shlomoswidler.com/?p=190#comment-611 @Ian Harris,Agreed. Using IAM to create restricted-access credentials is a best practice, and should be employed whenever API access is required. @Ian Harris,

Agreed. Using IAM to create restricted-access credentials is a best practice, and should be employed whenever API access is required.

]]> By: Ian Harrishttp://shlomoswidler.com/2010/07/storing-aws-credentials-on-an-ebs-snapshot-securely.html/comment-page-1#comment-610 Ian Harris Wed, 30 Mar 2011 14:06:30 +0000 http://www.shlomoswidler.com/?p=190#comment-610 This is an excellent guide. We've used this approach and taking it one step further. If you know exactly what the AWS user needs to do you can restrict that user's actions by using keys that belong to an IAM user configured just for those actions.For example if, as part of instance boot, you have a requirement to download from S3 you could auth using an IAM user restricted to using just that bucket to list and get objects. If your instance is then compromised (even as root) the keys present can do no more damage than show what is already on the instance.The utility of the approach is limited by your use case but it's a handy way to stop a compromised instance allowing someone to get the keys to the kingdom. This is an excellent guide. We’ve used this approach and taking it one step further. If you know exactly what the AWS user needs to do you can restrict that user’s actions by using keys that belong to an IAM user configured just for those actions.

For example if, as part of instance boot, you have a requirement to download from S3 you could auth using an IAM user restricted to using just that bucket to list and get objects. If your instance is then compromised (even as root) the keys present can do no more damage than show what is already on the instance.

The utility of the approach is limited by your use case but it’s a handy way to stop a compromised instance allowing someone to get the keys to the kingdom.

]]> By: Henri Sackhttp://shlomoswidler.com/2010/07/storing-aws-credentials-on-an-ebs-snapshot-securely.html/comment-page-1#comment-401 Henri Sack Wed, 18 Aug 2010 17:13:48 +0000 http://www.shlomoswidler.com/?p=190#comment-401 Thank you for this tip. I've been searching for such solution for a while !... Thank you for this tip.
I’ve been searching for such solution for a while !…

]]>