Let's consider a scenario where your company's trainee engineer stores an access key (an access key ID and a secret access key) in a text file on a custom Amazon Machine Image (AMI). The company uses this access key to access Amazon DynamoDB tables from instances launched from the AMI. Do you consider this a security risk? If yes, as a mentor, what is the security best practice for this scenario?
(A). Pass the access key to the instances through instance user data.
(B). Obtain the access key from a key server launched in a private subnet.
(C). Put the access key in an Amazon S3 bucket and retrieve the access key on boot from the instance.
(D). Create an IAM role with permission to access the table and launch all instances with the new role.
**Note**
(1). Access keys should not be stored on the EC2 instance directly: anyone who can read the file system, a snapshot or a copy of the AMI obtains long-term credentials.
(2). The best practice is to use an IAM role attached to the instance, which lets the instance access other AWS services with short-lived credentials and without storing any secret on the image.
(3). If long-term access keys must be used, they can be stored in AWS Secrets Manager or Systems Manager Parameter Store and retrieved at runtime, but avoid hard-coding them or placing them in environment variables.
**Best Practice**
Use IAM Roles: Always prefer using an IAM role attached to the instance to access other AWS services. This is the most secure and recommended approach by AWS.
Avoid Hardcoding Access Keys: Never hardcode access keys in your application code, environment variables, or configuration files on the instance.
Use Secrets Manager or Parameter Store: If you must store sensitive information like access keys, use AWS Secrets Manager or Parameter Store and have your instance retrieve them securely at runtime.
Rotate Credentials: Ensure that any long-term credentials you do use are rotated regularly, but it is better to avoid long-term credentials altogether in favor of IAM roles and temporary credentials.
Finally, the answer is D:
(D). Create an IAM role with permission to access the table and launch all instances with the new role.
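As an added example (not part of the original post), here are the two defender-side pieces a mentor would reach for in this scenario: a scanner that flags long-term access keys left in files on an AMI, and the IAM role definition (trust policy plus a least-privilege DynamoDB policy) that replaces them. The table ARN and the sample credentials file are constructed; the key values are the well-known AWS documentation examples, not real credentials.

```python
import re

# AWS long-term access key IDs start with AKIA; temporary (STS) ones start with ASIA.
ACCESS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# A secret access key is 40 base64-like characters; only flag it next to a telltale name
# to keep false positives down.
SECRET_KEY_RE = re.compile(
    r"(?i)aws_secret_access_key\s*[=:]\s*[\"']?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)


def scan_for_access_keys(text: str) -> list[tuple[int, str]]:
    """Return (line_number, finding) for every credential-looking token in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            kind = "long-term access key id" if m.group(1) == "AKIA" else "temporary access key id"
            findings.append((lineno, kind))
        if SECRET_KEY_RE.search(line):
            findings.append((lineno, "secret access key"))
    return findings


def instance_role_policies(table_arn: str) -> dict:
    """Policies for the instance role: EC2 may assume it, and it may touch one table only."""
    trust_policy = {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"Service": "ec2.amazonaws.com"},
                       "Action": "sts:AssumeRole"}],
    }
    permissions_policy = {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       # Grant only the operations the application needs, on one table.
                       "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
                       "Resource": table_arn}],
    }
    return {"trust_policy": trust_policy, "permissions_policy": permissions_policy}


# Constructed sample: the kind of text file the trainee might have left on the AMI.
SAMPLE_CREDS_FILE = (
    "[default]\n"
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
    "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
)

if __name__ == "__main__":
    for lineno, kind in scan_for_access_keys(SAMPLE_CREDS_FILE):
        print(f"line {lineno}: {kind}")
```

Run the scanner over files baked into an image (and over snapshots of running instances) before publishing the AMI; any finding should be revoked in IAM, not just deleted from the file.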