AWS KMS, Parameter store and cli credentials - amazon-web-services

I've recently been looking into AWS KMS for storing database passwords and the like. However I've also seen that secure strings in Parameter store can be used for this. In both instances I believe I would need to use the AWS CLI to access these services.
However in a production environment where there might be multiple servers, how are we supposed to go about getting the AWS CLI installed and authenticated on our instances. It feels like the CLI credentials should also be stored in Parameter store creating a bit of a catch 22. As far as I'm aware these should form part of an AMI and I don't want them in source control either.
What's the best approach here?

Related

Detect EC2 role with AWS PHP SDK?

I have as php library I wrote to help with working along side Amazon Web Services. It was built to either look for the default $HOME/.aws/credentials (or be pointed to a similar format file) or to look for the key and secret in the environment before proceeding.
We are now going to be running it on an EC2 and I was shown how you can use roles in conjunction with the EC2 to get and keep much better control on what the server code can and can't do. But I need to modify my code to be able to know when it has proper permissions before proceeding and I don't see anywhere in the docs on assigning an EC2 instance a given role how you know in the SDK that it has the permissions of that role.
Is there some way once I instantiate the SDK to ask something akin to 'hasRole' or 'getRoleArn' or something like that?
SDKs are mapped directly to API calls. So if you know what cli command to call, it makes it much easier to google. So you want the aws sts get-caller-identity most likely.
Doing a google for "PHP sts sdk aws" is then the search you would do. And then you would wind up on this page.
So that way is using the SDK. There are a couple of other ways as well. As you are using ec2 you can use instance meta-data as well.
On another note I do think you should be careful though with leaking the AWS role into your application code. It probably makes more sense to use user identity context, such as with Cogito, and then use different groups with different permission sets. The role on the actual ec2 instance shouldn't be changing (unless you do a re-deploy), so there is no need for your code to check something that won't change during the normal running of the application. You could simply use an environment variable to convey whatever configuration you want to your application.
aws sts get-caller-identity --query 'Arn'
arn:aws:iam::1232412321:role/YourRole

How to store GOOGLE_APPLICATION_CREDENTIALS in an AWS ECS environment on Fargate?

We have an API app that uses Firebase Admin to send messages to devices.
Earlier, we used to specify the service account key using environment variable like GOOGLE_APPLICATION_CREDENTIALS="path_to_file.json".
But now, since we are shifting to AWS Elastic Container Service on Fargate, I am unable to figure out how to put this file in the container for AWS ECS.
Any advice highly appreciated.
Thanks
Solved it by storing the service key as a JSON Stringified environment variable & using admin.credential.cert() instead of defaultAppCredentials.
Refer: https://firebase.google.com/docs/reference/admin/node/admin.credential#cert
I would suggest instead AWS Secrets Manager that is purpose-built for storing secrets. Take a look to his blog post:
https://aws.amazon.com/blogs/compute/securing-credentials-using-aws-secrets-manager-with-aws-fargate/
Even better than using environment variables which have their own downsides, you can leverage AWS Parameter Store which is a secure way to manage secrets in the AWS environment (where secrets are encrypted both in transit and at rest).
You'd need to create an IAM role for Amazon ECS for your code to have access to the Parameter Store.
You may want to check this article: https://aws.amazon.com/blogs/compute/managing-secrets-for-amazon-ecs-applications-using-parameter-store-and-iam-roles-for-tasks/
Use the specific method from_service_account_info as described here. You then pass the content of the credentials json file as a dictionary.

Automatic rotation of AWS access keys

I am looking for ways to automate the rotation of access keys (AWS credentials) for a set of users. There is a seperate process that creates the Access Keys. I need to be able to rotate the keys in an automated way. This link explains a way to do this for a specific user. How would I be able to achieve this for a list of users. Any thoughts or recommendations?
You can use AWS Config to mark the old access keys non-compliant (https://docs.aws.amazon.com/config/latest/developerguide/access-keys-rotated.html) and then use CloudWatch Events (my article how to do this) to run a Lambda function that deletes the old key, creates a new one, then send it to the user.
Access keys are generally used for programmatic access by applications. If these applications are running in, says EC2, you should use roles for EC2. This will install temporary credentials on the instance that are automatically rotated for you. The AWS CLI and SDKs know how to automatically retrieve these credentials so you don't need to add them in the application either.
Other compute solutions (Lambda, ECS/EKS) also have ways to provision roles for applications.

What is aws-vault actually used for?

So it says on the github documentation here that
AWS Vault is a tool to securely store and access AWS credentials in a
development environment.
AWS Vault stores IAM credentials in your operating system's secure
keystore and then generates temporary credentials from those to expose
to your shell and applications. It's designed to be complementary to
the AWS CLI tools, and is aware of your
But what does this actually mean? As a developer does this mean to create a kind of lock to prevent anyone from using my code without the aws-vault profile? When should I use this technology? I want to know a bit more about it before I use it.
It actually doesn't have anything related to development.
While working with Amazon managed services we can take advantage of IAM roles but that doesn't work when you're doing it from our local environment or from some other Cloud VM like accessing a S3 bucket. It comes handy when you're doing a lot of work with AWS CLI or even writing terraform for your environment. It is just for a precaution so we don't expose or IAM credentials to external world (you will receive an abuse notification from Amazon whenever your keys are compromised). There are many other ways to make sure your keys don't get compromised like before pushing your code to a version control use git-secrets to make sure you don't push any sensitive information.

Securing AWS RDS credentials for Lambda

Right now I am passing the username and password in as environment variables. The variables are retrieved from a different file so the cloudformation stored using git does not contain the password and username which is good. But, right now they are stored in plaintext when looking at the lambda in the console.
What is the best practice for storing these credentials in the most cloud provider agnostic way? I basically just don't want to use KMS or any other key storing AWS service.
Just for completeness I have also considered storing the password in a dynamodb table. Then I would use IAM to be able to retrieve those credentials. But, those credentials are still stored in plaintext. If this is the best way to retrieve credentials is there a best way to encrypt it or this path not the best.
Thanks for all comments and advice.
We use AWS Secrets Manager for this exact situation. Works perfectly for us.