Monday, January 24, 2011

Is it secure to store the cert/key on a private AMI?

Are there any major security implications to bundling a private AMI which contains the private key/certificate & environment variables?

For resiliency I'm creating an EC2 image which should be able to boot and configure itself without any intervention. After boot it will attempt to:

  • Attach & mount specific EBS volume(s)
  • Associate a specific Elastic IP
  • Start issuing backups of the EBS volume(s) to S3

However, to do this it will need the private key/pem files and will need certain environment variables to be available on start-up. Since this is a private AMI I'm wondering if it will be "safe" to store these variables/files directly in the image so that I don't need to specify any user-data information and can therefore start a new instance remotely (from my iPhone, if needed) should the instance be terminated for any reason.

From serverfault Phillip Oldham

  • I can't really think of a more secure way to do it, since a private AMI is protected by the same AWS levels of security as your EC2 account.

    An alternative would be to store the keys in a source code repository and check them out when you start up the EC2 instance; although you're then sending the keys across the wire, you can encrypt the traffic(e.g. with svn:ssh or https for Subversion).

    From gareth_bowles

  • A private AMI is safe, I wouldn't worry about anyone hacking your S3 data. However, a running server is as safe as you made it and you should assume that it is hackable. Therefore, your keys, which are really the key to Everything on your account, should not be left lying around.

    Make sure that the startup scripts delete the keys from the disk and do not retain them, unless there is a really good reason.

    If your server uses other AWS services and needs the keys to access them, consider having multiple AWS accounts for various services, and consolidate their billing for your convenience.

    You can also use external management services like RightScale, Scalr or Eucalyptus.

    From Shalom Carmel

  • AMIs which are directly stored in S3 will be encrypted by Amazon and signed with your keys (see "The creation process for an AMI that uses an instance store as its root device does the following:" in http://docs.amazonwebservices.com/AWSEC2/latest/DeveloperGuide/index.html?ComponentsAMIs.html).

    However, AMIs stored in EBS volumes are based on snapshots, which are not encrypted: aws.amazon.com/ec2/faqs/#Do_you_offer_encryption_on_Amazon_EBS_volumes_or_snapshots

    In either case, you should take a critical look at the permissions on the S3 bucket containing your AMI. By default the bucket will only be accessible by your account, but you may also want to add further protection using S3 ACLs.

    From
Posted by Mu Cat at 7:55 PM

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)