git-secrets and AWS credential management

We’ve seen a few account compromises on campus resulting from AWS IAM credentials checked into a public Github repository.

I encourage our customers to implement Amazon’s git-secrets package, which will automatically scan your code for keys and reject a git check-in if they’re found.

But if you’re not putting keys in your code, where should they go? A few suggestions:

  1. If you’re running from an EC2 instance, you can use an EC2 role to grant access to any API calls originating from that instance. This is my preferred method because no key management is required.
  2. Create local profiles that store credentials outside your application. “aws configure” will get you started with the AWS CLI.
  3. Populate your environment variables, again pulling the data out of your code.

Amazon documents their best practices for managing AWS access keys, which includes more options and more detail.

Besides handling credentials carefully, it’s useful to give your application the least privileges it needs. I recommend creating a dedicated IAM user or role for each application and granting it only the permissions it needs. Attackers tend to be most interested in credentials that allow them to launch EC2 instances. If your application doesn’t need that capability, you can dramatically limit the potential for attack.