We have an EC2 instance that is coming up as part of an autoscaling configuration. This instance can retrieve AWS credentials using the IAM role assigned to it. However, the instance needs additional configuration to get started, some of which is sensitive (passwords to non-EC2 resources) and some of which is not (configuration parameters).

It seems that the best practice from AWS is to store instance configuration in IAM and retrieve it at run-time. The problem I have with this approach is that the configuration is sitting unprotected in an S3 bucket; an incorrect policy may expose it to parties who were never meant to see it.

What is a best practice for accomplishing my objective so that configuration data stored in S3 is also encrypted?

PS: I have read this question but it does not address my needs.


Solution 2

AWS does not provide clear guidance on this situation, which is a shame. This is how I am going to architect the solution:

  • The developer box encrypts a per-instance configuration blob using the private portion of an asymmetric keypair and places it in an S3 bucket.
  • Restrict access to the S3 bucket using an IAM policy.
  • Bake the public portion of the asymmetric keypair into the AMI.
  • Apply the IAM role to the EC2 instance and launch it from the AMI.
  • The EC2 instance is able to download the configuration from S3 (thanks to the IAM role) and decrypt it (thanks to having the public key available).

The private key is never shared with or sent to an instance, so it should not be compromised. If the public key is compromised (e.g. if the EC2 instance is rooted), then the attacker can decrypt the contents of the S3 bucket (but at that point they already have root access to the instance and can read the configuration directly from the running service).

Other tips

[…] incorrect policy may expose it to parties who were never meant to see it.

Well, then it's important to ensure that the policy is set correctly. :) Your best bet is to automate your deployments to S3 so that there's no room for human error.

Secondly, you can always find a way to encrypt the data before pushing it to S3, then decrypt it on-instance when the machine spins up.
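The encrypt-before-upload flow that Solution 2 and the tip above both describe, written out as an added example that is not code from either answer. It uses envelope encryption with Go's standard library only: a fresh AES-256-GCM data key encrypts the configuration blob, and that data key is wrapped with RSA-OAEP. The key roles follow the standard direction for public-key encryption (the developer box encrypts under the public key; the instance holds the matching private key). The instance ID is bound in as GCM additional authenticated data, so an envelope prepared for one instance is rejected by another and any tampering with the stored object fails authentication. The `Envelope` type, the `SealConfig`/`OpenConfig` names, the OAEP label and the sample configuration are all constructed for this example; the S3 upload and download steps are left out so the block runs offline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"log"
)

// oaepLabel is a fixed OAEP label (constructed); it only has to match between seal and open.
var oaepLabel = []byte("instance-config-data-key")

// Envelope is the object that would actually be uploaded to S3: a per-blob
// AES-256-GCM data key wrapped with RSA-OAEP, plus the GCM nonce and ciphertext.
type Envelope struct {
	WrappedKey []byte `json:"wrapped_key"`
	Nonce      []byte `json:"nonce"`
	Ciphertext []byte `json:"ciphertext"`
}

// SealConfig runs on the developer box. It encrypts the configuration blob for
// one instance; instanceID is bound in as additional authenticated data so the
// envelope cannot be silently presented by a different instance.
func SealConfig(pub *rsa.PublicKey, instanceID string, config []byte) ([]byte, error) {
	dataKey := make([]byte, 32) // AES-256 data key, fresh per envelope
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, config, []byte(instanceID))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	return json.Marshal(Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext})
}

// OpenConfig runs on the instance after it has fetched the envelope from S3.
// A modified ciphertext, or an envelope sealed for another instance, fails
// GCM authentication and yields an error instead of plaintext.
func OpenConfig(priv *rsa.PrivateKey, instanceID string, envelope []byte) ([]byte, error) {
	var env Envelope
	if err := json.Unmarshal(envelope, &env); err != nil {
		return nil, err
	}
	dataKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(instanceID))
}

func main() {
	// Constructed sample keypair; the private half is what the instance holds.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		log.Fatal(err)
	}
	// Constructed sample configuration blob (not a real credential).
	config := []byte(`{"db_host":"db.internal","db_password":"constructed-sample-password"}`)
	envelope, err := SealConfig(&priv.PublicKey, "i-0123456789abcdef0", config)
	if err != nil {
		log.Fatal(err)
	}
	plain, err := OpenConfig(priv, "i-0123456789abcdef0", envelope)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("decrypted on instance: %s\n", plain)
	// The same envelope presented under a different instance ID is rejected.
	if _, err := OpenConfig(priv, "i-0fedcba9876543210", envelope); err != nil {
		fmt.Println("wrong instance rejected:", err)
	}
}
```

Binding the instance ID as associated data is what turns "restrict the bucket with IAM" into defence in depth: even if a policy mistake exposes the object, a reader without the private key gets nothing, and a holder of the key still cannot reuse one instance's blob for another without detection.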

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow