Question

I am developing an application using ASP.NET. I wonder where the most secure place to store the Amazon AWS ID and secret key is.

I thought about two possibilities: first, in the actual AmazonAPI.cs (class) itself as a private member; second, as an appSettings variable in the web.config.

I must supply these credentials with the API call in order to use AWS API for .NET. I don't use a web service to make the call. The call is made via a .cs class file that I've made particularly for the purpose of encapsulating Amazon API calls.

Can you please provide sample code that demonstrates how to get it done (a good way is like the one found here)? There might be a better way if using ASP.NET 4.0, but I'm not sure. Again, I want to encrypt the following in web.config:

<appSettings>
 <add key="AWSAccessKey" value="" />
 <add key="AWSSecretKey" value="" />
</appSettings>

Thanks.

BTW: there is also an option to use IAM User Temporary Credentials - did you know anything about it?

Solution

Since it is very easy to encrypt/decrypt a section of the web.config, I would go for this solution: http://msdn.microsoft.com/en-us/library/dtkwfdky.aspx
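One way to do the encryption the answer above links to, as an added example that is not part of the original answer. It assumes a classic ASP.NET (System.Web) application whose web.config holds the `AWSAccessKey` and `AWSSecretKey` appSettings from the question; the class and method names are hypothetical.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Added example, not code from the original answers.
// AwsConfigProtector, ProtectAppSettings and GetRequired are hypothetical names.
public static class AwsConfigProtector
{
    // Built-in provider registered in machine.config. DPAPI ties the
    // ciphertext to this machine; use "RsaProtectedConfigurationProvider"
    // when the same web.config is deployed to several servers.
    private const string DpapiProvider = "DataProtectionConfigurationProvider";

    // Encrypts <appSettings> in place. Safe to call on every start-up:
    // returns false and writes nothing once the section is protected.
    public static bool ProtectAppSettings(string virtualPath = "~")
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection("appSettings");
        if (section == null)
            throw new ConfigurationErrorsException("appSettings section not found");

        if (section.SectionInformation.IsProtected)
            return false; // already encrypted

        if (section.SectionInformation.IsLocked)
            throw new ConfigurationErrorsException("appSettings is locked by a parent config");

        section.SectionInformation.ProtectSection(DpapiProvider);
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Reading needs no extra code: the configuration system decrypts the
    // section transparently when the application asks for a value.
    public static string GetRequired(string key)
    {
        string value = WebConfigurationManager.AppSettings[key];
        if (string.IsNullOrEmpty(value))
            throw new ConfigurationErrorsException("Missing appSetting: " + key);
        return value;
    }
}
```

The worker process identity needs write access to web.config for the save to succeed. Encryption protects the file at rest (backups, source control, file shares); code running as the application identity on that server can still read the keys.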

OTHER TIPS

You should not store AWS access keys and secrets in your code. AWS solves this directly with IAM roles, which instances assume to gain permissions. AWS provides EC2 instances with the IAM roles when they are deployed.

Using IAM Roles to Delegate Permissions to Applications that Run on Amazon EC2 http://docs.aws.amazon.com/IAM/latest/UserGuide/roles-usingrole-ec2instance.html

Edit: The current versions of the AWS SDK encourage you to either:

A) Use EC2 role credentials (recommended)

When you deploy your code to an EC2 instance, the code will automatically run in the context of the role. So you add permissions to the IAM Role you assign to your EC2 instance.

B) Use credential files

When using roles in production, you can use this technique whilst developing locally / on your local machine. This approach lets you use different accounts too. Just add more profile sections to your configuration as you need them.

  1. Create a credential file in c:\aws_service_credentials called credentials (no extension)
  2. Add the following to your app.config
    <configuration>
      <appSettings>
        <add key="AWSProfileName" value="development"/>
        <add key="AWSProfilesLocation" value="C:\aws_service_credentials\credentials"/>
      </appSettings>
    </configuration>
  3. Add your credentials file in the right folder (e.g., C:\aws_service_credentials\credentials)
    [development]
    aws_access_key_id=AKIAIOSFODNN7EXAMPLE
    aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

See http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html to set up your credentials.

Make sure you create profile files in a folder that your process can access (e.g., Everyone permission on the folder and files). If you're running your app as an admin this probably isn't a problem, but is if you run the app as a service or background app. By default a folder created in C:\ isn't open to be read by everyone, so add the permissions if you're lacking them.

C) Add credentials to your app config directly (not recommended)

This approach is not recommended because your app config can be shared and your keys compromised.

<add key="AWSAccessKey" value="key"/>
<add key="AWSSecretKey" value="secret"/>
<add key="AWSRegion" value="eu-west-1" />

If you store the key in the .cs class, then if you change it you will have to recompile and then redeploy. If you store it in the web.config, then you can change the key easily. If you host in public repositories (GitHub or Bitbucket), then you wouldn't want to store it in the web.config unless it is encrypted, as people will see your key.

So the considerations are:

  1. being able to change your key
  2. possibility of others changing your key

There is no right or wrong answer, but my preference would be web.config.

Paul

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow