Setting initial passwords or taking user input on Amazon Marketplace


We're looking to put an image on AWS Marketplace (EC2). The image is to include a password-based web user interface. What is the correct way to set that password?

Some options come to mind:

  • Set the password to a known value. Require a password change on first login. Hope that the end user does not leave it running unattended with the default password.
  • Set the password to a random value. Communicate it to the end user somehow. If so, how do we communicate it to the end user? Is it possible to find out the account owner's email through an API from a running EC2 instance?
  • Create a bootstrap web application that will authenticate the user by requiring them to provide their EC2 security credentials and then let them specify a password for the actual web application.
  • If there's a way to take user input before instance provisioning, then obviously we can just prompt for a new password. Is there any way to prompt for user input when provisioning an image from AWS marketplace on EC2?

Are any of the above options the right option? Is there a recommended approach? What is the least insecure way to do this?

1 Answer

Hello,

Here are a few suggestions for securely setting a password for a web UI included in an AWS Marketplace AMI:

  • The best option would be to have the AMI launch a bootstrap application that prompts the user to set a new password during the initial launch/configuration of the instance. This ensures the password is unique per customer and not shared.
  • You could generate a random password during AMI creation and store it encrypted within the AMI. The bootstrap app would then decrypt, display, and allow resetting the password on the first launch. This prevents a static default password.
  • Consider using IAM roles and temporary security credentials to authenticate to the web UI instead of a static password. The instance could retrieve short-lived credentials on launch to securely identify the user.
  • Avoid storing passwords or credentials directly within the AMI if possible. Leverage external/dynamic sources like parameter store instead where the instance can look up secrets on launch.

The key is allowing the customer to set their own unique password per instance, to avoid reusing defaults and ensure each deployment has its own isolated credentials.

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html

Thanks

answered 4 months ago
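The first suggestion in the answer above (a bootstrap step that makes the customer choose the password on initial launch) is the one most Marketplace images end up implementing, and the questioner's second bullet asks what secret can stand in for a password the user has never been told. The following is an added example, not code from the question, the answer, or any AWS product: a one-shot first-boot bootstrap in Python. It assumes the pattern of treating the EC2 instance ID as the bootstrap secret (the customer can read it from the console or `ec2:DescribeInstances`, while an opportunistic scanner who finds the web UI cannot), read on the instance via IMDSv2; the state-file path `/var/lib/webui/auth.json`, the attempt limit, and the password policy are all assumptions chosen for the example.

```python
"""First-boot password bootstrap for a web UI shipped inside an AMI (added example)."""
import hashlib
import hmac
import json
import os
import secrets
import urllib.request

IMDS = "http://169.254.169.254"
PBKDF2_ITERATIONS = 600_000        # OWASP-recommended floor for PBKDF2-HMAC-SHA256
MAX_BOOTSTRAP_ATTEMPTS = 5         # assumption: lock the bootstrap after 5 bad secrets


def fetch_instance_id(timeout=2.0):
    """Read this instance's ID through IMDSv2 (session token first, then metadata).
    Only works on EC2; the bootstrap class takes the ID as a parameter so the
    rest of this file runs offline."""
    req = urllib.request.Request(
        f"{IMDS}/latest/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
    token = urllib.request.urlopen(req, timeout=timeout).read().decode()
    req = urllib.request.Request(
        f"{IMDS}/latest/meta-data/instance-id",
        headers={"X-aws-ec2-metadata-token": token})
    return urllib.request.urlopen(req, timeout=timeout).read().decode()


def validate_password(password, bootstrap_secret):
    """Minimal policy (assumption): length, not the bootstrap secret, not a single class."""
    if len(password) < 12:
        return "password must be at least 12 characters"
    if password == bootstrap_secret:
        return "password must not be the bootstrap secret"
    if password.isalpha() or password.isdigit():
        return "password must mix letters with digits or symbols"
    return None


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt_hex, digest_hex)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex(), digest.hex()


class FirstBootSetup:
    """One-shot bootstrap: whoever presents the instance ID first sets the password.
    State is a 0600 JSON file; once setup completes the instance ID is useless."""

    def __init__(self, state_path, bootstrap_secret):
        self.state_path = state_path
        self.bootstrap_secret = bootstrap_secret
        self.state = {"setup_complete": False, "attempts": 0, "salt": None, "hash": None}
        if os.path.exists(state_path):
            with open(state_path) as f:
                self.state = json.load(f)

    def _save(self):
        fd = os.open(self.state_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as f:
            json.dump(self.state, f)
        os.chmod(self.state_path, 0o600)

    def complete_setup(self, presented_secret, new_password):
        """Return None on success, otherwise an error string. Never runs twice."""
        if self.state["setup_complete"]:
            return "setup already completed"
        if self.state["attempts"] >= MAX_BOOTSTRAP_ATTEMPTS:
            return "too many failed attempts; relaunch the instance to retry"
        if not hmac.compare_digest(presented_secret.encode(), self.bootstrap_secret.encode()):
            self.state["attempts"] += 1   # failures are persisted, so restarts don't reset them
            self._save()
            return "bootstrap secret does not match"
        err = validate_password(new_password, self.bootstrap_secret)
        if err:
            return err
        salt, digest = hash_password(new_password)
        self.state.update({"setup_complete": True, "salt": salt, "hash": digest})
        self._save()
        return None

    def verify_login(self, password):
        """Constant-time comparison against the stored hash; False until setup is done."""
        if not self.state["setup_complete"]:
            return False
        _, digest = hash_password(password, bytes.fromhex(self.state["salt"]))
        return hmac.compare_digest(digest, self.state["hash"])


if __name__ == "__main__":   # interactive use on an EC2 instance (path is an assumption)
    import getpass
    setup = FirstBootSetup("/var/lib/webui/auth.json", fetch_instance_id())
    err = setup.complete_setup(input("Instance ID: "), getpass.getpass("New password: "))
    print(err or "setup complete")
```

The instance ID is not a strong secret (anyone with `ec2:DescribeInstances` in the account can read it, and it shows up in logs), which is why the class treats it as a single-use, attempt-limited bootstrap token rather than a password: it is consumed by the first successful setup, failures are counted across restarts, and `verify_login` refuses every login until setup has happened, so an instance left unattended never sits behind a default credential. The bootstrap page should still only be reachable from the customer's own security group until setup is complete.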
