AWS instance and Credentials


Good afternoon. I want to apologize for the possibly wrong question. I am not a native English speaker and my question may be misunderstood. But I will try to ask my question as correctly as possible in order to find a way to solve it. There is a client-server application. The client has an instance. The server is in the Enclaves. In order for the client to connect to the server, the client must send a request for Credentials. On the client, a script creates a file that temporarily holds credentials for such a connection. These credentials are copied from the server's memory into this file (temporarily). This file is then deleted. I would like to somehow protect myself and somehow encrypt this file, or find an alternative SAFE solution for how to bypass this process and use other tools that Amazon AWS has. Is it possible to somehow automate this process and make the transfer of credentials that the client takes from the server and inserts into its application? Because the credentials are temporarily stored unencrypted, I think this is a serious vulnerability for my application. It is enough for me to be given an idea to solve my problem. Then I'll try to figure it out myself. AWS contains a fairly large amount of materials and it is very difficult to find the right topic. I am sure that among its tools it will be able to offer a solution to my problem. Thanks.

2 Answers

I'm not sure there is a good answer to your question (but I hope that someone else has something better than what I'm offering).

It's not clear what risk you're trying to protect against other than not storing the credentials in clear text.

One possible risk is that someone might be able to copy the disk image that the instance is running and extract the previously written file from that image. You can protect against some of that risk by encrypting the volume. However, an attacker with a level of permission to use the AWS console (or APIs) to make a copy of the disk will probably also have access to the encryption key as well.

Another risk is that there is a malicious process on your instance that can scan the disk to look for unencrypted credentials. Or might be able to read the file while it exists. Here, disk encryption is not going to protect the data because the disk encryption is transparent to the instance so all processes can read and write files according to their permissions in the instance.

Similarly, a process with high enough permissions will be able to read the credentials from the memory of another process so even not writing the credentials to disk may not protect you.

In short: If there is a malicious actor (person or process) with enough credentials within your environment the protections that you can use are very minimal.

You might consider writing the file to disk already encrypted; but that assumes that you have a secure method of sharing the encryption key between the process that is writing the file and the process that is reading it. Again, a malicious process on the instance will be able to read the encryption key and therefore gain access to the credentials.

I would strongly recommend that you enable encryption of the disk; it's a good security measure and costs nothing to do. Otherwise, without knowing the attacks that you're trying to protect against it's difficult to provide more advice - and even the advice above isn't terribly useful.

AWS, answered a year ago

Thank you very much for such a detailed answer. Based on the information received, I have already built a certain sequence of my further actions. Please tell me: I am interested in the following question - is there a way to encrypt processes in RAM on AWS using some tools? Does AWS offer some built-in tools or solutions from its partners? And I have long been interested in the answer to this question - are all processes running in RAM on AWS virtual machines encrypted, or are they not encrypted at all? If there is a link to the technical documentation on this topic, I will be very grateful for the help. Thanks.

answered a year ago
  • As you mentioned in the original question, Nitro Enclaves might be the way to solve that because it allows you to create an isolated execution environment within your instance. I say might because your application may have to pass data into the Enclave or extract data from it so you need to consider how you will do that securely. Because this is a complex topic I'd encourage reaching out to your local AWS Solutions Architect for an in-depth conversation.
