使用 AWS re:Post 即表示您同意 AWS re:Post 使用條款
AWS re:Postre:Post

Setting initial passwords or taking user input on Amazon Marketplace

0

We're looking to put an image on AWS Marketplace (EC2). The image is to include a password-based web user interface. What is the correct way to set that password?

Some options come to mind:

  • Set the password to a known value. Require a password change on first login. Hope that the end user does not leave it running unattended with the default password.
  • Set the password to a random value. Communicate it to the end user somehow. If so, how do we communicate it to the end user? Is it possible to find out the account owner's email through an API from a running EC2 instance?
  • Create a bootstrap web application that will authenticate the user by requiring them to provide their EC2 security credentials and then let them specify a password for the actual web application.
  • If there's a way to take user input before instance provisioning, then obviously we can just prompt for a new password. Is there any way to prompt for user input when provisioning an image from AWS marketplace on EC2?

Are any of the above options the right option? Is there a recommended approach? What is the least insecure way to do this?

主題
運算管理與治理AWS 市場
標籤
Linux 佈建AWS 管理主控台Amazon EC2AWS 市場
語言
English
Dataedo
已提問 4 個月前檢視次數 184 次
1 個回答
0

Hello,

Here are a few suggestions for securely setting a password for a web UI included in an AWS Marketplace AMI:

  • The best option would be to have the AMI launch a bootstrap application that prompts the user to set a new password during the initial launch/configuration of the instance. This ensures the password is unique per customer and not shared.
  • You could generate a random password during AMI creation and store it encrypted within the AMI. The bootstrap app would then decrypt, display, and allow resetting the password on the first launch. This prevents a static default password.
  • Consider using IAM roles and temporary security credentials to authenticate to the web UI instead of a static password. The instance could retrieve short-lived credentials on launch to securely identify the user.
  • Avoid storing passwords or credentials directly within the AMI if possible. Leverage external/dynamic sources like parameter store instead where the instance can look up secrets on launch.

The key is allowing the customer to set their own unique password per instance to avoid reusing defaults and ensure each deployment has its own isolated credentials

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html

Thanks

Abhinav Chauhan
已回答 4 個月前

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南

相關內容