Are Elastic Beanstalk's environment variables an appropriate place to store secret values?

The point of keeping secrets out of source code is so they don't go into source control. This is particularly useful in open source projects.

When deployed, it doesn't matter if the secret's in a file or envvar. What's important is that only the OS user that your program is running as can read it. This is the default for envvars, which is convenient.

Root can always read everything. So Amazon can know your secret values if they want, because they are root (though they have policies against reading your stuff).

They do support pricey hardware security modules (HSMs) though, which would make your keys unreadable. Of course, they could still use the HSM to decrypt your stuff, just never get the actual key.

There's also Key Management Service from AWS, which is like a software HSM.

So either you need to trust Amazon, or host stuff yourself, or colocate.
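As an added illustration (my code, not part of the answer above), the following Python shows the two checks the answer relies on: a secret is read from an environment variable if present, otherwise from a file that the loader refuses unless it is owned by the current user and readable by nobody else; and a child process's environment is read back from Linux's `/proc/<pid>/environ`, which is owner-only (0400) plus root, i.e. the "only the OS user your program runs as" property the answer describes. The variable name `APP_SECRET`, the file names and the value `hunter2` are constructed placeholders.

```python
import os
import shutil
import stat
import subprocess
import tempfile


def secret_from_env(name, environ=None):
    """Return the secret from the process environment, or None if it is unset."""
    environ = os.environ if environ is None else environ
    return environ.get(name)


def check_private_file(path):
    """Return a list of reasons a secrets file is NOT private (empty list means it is).

    'Private' here means: owned by the uid this process runs as, and no read/write/
    execute bits for group or others (mode 0600 or stricter)."""
    st = os.stat(path)
    problems = []
    if st.st_uid != os.geteuid():
        problems.append("owned by uid %d but process runs as uid %d"
                        % (st.st_uid, os.geteuid()))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %04o grants access to group or others"
                        % stat.S_IMODE(st.st_mode))
    return problems


def secret_from_file(path):
    """Read a secret from a file, refusing files that other users could read."""
    problems = check_private_file(path)
    if problems:
        raise PermissionError("refusing %s: %s" % (path, "; ".join(problems)))
    with open(path) as fh:
        return fh.read().strip()


def load_secret(name, file_path=None, environ=None):
    """Prefer the environment variable; fall back to a private file; else fail."""
    value = secret_from_env(name, environ)
    if value is not None:
        return value
    if file_path is not None:
        return secret_from_file(file_path)
    raise KeyError("secret %s was not provided" % name)


def environ_visible_via_proc(name, value):
    """Start a child with NAME=value and read it back from /proc/<pid>/environ.

    On Linux that file is mode 0400 and owned by the process's user, so the same
    user (and root) can read it, but other unprivileged users cannot. Returns the
    recovered value, or None where /proc or a `sleep` binary is unavailable."""
    if not os.path.isdir("/proc"):
        return None
    env = {name: value, "PATH": os.environ.get("PATH", "/usr/bin:/bin")}
    try:
        child = subprocess.Popen(["sleep", "30"], env=env)  # returns after exec
    except OSError:
        return None
    try:
        with open("/proc/%d/environ" % child.pid, "rb") as fh:
            entries = fh.read().split(b"\0")
        pairs = dict(e.split(b"=", 1) for e in entries if b"=" in e)
        return pairs.get(name.encode(), b"").decode() or None
    finally:
        child.kill()
        child.wait()


def demo():
    """Constructed example: a 0600 secrets file is accepted, a 0644 one is refused."""
    workdir = tempfile.mkdtemp()
    good = os.path.join(workdir, "good.secret")
    bad = os.path.join(workdir, "bad.secret")
    for path, mode in ((good, 0o600), (bad, 0o644)):
        with open(path, "w") as fh:
            fh.write("hunter2\n")  # constructed placeholder secret
        os.chmod(path, mode)
    results = {
        "from_env": load_secret("APP_SECRET", environ={"APP_SECRET": "from-env"}),
        "from_private_file": load_secret("APP_SECRET", file_path=good, environ={}),
        "bad_file_problems": check_private_file(bad),
    }
    try:
        load_secret("APP_SECRET", file_path=bad, environ={})
        results["world_readable_refused"] = False
    except PermissionError:
        results["world_readable_refused"] = True
    results["seen_in_proc"] = environ_visible_via_proc("APP_SECRET", "hunter2")
    shutil.rmtree(workdir)
    return results


if __name__ == "__main__":
    for key, val in demo().items():
        print("%-24s %r" % (key, val))
```

The file check is the part worth copying into real code: a secrets file that Beanstalk or a deploy script drops with 0644 is readable by every local user, whereas the environment block already gets the owner-only treatment from the kernel. Neither stops root, which is the answer's point about trusting the provider.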