Securely storing AWS access credentials in an on-premise server

amazon-web-services amazon-iam

Solution 1:

One way or another you'll have to have some credentials on the server that will be used to retrieve the AWS keys. At least try to restrict it by IP. Here is one way to do it:

  • Create a dedicated IAM User for each server and an IAM Role.
  • The IAM Role has all the privileges your tasks need while the IAM User has ho privileges other than sts:AssumeRole for that IAM Role.
  • Here is the trick: in the IAM User's sts:AssumeRole policy use Condition: { IPAddress: ... } to restrict its use only to your server's IP. See here for more details.

You may ask why I suggest IAM User and a separate IAM Role - it's because the IPAddress condition must be specified for each Permission in the policy. If you apply it to sts:AssumeRole you've got a single place where you control it. If you'd attach all your permissions/policies directly to the IAM User you'll have to specify the same condition over and over again for each permission.

Hope that helps :)

Related

How to create global company policy that will set user photos from folder in WS AD
high CPU usage of MySQL and recommendation from Mysqltunner
How to instruct linux not to swap out hot pages of mmaped files?
Can I use both LDAP and LDAPS on the same server​?
Can't change linux user password with php script [closed]
Force host to use alternate DNS servers on unresolvable queries with dnsmasq
Fixing the Secure Channel Windows 2012 -- the trust relationship between workstation and domain fails?
Arrange base plots and grid.tables on the same page
How to capture video using JMF, but without installing JMF
pass array to oracle procedure
Is there way to create tuple from list(without codegeneration)?
How to save images into Database