Securely storing AWS access credentials in an on-premise server
Solution 1:
One way or another you'll have to have some credentials on the server that will be used to retrieve the AWS keys. At least try to restrict it by IP. Here is one way to do it:
- Create a dedicated IAM User for each server and an IAM Role.
- The IAM Role has all the privileges your tasks need while the IAM User has ho privileges other than
sts:AssumeRole
for that IAM Role. - Here is the trick: in the IAM User's
sts:AssumeRole
policy useCondition: { IPAddress: ... }
to restrict its use only to your server's IP. See here for more details.
You may ask why I suggest IAM User and a separate IAM Role - it's because the IPAddress condition must be specified for each Permission in the policy. If you apply it to sts:AssumeRole
you've got a single place where you control it. If you'd attach all your permissions/policies directly to the IAM User you'll have to specify the same condition over and over again for each permission.
Hope that helps :)