bash - Is it secure to store EC2 User-Data shell scripts in a private S3 bucket? -


i have ec2 asg on aws , i'm interested in storing shell script that's used instantiate given instance in s3 bucket , have downloaded , run upon instantiation, feels little rickety though i'm using iam instance role, transferring via https, , encrypting script while @ rest in s3 bucket using kms using s3 server side encryption (because kms method throwing 'unknown' error).

the setup

in user-data field

i input following user data field when creating launch configuration want asg use:

#!/bin/bash  apt-get update apt-get -y install python-pip apt-get -y install awscli cd /home/ubuntu aws s3 cp s3://super-secret-bucket/instance-init.sh . --region us-east-1 chmod +x instance-init.sh . instance-init.sh shred -u -z -n 27 instance-init.sh

the above following:

  • updates package lists
  • installs python (required run aws-cli)
  • installs aws-cli
  • changes /home/ubuntu user directory
  • uses aws-cli download instance-init.sh file s3. due iam role assigned instance, aws creds automagically discovered aws-cli. iam role grants instance permissions necessary decrypt file.
  • makes executable
  • runs script
  • deletes script after it's completed.

the instance-init.sh script

the script stuff setting env vars , docker run containers need deployed on instance. kinda so:

#!/bin/bash  export mongo_user='mymongousername' export mongo_pass='top-secret-dont-tell-anyone'  docker login -u <username> -p <password> -e <email> docker run - e mongo_user=${mongo_user} -e mongo_pass=${mongo_pass} --name mycontainername quay.io/myquaynamespace/myappname:latest


very handy

this creates handy way update user-data scripts without need create new launch config every time need make minor change. , great job of getting env vars out of codebase , narrow, controllable space (the instance-init.sh script itself).

but feels little insecure. idea of putting master db creds file on s3 unsettling least.

the questions

  1. is common practice or dreaming bad idea here?
  2. does fact file downloaded , stored (albeit briefly) on fresh instance constitute vulnerability @ all?
  3. is there better method deleting file in more secure way?
  4. does matter whether file deleted after it's run? considering secrets being transferred env vars seems redundant delete instance-init.sh file.
  5. is there i'm missing in nascent days of ops?

thanks in advance.

what describing using instantiate docker containers our registry (we use v2 self-hosted/private, s3-backed docker-registry instead of quay) production. fwiw, had same "this feels rickety" feeling describe when first treading path, after year of doing -- , compared alternative of storing sensitive configuration data in repo or baked image -- i'm confident it's 1 of better ways of handling data. now, being said, looking @ using hashicorp's new vault software deploying configuration secrets replace "shared" encrypted secret shell script container (say 5 times fast). thinking vault equivalent of outsourcing crypto open source community (where belongs), configuration storage.

in fewer words, haven't run across many problems similar situation we've been using year, looking @ using external open source project (hashicorp's vault) replace our homegrown method. luck!


Comments

Post a Comment

Popular posts from this blog

python - Mongodb How to add addtional information when aggregating? -

i beginner , wrote line pipeline works, wanna add other information output, screen name , or number of tweets.i tried add under $group gave me syntax error everytime here pipeline: def make_pipeline(): # complete aggregation pipeline pipeline = [ { '$match': { "user.statuses_count": {"$gt":99 }, "user.time_zone": "brasilia" } }, { "$group": { "_id": "$user.id", "followers": { "$max": "$user.followers_count" } } }, { "$sort": { "followers": -1 } }, { "$limit" : 1 } ]; i using on example : { "_id" : objectid("5304e2e3cc9e684aa98bef97"), "text" : "first week of school on :p", "in_reply_to_status_id" : null, "retweet_count" : null, ...
Read more

java - Spring Data JPA: Why findOne(id) executing delete query internally? -

i have 1 application using @manytomany annotation link 2 different entities 1 parent entity. not sure if have implemented properly. when execute .findone() on parent entity's repository find it, @ first fetch data along executing delete queries internally delete record mapping table (a table jpa creates after adding @manytomany annotation.). following generated sql queries , code snippet: java class @entity @table(name = "inventory") public class inventory { @id long id; // many other properties @manytomany(fetch=fetchtype.lazy) private list<stream> streams; @manytomany(fetch=fetchtype.lazy) private list<subject> subjects; } there no other annotation i've put in stream , subject entity class link inventory class. when run app, create following tables: inventory stream subject inventory_stream inventory_subject (inventory_stream , inventory_subject, 2 tables created automatically, don't k...
Read more

java - Incorrect order of records in M-M relationship in hibernate -

Image
i have 4 records in bridge table in mysql database. using @manytomany in hibernate, accurate order of employees incorrect incorrect of projects. following required material figure out doing mistake. this source. @entity @table(name="project") public class projectbean { @id @generatedvalue @column(name="project_id") private int projectid; @column(name="title") private string projecttitle; @manytomany(mappedby="projects") private collection<employeebean> employees; public projectbean() { employees = new arraylist<employeebean>(); } //getters & setters } @entity @table(name="employee") public class employeebean { @id @generatedvalue @column(name="employee_id") private int employee_id; @column(name="first_name") private string ...
Read more