- Newest
- Most votes
- Most comments
I'm not sure there is a good answer to your question (but I hope that someone else has something better than what I'm offering).
It's not clear what risk you're trying to protect against other than not storing the credentials in clear text.
One possible risk is that someone might be able to copy the disk image that the instance is running and extract the previously written file from that image. You can protect against some of that risk by encrypting the volume. However, an attacker with a level of permission to use the AWS console (or APIs) to make a copy of the disk will probably also have access to the encryption key as well.
Another risk is that there is a malicious process on your instance that can scan the disk to look for unencrypted credentials. Or might be able to read the file while it exists. Here, disk encryption is not going to protect the data because the disk encryption is transparent to the instance so all processes can read and write files according to their permissions in the instance.
Similarly, a process with high enough permissions will be able to read the credentials from the memory of another process so even not writing the credentials to disk may not protect you.
In short: If there is a malicious actor (person or process) with enough credentials within your environment the protections that you can use are very minimal.
You might consider writing the file to disk already encrypted; but that assumes that you have a secure method of sharing the encryption key between the process that is writing the file and the process that is reading it. Again, a malicious process on the instance will be able to read the encryption key and therefore gain access to the credentials.
I would strongly recommend that you enable encryption of the disk; it's a good security measure and costs nothing to do. Otherwise, without knowing the attacks that you're trying to protect against it's difficult to provide more advice - and even the advice above isn't terribly useful.
Thank you very much for such a detailed answer. Based on the information received, I have already built a certain sequence of my further actions. Tell me please. I am interested in such a question - is there a way to encrypt processes in RAM on AWS using some tools. Offers AWS some built-in tools or solutions from its partners. And I have long been interested in the answer to this question - are all processes running in RAM on AWS virtual machines encrypted or are they not encrypted at all. If there is a link to the technical documentation on this topic, I will be very grateful for the help. Thanks
Relevant content
- asked 2 years ago
- Accepted Answerasked a year ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 8 months ago
- AWS OFFICIALUpdated 9 months ago
As you mentioned in the original question, Nitro Enclaves might be the way to solve that because it allows you to create an isolated execution environment within your instance. I say might because your application may have to pass data into the Enclave or extract data from it so you need to consider how you will do that securely. Because this is a complex topic I'd encourage reaching out to your local AWS Solutions Architect for an in-depth conversation.