How to manage an AWS Elastic Beanstalk DB password in a secure way


Question

We have a DB instance outside our EB env, and the password is stored in a properties file which will be zipped along with the jar and gets uploaded and deployed. This is not very secure as the password is literally carried around. (Compare to the old way of deployment where the password is stored on the server and gets pulled out with other connection info through JNDI.) Is there any better way to manage the DB password in a more secure way?

Answer

I agree with Rodrigo M that AWS Parameter Store is a good idea. Here is a small how-to:

Elastic Beanstalk runs on EC2. When you run the AWS CLI on EC2, it automatically has the permissions of any IAM role which is assigned to the EC2 instance. So this means that you can create an IAM role which gives EC2 instances the permission to get the secret, then get it in your application code on startup.

IAM: For example, attach the AmazonSSMReadOnlyAccess policy to the aws-elasticbeanstalk-ec2-role. This will get you going. There might be more restrictive and secure ways to do this; for example, there is an example at https://aws.amazon.com/blogs/compute/managing-secrets-for-amazon-ecs-applications-using-parameter-store-and-iam-roles-for-tasks/ of a policy which only allows access to a named parameter, instead of all of them.

There is an SDK which allows you to use the AWS CLI functionality from your application. See https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/SSM.html.

npm install aws-sdk

Then in your code:

const AWS = require('aws-sdk');
// The region must be the one in which the parameter was created.
const ssm = new AWS.SSM({'region': 'us-east-1'});

var params = {
  Name: 'db-pw',         // name of the parameter in Parameter Store
  WithDecryption: true   // needed to read a SecureString parameter as plaintext
};
ssm.getParameter(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred (e.g. missing IAM permission or unknown parameter)
  else {
    const dbPw = data.Parameter.Value;  // use the password here to build the DB connection; do not log it
  }
});

This worked for me in a little test today. It seems OK to me, but I'm not a security expert, so I will check the security aspects with colleagues before using it in prod.
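The answer above covers two things: scoping the IAM permission down to one named parameter, and reading that parameter at application startup. The following is an added example (not code from the original answer or from AWS) that shows both in one place. It keeps the SDK v2 call shape (`getParameter(params).promise()`) but takes the client as an argument, so the code runs offline against a constructed fake client (`fakeSsmClient`, `sampleStore`); the region, account id and `singleParameterPolicy` / `loadDbPassword` function names are my own assumptions. It also adds a startup check the answer does not have: refusing a parameter that is not a SecureString, so a plaintext parameter created by mistake is caught before the app connects.

```javascript
// Added example, not part of the original answer.
// With the real SDK the client would be built as in the answer:
//   const AWS = require('aws-sdk');
//   const ssm = new AWS.SSM({ region: 'us-east-1' });
// and passed to loadDbPassword(ssm, 'db-pw').

// Least-privilege IAM policy document for the instance role: read access to
// one named parameter only, instead of AmazonSSMReadOnlyAccess on everything.
// The ARN format is the one SSM uses for parameters; region and accountId are
// placeholders supplied by the caller.
function singleParameterPolicy(region, accountId, paramName) {
  return {
    Version: '2012-10-17',
    Statement: [
      {
        Effect: 'Allow',
        Action: ['ssm:GetParameter'],
        Resource: [`arn:aws:ssm:${region}:${accountId}:parameter/${paramName}`],
      },
    ],
  };
}

// Fetch the decrypted parameter value at startup.
// `ssm` must expose getParameter(params).promise(), as AWS.SSM does.
async function loadDbPassword(ssm, name) {
  const data = await ssm.getParameter({ Name: name, WithDecryption: true }).promise();
  const param = data.Parameter;
  if (param.Type !== 'SecureString') {
    // Fail fast: a DB password stored as a plain String is a misconfiguration.
    throw new Error(`parameter ${name} is of type ${param.Type}, expected SecureString`);
  }
  return param.Value;
}

// Constructed fake standing in for AWS.SSM so the example runs without network access.
function fakeSsmClient(store) {
  return {
    getParameter(params) {
      return {
        promise: async () => {
          const entry = store[params.Name];
          if (!entry) {
            const err = new Error('ParameterNotFound');
            err.code = 'ParameterNotFound';
            throw err;
          }
          return {
            Parameter: {
              Name: params.Name,
              Type: entry.Type,
              Value: params.WithDecryption ? entry.Value : '<encrypted>',
            },
          };
        },
      };
    },
  };
}

// Constructed sample contents of the store: one secret and one plain parameter.
const sampleStore = {
  'db-pw': { Type: 'SecureString', Value: 'constructed-sample-secret' },
  'db-host': { Type: 'String', Value: 'db.internal.example' },
};

const demoClient = fakeSsmClient(sampleStore);
loadDbPassword(demoClient, 'db-pw')
  .then((pw) => console.log('loaded db password, length', pw.length)) // never log the value itself
  .catch((err) => console.error('startup failed:', err.message));
```

In production the only runtime difference is the client passed in; the policy document would be attached to `aws-elasticbeanstalk-ec2-role` (or a dedicated role) in place of the broad read-only policy. Note that `loadDbPassword` rejects both a missing parameter (the SDK error) and a parameter of the wrong type, so a deploy with a misconfigured store fails at startup instead of connecting with an empty password.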
