Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Keeping a secret key secret with Amazon Web Services

I'm playing around with using amazon web services in my personal project. I've grabbed their AWS SDK for .NET and I'm using that, but I'm a little confused.

  1. Access to the web service (in this case, SimpleDB, though I don't think that's really material to the question) is authorized via a private/public key pair.

  2. The AWS SDK for .NET API used to create a client object requires the private key:

    AWSClientFactory.CreateAmazonSimpleDBClient(publicKey, privateKey);
    
  3. This is a client application, so the code would be running entirely on the client.

  4. Suggesting that the client would need to have access to my private key to have access to the SimpleDB. But amazon repeatedly and emphatically states that my private key must not leave my control.

This doesn't make sense to me, so I figure I must be missing something.

Is a client-side application the wrong model for the amazon web services in general, for using their AWS SDK for .NET, or am I missing something that makes a client application perfectly reasonable? Is there a good way to work around this without creating a proxy service of my own that would authenticate clients and forward their requests to the SimpleDB?

like image 309
Greg D Avatar asked Feb 10 '10 20:02

Greg D


People also ask

What is secret key in AWS?

To access AWS, you will need to sign up for an AWS account. Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. If you don't have access keys, you can create them by using the IAM console at https://console.aws.amazon.com/iam/ .

What is the most secure way to store passwords on AWS?

Encrypt your secret data Secrets Manager encrypts the protected text of a secret by using AWS Key Management Service (AWS KMS). Many AWS services use AWS KMS for key storage and encryption. AWS KMS ensures secure encryption of your secret when at rest.

What is secret ID in AWS Secret Manager?

Secret. The name of the secret, a description, a resource policy, and tags. The ARN for an encryption key, an AWS KMS key that Secrets Manager uses to encrypt and decrypt the secret value. Secrets Manager stores secret text in an encrypted form and encrypts the secret in transit.


1 Answers

You don't need to implement a proxy that fronts the remote (AWS) service. Just implement a simple, small, authenticated service which returns to the client the URL and headers to use when contacting AWS. Your authenticated webservice keeps the AWS secret, and only provides the signed request URL and headers to the client, which then goes and makes the actual work call using that returned information.

This way, you avoid the overhead during the AWS call of having to go through your own servers, saving latency, bandwidth, tied up sockets on your server, failure handling complexity, etc. You just take a lightweight hit up front for the client to get the proper instructions.

like image 112
Yetanotherjosh Avatar answered Oct 03 '22 08:10

Yetanotherjosh