My Lambda function is responsible for SSH-connecting to some of our EC2 instances. Currently I just have our key file stored in the Lambda's deployment package, but this is obviously not a desirable solution for production. I have already researched a couple of ways, such as storing the key in a private S3 bucket, and storing it as an encrypted environment variable. However, I'm not thrilled about pulling the key from the S3 bucket all the time, and the encrypted environment variable seems like something that wouldn't persist across future Lambda functions as well. What are some other industry-standard ways of storing private keys for Lambda use?
You can store encrypted secrets in Secrets Manager or in Parameter Store. For certain types of secrets, you can have them auto-rotated in Secrets Manager. Limit which IAM roles have access to the secrets, and you can reduce potential misuse.
Also, be aware of the options available to avoid the need to SSH to EC2 instances:
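As an added example (not part of the answer above, and not AWS's or the asker's code), here is the Secrets Manager approach in a Lambda handler: the PEM key is fetched once per warm execution environment and cached at module level, so the function does not round-trip to Secrets Manager on every invocation. The secret name `prod/bastion/ssh-key`, the environment variable `SSH_KEY_SECRET_ID`, the bundled `known_hosts` path and the `paramiko` layer are all assumptions; the `FakeSecretsManager` class and `SAMPLE_PEM` are constructed stand-ins so the retrieval logic can be exercised offline without `boto3`.

```python
"""Lambda: load an SSH private key from AWS Secrets Manager with a warm-container cache."""
import io
import os
import time

# Hypothetical secret name; override via the function's environment.
SECRET_ID = os.environ.get("SSH_KEY_SECRET_ID", "prod/bastion/ssh-key")
CACHE_TTL_SECONDS = 300  # re-fetch after rotation window; tune to your rotation schedule

# Module-level state survives between invocations while the execution
# environment is warm, so the key is pulled once, not on every call.
_cache = {"pem": None, "fetched_at": 0.0}


def clear_key_cache():
    """Drop the cached key (used after rotation failures or in tests)."""
    _cache["pem"] = None
    _cache["fetched_at"] = 0.0


def _secrets_client():
    # Imported lazily so the module loads offline when a client is injected.
    import boto3
    return boto3.client("secretsmanager")


def get_ssh_private_key(secret_id=SECRET_ID, client=None, now=time.time):
    """Return the PEM private key string, fetching from Secrets Manager on a cold
    start or after CACHE_TTL_SECONDS, otherwise serving the cached copy."""
    if _cache["pem"] is not None and now() - _cache["fetched_at"] < CACHE_TTL_SECONDS:
        return _cache["pem"]
    client = client or _secrets_client()
    resp = client.get_secret_value(SecretId=secret_id)
    pem = resp.get("SecretString")
    if pem is None:
        # Binary secrets arrive as already-decoded bytes under SecretBinary.
        pem = resp["SecretBinary"].decode("utf-8")
    if "PRIVATE KEY" not in pem:
        # Fail closed: a mis-pointed secret ID should not reach the SSH layer.
        raise ValueError("secret %r does not contain a PEM private key" % secret_id)
    _cache["pem"] = pem
    _cache["fetched_at"] = now()
    return pem


def run_over_ssh(host, user, command, pem, timeout=10):
    """Run one command over SSH using the in-memory key; never writes it to disk.
    Assumes paramiko is provided by a Lambda layer and that a known_hosts file
    for the target instances is bundled in the deployment package."""
    import paramiko  # lazy: only needed on the real invocation path
    key = paramiko.RSAKey.from_private_key(io.StringIO(pem))
    ssh = paramiko.SSHClient()
    ssh.load_host_keys("/var/task/known_hosts")  # assumed path in the package
    ssh.set_missing_host_key_policy(paramiko.RejectPolicy())  # no TOFU in automation
    ssh.connect(host, username=user, pkey=key, timeout=timeout,
                allow_agent=False, look_for_keys=False)
    try:
        _, stdout, _ = ssh.exec_command(command, timeout=timeout)
        return stdout.read().decode("utf-8", "replace")
    finally:
        ssh.close()


def handler(event, context):
    """Lambda entry point: expects {"host": ..., "command": ..., "user": optional}."""
    pem = get_ssh_private_key()
    return {"output": run_over_ssh(event["host"], event.get("user", "ec2-user"),
                                   event["command"], pem)}


# --- Constructed offline stand-ins (not real AWS objects) ---------------------
SAMPLE_PEM = ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
              "AAAAConstructedSampleNotARealKey\n"
              "-----END OPENSSH PRIVATE KEY-----\n")


class FakeSecretsManager:
    """Minimal stand-in for boto3's secretsmanager client; counts calls so the
    caching behaviour can be checked without network access."""

    def __init__(self, secret_string):
        self.secret_string = secret_string
        self.calls = 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:" + SecretId,
                "SecretString": self.secret_string}
```

Pair this with an execution-role policy that allows only `secretsmanager:GetSecretValue` on that one secret ARN (plus `kms:Decrypt` on its CMK if it is not the default key), so a compromised Lambda cannot enumerate or read other secrets. The same shape works for Parameter Store by swapping the client for `ssm` and calling `get_parameter(Name=..., WithDecryption=True)`, reading `Parameter.Value`; the caching and fail-closed check stay the same.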