By default the aws cli stored key id and secret in plaintext in a well known location.  What could go wrong?!? What if I told you that you could change this and make things at least a little bit harder? There is a setting in the AWS config that allows AWS to source the credentials externally. This can be super handy if you don't want to store those as plain text things. It is called "credential process". We can use this in conjunction with  native openssl to give you a poor mans encrypted aws keys. First we will take the aws credentials and dump them to a temp file this is named key.json #key.json
{ : , : SecretAccessKey NOTAREALSECRET
} "Version" 1 "AccessKeyId" "NOTAREALKEYID, 
" ": " Next we are going to create a script called encrypt.sh, this is going to accept the file that is passed to it and then generate an encrypted file. openssl aes-256-cbc -a -salt - -out .enc -k #encrypt.sh in ${1} ${1} "password" # yes it is just "password" its a demo script! \ # Store this in an environment variable # or something safer than the script. Now we need to write a quick script that will decrypt the encrypted blob and just echo it out. There is a built in on openssl that does just that.  Also a proper shebang at the top of the file is crucial for aws to be able to run the script properly. openssl aes-256-cbc -d -a - -k #decrypt.sh #!/bin/bash -eu #this will take the encrypted file passed to it decrypt it, and echo it in $1 "password" # yes it is just "password" its a demo script! \ # Store this in an environment variable # or something safer than the script. Lets encrypt the file and prep it. $ ./encrypt.sh key.json # creates key.json.enc Next we are going to setup our aws profile to read the creds from the external process. This means that we will need to update `~/.aws/config` and pass the full path of the script and the full path of the encrypted blob. [profile mine-encrypted]
credential_process = /Users/MYUSERNAME/decrypt.sh /Users/MYUSERNAME/key.json.enc #~/.aws/config Finally we are going to tell the current session to use my new profile. export AWS_PROFILE=mine-encrypted Lastly we will verify the whole process worked. aws sts get-caller-identity We can take this in another direction as well.  Let's say there is a process out there that will issue the credentials for you and then stash them in your aws profile. I would like to at least make the storing of those credentials a little bit better.  So here is a whole pretty script that will handle that.   You will provide the shell script with the named account profile that one would reference to use that account. This script also relies on having the decrypt.sh script we talked about earlier. () {
    openssl aes-256-cbc -a -salt - -out .enc -k filestats=( $( ls -Lon ) ) dd =/dev/urandom of= bs= count=1 &>/dev/null
    rm } (){
    id= key= session= json=$(cat << DATA
{ : 1, : , : , : }  
DATA
) } (){
    aws configure profile. .aws_access_key_id aws configure profile. .aws_secret_access_key aws configure profile. .aws_session_token } (){
    aws configure credential_process --profile }
profile= raw_aws=$(grep ~/.aws/credentials -A 5 | awk | awk | tr |sed )
full_json=$(_shape ) [ -f ]; rm >> _encrypt _cleanup _set_encrypted #wrap up and harden local aws keys function _encrypt in ${1} ${1} "password" " " ${1} # to get size if ${1} ${filestats[3]} ${1} function _shape $1 $2 $3 "Version" "AccessKeyId" " " $id "SecretAccessKey" " " $key "SessionToken" " " $session echo " " $json function _cleanup set $1 "xxxx" set $1 "xxxx" set $1 "xxxx" function _set_encrypted set "/Users/ /aws-crypt/decrypt.sh /Users/ /aws-crypt/ .json.enc" $(pwd) $(pwd) $1 " -encrypted" $1 $1 "\[ \]" $profile 'NR == 1 || /^aws/' '{print $3}' '\r\n' ' ' 's/ //' $raw_aws if " .json" $profile then " .json" $profile fi echo " " $full_json " .json" $profile " .json" $profile $profile $profile When we run this script it will look at the aws/credentials file, and pull out the id/key/token, drop those values into a new file, encrypt it, overwrite, then delete the temp file i then "xxxx" out the original values in the creds file. If the profile in question does't not uses session token then simply remove that section of the script. I hope this helps someone out there to at least secure and lock down plain text credentials that are stored in a well known location.  Every small step that we can take to better secure our systems is a small step towards a better security posture. HACK THE PLANET!

AWS Credentials, Stored Safer

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Arduino, Meet Splunk

101 Stories To Learn About Cloud Infrastructure

10 Things in Engineering We Don't Spend Enough Time On

10 Things I Did To Increase CloudTrail Logs Security

10 reasons to give cloud computing a go

10 Lessons from 10 Years of AWS (part 2)

Arduino, Meet Splunk

101 Stories To Learn About Cloud Infrastructure

10 Things in Engineering We Don't Spend Enough Time On

10 Things I Did To Increase CloudTrail Logs Security

10 reasons to give cloud computing a go

10 Lessons from 10 Years of AWS (part 2)

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps