I agree with Rodrigo M that AWS Parameter Store is a good idea. Here is a small how-to:
Elastic Beanstalk runs on EC2. When you run AWS CLI on EC2, it automatically has the permissions of any IAM roles which are assigned to EC2. So this means that you can create an IAM role which gives EC2 instances the permission to get the secret, then get it in your application code on startup.
IAM: For example, attach the AmazonSSMReadOnlyAccess policy to the aws-elasticbeanstalk-ec2-role. This will get you going. There might be more restrictive and secure ways to do this, for example, there's an example here https://aws.amazon.com/blogs/compute/managing-secrets-for-amazon-ecs-applications-using-parameter-store-and-iam-roles-for-tasks/ of a policy which only allows access to a named parameter, instead of all of them.
There is an SDK which allows you to use AWS CLI from your application. See https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/SSM.html.
npm install aws-sdk
then in your code:
const AWS = require('aws-sdk');
// On EC2 the SDK picks up credentials from the instance role automatically; only the region is needed.
const ssm = new AWS.SSM({ region: 'us-east-1' });

const params = {
  Name: 'db-pw',        // name of the parameter in Parameter Store
  WithDecryption: true  // required for SecureString parameters, otherwise you get ciphertext back
};

ssm.getParameter(params, function (err, data) {
  if (err) {
    console.log(err, err.stack); // an error occurred (e.g. ParameterNotFound or AccessDeniedException)
    return;
  }
  const dbPw = data.Parameter.Value; // the decrypted secret
  // dbPw is only in scope inside this callback, so hand it to your DB connection setup from here
});
This worked for me in a little test today. It seems OK to me, but I'm not a security expert so I will check the security aspects with colleagues before using it in prod.
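The two steps in the answer above (a scoped-down IAM policy for the instance role, then reading the parameter with decryption at startup) as one added example. This is not code from the answer or from AWS; the function names, the account id 123456789012, the parameter names and the fake SSM client (a stand-in for `new AWS.SSM(...)` so the block runs offline) are all assumed. The loader accepts any client exposing the v2 SDK shape `getParameter(params).promise()`, so the real client can be passed in production. It differs from the answer's snippet in two ways a practitioner would want: a failed lookup aborts startup instead of leaving the password undefined, and a secret accidentally stored as a plain String (not SecureString) is rejected.

```javascript
// Added example (not from the original answer). Assumptions: region us-east-1,
// account 123456789012, parameter names 'db-pw' and 'db-host', and a constructed
// fake SSM client in place of the real AWS SDK client.

// Least-privilege IAM policy for the EC2 instance role: read only the named
// parameters, and (only if they are encrypted with a customer managed KMS key)
// decrypt with that key. Parameter ARNs drop the leading '/' of the name.
function buildReadPolicy({ region, accountId, parameterNames, kmsKeyArn }) {
  const statements = [{
    Effect: 'Allow',
    Action: ['ssm:GetParameter', 'ssm:GetParameters'],
    Resource: parameterNames.map(
      (n) => `arn:aws:ssm:${region}:${accountId}:parameter/${n.replace(/^\//, '')}`
    ),
  }];
  if (kmsKeyArn) {
    statements.push({ Effect: 'Allow', Action: ['kms:Decrypt'], Resource: [kmsKeyArn] });
  }
  return { Version: '2012-10-17', Statement: statements };
}

// Load parameters at startup. `ssm` is anything with getParameter(params).promise(),
// i.e. the v2 aws-sdk client or the fake below. Never log the values.
async function loadSecrets(ssm, names, { requireSecureString = true } = {}) {
  const secrets = {};
  for (const name of names) {
    let data;
    try {
      data = await ssm.getParameter({ Name: name, WithDecryption: true }).promise();
    } catch (err) {
      // Fail startup rather than continue with an undefined password.
      throw new Error(`could not load parameter ${name}: ${err.code || err.message}`);
    }
    const p = data.Parameter;
    if (requireSecureString && p.Type !== 'SecureString') {
      throw new Error(`parameter ${name} is stored as ${p.Type}, expected SecureString`);
    }
    secrets[name] = p.Value;
  }
  return secrets;
}

// Constructed fake of the SSM client so the example runs without AWS access.
// It mimics the documented behaviour: SecureString values come back as ciphertext
// unless WithDecryption is set, and unknown names raise ParameterNotFound.
function fakeSsm(store) {
  return {
    getParameter({ Name, WithDecryption }) {
      return {
        promise: async () => {
          const entry = store[Name];
          if (!entry) {
            const err = new Error(`Parameter ${Name} not found.`);
            err.code = 'ParameterNotFound';
            throw err;
          }
          const value = entry.Type === 'SecureString' && !WithDecryption
            ? entry.Ciphertext
            : entry.Value;
          return { Parameter: { Name, Type: entry.Type, Value: value, Version: 1 } };
        },
      };
    },
  };
}

// Constructed sample data standing in for what is stored in Parameter Store.
const STORE = {
  'db-pw': { Type: 'SecureString', Value: 's3cr3t-from-kms', Ciphertext: 'constructed-ciphertext-blob' },
  'db-host': { Type: 'String', Value: 'db.internal' },
};

// Usage: in production replace fakeSsm(STORE) with new AWS.SSM({ region: 'us-east-1' }).
loadSecrets(fakeSsm(STORE), ['db-pw'])
  .then((secrets) => console.log('loaded parameters:', Object.keys(secrets)))
  .catch((err) => { console.error(err.message); });
```

To apply the policy, attach the JSON returned by `buildReadPolicy` to `aws-elasticbeanstalk-ec2-role` instead of the broad `AmazonSSMReadOnlyAccess` managed policy; the `kms:Decrypt` statement is only needed when the parameter was encrypted with a customer managed key rather than the default SSM key.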