
I'd like to add two more:

1) Not giving out your access and secret keys in scripts/buckets.

2) Always using IAM roles with your EC2.

+1. I concentrated on non-security-related mistakes. Security will follow next week... :)

IAM roles are OK as long as you realize that anything and anybody on that instance gets access to those credentials.

How do you avoid 1? It seems impossible.

Take a look at HashiCorp Vault: https://hashicorp.com/blog/vault.html

IAM roles let you assign temporary credentials to machines running scripts. The machine can then hit an internal AWS URL to get the temporary credentials. Many tools know to look for these credentials by default, e.g. boto checks for credentials in environment variables, config files, and the machine's IAM role.

And there are a few tools to emulate the metadata service locally if you need it on dev laptops, which makes it use a role as if it were a server.
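The lookup order the two comments above describe (environment variables, then a config file, then the instance role served by the metadata service), written out as an added example; this is not code from any commenter and not boto's own implementation, which checks more sources. The metadata response, the role name `app-role`, and the `fake_metadata_fetch` stand-in for the HTTP call are constructed so the block runs offline; the stand-in is also the shape a local metadata emulator takes on a dev laptop. `is_long_lived` flags credentials that carry no session token, which is how a static access key pasted into a script (point 1) differs from the expiring credentials a role hands out.

```python
"""Simplified model of the credential lookup order used by tools such as boto.

Added example: not the commenters' code and not boto's real chain (which also
checks shared config, container credentials, SSO, and more). Sources checked,
in order: environment variables, a credentials file, the instance role.
"""
import configparser
import json
from datetime import datetime, timezone

# Constructed sample of the JSON the metadata service returns for a role
# (real path: /latest/meta-data/iam/security-credentials/<role-name>).
SAMPLE_METADATA_JSON = json.dumps({
    "Code": "Success",
    "AccessKeyId": "ASIA-CONSTRUCTED-EXAMPLE",
    "SecretAccessKey": "constructed-secret",
    "Token": "constructed-session-token",
    "Expiration": "2030-01-01T00:00:00Z",
})

# Constructed credentials file in the ~/.aws/credentials format.
SAMPLE_CREDENTIALS_FILE = """
[default]
aws_access_key_id = AKIA-CONSTRUCTED-STATIC
aws_secret_access_key = constructed-static-secret
"""


def fake_metadata_fetch(path):
    """Stand-in for the HTTP GET against the metadata service (offline).

    Any process on the host can issue the same GET, which is the caveat an
    earlier comment raises: role credentials are available to everything on
    that instance, not just to the intended script.
    """
    if path == "iam/security-credentials/":
        return "app-role\n"          # listing: one role name per line
    if path == "iam/security-credentials/app-role":
        return SAMPLE_METADATA_JSON
    return None


def resolve_credentials(env, config_text="", metadata_fetch=None):
    """Return (source, creds) using the first source that yields a key pair.

    creds is a dict with access_key, secret_key and, for role credentials,
    token and expires_at; (None, None) when nothing is found.
    """
    # 1. Environment variables.
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return "env", {
            "access_key": env["AWS_ACCESS_KEY_ID"],
            "secret_key": env["AWS_SECRET_ACCESS_KEY"],
        }

    # 2. Credentials file, [default] profile only.
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    if cfg.has_section("default"):
        section = cfg["default"]
        if section.get("aws_access_key_id") and section.get("aws_secret_access_key"):
            return "config", {
                "access_key": section["aws_access_key_id"],
                "secret_key": section["aws_secret_access_key"],
            }

    # 3. Instance role via the metadata service (or a local emulator).
    if metadata_fetch is not None:
        listing = metadata_fetch("iam/security-credentials/")
        if listing:
            role = listing.split()[0]
            body = metadata_fetch("iam/security-credentials/" + role)
            if body:
                doc = json.loads(body)
                if doc.get("Code") == "Success":
                    expires = datetime.strptime(
                        doc["Expiration"], "%Y-%m-%dT%H:%M:%SZ"
                    ).replace(tzinfo=timezone.utc)
                    return "instance-role", {
                        "access_key": doc["AccessKeyId"],
                        "secret_key": doc["SecretAccessKey"],
                        "token": doc["Token"],
                        "expires_at": expires,
                    }
    return None, None


def is_long_lived(creds):
    """True for a static key pair (no session token), i.e. the kind that
    should not live in scripts or buckets; False for expiring role creds."""
    return creds is not None and "token" not in creds


if __name__ == "__main__":
    for label, env, cfg in [
        ("key in environment", {"AWS_ACCESS_KEY_ID": "AKIA-X", "AWS_SECRET_ACCESS_KEY": "s"}, ""),
        ("key in config file", {}, SAMPLE_CREDENTIALS_FILE),
        ("instance role only", {}, ""),
    ]:
        source, creds = resolve_credentials(env, cfg, fake_metadata_fetch)
        print(f"{label:20s} -> {source:14s} long-lived={is_long_lived(creds)}")
```

Running it shows that only the role path yields credentials with a token and an expiry; the first two cases resolve to static keys, which is exactly the material point 1 says to keep out of scripts and buckets.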
