IAM roles for EC2 instances – Secure Access to AWS APIs from EC2 (aws.typepad.com)
36 points by jedberg 1783 days ago | hide | past | web | 12 comments | favorite

This is super exciting for most AWS users, who had to solve this problem in some sort of "hacky" way.

No more bullshit "drop your globally usable AWS keys directly into config files and application code"

yes please!

Speaking of hacky places to hide API keys, I've just learned you can also put your other non-AWS API keys in the "user data" field on an instance and retrieve them using this http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/AE...

Now if those other API providers could also have automatically rotating temporary API keys where the key exchange is secure we'd be set!

This is really useful. Great thing. Setting the AWS key/secret for an app securely has been a constant headache. This would reduce so many pain points and be more secure.

This is a good feature, but it seems now the temporary AWS access keys of the IAM role will be accessible to any application running on the EC2 instance, not just the one with the config files like before. I wonder if this will create any unexpected security issues? New kinds of trojans?

Also, I hope Boto (the Python AWS API) will support this soon.

I think the philosophy is that the trust boundary is your host, not your uid. We seem to be migrating towards "one instance per application" from the traditional "one uid/proc per application". For the great majority of use cases this is going to be the simpler, and safer assumption.

Another concern is the EC2 Instance Metadata Service does not support SSL.

This is true, but I'm not sure if I understand how SSL support for this would increase security since the request and the response go no further than our internal network.
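As an added example (not code from the thread, from Amazon or from Boto), this is the SDK-side half of the feature discussed above: an instance reads its role's short-lived keys from the metadata service and refreshes them before they expire, so no long-lived key needs to live in a config file. The metadata URL and JSON field names are the documented ones, recalled here rather than taken from the thread; the sample credential document and the offline fetcher are constructed.

```python
"""Role-credential provider for IAM roles on EC2 (added example).  The
metadata URL and JSON fields are the service's documented ones; the sample
document returned by make_fake_fetch is constructed so this runs offline."""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

METADATA_BASE = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
REFRESH_MARGIN = timedelta(minutes=5)   # reload this long before Expiration

def parse_expiration(text):
    """Parse the metadata service's 'Expiration' timestamp (UTC, trailing Z)."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def http_fetch(url, timeout=2):
    """Real fetch; only answers from inside an instance with a role attached."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode()

class RoleCredentialProvider:
    def __init__(self, fetch=http_fetch, clock=lambda: datetime.now(timezone.utc)):
        self._fetch, self._clock, self._creds = fetch, clock, None

    def _load(self):
        # Listing the directory returns the role name(s) attached to the instance.
        role = self._fetch(METADATA_BASE).strip().splitlines()[0]
        doc = json.loads(self._fetch(METADATA_BASE + role))
        if doc.get("Code") != "Success":
            raise RuntimeError("metadata service returned Code=%r" % doc.get("Code"))
        self._creds = {"access_key": doc["AccessKeyId"],
                       "secret_key": doc["SecretAccessKey"],
                       "token": doc["Token"],          # session token, sent with every request
                       "expires": parse_expiration(doc["Expiration"])}

    def credentials(self):
        """Return the cached keys, reloading once inside the refresh margin."""
        if self._creds is None or self._clock() >= self._creds["expires"] - REFRESH_MARGIN:
            self._load()
        return self._creds

def make_fake_fetch(expiration, calls):
    """Constructed stand-in for the metadata service so the provider runs offline."""
    def fetch(url):
        calls.append(url)
        if url == METADATA_BASE:
            return "app-role\n"
        return json.dumps({"Code": "Success", "Type": "AWS-HMAC",
                           "AccessKeyId": "ASIAEXAMPLEKEY", "SecretAccessKey": "constructed-secret",
                           "Token": "constructed-session-token", "Expiration": expiration})
    return fetch
```

Because the keys are served to whatever on the host can reach the metadata address, the provider above is also exactly what any other process on the instance could do, which is the trust-boundary point made in the thread.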

There is no doubt that IAM is the best thing to happen to Amazon AWS in a long time. The ability to have read-only and more importantly write-only access to SQS/S3/SimpleDB is brilliant. What is still needed though is a way to securely manage the keys/certificates on the actual server. Maybe Amazon could build a key store that only unlocks from certain processes at certain times and logs access attempts.

Real logging of IAM access and key/role usage would be much appreciated for auditing. Tough now to figure out who is doing what, from where, and with what permissions.

Restricting AWS API access from sources outside the AWS network would also be pretty useful.

It would be interesting to talk with you about what you actually want from the on-instance key store...
