我将敏感凭据注入userdata并且不确定这是否安全.
我正在使用userdata属性来运行一个脚本,该脚本在联机时将实例连接到域
像这样传递信用:
$ADUser = 'me' $ADPassword = 'Pass' $ADPassword = $ADPassword | ConvertTo-SecureString -AsPlainText -Force $ADCred = New-Object System.Management.Automation.PSCredential -ArgumentList $ADUser,$ADPassword Add-Computer -Credential $ADCred -DomainName mydom.local -NewName testing Restart-Computer -force
我正在使用New-EC2Instance cmdlet启动它并将此脚本作为userdata传递
我的凭据是否可以在aws日志中显示错误输出?或者别的地方?在将证书注入PS命令之前,凭证是安全的,我担心它在AWS中的位置.
不要将凭据和其他敏感数据放在用户数据脚本中.
AWS文档强调:
Important
Although you can only access instance Metadata and user data from within the instance itself,the data is not protected by cryptographic methods. Anyone who can access the instance can view its Metadata. Therefore,you should take suitable precautions to protect sensitive data (such as long-lived encryption keys). You should not store sensitive data,such as passwords,as user data.
资料来源:http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
相反,为EC2实例创建IAM角色,并赋予其执行需要执行的操作的权限.然后,启动EC2实例时,将IAM角色分配给EC2实例(以后不能分配).