I've developed a web application on my local server using AWS PHP APIs. I have an IAM user set up along with a Cognito user pool, and the IAM user has the necessary permissions to create users and check their group affiliations. Currently, my web app needs to use the IAM access key and secret, which I've configured as environment variables in Apache. However, I'm concerned about the security of this approach. I receive monthly notifications from AWS about my keys being compromised, which makes me uncomfortable. Honestly, I'm not very experienced in this area, and I'm worried about going live without addressing this issue. What are my options?
3 Answers
It's concerning that your app is directly managing user creation. Instead, leverage Cognito's user signup process. Continuous issues with compromised keys suggest your application might be leaking them. For now, focus on securing your setup before launching. It sounds like you could benefit from migrating to Cognito for user management and just handle user attributes in your callback once they sign up.
If AWS is letting you know that your key has been compromised, your immediate focus should be on securing your credentials rather than just making your app function. A good course of action is to rotate your access keys or, ideally, delete that IAM user entirely. Consider using an EC2 instance with an instance role instead, as it handles the credentials for you automatically.
Without knowing the full setup, one suggestion is to set up a Lambda function that serves as a middleman. This function can handle the calls to your Apache server while securely storing your IAM credentials and validating requests with a token. This way, your AWS resources are better protected.
Related Questions
Cloudflare Origin SSL Certificate Setup Guide
How To Effectively Monetize A Site With Ads