I'm developing a web application on my local server that interacts with AWS PHP APIs. I've created an IAM user and a Cognito user pool, with permissions for the IAM user to create users and check group memberships in the pool. However, my app requires the IAM access key and secret to communicate with the CognitoIdentityProviderClient (using adminGetUser), which I currently set as environment variables in Apache's config. While this setup works, it feels insecure, especially since I frequently receive emails from AWS indicating that my keys have been compromised and need to be refreshed. I'm not very experienced in this area and want to ensure my solution is sound before going live. Any advice would be greatly appreciated!
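As an added example (not code from the asker or from the AWS SDK documentation), the following shows one way to build the `CognitoIdentityProviderClient` without placing the IAM access key and secret in Apache's configuration: the SDK's `CredentialProvider::ini()` reads them from a file outside the web root that only the PHP service account can read, and the code refuses to start if the file is group- or world-readable. Values in Apache `SetEnv` are handed to every PHP script as `$_SERVER`/`getenv()` entries and appear in `phpinfo()` output, which is one way such keys end up exposed. The file path, profile name, region and user pool ID are assumptions, and this does not replace rotating a key AWS has flagged or scoping the IAM user's policy to the pool.

```php
<?php
// Added example: load the IAM keys for CognitoIdentityProviderClient from a
// restricted credentials file rather than Apache SetEnv. Every path, region
// and pool ID below is a placeholder/assumption.
require __DIR__ . '/vendor/autoload.php';

use Aws\CognitoIdentityProvider\CognitoIdentityProviderClient;
use Aws\CognitoIdentityProvider\Exception\CognitoIdentityProviderException;
use Aws\Credentials\CredentialProvider;

// Assumed file, owned by the PHP service account with mode 0600, containing:
//   [cognito-admin]
//   aws_access_key_id     = PLACEHOLDER_ACCESS_KEY
//   aws_secret_access_key = PLACEHOLDER_SECRET
const CREDENTIALS_FILE = '/etc/myapp/aws-credentials'; // assumption
const AWS_REGION       = 'eu-west-1';                  // assumption
const USER_POOL_ID     = 'eu-west-1_EXAMPLE';          // placeholder

function cognitoClient(): CognitoIdentityProviderClient
{
    if (!is_file(CREDENTIALS_FILE) || !is_readable(CREDENTIALS_FILE)) {
        throw new RuntimeException(CREDENTIALS_FILE . ' is missing or unreadable');
    }
    // A key readable by other local users is the leak scenario the question
    // describes, so treat loose permissions as a startup error.
    $perms = fileperms(CREDENTIALS_FILE) & 0777;
    if ($perms & 0077) {
        throw new RuntimeException(sprintf(
            '%s is mode %o; expected 0600', CREDENTIALS_FILE, $perms
        ));
    }
    // memoize() caches the parsed credentials for the process lifetime.
    $provider = CredentialProvider::memoize(
        CredentialProvider::ini('cognito-admin', CREDENTIALS_FILE)
    );
    return new CognitoIdentityProviderClient([
        'version'     => 'latest',
        'region'      => AWS_REGION,
        'credentials' => $provider,
    ]);
}

/**
 * Fetch a user's attributes and group memberships with the admin API.
 * Returns null when the user does not exist; any other error (AccessDenied,
 * throttling, bad credentials) is rethrown so it is not silently hidden.
 */
function lookupUser(CognitoIdentityProviderClient $client, string $username): ?array
{
    try {
        $user = $client->adminGetUser([
            'UserPoolId' => USER_POOL_ID,
            'Username'   => $username,
        ]);
        $groups = $client->adminListGroupsForUser([
            'UserPoolId' => USER_POOL_ID,
            'Username'   => $username,
        ]);
    } catch (CognitoIdentityProviderException $e) {
        if ($e->getAwsErrorCode() === 'UserNotFoundException') {
            return null;
        }
        throw $e;
    }

    $attributes = [];
    foreach ($user['UserAttributes'] as $attr) {
        $attributes[$attr['Name']] = $attr['Value'];
    }
    return [
        'username'   => $user['Username'],
        'status'     => $user['UserStatus'],
        'attributes' => $attributes,
        'groups'     => array_column($groups['Groups'], 'GroupName'),
    ];
}

// Usage (constructed username):
// $info = lookupUser(cognitoClient(), 'alice');
```

The permission check is deliberately fail-closed: a web process that cannot start is easier to notice than one quietly running with keys readable by every local account. The IAM user behind the file should still be limited to exactly the `cognito-idp` admin actions the app needs, on that one user pool's ARN, so a leaked key cannot reach anything else.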
4 Answers
It sounds like your app might be creating users unnecessarily. Leveraging the Cognito signup process could be a better approach to avoid directly managing IAM keys. If those keys are getting leaked, it might indicate a more significant security vulnerability in your current setup. Make sure to address this before going live!
Are you running your application on an EC2 instance or an AWS-based machine? If that's the case, you can assign the necessary permissions to the instance's role, and AWS will manage the credentials automatically for you.
Actually, I'm running my own server, not in an AWS environment.
You might want to think about implementing a Lambda function that your app could call instead. This function could handle authentication and interact with Apache while keeping your IAM secrets secure. This way, your AWS resources are somewhat shielded from any exposure.
If AWS is notifying you that your key has been compromised, then you should definitely rotate or even eliminate that key entirely. Instead of using an IAM user, consider using an instance role on your EC2 instance if you were on AWS. It automatically manages credentials for you. Just make sure you’re following the principle of least privilege when configuring permissions!
Thanks for the tip! Just to clarify, I'm not using EC2, but I will look into using IAM roles appropriately.
That makes sense! I've already shifted to using Cognito for user signups, so I'm on the right track there. I just need to handle user group and attribute retrieval now.