AWS credentials seem terribly insecure. Why?



  • In my ~/.aws/credentials I have the following:

        [default]
        aws_access_key_id = <something>
        aws_secret_access_key = <something-else>
    

    This file has permissions 0600, but it doesn't require anything from me: if you walked up to my computer and typed on my keyboard while my back is turned, you could have these values by copying them to a thumb drive, or by copying them to /tmp and grabbing them later.

    With ssh I have key files, but the private key requires a passphrase to use it. I can do ssh-add, which will store this in memory and allow me to use ssh all day long without typing the passphrase every time. Admittedly, using ssh-add does lower the security on my machine to that of the AWS credentials, but if I reboot, security is back in place. If my machine dies and it has to go to the shop, my ssh keys are still safe, but my AWS credentials aren't.

    Why is this acceptable? Why didn't AWS use an ssh type setup to begin with? Why do I need 2 factor on my AWS login if this plaintext version of my keys is sitting on my computer? Seems like there are 2 padlocks on the same door but the door is only pushed closed, not actually "locked".

    Are my concerns overblown?


    I know some people create ssh keys without passphrases, something I think is foolish, and something that essentially boils down to this same security-minus AWS mechanism. I'm not one of those people.



  • I'd like to invoke The 10 immutable laws of computer security. The scenario you describe falls under #3:

    If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.

    Yes, the barrier to a passphrase-protected ssh file is higher than to the plaintext AWS credentials, but only very marginally. As has been said in the comments to the question, someone with physical access to your computer can do far, far worse things to your security than stealing some revocable credentials.

    So, the answer is: they are perfectly secure. Your machine should be well shielded and not run untrusted code. If it does, any protection beyond the 0600 permissions won't help you. The credentials are in plaintext because adding layers of encryption on top does not add any real security; it only complicates the implementation of clients accessing these credentials.
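    The two facts the question and the answer hinge on, that the file is mode 0600 and that the secret key sits in it as plaintext, are easy to verify on a machine. The following is an added example, not code from either poster: it parses a credentials file in the layout quoted in the question, reports whether the mode leaks anything to group or others, and lists which profiles carry a static secret key. The sample file content and the key values in it are constructed placeholders; the `credential_process` profile is included as an assumption about one way a profile can avoid storing a long-lived secret on disk, and it is not discussed on this page.

```python
import configparser
import os
import stat
import tempfile

# Constructed sample in the ~/.aws/credentials layout quoted in the question.
# The key values are placeholders, not real credentials. The "delegated"
# profile (an assumption, not from the page) delegates to an external
# program instead of storing a secret key in the file.
SAMPLE_CREDENTIALS = """[default]
aws_access_key_id = AKIAEXAMPLEPLACEHOLDER
aws_secret_access_key = PLACEHOLDERSECRETNOTREAL

[delegated]
credential_process = /usr/local/bin/fetch-aws-creds
"""


def audit_credentials(path):
    """Return findings for the credentials file at `path`.

    mode_ok is True only when no group/other permission bits are set
    (0600 or stricter); plaintext_profiles lists every profile whose
    secret access key is stored directly in the file.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # interpolation=None so a '%' inside a secret does not break parsing
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(path)
    plaintext = [
        section for section in parser.sections()
        if parser.has_option(section, "aws_secret_access_key")
    ]
    return {
        "mode": mode,
        "mode_ok": (mode & 0o077) == 0,
        "plaintext_profiles": plaintext,
    }


def audit_sample(mode=0o600):
    """Write the constructed sample to a temp dir with `mode`, then audit it."""
    directory = tempfile.mkdtemp()
    path = os.path.join(directory, "credentials")
    with open(path, "w") as handle:
        handle.write(SAMPLE_CREDENTIALS)
    os.chmod(path, mode)
    return audit_credentials(path)


if __name__ == "__main__":
    for mode in (0o600, 0o644):
        result = audit_sample(mode)
        print(f"mode {oct(result['mode'])}: ok={result['mode_ok']}, "
              f"plaintext profiles={result['plaintext_profiles']}")
```

    Run against a real file, `audit_credentials(os.path.expanduser("~/.aws/credentials"))` gives the same report; a `mode_ok` of False is the one finding that is worth fixing, since, as the answer says, the plaintext key itself is by design.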


