Ok, but here's the question where do I store the api key/secret that allows me to connect to AWS Secrets Manager? I mean, I can hide all connection secrets in the cloud, but if a malicious user gains access to (example: .env.production) which has the key to access the secrets storage, how am I more safe?
Thanks for the excellent video. Can you please explain: how to prevent the access from the command line ? since If the server somehow was compromised and an attacker is in the server --> I want to make his life hard as possible and not allow access from the command line. I assume that it is to give the container some permission level that will allow access to the secrets component, is it correct ? many thanks
Thanks for the comment. If an attacker has access to an EC2 instance in AWS, I’m not sure you could completely remove access to the command line. The best protection for that would be to block the port for command line access (eg. port 22 for SSH). That’s probably the best way.
Ok, but here's the question
where do I store the api key/secret that allows me to connect to AWS Secrets Manager?
I mean, I can hide all connection secrets in the cloud, but if a malicious user gains access to (example: .env.production) which has the key to access the secrets storage, how am I more safe?
Thanks for the excellent video.
Can you please explain: how to prevent the access from the command line ? since If the server somehow was compromised and an attacker is in the server --> I want to make his life hard as possible and not allow access from the command line. I assume that it is to give the container some permission level that will allow access to the secrets component, is it correct ?
many thanks
Thanks for the comment. If an attacker has access to an EC2 instance in AWS, I’m not sure you could completely remove access to the command line. The best protection for that would be to block the port for command line access (eg. port 22 for SSH). That’s probably the best way.
Quality post! If this was a cats video, you would have 1M views already
Ha, thanks! I’m more of a dog person, so I’ll ask my dog if she wants to be in the next one.
If my python application is running on ec2 instance will be need an iam role with permissions to read secret??
Yep. The IAM role manages permissions for the AWS resource regardless of the code (or programming language) running.