Hello,
I’m concerned about the apparent lack of security around the EC2 UserData/Metadata mechanism. I want to use the vanilla Amazon Linux AMI across the board in a project on which I’m working, but I’m not too keen on storing important strings (e.g. private ssh key, passwords, etc.) in this manner.
Reading this, this and other pages with similar information makes me question my plan to use Metadata (not UserData) for sensitive string injection (e.g. private ssh key for github.com ssh-based clone of ansible-pull playbooks).
Is it safer to bake a custom AMI which includes such private information, rather than use UserData and/or Metadata? We were hoping to avoid custom AMIs, but if security deems it, I will go that way.
As I know git isn’t the place for truly sensitive strings like pass phrases, I wonder what is traditionally done for high-security service discovery and configuration, when it comes to passing in passwords or similar. Any thoughts?
Thanks,
Joshua
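An added example, not part of the original post, showing one defensive check a practitioner would want here: auditing the user data stored for an instance for the kind of material the post considers injecting. `fetch_user_data` assumes boto3 and valid credentials; the detection patterns and the sample user data are constructed for illustration.

```python
import base64
import re

# Patterns for material that should never ride in EC2 user data. The
# password and access-key patterns are assumptions about common formats,
# not taken from the original post.
SECRET_PATTERNS = {
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----"),
    "password_assignment": re.compile(r"(?im)^\s*(?:export\s+)?\w*pass(?:word|phrase)?\w*\s*=\s*\S+"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

def audit_user_data(user_data_b64: str) -> list[str]:
    """Decode base64 user data (the form the EC2 API returns it in) and list
    the secret categories found. An empty list means nothing matched."""
    text = base64.b64decode(user_data_b64).decode("utf-8", errors="replace")
    return sorted(name for name, pat in SECRET_PATTERNS.items() if pat.search(text))

def fetch_user_data(instance_id: str, region: str = "us-east-1") -> str:
    """Pull the stored user data for one instance through the EC2 API.
    Anyone holding ec2:DescribeInstanceAttribute (and any process on the
    instance via the metadata service) can read the same bytes, which is why
    user data is not a secret store. Requires boto3 and credentials."""
    import boto3  # imported lazily so audit_user_data runs offline
    ec2 = boto3.client("ec2", region_name=region)
    attr = ec2.describe_instance_attribute(InstanceId=instance_id, Attribute="userData")
    return attr.get("UserData", {}).get("Value", "")

# Constructed sample: a cloud-init style script carrying a deploy key and a
# password, the kind of content the post considers injecting. The key body
# is a placeholder, not real key material.
SAMPLE_USER_DATA = base64.b64encode(b"""#!/bin/bash
cat > /root/.ssh/id_ed25519 <<'EOF'
-----BEGIN OPENSSH PRIVATE KEY-----
PLACEHOLDER-KEY-MATERIAL
-----END OPENSSH PRIVATE KEY-----
EOF
DB_PASSWORD=hunter2
ansible-pull -U git@github.com:example/playbooks.git
""").decode()

if __name__ == "__main__":
    print(audit_user_data(SAMPLE_USER_DATA))  # ['password_assignment', 'private_key_block']
```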