I'm new to AWS CLI, but one thing that is bothering me a bit is the fact that I need to store my credentials in a file. I have several buckets on S3, and I create an account for my application which will only have access to this bucket. However, if my server is hacked, the attacker could easily read my .aws/credentials file and destroy everything within my bucket. Then my company would be in huge problems, since we rely on AWS a lot!

Is there any suggestion to increase the security of this scenario?

I can totally understand that if my server is hacked and has sudo access, my chances are slim; however, I would like to make it as difficult as possible to prevent any damage.
Issue 1:
If your server is an EC2 instance, then you don't have to store credentials in a file.
Instead, use IAM roles and instance profiles with your EC2 instances. When you do this, do not configure credentials for the AWS CLI. When you execute commands with the CLI, the CLI will collect temporary credentials off-server and use them.
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html
If you do this, then should someone gain unauthorized access to the server, there won't be any credential files for them to take away. To do any damage, they would have to do it right there on the server.
Issue 2:
To prevent damage to the bucket, enable bucket versioning. By doing this, if someone deletes objects and/or changes them, you have the old versions available to access.
Also, if you really need to delete objects, then enable MFA deletion. When enabled, MFA must be used when objects need to be deleted. Without using the MFA device, deleting objects is prohibited.
For anyone accessing the bucket, give them minimal permissions. Be careful blindly allowing s3:*. If they only need to read objects, just give them s3:GetObject.
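The least-privilege and versioning points above, as an added example that is not part of the answer: a small Python script (no AWS account needed) that builds a read-only IAM policy scoped to one bucket, audits an arbitrary policy document for the pitfalls the answer warns about (s3:* or a wildcard Resource, and destructive actions granted without versioning and MFA delete as a backstop), and produces the versioning configuration that `aws s3api put-bucket-versioning` expects. The bucket name `example-app-bucket` is a constructed placeholder.

```python
import json

# Constructed placeholder; replace with the application's real bucket name.
BUCKET = "example-app-bucket"

# Actions that can destroy data or disable the protections discussed above.
DESTRUCTIVE = {
    "s3:DeleteObject",
    "s3:DeleteObjectVersion",
    "s3:DeleteBucket",
    "s3:PutBucketVersioning",
}


def least_privilege_policy(bucket, actions=("s3:GetObject",)):
    """IAM policy granting only the given object actions on one bucket.

    ListBucket is scoped to the bucket ARN (no trailing /*) so the CLI can
    enumerate keys; object actions are scoped to the bucket's objects only.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Effect": "Allow",
                "Action": list(actions),
                "Resource": f"arn:aws:s3:::{bucket}/*",
            },
        ],
    }


def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return human-readable findings for overly broad S3 grants."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))

        broad_action = any(a in ("s3:*", "*") for a in actions)
        if broad_action:
            findings.append(f"statement {i}: wildcard action {actions}")

        if any(r == "*" or r.startswith("arn:aws:s3:::*") for r in resources):
            findings.append(f"statement {i}: wildcard resource {resources}")

        # A wildcard action implicitly grants every destructive action.
        granted = sorted(DESTRUCTIVE) if broad_action else sorted(DESTRUCTIVE & set(actions))
        if granted:
            findings.append(
                f"statement {i}: destructive actions {granted}; "
                "enable bucket versioning and MFA delete as a backstop"
            )
    return findings


def versioning_config(mfa_delete=True):
    """VersioningConfiguration as passed to put-bucket-versioning.

    Equivalent to: aws s3api put-bucket-versioning --bucket <name>
        --versioning-configuration Status=Enabled,MFADelete=Enabled
        --mfa "<device-arn> <code>"
    """
    cfg = {"Status": "Enabled"}
    if mfa_delete:
        cfg["MFADelete"] = "Enabled"
    return cfg


if __name__ == "__main__":
    good = least_privilege_policy(BUCKET)
    print(json.dumps(good, indent=2))
    print("findings for scoped policy:", audit_policy(good))

    # Constructed example of the "blindly allowing s3:*" anti-pattern.
    bad = {"Version": "2012-10-17",
           "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
    for f in audit_policy(bad):
        print("finding:", f)
    print(versioning_config())
```

Running the script prints the scoped policy with no findings, three findings for the wildcard policy, and the versioning configuration; the audit function can be pointed at any policy JSON pulled with `aws iam get-policy-version` before it is attached to the application's user or role.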

You should do offsite backup. Every day (for example) you copy all your data to a different location at a different provider, and in case of disaster you can recover from this.