I have deployed my Django application to Elastic Beanstalk with the intention of using its environment variable configuration interface to store my API keys instead of storing them in my source (as described here https://stackoverflow.com/a/17878600).
After doing this, I found out that what Beanstalk calls environment variables aren't actually shell environment variables (as mentioned here https://stackoverflow.com/a/24564832/378638) and are stored on the instance in a configuration file (as described here https://stackoverflow.com/a/24566283/378638).
This seems like a security issue to me. Doesn't this defeat the purpose of keeping the secret keys out of the source? I understand they are no longer in the repo, but they are still accessible on the instance.
Am I misunderstanding the risk? I am sysadmin by inheritance so please excuse my ignorance here. Should I just load the Beanstalk variables as shell environment variables via the configuration file and move on since the file is only accessible via root, or is my concern valid? Thank you.
Best Answer
The point of keeping secrets out of source code is so they don't go into source control. This is particularly useful in open source projects.
When deployed, it doesn't matter if the secret's in a file or envvar. What's important is that only the OS user that your program is running as can read it. This is the default for envvars, which is convenient.
Root can always read everything. So Amazon can know your secret values if they want, because they are root (though they have policies against reading your stuff).
They do support pricey hardware security modules (HSM) though, which would make your keys unreadable. Of course, they could still use the HSM to decrypt your stuff, just never get the actual key.
There's also Key Management Service from AWS, which is like a software HSM
So either you need to trust Amazon, or host stuff yourself, or colocate.