Bootstrapping an EC2 Spot Instance

Question

I'm considering using EC2 Spot Instances in an automated fashion (ie create a script that will request EC2 Spot Instances that will run unattended).

For this specific use case, I'm happy to lock down the security group such that there are no incoming connections allowed on the Spot Instances.

The only output of the script is to communicate with an RDS server.

I'm after a solution that allows me to spin up a request for a spot instance, and load the software required, including access to a database living on the RDS.

My primary concern is how to deliver the code in a secure way (including the DB Credentials).

What are the security concerns that need to be considered, and which method will provide the lowest risk?

My thoughts so far:

• Having no incoming connections should mitigate common threats

• Passing data to EC2 user-data is still a risk (storing passwords, or access to code doesn't sound like a good idea to me)

• In user-data, supply private details via S3 link that is set to expire (difficult to do with spot instances as I don't know when the Instance will be created)

• Create script to limit access to user-data

• Do I need to think of a more elaborate way to get data back from the newly created spot instance, and then log into said instance and send data via ssh?

Answer 1

Haven't tested it, but it should work.

Use IAM roles

We designed IAM roles so that your applications can securely make API requests from your instances, without requiring you to manage the security credentials that the applications use. Instead of creating and distributing your AWS credentials, you can delegate permission to make API requests using IAM roles...

1. Create a private S3 bucket.
2. Store your credentials in the private S3 bucket.
3. Create an IAM Role and give it a policy that allows it to access the private S3 bucket.
4. When you create your spot instance, apply the IAM role.
5. Using ec2 user-data, use a bootstrap script.
   • call curl http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access to access the s3 security credentials.
   • Use the s3 credentials to download your database credentials from the s3 bucket created in #1.
6. You now have securely delivered your credentials to your instance.

Answer 2

You can safely store encrypted database credentials in user data using KMS to encrypt and decrypt the credentials.

Setup:

1. Create an IAM role with permissions to allow kms:Decrypt on resource * (example below).
2. Encrypt (using other AWS credentials) your database credentials by calling encrypt.
3. Put the encrypted database credentials in the spot instance user data in the launch configuration.
4. Associate your spot instance with the IAM role created in 1 above in the launch configuration.

Spot instance startup:

1. Read the encrypted database credentials from the user data
2. Decrypt the database credentials using a call to decrypt

Note that all the SDKs will automatically try to access KMS with instance role credentials unless you configure specific credentials.

Example IAM policy document since I can't put code in the middle of a numbered list:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1429854706000",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}