I am using Amazon Web Services in my PHP application. Is it safe to store the secret AWS access tokens in a config.php file that are linked to my PHP web service?
I have been unable to download the file to look at the content, but isn’t it possible to use a packet sniffer or something and be able to read the key and pass phrase?
I know Amazon recommends using a token vending machine to create temporary credentials, instead of using the AWS creds directly, but we are hoping to be able to skip implementing one.
Unless your config.php file will output the tokens when it is run, you should be safe. To take extra precaution, you could place the config.php file below the root directory of your website so that the user isn’t even able to try to run that file.
Your PHP is being executed on the server, and as long as no output is being sent to the client that contains the tokens, the contents of that file will never be sent to the client. Therefore, they would have no way of reading the file because the contents never leave the server, just the output from running the script.
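
The two conditions in the answer above (the file is not served from the website's document root, and including it emits no output) can be enforced when the credentials are loaded. This is an added example, not part of the original answer; the function name `load_aws_config`, the `key`/`secret` array keys, the `return [...]` config style and the demo paths are assumptions.

```php
<?php
declare(strict_types=1);

// Added example: function name, array keys and demo paths are assumptions.
// Loads a file that is expected to `return [...]`; rejects it if it lies inside
// the document root or emits any output when included.
function load_aws_config(string $configPath, string $docRoot): array
{
    $config = realpath($configPath);   // resolves symlinks and ../ segments
    $root   = realpath($docRoot);
    if ($config === false || $root === false) {
        throw new RuntimeException('Config file or document root not found');
    }

    // Condition 1: the file must not be reachable through a URL.
    $rootPrefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($config, $rootPrefix, strlen($rootPrefix)) === 0) {
        throw new RuntimeException('Config file is inside the document root');
    }

    // Condition 2: including the file must not send anything to the client.
    ob_start();
    try {
        $values = require $config;
    } finally {
        $emitted = ob_get_clean();     // discard whatever the file printed
    }
    if ($emitted !== '') {
        throw new RuntimeException('Config file produced output when included');
    }

    if (!is_array($values) || !isset($values['key'], $values['secret'])) {
        throw new RuntimeException('Config file must return key and secret');
    }
    return $values;
}

// Constructed demo layout: <tmp>/public is the document root, config.php sits beside it.
$base = sys_get_temp_dir() . '/cfgdemo_' . bin2hex(random_bytes(4));
mkdir("$base/public", 0700, true);
file_put_contents("$base/config.php", "<?php return ['key' => 'EXAMPLE_KEY', 'secret' => 'EXAMPLE_SECRET'];");
$aws = load_aws_config("$base/config.php", "$base/public");
echo 'Loaded key id: ', $aws['key'], PHP_EOL;
```

In a real deployment the second argument would be the server's document root, for example `$_SERVER['DOCUMENT_ROOT']`.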