We have a web app which can upload files to S3. For this to be possible a configuration file is required which contains the access key id and the access secret key of my AWS account.
I am not the sys admin of the box that runs the web app. So basically this person can just grab my access secret key and e.g. start, stop and terminate EC2 instances, etc.
How can I keep my secret key a secret in this situation?
EDIT: To clarify, this is not about not trusting the sys admin, otherwise such a person would not get root access to the boxes (s)he maintains. Trusting a sys admin doesn’t mean I have to give him/her my credit card details, the keys to my house and car, etc. That’s just ridiculous.
The thing is, Amazon, in giving an overview of security processes (http://developer.amazonwebservices.com/connect/entry.jspa?externalID=1697), mentions:
"Within EC2, the host administrator and cloud administrator can be separate people, permitting two man rule security policies to be enforced."
I don’t see how the two can be separate though if the host administrator requires the access secret key in order to be able to upload to S3.
Unfortunately, I don't have time to post detailed instructions here but I strongly recommend that you look at how to set policies for a bucket and the access policy language. You should be able to allow unauthenticated uploads to a given bucket only from a particular IP address (associated with your EC2 instance). You could also create a second AWS account which has no access at all except to upload to that bucket. That way, even if the administrator ran off with your creds, they wouldn't get anything useful.
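As an added illustration of the answer above (this is example code written for this page, not something the answerer or AWS published), here is what a least-privilege bucket policy in the S3 access policy language looks like when it follows the advice: a dedicated low-privilege identity that may only put objects under one prefix of one bucket, and only from the web app instance's IP address. The bucket name, account id, principal ARN and IP range are placeholders. The `is_allowed` function is a deliberately simplified local evaluator (default deny, explicit deny wins, only the `aws:SourceIp` condition, no `NotPrincipal`/`NotAction`/`NotResource`, no identity policies on the caller's side) so the effect of the policy can be checked offline before it is applied.

```python
"""Least-privilege S3 upload bucket policy plus a simplified offline evaluator.

Added example for this page; the bucket, account id, ARN and IP range below
are constructed placeholders, not values from the question or answer.
"""
import fnmatch
import ipaddress
import json

BUCKET = "example-upload-bucket"                                  # placeholder
UPLOADER_ARN = "arn:aws:iam::111122223333:user/webapp-uploader"   # placeholder
INSTANCE_IP_RANGE = "203.0.113.10/32"   # placeholder: public IP S3 sees for the instance

# Only the dedicated uploader identity, only PutObject, only under uploads/,
# and only when the request comes from the web app instance's address.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUploadFromWebAppInstanceOnly",
            "Effect": "Allow",
            "Principal": {"AWS": UPLOADER_ARN},
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/uploads/*",
            "Condition": {"IpAddress": {"aws:SourceIp": INSTANCE_IP_RANGE}},
        }
    ],
}


def render_policy(policy=BUCKET_POLICY):
    """JSON text in the form the S3 bucket policy API accepts."""
    return json.dumps(policy, indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller_arn):
    # "*" is the anonymous/everyone principal; {"AWS": ...} names identities.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return aws == "*" or caller_arn in _as_list(aws)
    return False


def _pattern_matches(patterns, value):
    # IAM wildcards (* and ?) map onto fnmatch; ARNs contain no '[' so the
    # extra fnmatch bracket syntax never triggers here.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_matches(condition, source_ip):
    """Supports only IpAddress / NotIpAddress on aws:SourceIp; fails closed otherwise."""
    ip = ipaddress.ip_address(source_ip)
    for operator, pairs in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, cidrs in pairs.items():
            if key != "aws:SourceIp":
                raise ValueError(f"unsupported condition key: {key}")
            in_range = any(ip in ipaddress.ip_network(c, strict=False)
                           for c in _as_list(cidrs))
            if (operator == "IpAddress") != in_range:
                return False
    return True


def is_allowed(policy, caller_arn, action, resource, source_ip):
    """Simplified IAM logic: implicit deny unless an Allow matches, explicit Deny wins."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt.get("Principal", {}), caller_arn):
            continue
        if not _pattern_matches(stmt["Action"], action):
            continue
        if not _pattern_matches(stmt["Resource"], resource):
            continue
        if not _condition_matches(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    print(render_policy())
    obj = f"arn:aws:s3:::{BUCKET}/uploads/photo.jpg"
    print("from instance:", is_allowed(BUCKET_POLICY, UPLOADER_ARN, "s3:PutObject", obj, "203.0.113.10"))
    print("leaked key elsewhere:", is_allowed(BUCKET_POLICY, UPLOADER_ARN, "s3:PutObject", obj, "198.51.100.7"))
```

The point of naming a dedicated principal rather than using the anonymous `"Principal": "*"` the answer mentions is that a key copied off the box still buys an attacker nothing beyond writing into one prefix from one address: no reads, no deletes, no EC2 calls. `aws:SourceIp` is matched against the address S3 sees, so an instance behind NAT needs the NAT's public address here. On today's AWS the credential need not sit in the web app's configuration file at all: an EC2 instance role hands the instance short-lived credentials scoped the same way, which is exactly the host-administrator/cloud-administrator separation the question is asking about.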