windows – 将敏感凭据放入AWS实例的userdata属性中

我将敏感凭据注入userdata并且不确定这是否安全.

我正在使用userdata属性来运行一个脚本,该脚本在联机时将实例连接到域

像这样传递信用：

$ADUser = 'me'
$ADPassword = 'Pass'
$ADPassword  = $ADPassword | ConvertTo-SecureString -AsPlainText -Force
$ADCred = New-Object System.Management.Automation.PSCredential -ArgumentList $ADUser,$ADPassword

Add-Computer -Credential $ADCred -DomainName mydom.local -NewName testing
Restart-Computer -force

我正在使用New-EC2Instance cmdlet启动它并将此脚本作为userdata传递

我的凭据是否可以在aws日志中显示错误输出？或者别的地方？在将证书注入PS命令之前,凭证是安全的,我担心它在AWS中的位置.

不要将凭据和其他敏感数据放在用户数据脚本中.

AWS文档强调：

Important

Although you can only access instance metadata and user data from within the instance itself,the data is not protected by cryptographic methods. Anyone who can access the instance can view its metadata. Therefore,you should take suitable precautions to protect sensitive data (such as long-lived encryption keys). You should not store sensitive data,such as passwords,as user data.

资料来源：http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html

相反,为EC2实例创建IAM角色,并赋予其执行需要执行的操作的权限.然后,启动EC2实例时,将IAM角色分配给EC2实例(以后不能分配).

windows – 将敏感凭据放入AWS实例的userdata属性中

相关文章