Elastic Beanstalk Environment Variables in VPC

I have an Elastic Beanstalk instance for a Django app. I want to set environment variables; however, I know that it is less secure than using something like AWS Secrets Manager.

However, if my instance is in a private subnet in a VPC, does this mean that no one can access those environment variables? Or should I nevertheless use something like AWS Secrets Manager?

Thanks!!

However, if my instance is in a private subnet in a VPC, does this mean that no one can access those environment variables?

Not sure what you mean. The EB env variables will be available in the EB console, which means that they can be accessed using AWS CLI, EB CLI or SDK. Only your instances will be in private subnets, not the EB service itself.

However, you can use IAM to control who has access to the EB service and what actions they can perform. This is especially important if you have multiple users in your account.

Or should I nevertheless use something like AWS Secrets Manager?

This or AWS Systems Manager Parameter Store are usually considered better alternatives to EB environmental variables. They will still not be in private subnets, but you can control access to them using IAM rules.

However, if you decide to use AWS Secrets Manager or Parameter Store, you will have to upgrade both your EB instances and your application.

Specifically, EB instances will require an IAM role to access the secrets. Since you are using a NAT gateway, no changes to the VPC will be required.

Also, your application will need to get the secrets using AWS CLI or SDK from the respective service. Depending on how you want to handle this, there are many scenarios possible, which are out of the scope for now in my view.
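One way the application side could look, as an added example that is not part of the original answer: a helper for Django's settings.py that reads database credentials from Secrets Manager with boto3, using the instance role for authentication. The environment variable name, the secret's JSON keys, the PostgreSQL backend and the `FakeClient` stand-in are assumptions made for illustration.

```python
import json
import os

SECRET_ID_ENV = "DJANGO_DB_SECRET_ID"  # assumed name; holds the secret's name, not its value
REQUIRED_KEYS = ("username", "password", "host", "port", "dbname")  # assumed secret layout


def default_client():
    import boto3  # lazy import: module still loads where boto3 is absent
    # On an EB instance boto3 takes credentials from the instance profile role,
    # which needs secretsmanager:GetSecretValue on this secret's ARN only.
    return boto3.client("secretsmanager")


def fetch_secret(secret_id, client=None):
    """Return the secret's JSON payload as a dict, validating its shape."""
    client = client or default_client()
    resp = client.get_secret_value(SecretId=secret_id)
    raw = resp.get("SecretString")
    if raw is None:  # secret was stored as binary
        raw = resp["SecretBinary"].decode("utf-8")
    data = json.loads(raw)
    missing = [k for k in REQUIRED_KEYS if k not in data]
    if missing:
        # Report key names only; never echo secret values into logs.
        raise KeyError(f"secret {secret_id} lacks keys: {missing}")
    return data


def database_settings(secret_id=None, client=None):
    """Build Django's DATABASES dict; call from settings.py."""
    secret_id = secret_id or os.environ[SECRET_ID_ENV]
    s = fetch_secret(secret_id, client)
    return {"default": {
        "ENGINE": "django.db.backends.postgresql",  # assumed backend
        "NAME": s["dbname"], "USER": s["username"], "PASSWORD": s["password"],
        "HOST": s["host"], "PORT": str(s["port"]),
    }}


class FakeClient:
    """Constructed stand-in for the Secrets Manager client, for offline runs."""
    def __init__(self, payload):
        self.payload = payload

    def get_secret_value(self, SecretId):
        return self.payload
```

With this layout the EB environment variable carries only the secret's name, so reading the environment configuration through the console or CLI does not reveal the password itself.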
