c# asp.net amazon-web-services encryption

How do I store and access my third party API keys with AWS


I have an existing ASP.NET/C# web site that I am looking to migrate to AWS. I currently store all 3rd party API tokens/credentials in my web.config file in an encrypted section.

The encryption is done via the normal aspnet_regiis command similar to this:

aspnet_regiis -pe "connectionStrings" -app "/SampleApplication" -prov "RsaProtectedConfigurationProvider"

That all works very well.

Moving to the AWS world I understand I could do the same thing using the web.config file but I wanted to know if there is a better, more appropriate way to do this.

The AWS Key Management Service sounds like it is meant to solve this problem but from what I can ascertain it is really just for storing your AWS master keys.

I've seen that people have used the master keys to encrypt a text file that is uploaded to the AWS web server and then used the master keys to decrypt the file when it is required. That file could contain a list of third party keys and so would be one way to solve the problem.

What I am trying to understand, but failing to, is whether that is the correct way to do it (i.e. storing the third party keys in a text/json/xml file, encrypting it with the AWS master key, storing it on the server and querying it as and when necessary), or whether there is a way in AWS to enter each of my third party keys into somewhere/something that the web application can query directly.


Solution

  • You have two good choices for storing credentials for Amazon EC2 instances. Both are Amazon-recommended methods. Do NOT store credentials on the EC2 instance, in your code or on S3.

    1. Create an IAM role for your EC2 instance, assign desired permissions, assign this role to your instance. The Amazon SDKs will automatically extract these credentials. This is the easiest method.

    2. Create your credentials in IAM, then use EC2 Parameter Store to store your credentials securely.

    IAM Roles

    The Right Way to Store Secrets using Parameter Store
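
The two options in the answer combine naturally for third-party keys: the instance's IAM role supplies the AWS credentials, and the application reads each third-party key from Parameter Store at run time. The following C# sketch is an added example, not code from the original question or answer. It assumes the AWSSDK.SimpleSystemsManagement NuGet package, a key stored as a SecureString parameter, and an instance role that allows `ssm:GetParameter` on that parameter and `kms:Decrypt` on the KMS key protecting it; the class name and parameter path are hypothetical.

```csharp
using System;
using System.Collections.Concurrent;
using System.Threading.Tasks;
using Amazon.SimpleSystemsManagement;
using Amazon.SimpleSystemsManagement.Model;

// Hypothetical helper: reads third-party API keys from Parameter Store and
// caches them briefly so each web request does not trigger an AWS call.
public sealed class ParameterStoreSecrets : IDisposable
{
    private sealed class Entry { public string Value; public DateTime ExpiresUtc; }

    // No access key or secret key appears here: the SDK's default credential
    // chain uses the temporary credentials of the IAM role on the instance.
    private readonly IAmazonSimpleSystemsManagement _ssm =
        new AmazonSimpleSystemsManagementClient();
    private readonly ConcurrentDictionary<string, Entry> _cache =
        new ConcurrentDictionary<string, Entry>();
    private readonly TimeSpan _ttl;

    // A short TTL means a rotated key is picked up without redeploying.
    public ParameterStoreSecrets(TimeSpan ttl) { _ttl = ttl; }

    public async Task<string> GetAsync(string name)
    {
        Entry hit;
        if (_cache.TryGetValue(name, out hit) && hit.ExpiresUtc > DateTime.UtcNow)
            return hit.Value;

        try
        {
            var resp = await _ssm.GetParameterAsync(new GetParameterRequest
            {
                Name = name,
                WithDecryption = true // decrypt the SecureString value via KMS
            }).ConfigureAwait(false);

            _cache[name] = new Entry
            {
                Value = resp.Parameter.Value,
                ExpiresUtc = DateTime.UtcNow + _ttl
            };
            return resp.Parameter.Value;
        }
        catch (ParameterNotFoundException)
        {
            // Report the parameter name only; never log or echo the secret value.
            throw new InvalidOperationException("Parameter not found: " + name);
        }
    }

    public void Dispose() { _ssm.Dispose(); }
}
```

A caller would create one shared instance, for example `new ParameterStoreSecrets(TimeSpan.FromMinutes(5))`, and call `GetAsync("/myapp/prod/payment-api-key")` (a constructed path) where the key is needed.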