I am wondering if its safe enough to put the AWS Api Credentials (or credentials in general) in a .conf file? I dont think so and want to ask if there is any easy to use approach to encrypt and decrypt the credentials. I am using JAVA with Eclipse IDE. Does anyone have a hint for a newbie in this section?
What is the ".conf" file? Is it a configuration file for an application? If that's the case, then no, it's not safe enough.
Amazon has a document describing best practices for access keys. Their recommendation for applications is to attach a role to whatever is running the application (EC2 / ECS / Lambda).
The biggest benefit of using a role is that the credentials it provides are temporary: they have a maximum lifetime of 12 hours, and a default lifetime of 1 hour. So if someone manages to extract them from your server, they won't be able to do long-term damage (unlike the "permanent" access keys associated with users).
While that helps, you still need to restrict the scope of those credentials (ie, don't use wildcards in their permission policies). And you should be monitoring your deployment for invalid credential use (ie, an API call that is made from somewhere outside of your VPC).
If you're talking about credentials for development use, AWS already has a place to store those. However, you don't need to store credentials anywhere if you use AWS Single-SignOn, which gives you limited-lifetime credentials for CLI/SDK use.
And if you're talking about credentials for a mobile application, look into Cognito and AWS Amplify.