I have retrieved my ssh private key from AWS Secrets and will be passing it in paramiko for ssh. But since the library accepts only filenames I cannot pass the private key string I retrieved from secrets manager. So I am thinking to write the string to a file in /tmp
.
But I am wondering are there any security implications of writing sensitive data to /tmp
in lambda.
CodePudding user response:
Each Lambda execution environment includes a writeable file system, available at /tmp
. This storage is not accessible to other execution environments.
As with the process state, files written to /tmp
remain for the lifetime of the execution environment.
The /tmp
storage is implemented with either Amazon Elastic Block Store (Amazon EBS) or local storage on the Lambda worker instance.
In this way is somewhat safe to use /tmp
in Lambda, meaning that your /tmp
folder will not be shared with other AWS clients.
Also, if you want to be sure that the data is wiped and not shared between functions in the same account and different customer accounts, you can save your data in the memory.
According the AWS docs:
Lambda scrubs the memory before assigning it to an execution environment, which effectively guards against memory sharing between functions that belong to the same account and different customer accounts. To facilitate execution environment reuse, Lambda does not scrub memory between subsequent invocations on the same execution environment for the same function. You can implement your own memory encryption and wiping process before function termination.
For a overview about Security on AWS Lambda you can take a look in Security Overview of AWS Lambda, in the page 7 we have an overview about Storage and State.
CodePudding user response:
But since the library accepts only filenames I cannot pass the private key string...
This is not entirely true, paramiko.RSAKey.from_private_key can read from string buffers as well:
import io
import paramiko
# Read private key from AWS secrets
private_key = ...
private_key_buffer = io.StringIO()
private_key_buffer.write(private_key)
private_key_buffer.seek(0)
private_key = paramiko.RSAKey.from_private_key(private_key_buffer)
ssh = paramiko.SSHClient()
ssh.connect(pkey = private_key, ...)
This means you don't have to write it to a temporary location in order for the library to read it.
If you still prefer to use /tmp
, keep in mind that this location may persist between invocations of the same functions. Other than this, the /tmp
location will be cleaned when it is assigned to another function execution.