Home > OS >  Should I hard code IAM credentials for CloudWatch logging within client apps?
Should I hard code IAM credentials for CloudWatch logging within client apps?

Time:10-13

I have an IAM User that has programmatic access to the CloudWatch Log APIs via access / secret keys. I'm using the following policy to restrict it's access to just a specific LogGroup.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "logs:DescribeLogGroups",
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "logs:DescribeLogStreams",
            "Resource": "arn:aws:logs:us-west-2:223237870883:log-group:/myappname/dev/client/uwp"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:us-west-2:223237870883:log-group:/myappname/dev/client/uwp:log-stream:*",
                "arn:aws:logs:us-west-2:223237870883:log-group:/myappname/dev/client/uwp"
            ]
        }
    ]
}

The keys will be shipped with a mobile app into the Android/iOS/Windows/macOS app stores. Each app has it's own key/Policy (the above is for the UWP app) that constrains it to its own CloudWatch LogGroup I create via CloudFormation.

My question is on the keys themselves. I can either put them in a configuration file or I can hard-code them into the binaries. I was going to hard-code them since I can't change the config files after the fact anyway - if I wanted to change them I'd need to ship a new version of the app regardless. It seemed like hard-coding them in the app make it a bit more difficult for someone to try and steal.

Worse case if they are stolen is that they flood me with CloudWatch logs. Is there anything I can do to try and prevent that? I tried to looking at Amplify and how it handles this but didn't see anything that stood out there.

Are there any problems with the approach that I've taken from a security perspective or is this pretty much par for the course?

As a side-note, I had integrated Visual Studio App Center logging originally but didn't want to deal with building a process to aggregate logs from App Center for clients and CloudWatch for my back-end. App Center seemed to work the same way - access key/client key with nothing that really stopped someone from stealing and logging outside of the app.

Appreciate any guidance anyone can offer on your experiences with this kind of thing. Not looking for the right answer. Wanting to see what other approaches folks have taken to see if I'm completely off the beaten path or not.

CodePudding user response:

Yes, you can prevent shipping credentials by hiding the credentials behind an API endpoint, which you can then rate-limit, secure, rotate access to with each app deployment etc.

While the worst case is that they can flood you with logs, if you already have a backend API, it is better to have a dedicated logging endpoint between you and Cloudwatch.

I wouldn't worry too much however, you're granting the least privilege which is the most important factor.

  • Related