samedi 8 août 2015

When creating an AMI from an instance store EC2, why do I need to use the -e exclude? Shouldn't --nofilter be used to keep the credentials?

Following the steps in the documentation http://ift.tt/PkkBhZ:

Prepare the bundle to upload to Amazon S3 using the ec2-bundle-vol command. Be sure to specify the -e option to exclude the directory where your credentials are stored.

For my instance my credentials are stored:

  • In environment variables. And also in bashrc so each terminal has access to them
  • In an ini file of my webservers home directory var/www, as per the PHP AWS SDK

If the purpose of is to create an AMI that can be stored in S3 and used to spin up new instances with, don't I want these credentials present on the AMI? Otherwise before I launch each EC2 with this new custom AMI I have to add the credentials to it each time?

Similarly, by default the

By default, the bundle process excludes files that might contain sensitive information. These files include *.sw, *.swo, *.swp, *.pem, *.priv, id_rsa, id_dsa *.gpg, *.jks, */.ssh/authorized_keys, and */.bash_history. To include all of these files, use the --no-filter option. To include some of these files, use the --include option.

Again, wouldn't I want to include all of these things?

I am the only one on the AWS account though I have set up an IAM user which I use. Uploading this AMI to S3 with no exclude option and using --no-filter should be fine shouldn't it? It's not like anyone else can access it? So I'm confused why the documentation is advising this.




Aucun commentaire:

Enregistrer un commentaire