What is the MOST secure way to protect the sensitive information used to bootstrap the instances?
Store the scripts in the AMI and encrypt the sensitive data using AWS KMS. Use the instance role profile to control access to the KMS keys needed to decrypt the data.
Store the sensitive data in AWS Systems Manager Parameter Store using the encrypted string parameter and assign the GetParameters permission to the EC2 instance role.
Externalize the bootstrap scripts in Amazon S3 and encrypt them using AWS KMS. Remove the scripts from the instance and clear the logs after the instance is configured.
Block user access of the EC2 instance’s metadata service using IAM policies. Remove all scripts and clear the logs after execution.
Explanations:
Storing sensitive data in the AMI and encrypting it with AWS KMS is not the most secure method. The secret, even as KMS ciphertext, is baked into every copy of the image and its underlying EBS snapshots, so anyone who can share, copy or launch the AMI obtains it, and rotating the secret means rebuilding and redistributing the image. Any instance with the role can decrypt it, and the KMS key policy is the only thing standing between the ciphertext and the plaintext.
AWS Systems Manager Parameter Store provides a secure, centralized way to store sensitive data. A SecureString parameter is encrypted with a KMS key, and the instance retrieves the plaintext at boot over TLS using its role credentials, so the secret is never baked into the AMI, the user data or a script in S3. Only principals granted the GetParameters permission on that parameter (and, for a customer managed key, kms:Decrypt on the key) can read the decrypted value; here that is the EC2 instance role. Rotation is a parameter update rather than an image rebuild, and every read is recorded in CloudTrail.
Storing the scripts in S3 and encrypting them with KMS is not a fully secure approach, because the secret is still embedded in the script: it now lives in a second store that must be protected, is copied to the instance disk when the script runs, and may be captured in cloud-init output or shell history. Removing the scripts and clearing the logs afterwards is cleanup after the fact; a failed bootstrap, a snapshot taken before cleanup, or a missed log file leaves the secret behind.
Blocking access to the EC2 instance’s metadata service via IAM policies does not work as described: IMDS is a link-local HTTP endpoint inside the instance and is not governed by IAM policies at all. It is controlled through the instance metadata options (requiring IMDSv2 tokens, lowering the hop limit, or disabling the endpoint) or a host firewall, and even then this does not address where the sensitive data is stored. Additionally, removing scripts and clearing logs after execution is insufficient to secure the sensitive information, for the same reasons given for the S3 option.
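The following user-data bootstrap script is an added example of the Parameter Store approach from the second option; it is not part of the original question or its explanations. It assumes a SecureString parameter named /app/db/password and a destination file /etc/app/db_password, both hypothetical. The instance role must allow ssm:GetParameter and ssm:GetParameters on that parameter's ARN and, if the parameter uses a customer managed KMS key, kms:Decrypt on the key. The secret is written through a pipe, never passed as a command-line argument, so it does not appear in process listings or the cloud-init log.

```shell
#!/bin/bash
# Added example: bootstrap that pulls a SecureString parameter at boot.
# Parameter name, file path and region below are assumptions, not from the page.
set -eu
umask 077                      # every file we create is owner-only by default

PARAM_NAME="/app/db/password"
SECRET_PATH="/etc/app/db_password"

# Fetch the decrypted value. Credentials come from the instance role via IMDS;
# launch the instance with HttpTokens=required so only IMDSv2 is accepted.
get_parameter() {
    aws ssm get-parameter \
        --name "$1" \
        --with-decryption \
        --query 'Parameter.Value' \
        --output text
}

# Write the secret to a root-only file and return the resulting file mode.
# The value flows stdout -> file; it is never placed in an argument or in
# an exported variable, and this script must never run under `set -x`.
install_secret() {
    param="$1"
    dest="$2"
    mkdir -p "$(dirname "$dest")"
    get_parameter "$param" > "$dest"
    chmod 0400 "$dest"
    stat -c '%a' "$dest"
}

# Post-condition check a practitioner can run after bootstrap.
is_owner_only() {
    [ "$(stat -c '%a' "$1")" = "400" ]
}

# When used as EC2 user data, invoke the script as `bootstrap.sh --run`
# (or call install_secret directly); the guard keeps the functions
# sourceable for testing without touching AWS.
if [ "${1:-}" = "--run" ]; then
    install_secret "$PARAM_NAME" "$SECRET_PATH" > /dev/null
    is_owner_only "$SECRET_PATH"
fi
```

Nothing in this script needs to be removed or scrubbed afterwards: the AMI, the user data and the S3 bucket never contain the secret, and rotating it is a put-parameter call followed by re-running install_secret or relaunching the instance. Scope the role's ssm:GetParameters statement to the exact parameter ARN rather than a wildcard so the instance cannot read every parameter in the account.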