I have a wried question, I have an app and one of the utility of that app is upload and download documents in s3. My question, what is the best practice to store s3 access keys. I have stored in a config.ini file and calling it from my php script. I also know that I can put it on ~/.aws/credentials in linux.
But I want to put it outside the server and access it from their so that even if my server has been hacked (Yes, my server has been hacked once by some Chinese people ) I should not be afraid.
Proposed Idea:
1: I am thinking to make a key server (I want to make it centralised, so that i can use it in my other project), and getting keys by http request with encryption, ip blocking, authorisation mechanism.
2: Store it in some database with proper encryption.
Please suggest it with your ideas.
The best solution for your use case is use AWS IAM Roles. Create a IAM role for access to the S3 bucket and attach that role to the EC2 instance when creating the instance. This will eliminate the use of S3 access keys so you don't have to worry about the keys getting compromised.
Read this for more details
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html