Issue
I am in need of some help with an assessment.
I have a Java Spring Boot app that needs to connect to an AWS RDS Postgres database that enforces SSL. We have a .pem file for the purpose of connecting to the database. The Spring Boot app resides in a Bitbucket repo, and pipelines are used to build a Docker image and push it to an AWS ECR. The ECR repo is private, and I would like for it to stay that way. From here the thought process is to run a task as a service in ECS and then route to the service from a load balancer, while applying secure practices at these levels.
I've seen a lot of forum comments regarding security best practices on where NOT to keep the .pem file and/or how NOT to copy it to the image. Keeping this in mind based on the steps laid out, what is the best method of ensuring the Spring Boot app can connect to the RDS database with SSL connections forced and still be secure?
Any assistance would be helpful, thanks.
Solution
Store the .pem file in AWS SecretsManager as a binary secret, or store it in a locked-down S3 bucket with KMS encryption. Have the start-up script that is the entrypoint to your docker container copy the file into the container before starting your Spring Boot process.
Alternatively, create an AWS EFS volume, manually connect to the volume once via an EC2 instance in order to copy the file onto the volume, then map the volume into your ECS containers. This method requires less change (possibly no change) to your docker containers, but it is more difficult to update the file when you need to, because you can't do it through the AWS web console.
Answered By - Mark B
Answer Checked By - Cary Denson (JavaFixing Admin)