patternModerate
Should AWS arn values be treated as secrets?
Viewed 0 times
treatedarnsecretsawsshouldvalues
Problem
I have a configuration file that contains AWS resource ARNs stored in a git repo. This includes some ARNs of AWS IAM role resources. Should these be treated as if they are a secret value, and not stored in a repository?
Solution
Well, from a security point of view, it's never bad to give people less information.
But, as long as you have sensible security policies in AWS, there is no reason that an arn has to be considered secret.
For example, if you know the arn of the role I use to access s3 from my EC2 instances, you can't do anything with that information unless I give you permission to assume that role from one of your roles. Between accounts, this is a very explicit and bidirectional action; so it will not happen by accident/without you knowing.
Losing the credentials to an IAM user could let people assume roles and would be terrible, but them knowing the arn alone does nothing for them.
But, as long as you have sensible security policies in AWS, there is no reason that an arn has to be considered secret.
For example, if you know the arn of the role I use to access s3 from my EC2 instances, you can't do anything with that information unless I give you permission to assume that role from one of your roles. Between accounts, this is a very explicit and bidirectional action; so it will not happen by accident/without you knowing.
Losing the credentials to an IAM user could let people assume roles and would be terrible, but them knowing the arn alone does nothing for them.
Context
StackExchange DevOps Q#11101, answer score: 15
Revisions (0)
No revisions yet.