Dealing with Amazon Security Keys

For the past few days I have been learning all about Amazon’s security keys. They are fairly complex to learn but work great once I got them figured out. And like most things, I learned how to work with them by doing a project, reading documentation, and using Google. Classes? Training? Who has time for that? I got projects to get done!

First order of business is to understand that Amazon Security Keys – and most security keys – are basically replacements for the archaic and easily hacked user names and passwords we used for years. The reason that security keys are important for AWS is that users and developers are often communicating with AWS via application programming interfaces – API’s – rather than just logging in with a user name and password. These API’s let a user start and stop servers, modify servers, modify services – an entire host of things that cost money and can be used for nefarious purposes. User names and passwords are easily hacked and nobody wants to embed their user name and password in their programs. So security codes are the better solution. They are long, encrypted during transmission, and not at all easily hacked. In fact, as I learned the hard way, if you LOSE the master security code to an Amazon EC2 instance, you can’t get it back. You basically have to stop it, kill it off and create a new instance. Kind of like losing the keys to your truck and having to buy a new truck!

AWS Master Security Key

One of my early lessons was that there is a master security key to access AWS through their command line interface. This allows a user to control AWS services from their own desktop computer without having to log into the AWS web site. This is very handy if you are automating processes such as building web applications or creating an application development pipeline. It is fairly simple to create a new master AWS security key, but if you do then you have to update all your applications that use that security key.

EC2 Instance Security Keys

When you create an EC2 instance – basically a virtual server on AWS – you have to create a master security key to that instance. It is a one-time deal. The only time you can download or access that key is when you first create the instance. It downloads to your desktop. The EC2 instance keeps a public key and the private master key has to be used to log into and control the operating system on that instance. For example, if I want to log into the operating system shell or FTP to that instance, I need the private security key to do so. I can create additional users and security keys so others can use the instance without my security key, but the master security key is like the root password, and can only be generated and downloaded once. Lose that key – which I did – and you might as well kill that instance off and start a new one – which I had to do after fiddling with the problem for a couple of days. Darn it. Maybe a class would have saved me some of that time? Naw, it would have taken weeks to learn that in a class.

Private Key Security

So when you create this private security key, you want to be sure and store them in a safe place, just like the keys to your home or your safe deposit box. I put mine in my iCloud drive so that it is backed up, and changed permission on the file so that I am the only one who can read it and it is read-only so I won’t accidentally delete the key.

Once I got the key problem worked out, things went much more smoothly and quickly. My son Adam and I quickly spun up a WordPress DOCKER instance, I created an Amazon RDS database, connected WordPress to it, and got the basics of one of my sites up and running. And it is FAST FAST FAST! But more on that in another post.