0

A third party created an EC2 instance on their own AWS account, and gave me the private SSH key to log in with.

I logged into the EC2 instance, removed .ssh/authorized_keys in the home dir, and replaced it with a file containing my personal SSH key (which the third party doesn't have).

I then scp'ed some sensitive data (intellectual property) onto the instance and left it in the home dir.

Is there any way that the third party can access this sensitive data? If so, how can I protect against this?

Thanks!

2 Answers

3

Yes, they can access it by taking a snapshot of the volume then attaching it to an instance, and you can't tell. They can also add an authorised key back onto the volume by detaching it and attaching it to another instance. Basically, if they control the EC2 instance they control everything, and can access anything it accesses.

You will need to encrypt the data using keys held outside of their AWS account, somewhere EC2 can't reach them. If you put them in another AWS account or anywhere the EC2 instance can access them in real time, they can still access the data. That means the key is copied in manually when you want to access the data, or when you start the application using the data. I've done this in the past; we had an app where we had to enter a password on the console to start it.

I believe the only reliable solution is to have your own AWS account and own instance.

2
  • Thanks. Yes, my situation is similar to yours; I will need to continuously run a program (written in C++) on a third party's EC2 instance. If the third party manages to copy and continuously run this program themselves (or reverse engineer the binary and get the source code), that would be very financially detrimental to me. I wonder how I can robustly prevent either of these cases. With your example, you entered a password on the console, but I wonder if it was possible to somehow reverse engineer the program, if there was a simple "if (password == some_string)" check in the source code. Commented Nov 25, 2019 at 20:40
  • We used whole disk encryption on Linux, on-prem, so Linux prompted us for the password on boot. I'm not sure if you can do that in AWS. You might have to do something like a second EBS volume with software based disk encryption, with a password typed into an application when it starts. This is poor for reliability. A better option is your own AWS account and opening appropriate access between the accounts. Commented Nov 25, 2019 at 22:21
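
The approach from the answer above (encrypt with a key held outside the third party's account and type it in at start-up), as an added example that is not part of the original answers. It assumes the OpenSSL 1.1.1+ command-line tool; the function and file names are hypothetical. It keeps the key and the plaintext off the volume that a snapshot or AMI would copy; it does not change the answer's point that whoever controls the instance can access anything it accesses.

```shell
#!/bin/sh
# Added example, not from the original answers. Assumes OpenSSL 1.1.1+ (-pbkdf2);
# function and file names are hypothetical.

ITER=600000   # PBKDF2 rounds; must be the same when sealing and unsealing

# Prompt on the terminal with echo off and write the passphrase to stdout.
# printf is a shell builtin, so the passphrase is not placed in any process's
# argument list and is never written to disk.
read_pass() {
    trap 'stty echo < /dev/tty; exit 130' INT TERM   # restore echo on Ctrl-C
    printf 'Passphrase: ' > /dev/tty
    stty -echo < /dev/tty
    IFS= read -r pw < /dev/tty
    stty echo < /dev/tty
    printf '\n' > /dev/tty
    printf '%s\n' "$pw"
}

# On YOUR machine, before scp: seal <plaintext> <ciphertext>, passphrase on stdin.
# Only the ciphertext file is ever copied to the instance.
seal() {
    openssl enc -aes-256-cbc -pbkdf2 -iter "$ITER" -salt \
        -pass stdin -in "$1" -out "$2"
}

# On the instance: unseal <ciphertext>, passphrase on stdin, plaintext to stdout.
# Pipe the output into the consuming program; writing it to a file would put it
# back on the volume that a snapshot or AMI copies.
# Note: openssl enc has no AEAD modes, so this gives confidentiality only.
unseal() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" -pass stdin -in "$1"
}

# CLI entry: "seal IN OUT" locally, "unseal IN | your-program" on the instance.
case "${1:-}" in
    seal)   read_pass | seal "$2" "$3" ;;
    unseal) read_pass | unseal "$2" ;;
esac
```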
2

Yes, they can easily access this data. They can create an AMI of the instance, and use that to launch a copy of the entire server with their own SSH key.
