Amazon Web Services
KoreanGuy, 2021-08-05 13:12:36

Store keys in a private AWS S3 bucket?

There is an authentication server that creates user accounts in the database, handles mail confirmation, password reset, and so on. It generates JWT tokens using the RSA algorithm, that is, it needs a key-pair.

There is a web server for which some endpoints require authorization. To validate a token, it needs a public key. In general, everything is standard.

In addition to them, there are several other services that require a public key, but this is not important. Imagine that there is only one such service. I plan to deploy the whole thing in production through AWS ECS, that is, each service will be packaged in a container, and ECS will orchestrate.

In dev on the local machine, I simply generate a key pair and give the authentication server access to both keys and the web server access to the public key via bind mount. That is, the keys are stored on the host in some directory that is mounted into containers. Services read keys from files in the "mounted" directory.

The question is how to organize this business in production. I don't want to pack the keys into images, but using a bind mount would be inconvenient, since ECS can launch new authentication and web server containers and deploy them both to existing and to new EC2 instances if there is no more space on the existing ones. The new instances would then have to have the keys on their file systems, which is problematic to organize.

A much more convenient approach, as I see it, is to upload the keys to a private AWS S3 bucket, and give the services roles that allow them to read the necessary keys from there. Then new containers will automatically pick up the roles and, accordingly, gain access to the keys. Does this approach have disadvantages?

What other ways are there?

I can't find best practices for this situation anywhere, even though it's common. If there are any, please point me to them.


1 answer
Ivan Shumov, 2021-08-05
@KoreanGuy

aws secrets manager or aws parameter store
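An added example (not code from either poster) showing how the question's setup, an auth service that signs JWTs with an RSA private key and a web service that only verifies them with the public key, maps onto the answer's suggestion. ECS can resolve a Secrets Manager secret or an SSM parameter with the task execution role and inject it into the container as an environment variable at start, so nothing is baked into images and no bind mount has to exist on freshly launched EC2 instances. The ARNs, variable names and PEM bodies below are constructed placeholders; the task-definition `secrets` entries and the `ssm:GetParameters` / `secretsmanager:GetSecretValue` actions are the real ECS/IAM shapes.

```python
"""Distribute a JWT key pair to ECS services via Secrets Manager / Parameter Store.

Two halves: (1) task-definition and IAM fragments that make ECS inject the key
material, scoped so the web service never receives the private key; (2) the
startup loader each service calls, which accepts the injected variable in
production and a bind-mounted file path in local dev.
"""
import json
from typing import Callable, Dict, List, Tuple

# Placeholder ARNs (constructed for this example, not from the original post).
PRIVATE_KEY_ARN = "arn:aws:secretsmanager:eu-west-1:123456789012:secret:jwt/private-key-AbCdEf"
PUBLIC_KEY_ARN = "arn:aws:ssm:eu-west-1:123456789012:parameter/jwt/public-key"

PEM_PRIVATE_HEADERS = ("-----BEGIN PRIVATE KEY-----", "-----BEGIN RSA PRIVATE KEY-----")
PEM_PUBLIC_HEADERS = ("-----BEGIN PUBLIC KEY-----",)


def ecs_secret_env(name: str, value_from: str) -> Dict[str, str]:
    """One entry of a container definition's `secrets` list: ECS fetches
    `value_from` (Secrets Manager secret ARN or SSM parameter ARN) using the
    task execution role and exposes it to the container as env var `name`."""
    return {"name": name, "valueFrom": value_from}


def container_secrets(service: str) -> List[Dict[str, str]]:
    """Least privilege: every service gets the public key, only 'auth' gets the private one."""
    secrets = [ecs_secret_env("JWT_PUBLIC_KEY_PEM", PUBLIC_KEY_ARN)]
    if service == "auth":
        secrets.append(ecs_secret_env("JWT_PRIVATE_KEY_PEM", PRIVATE_KEY_ARN))
    return secrets


def execution_role_policy(service: str) -> dict:
    """Execution-role policy scoped to exactly the resources the task injects.
    If the secret/parameter is encrypted with a customer-managed KMS key, a
    kms:Decrypt statement for that key must be added as well."""
    statements = [{"Effect": "Allow", "Action": ["ssm:GetParameters"], "Resource": [PUBLIC_KEY_ARN]}]
    if service == "auth":
        statements.append({"Effect": "Allow",
                           "Action": ["secretsmanager:GetSecretValue"],
                           "Resource": [PRIVATE_KEY_ARN]})
    return {"Version": "2012-10-17", "Statement": statements}


def load_pem(env: Dict[str, str], var: str, expected_headers: Tuple[str, ...],
             read_file: Callable[[str], str] = lambda p: open(p).read()) -> str:
    """Return the PEM text for `var`: injected directly by ECS in production,
    or read from the file named by `<var>_FILE` when running with a local
    bind mount. The header check catches wiring the wrong key into a slot."""
    pem = env.get(var)
    if pem is None and env.get(var + "_FILE"):
        pem = read_file(env[var + "_FILE"])
    if pem is None:
        raise RuntimeError(f"{var} not provided (neither injected nor {var}_FILE set)")
    pem = pem.strip()
    if not any(pem.startswith(h) for h in expected_headers):
        raise ValueError(f"{var} is not a {expected_headers[0]} block")
    return pem


def load_service_keys(service: str, env: Dict[str, str],
                      read_file: Callable[[str], str] = lambda p: open(p).read()) -> Dict[str, str]:
    """Keys a service is allowed to hold. A non-auth service that finds the
    private key in its environment refuses to start: that is a task
    definition mistake, not something to carry silently."""
    keys = {"public": load_pem(env, "JWT_PUBLIC_KEY_PEM", PEM_PUBLIC_HEADERS, read_file)}
    if service == "auth":
        keys["private"] = load_pem(env, "JWT_PRIVATE_KEY_PEM", PEM_PRIVATE_HEADERS, read_file)
    elif "JWT_PRIVATE_KEY_PEM" in env or "JWT_PRIVATE_KEY_PEM_FILE" in env:
        raise RuntimeError(f"'{service}' service was given the private key; check its task definition")
    return keys


# Constructed stand-ins for the demo; the bodies are not real key material.
FAKE_PUBLIC_PEM = "-----BEGIN PUBLIC KEY-----\nMIIB...constructed...\n-----END PUBLIC KEY-----"
FAKE_PRIVATE_PEM = "-----BEGIN PRIVATE KEY-----\nMIIE...constructed...\n-----END PRIVATE KEY-----"

if __name__ == "__main__":
    print(json.dumps({"name": "auth", "secrets": container_secrets("auth")}, indent=2))
    print(json.dumps(execution_role_policy("web"), indent=2))
    print(sorted(load_service_keys("web", {"JWT_PUBLIC_KEY_PEM": FAKE_PUBLIC_PEM})))
```

The `_FILE` fallback keeps the poster's local bind-mount workflow working unchanged, while the ECS path needs no AWS permissions inside the application container at all: the execution role reads the secret, and the task role can stay empty. Rotating the key then means updating the secret/parameter and redeploying, rather than touching instance file systems.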
