[austinjp]

I'm somewhat naive regarding S3. If data is in RAM, can you prevent it being swapped to disk and read by an unauthorised user?

(I guess "RAM" and "disk" are virtual entities, but hopefully the spirit of the question still applies.)

[ladon86]

As the sibling comment to mine points out, the fact that the instance has access to S3 means it's not actually secure - they could just use the aws-cli to copy the file back down again. My comment about deleting the file from disk was a bit silly and doesn't add any true security.

Really, you need to just make sure that the instance is secure. The point of this whole setup is not to make secrets unobtainable if someone compromises your app server; it is to prevent you from checking in production database passwords and secrets to your code repository.