From b4b3b422eaef926f2d4095e39e416ae211c86e4c Mon Sep 17 00:00:00 2001
From: jbtrystram <jbtrystram@redhat.com>
Date: Tue, 22 Aug 2023 17:13:23 +0200
Subject: [PATCH] docs/aws : Add a section that incites to delete the config
 after 1st boot

The configuraton may contains sensitive data. As any subsequent container may be able to access the s3 bucket it is advised to clear it.
See https://github.com/coreos/fedora-coreos-docs/issues/306

Also remove one level in the s3 config title so it appear in the TOC
---
 modules/ROOT/pages/provisioning-aws.adoc | 35 +++++++++++++++++++++---
 1 file changed, 31 insertions(+), 4 deletions(-)

diff --git a/modules/ROOT/pages/provisioning-aws.adoc b/modules/ROOT/pages/provisioning-aws.adoc
index 98b6a992..ad4fafb4 100644
--- a/modules/ROOT/pages/provisioning-aws.adoc
+++ b/modules/ROOT/pages/provisioning-aws.adoc
@@ -60,7 +60,7 @@ You now should be able to SSH into the instance using the associated IP address.
 ssh core@<ip address>
 ----
 
-==== Remote ignition configuration
+== Remote ignition configuration
 
 As user-data is limited to 16 KB, you may need to use an external source for your ignition configuration.
 A common solution is to upload the config to a S3 bucket, as the following steps show:
@@ -76,8 +76,8 @@ aws s3 mb s3://$NAME-infra
 .Upload the ignition file
 ----
 NAME='instance1'
-USERDATA='/path/to/config.ign' # path to your Ignition config
-aws s3 cp $USERDATA s3://$NAME-infra/bootstrap.ign
+CONFIG='/path/to/config.ign' # path to your Ignition config
+aws s3 cp CONFIG s3://$NAME-infra/bootstrap.ign
 ----
 
 You can verify the file have been correctly uploaded:
@@ -100,4 +100,31 @@ ignition:
       source: s3://instance1-infra/bootstrap.ign
 ----
 
-Then you can launch the instance using the same command as xref:#_customized_example[], passing the minimal configuration you just created.
\ No newline at end of file
+Then you can launch the instance using the same command as xref:#_customized_example[], passing the minimal configuration you just created.
+
+Once the first boot is completed, make sure to delete the configuration as it may contain sensitive data.
+See xref:#_configuration_cleanup[].
+
+== Configuration cleanup
+
+Once the instance have completed the first boot, we recommend cleaning up the configuration files.
+Any container running on the instance could be able to read the config, raising security concerns.
+
+[source,bash]
+.Deleting the Ignition configuration from the s3 bucket
+----
+NAME='instance1'
+aws s3 rm CONFIG s3://$NAME-infra/bootstrap.ign
+----
+
+Optionnally, you can delete the whole bucket:
+[source,bash]
+.Deleting the s3 bucket
+----
+NAME='instance1'
+aws s3 rb s3://$NAME-infra
+----
+
+NOTE: The instance's user data cannot be modified without stopping the instance.
+If you need to have secrets in your ignition configuration you should store it into a s3 bucket and have a minimal configuration in user-data.
+Make sure to clear the s3 bucket when the first boot is completed.
\ No newline at end of file