Use AWS IAM roles

- Remove usage of AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
- Add instructions to set up IAM role

docs/deployment-with-docker.rst

@@ -42,6 +42,13 @@ You will probably also need to setup the Mail backend, for example by adding a `
 .. _sentry.io: https://sentry.io/welcome
 .. _Mailgun: https://mailgun.com
 
+Create AWS IAM Role for EC2 instance
+------------------------------------
+As a security best practice, we don't store `AWS_ACCESS_KEY_ID` AND `AWS_SECRET_ACCESS_KEY` on the server. In stead, in order to authorize Django to access your S3 bucket, you need to create an `IAM role`_ and `attach`_ it to the existing EC2 instance or create a new EC2 instance with that role. This role should assume a minimum permission of `AmazonS3FullAccess`.
+
+.. _IAM role: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
+.. _attach: https://aws.amazon.com/blogs/security/easily-replace-or-attach-an-iam-role-to-an-existing-ec2-instance-by-using-the-ec2-console/
+
 HTTPS is on by default
 ----------------------
 

{{cookiecutter.project_slug}}/config/settings/production.py

@@ -94,8 +94,6 @@ INSTALLED_APPS += ['gunicorn', ]
 # See: http://django-storages.readthedocs.io/en/latest/index.html
 INSTALLED_APPS += ['storages', ]
 
-AWS_ACCESS_KEY_ID = env('DJANGO_AWS_ACCESS_KEY_ID')
-AWS_SECRET_ACCESS_KEY = env('DJANGO_AWS_SECRET_ACCESS_KEY')
 AWS_STORAGE_BUCKET_NAME = env('DJANGO_AWS_STORAGE_BUCKET_NAME')
 AWS_AUTO_CREATE_BUCKET = True
 AWS_QUERYSTRING_AUTH = False

{{cookiecutter.project_slug}}/env.example

@@ -15,8 +15,6 @@ DJANGO_SECRET_KEY=CHANGEME!!!
 DJANGO_ALLOWED_HOSTS=.{{ cookiecutter.domain_name }}
 
 # AWS Settings
-DJANGO_AWS_ACCESS_KEY_ID=
-DJANGO_AWS_SECRET_ACCESS_KEY=
 DJANGO_AWS_STORAGE_BUCKET_NAME=
 
 # Used with email