Security, automation and peace of mind with AWS Secrets Manager
AWS recently announced AWS Secrets Manager. The new service protects the confidential data needed to access your applications, services and IT resources. It lets you rotate, manage and retrieve database credentials, API keys and other secrets throughout their whole life cycle, and it controls access to them through specific permissions. It also lets you audit secret rotation centrally, for AWS Cloud resources, third-party services and on-premises resources alike.
One of the most common problems flagged by code analysis tools is passwords written directly into configuration files, which can lead to attacks and system intrusions.
As AWS’s CTO, Werner Vogels, said during the San Francisco Summit:
with this new service you will never have to put a secret in your code.
What can I do?
- Keep secrets (passwords, API keys, etc.) in a storage service encrypted with KMS.
- Retrieve secrets from your applications using the AWS CLI and the AWS SDKs.
- Rotate your secrets automatically, without disrupting your application.
- Audit and monitor your secrets’ life cycles.
What can I store?
- Database credentials.
- Third-party API keys.
- Credentials for on-premises resources.
- SSH keys.
- SaaS application credentials.
- And, generally, any data you consider a secret.
Five Basic Steps:
- The database credentials are created.
- The secret is stored in Secrets Manager and rotation is enabled, as a security best practice.
- The application requests the secret from Secrets Manager.
- Secrets Manager decrypts the secret and sends it back over a secure channel.
- MyCustomApp can connect to the database.
AWS Secrets Manager advantages & functionalities
Thanks to AWS Secrets Manager, storing secrets in the application code or in configuration files is no longer necessary. Users and applications retrieve confidential data through calls to the AWS Secrets Manager API, eliminating the need to embed this information in the code itself.
One of the most interesting options of this new service is that you will not need to change a secret manually or update it on every client: an AWS Lambda function performs all the steps needed to rotate your secrets automatically.
Moreover, integration with a set of popular AWS services makes this service even more complete and safer:
- AWS Secrets Manager is responsible for storing and encrypting secrets by using keys provided by AWS Key Management Service (KMS).
- Lambda functions rotate secrets safely, at the desired frequency.
- CloudTrail and CloudWatch provide monitoring and access logs, so we can guarantee that the use of secrets and any change to them are recorded. If we need to be alerted, the Simple Notification Service (SNS) can help.
- Finally, access control to secrets is handled by AWS Identity and Access Management (IAM). You can grant read-only or full manage-and-configure access through policies and tags.
What are the differences with Parameter Store?
- It integrates and enables automated secret rotation.
- Integration with services (currently, RDS: MySQL, PostgreSQL and Amazon Aurora).
How much does it cost?
Price-wise, the costs are the following:
- $0.40 per stored secret.
- $0.05 per 10,000 API requests.
For example, let’s say we have two secrets to store: a database password and a third-party service API key. You only pay for each stored secret and for the number of requests you send to the API.
This is something to consider when designing your app, to avoid additional costs: a PHP application that fetches the secret to query the database on every request is not the same as, for example, an application running in Tomcat with a pool of established connections.
AWS Secrets Manager – hands on lab:
1. The secret: type, username, password and the resource it will give access to
2. Name and description of the secret
3. Setting up automatic rotation
4. Confirmation and sample code for retrieving the secret in the application
As a result of using AWS Secrets Manager, it is no longer necessary to keep the username and password in the code. With the following script, written in Python (compatible with 2.x versions), we connect to the database and read its data using the credentials stored in AWS Secrets Manager.
Remember that, for an EC2 instance to access AWS Secrets Manager, it needs an IAM role with the necessary permissions!
For this example, we requested the following information: username, password, host, port, database name and the records stored in it. In this case: the name, surname and email of a CAPSiDE “employee”.
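The retrieval step of the five-step flow above and the script described here, as an added example that is not the post’s own script: it fetches the database secret through an injected Secrets Manager client (boto3 in production, a stub in tests), validates the RDS-style JSON layout before using it, and reads the employee records over a DB-API connection. The secret name `MyCustomApp/db`, the region, the `employee` table and the pymysql driver are assumptions, not values from the post.

```python
import json

# Keys Secrets Manager writes into an RDS database secret (assumed layout).
REQUIRED_KEYS = ("username", "password", "host", "port", "dbname")


def get_secret(client, secret_id):
    """Fetch a secret through `client` (normally boto3.client("secretsmanager"),
    authenticated by the EC2 instance role) and decode it into a dict."""
    response = client.get_secret_value(SecretId=secret_id)
    if "SecretString" in response:
        raw = response["SecretString"]
    else:  # binary secret: boto3 returns SecretBinary as raw bytes
        raw = response["SecretBinary"].decode("utf-8")
    return json.loads(raw)  # kept in memory only, never logged or written


def connection_params(secret):
    """Validate the secret and map it onto DB driver keyword arguments."""
    missing = [key for key in REQUIRED_KEYS if key not in secret]
    if missing:  # fail loudly rather than connect with partial credentials
        raise KeyError("secret is missing keys: %s" % ", ".join(missing))
    return {
        "user": secret["username"],
        "password": secret["password"],
        "host": secret["host"],
        "port": int(secret["port"]),  # the console stores it as a string
        "database": secret["dbname"],
    }


def read_employees(conn, table="employee"):
    """Read name, surname and email rows over any DB-API connection."""
    cursor = conn.cursor()
    # `table` is a trusted constant from this module, never external input.
    cursor.execute("SELECT name, surname, email FROM %s" % table)
    rows = cursor.fetchall()
    cursor.close()
    return rows


if __name__ == "__main__":
    import boto3    # credentials come from the instance role, not this file
    import pymysql  # assumed driver; any DB-API module works the same way
    client = boto3.client("secretsmanager", region_name="eu-west-1")  # assumed
    conn = pymysql.connect(**connection_params(get_secret(client, "MyCustomApp/db")))
    for name, surname, email in read_employees(conn):
        print("%s %s <%s>" % (name, surname, email))
    conn.close()
```

Because the client is passed in, the same functions run against a stub without any AWS access, which is how the secret-handling code can be unit-tested without embedding credentials anywhere.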
I am sure you have heard of the new GDPR over the last few months. AWS Secrets Manager can also help you meet GDPR requirements at the password level. And why wait to secure your applications until they are finished, when you can do it from the beginning?
Keeping a secret has never been so cheap and safe. What are you waiting for to use AWS Secrets Manager? At CAPSiDE we can help you configure it and add another layer of security and automation.