Security, automation and peace of mind with AWS Secrets Manager

Recently, AWS presented AWS Secrets Manager. This new service allows us to protect the necessary confidential data to access your apps, services and IT resources. We can also rotate, manage and easily recover database credentials, API keys and other confidential data during all its life cycle. Moreover, it allows us to control access to confidential data through specific permissions. Also, we can audit the rotation of confidential data, in a centralised way, for AWS Cloud resources, third-party services and local resources.

One of the most common problems identified by code analysis tools is the presence of passwords written directly in configuration files. This can lead to security attacks and system intrusions.

Just like AWS’s CTO, Werner Vogels, said during the San Francisco Summit,

with this new service you will never have to put a secret on your code.

What can I do?

What can I store?

Five Basic Steps:

AWS Secrets Manager - CAPSiDE

  1. The database credentials are created.
  2. The secret is stored at SM and rotation is activated as a best security practice.
  3. The application checks the secret with SM.
  4. SM sends the secret back through a secure channel and decrypts it.
  5. MyCustomApp can connect to the database.

AWS Secrets Manager advantages & functionalities

Thanks to AWS Secrets Manager, storing secrets in the same application code or in configuration files will be no longer necessary. Users and applications recover confidential data through calls to the AWS Secrets Manager API, eliminating the need of including this information in the same code.

One of the most interesting options of this new service is that you will not need to change the secret manually or update it for all clients. An AWS Lambda function will do all the steps to rotate your secrets automatically.

Moreover, a collection of popular AWS services makes this service even more complete and safer:

AWS Secrets Manager - CAPSiDE

What are the differences with parameter store?

How much does it cost?

Price-wise, costs are the following:

For example, let’s say we have two secrets to store: a database password and a third-party service API key. You will only pay for each stored secret and for the number of requests you send to the API.

It’s something to consider when it comes to the design of your app to avoid additional costs. A PHP application which queries the database for each request is not the same as, for example, an application in a tomcat with a pool of established connections.

AWS Secrets Manager - CAPSiDE

AWS Secrets Manager – hands on lab:

1. The secret: type, username, password and resource to which it will have access

AWS Secrets Manager - CAPSiDE

2. Name and description of the secret

AWS Secrets Manager - CAPSiDE

3. Setting automatic rotation

AWS Secrets Manager - CAPSiDE

4. Confirmation and code for recovering secret in the application

AWS Secrets Manager - CAPSiDE

AWS Secrets Manager - CAPSiDE

As a result of using AWS Secrets Manager, it will be no longer necessary to have the username and password in the code. Through the following script, written in Python (compatible with 2.x versions), we can connect to the database and read its data by using the credentials stored in AWS Secrets Manager.

# Use this code snippet in your app.
import boto3
from botocore.exceptions import ClientError
import json
import MySQLdb


def get_secret():
    secret_name = "test/RDS"
    endpoint_url = "https://secretsmanager.eu-west-1.amazonaws.com"
    region_name = "eu-west-1"
    session = boto3.session.Session()
    client = session.client(
        service_name='secretsmanager',
        region_name=region_name,
        endpoint_url=endpoint_url
    )

    try:
        get_secret_value_response = client.get_secret_value(
            SecretId=secret_name
        )
    except ClientError as e:
        if e.response['Error']['Code'] == 'ResourceNotFoundException':
            print("The requested secret " + secret_name + " was not found")
        elif e.response['Error']['Code'] == 'InvalidRequestException':
            print("The request was invalid due to:", e)
        elif e.response['Error']['Code'] == 'InvalidParameterException':
            print("The request had invalid params:", e)
    else:
        # Decrypted secret using the associated KMS CMK
        # Depending on whether the secret was a string or binary, one of these fields will be populated
        if 'SecretString' in get_secret_value_response:
            secret = get_secret_value_response['SecretString']
            print "El secreto completo en JSON es",secret
            # Get the user name, password, and database connection information from a config file.
            database = json.loads(secret)['dbname']
            user_name = json.loads(secret)['username']
            password = json.loads(secret)['password']
            host = json.loads(secret)['host']

            # Use the user name, password, and database connection information to connect to the database
            db = MySQLdb.connect(host, user_name, password, database)
            cursor = db.cursor()
            cursor.execute("Select * from MyGuests limit 1")
            print "En la DB hay un total de ",cursor.rowcount," registro, que son :"
            for row in cursor.fetchall():
               print row
            db.close()
        else:
            binary_secret_data = get_secret_value_response['SecretBinary']
        # Your code goes here.
get_secret()

Remember that, for an EC2 instance to have access to AWS Secrets Manager, it will need to have the necessary role!

For this example, we asked for the following information: username, password, host, gate, database name and the records stored in it. In this case: name, surname and email of a CAPSiDE “employee”.

AWS Secrets Manager - CAPSiDE

I am sure that you might have heard of the new GDPR over the last few months. AWS Secrets Manager can also help you fulfil the GDPR requirements at a password level. On the other side, why would you wait to secure your applications once they are done if you can do it from the beginning?

Keeping a secret has never been so cheap and safe. What are you waiting for to use AWS Secrets Manager? At CAPSiDE we can help you configuring it and adding up another layer of security and automation.

TAGS: API, aws, aws, AWS CLI, AWS SDK, AWS Secrets Manager, GDPR, password, Secret, secreto

speech-bubble-13-icon Created with Sketch.
Comments
Asmita Singh | November 15, 2018 12:16 am

This is one of the best services from AWS in recent past, atleast per me. Great job, great idea!

Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

*
*