Are you using cloud computing services in AWS? Sooner or later, you will need to grapple with the issue of secure storage and management of secret data, such as credentials. Sure, you can always save your authentication details to a plain text file or an encrypted ZIP archive and upload it to an S3 bucket with strict access control. It is an option, but one that may be challenging to apply and tedious to manage. In fact, it is also not as secure as you may think. Not to mention the scalability issues involved. But there is no reason to worry: Amazon has you covered.
The company has recently launched a dedicated tool that allows you to quickly rotate, manage, and retrieve database credentials, API keys, and other secret data. Ladies and Gentlemen, let me introduce to you AWS Secrets Manager.
What is AWS Secrets Manager?
Imagine that your application needs database access with password protection. You will need to find some way to store DB credentials securely. This excludes keeping them in a configuration file or on the application’s instance. Moreover, to ensure compliance with your company’s security policy, these credentials will probably have to change on a monthly basis.
Here comes our protagonist, AWS Secrets Manager.
The Manager enables you to easily rotate, manage, and retrieve database credentials, API keys, passwords, and other secrets. It is not limited to the AWS cloud, as you can leverage it to store and manage credentials for third-party and on-premises services.
The only difference is that for this type of service you will need to write a Lambda function to rotate the credentials, because each such service has its own way of changing its secrets. Secrets Manager then invokes your Lambda function, so rotation works the same way for every secret. For instance, if you want to rotate a Facebook password, you will need to write a function that rotates it through Facebook’s API. Again, this only applies to non-RDS secrets.
AWS Secrets Manager – typical applications
There are several scenarios where AWS Secrets Manager may be particularly valuable:
- With Secrets Manager, you can manage secrets such as database credentials, on-premises resource credentials, SaaS application credentials, third-party API keys, and SSH keys.
- Another use of the Manager is to store JSON documents, which lets you manage any text blob of up to 4 KB.
- Secrets Manager also enables you to replace credentials hardcoded in your code with an API call that retrieves them programmatically. Since no secrets are stored on your instances or in your code, they are less likely to be compromised.
How to use AWS Secrets Manager?
The following diagram shows the most basic scenario for AWS Secrets Manager, where the service stores credentials for a database that are later used by an application that needs to access that database.
- In the first step, the administrator creates a set of credentials with permissions required for the application to use the database.
- Next, the administrator stores the credentials as a secret in AWS Secrets Manager. The credentials are encrypted and stored.
- When the application needs to access the database, it queries Secrets Manager.
- Secrets Manager retrieves and decrypts the protected secret and returns it to the application over a secure channel.
- The application uses the credentials to access the database.
Secrets stored in Secrets Manager are encrypted with the Key Management Service (KMS) key of your choice, and access to them can be granularly controlled with Identity and Access Management (IAM) policies for individual roles or users.
Creating a secret with AWS Secrets Manager
Before we create any secret in AWS Secrets Manager, we need proper permissions to do that. The minimum set required is as follows:
- Permissions granted by the SecretsManagerReadWrite AWS managed policy;
- Permissions granted by the IAMFullAccess AWS managed policy, but only if you need to enable rotation for the secret;
- kms:CreateKey if you want Secrets Manager to create a custom KMS customer master key (CMK) for you;
- kms:Encrypt if you use a custom KMS key to encrypt your secrets instead of the default Secrets Manager CMK for your account.
- Once you verify your permissions, you can sign in to the AWS Secrets Manager console and choose the option Store a new secret.
- You will then be able to decide what type of credentials you want to store. You can choose between RDS database credentials, other database credentials, and other types of secrets.
Note that the supported databases are MariaDB, MySQL, PostgreSQL, Oracle, and SQL Server.
Let’s choose the other secret type and type in some secret key/value pairs.
- You can choose the KMS encryption key to protect your secrets or create a new one here. Leave the DefaultEncryptionKey for now.
- Next, you have to provide the Secret name and an optional Description. There is no naming convention here, so I will leave this one to your imagination.
- Now you’ll have to configure automatic rotation for the secret. You can enable or disable rotation, select the rotation interval, and choose the Lambda function that rotates the password. Keep in mind that since you are configuring another type of secret, you need to provide your own function to rotate the password. As I mentioned before, that function can use the third-party application’s API or any other method to change the destination system’s password.
- Finally, you can review your secret.
- You can also view a code sample that illustrates how to retrieve the secret in your application.
Please note that the first secret rotation will happen immediately upon storing this secret. As a result, for your applications to retrieve it from AWS Secrets Manager, they will need to be updated.
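Rotating a non-RDS secret, as described in the rotation step above and earlier in the article, means writing the Lambda function yourself. The following is an added example of such a function (not AWS’s own template or the console’s sample code): it handles the four rotation steps Secrets Manager invokes it with; the `push_to_service` callback, the in-memory `FakeSecretsManager` used to run it offline, and the `username`/`password` JSON layout of the secret are assumptions.

```python
"""Rotation Lambda for a non-RDS secret (added example, not AWS's own template). Secrets Manager
calls it once per step with {"SecretId", "ClientRequestToken", "Step"}; push_to_service is hypothetical."""
import json
import secrets

def lambda_handler(event, context, client=None, push_to_service=None):
    if client is None:
        import boto3  # lazy import so the module also loads without boto3
        client = boto3.client("secretsmanager")
    arn, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]
    stages = client.describe_secret(SecretId=arn)["VersionIdsToStages"]
    if "AWSCURRENT" in stages.get(token, []):
        return "already rotated"  # idempotent re-invocation after finishSecret
    if step == "createSecret":  # copy current value, swap password, stage as AWSPENDING
        cur = json.loads(client.get_secret_value(SecretId=arn, VersionStage="AWSCURRENT")["SecretString"])
        cur["password"] = secrets.token_urlsafe(24)  # 32-character random password
        client.put_secret_value(SecretId=arn, ClientRequestToken=token,
                                SecretString=json.dumps(cur), VersionStages=["AWSPENDING"])
    elif step == "setSecret":  # hand the pending password to the destination system's API
        pend = json.loads(client.get_secret_value(SecretId=arn, VersionId=token,
                                                  VersionStage="AWSPENDING")["SecretString"])
        push_to_service(pend["username"], pend["password"])
    elif step == "testSecret":
        pass  # verify the AWSPENDING credentials actually work before promoting them
    elif step == "finishSecret":  # promote pending to AWSCURRENT; the old version becomes AWSPREVIOUS
        current_id = next(v for v, s in stages.items() if "AWSCURRENT" in s)
        client.update_secret_version_stage(SecretId=arn, VersionStage="AWSCURRENT",
                                           MoveToVersionId=token, RemoveFromVersionId=current_id)
    else:
        raise ValueError(f"unknown rotation step {step}")
    return step

class FakeSecretsManager:
    """Constructed in-memory stand-in for boto3's secretsmanager client so the steps run offline."""
    def __init__(self, current_json):
        self.values, self.stages = {"v1": current_json}, {"v1": ["AWSCURRENT"]}
    def describe_secret(self, SecretId):
        return {"VersionIdsToStages": {k: list(v) for k, v in self.stages.items()}}
    def get_secret_value(self, SecretId, VersionId=None, VersionStage=None):
        vid = VersionId or next(v for v, s in self.stages.items() if VersionStage in s)
        return {"SecretString": self.values[vid]}
    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.values[ClientRequestToken], self.stages[ClientRequestToken] = SecretString, list(VersionStages)
    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId, RemoveFromVersionId):
        self.stages[RemoveFromVersionId].remove(VersionStage)
        self.stages[MoveToVersionId].append(VersionStage)
```

Against the real service, deploy only `lambda_handler` (Lambda passes `event` and `context`, so the defaults pick boto3) and replace `push_to_service` with the destination system’s password-change call.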
Once you define the secret, you can either use the sample code provided by Amazon, write your own code, or use the AWS CLI to play with your secrets.
First, using the following command:
aws secretsmanager describe-secret --secret-id <value>
you can see the properties of your secret.
You can also simply list all of your secrets with this command:
aws secretsmanager list-secrets
However, I believe that the most interesting command will be this:
aws secretsmanager get-secret-value --secret-id <value>
It returns your secret as a SecretString, ready to parse and use.
Note! If you want to store binary data in Secrets Manager, you cannot upload it through the management console. The only option is to use an SDK or the AWS CLI.
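As an added example (not the sample code the console generates), here is how an application can fetch a secret and parse it, handling both the SecretString returned above and the SecretBinary case just mentioned, instead of hardcoding the credentials. The `FakeSecretsManager` class and the database-credential field names (`username`, `password`, `host`, `port`, `dbname`) are assumptions made so it runs offline.

```python
"""Retrieve a secret and turn it into usable credentials (added example).
The client is injected so the parsing can be exercised offline with a constructed response."""
import base64
import json


def load_secret(secret_id, client=None):
    """Return the secret as a dict (JSON SecretString), str (plain-text SecretString)
    or bytes (SecretBinary)."""
    if client is None:
        import boto3  # imported lazily so the module also loads without boto3
        client = boto3.client("secretsmanager")
    resp = client.get_secret_value(SecretId=secret_id)
    if "SecretString" in resp:
        try:
            return json.loads(resp["SecretString"])  # key/value pairs entered in the console
        except json.JSONDecodeError:
            return resp["SecretString"]              # a plain-text secret
    blob = resp["SecretBinary"]
    # boto3 hands SecretBinary back as bytes; the CLI prints it base64-encoded.
    return base64.b64decode(blob) if isinstance(blob, str) else blob


def db_dsn(secret_id, client=None):
    """Build a PostgreSQL connection string from a database-credential secret
    so no password lives in the application code or configuration."""
    creds = load_secret(secret_id, client)
    return (f"postgresql://{creds['username']}:{creds['password']}"
            f"@{creds['host']}:{creds['port']}/{creds['dbname']}")


class FakeSecretsManager:
    """Constructed stand-in for boto3's secretsmanager client returning a canned response."""

    def __init__(self, response):
        self.response = response

    def get_secret_value(self, SecretId):
        return dict(self.response, Name=SecretId)


if __name__ == "__main__":
    # Constructed response mimicking GetSecretValue for a database secret.
    fake = FakeSecretsManager({"SecretString": json.dumps({
        "username": "app", "password": "example-only", "host": "db.internal",
        "port": 5432, "dbname": "orders"})})
    print(db_dsn("prod/orders/db", fake))
```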
What are AWS Secrets Manager best practices?
There are a few.
- Always remember that your security is only as strong as its weakest link. Keep in mind that all sensitive information should be stored as part of the encrypted secret value, either in SecretString or SecretBinary. Do not save any secret information in the Description field.
- Keep in mind that a Lambda function that rotates secrets may log sensitive information. Ensure that you do not log anything to CloudWatch that could compromise your secrets. For instance, if you decide to log such information during development for testing or debugging purposes, make sure to remove those lines before moving the code to production. Double-check that you have deleted any historical logs that may contain sensitive information.
- Remember that if you use the AWS CLI to invoke Secrets Manager operations, you need to protect your shell. Ensure that commands and console output are not logged. Do not pass sensitive information directly on the command line; use external files instead.
- A foolproof tip: always lock your computer when you walk away from your console. Don’t let that silly mistake happen to you.
AWS Secrets Manager pricing
Last, but not least, let’s examine the pricing model. It is pretty straightforward; you pay $0.40 per secret per month, and then $0.05 per 10,000 API calls.
When you store your first secret, you start a 30-day free trial, which enables you to rotate, manage, and retrieve secrets free of charge over that 30-day period.
AWS Secrets Manager at your service
AWS Secrets Manager is a newly-minted service, officially released on April 4th this year, after months of anticipation. Finally, Amazon has delivered their long-awaited solution that allows you to store and retrieve information within your cloud application securely. You no longer have to struggle with S3 private buckets and credentials. AWS Secrets Manager has landed, and it is here to help you keep all sensitive information in AWS. Encrypted, and safe & sound.