In this fast-changing world of Cloud, Containers, APIs and Microservices, keeping and managing IT resources is one challenge and securing them is another.
Credentials management is one of the most overlooked concepts when it comes to securing your applications. I have seen organizations keep all their passwords in a single spreadsheet or Confluence page, or on many occasions on a sticky note under the manager’s keyboard 😄
AWS Secrets Manager allows you to easily store, rotate and manage credentials throughout the lifecycle of your applications. No more spreadsheets, and no more updating application code whenever a credential changes: just one central location to keep all credentials secure and rotate them easily.
Following are some key benefits of AWS Secrets Manager:
As the name suggests, you can configure Secrets Manager to rotate your credentials automatically on a schedule, without user intervention.
You need a Lambda function to implement rotation (that’s a topic for another blog post). To summarize, the Lambda function does the following:
- Creates a new version of the secret.
- Stores the secret in Secrets Manager.
- Configures the protected service to use the new version.
- Verifies the new version.
- Marks the new version as production-ready.
AWS RDS fully supports credential rotation.
Credentials stored in Secrets Manager are encrypted with an AWS KMS key that is created by default. You can also use your own KMS key to secure your credentials.
You can attach IAM policies to users and roles to control access to specific secrets. This gives you fine-grained access management over the credentials. For example, you can write IAM policies that grant full credential management to an Administrator role while allowing the Developer role read-only access.
Compliance with Standards
Secrets Manager covers the auditing and compliance requirements of security standards such as HIPAA, PCI, ISO 27001, SOC and more.
Auditing and Logging
You can enable CloudTrail logging of API calls to AWS Secrets Manager. CloudTrail also records Management Console events.
What AWS Secrets Manager Provides
You can manage the credentials of the following services or applications:
- RDS Database — Supports all RDS databases
- RedShift Clusters
- DocumentDB — NoSQL DBs
- Other Databases — Self-managed databases running on EC2 or your own network
- Other Keys — For APIs keys or similar
How AWS Secrets Manager works
Typically, working with AWS Secrets Manager involves one or more of the following roles:
Secrets Manager administrator
Administers the Secrets Manager service and grants permissions to the individuals who then perform the other roles listed here.
Database or service administrator
Administers the database or service with secrets stored in Secrets Manager. Determines and configures the rotation and expiration settings for their secrets.
Application developer
Creates the application, and then configures the application to request the appropriate credentials from Secrets Manager.
You can access secrets using the following methods:
- Management Console
- AWS CLI
- AWS SDKs
- Secrets Manager HTTPS Query API
The slide above describes the following scenario:
- The DBA or service admin creates a service account credential for a particular app to use the service. For example, the DBA creates a username and password for MyWebApp to access the database.
- An administrator (DBA, service or AWS admin) creates a record in AWS Secrets Manager as a secret for the app, for example MyWebAppDBCredentials.
- When the application needs a credential, it queries AWS Secrets Manager over a secure HTTPS (TLS) channel and AWS returns the credentials to the app. For example, the client calls Secrets Manager to retrieve the entries for MyWebAppDBCredentials.
- The app or client parses the credentials and uses them as required, for example in a connection string or an API call.
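As an added example (not code from the original post), here is the retrieval step above in Python: the client fetches MyWebAppDBCredentials, parses the RDS-style secret JSON (username, password, engine, host, port, dbname) and builds a connection string. The real call is boto3’s `get_secret_value(SecretId=...)`; a constructed fake client stands in for AWS so the code runs offline, and the secret values are made up.

```python
import json
from urllib.parse import quote


def parse_secret_value(response: dict) -> dict:
    """Decode a GetSecretValue response: JSON in SecretString or SecretBinary."""
    if "SecretString" in response:
        raw = response["SecretString"]
    elif "SecretBinary" in response:
        raw = response["SecretBinary"]  # boto3 hands binary secrets back as bytes
        raw = raw.decode("utf-8") if isinstance(raw, bytes) else raw
    else:
        raise ValueError("response carries neither SecretString nor SecretBinary")
    return json.loads(raw)


def get_db_credentials(client, secret_id: str) -> dict:
    """Fetch the AWSCURRENT version of secret_id and validate the RDS fields."""
    # With the real SDK: client = boto3.client("secretsmanager")
    response = client.get_secret_value(SecretId=secret_id)
    creds = parse_secret_value(response)
    missing = {"username", "password", "host", "port", "dbname"} - set(creds)
    if missing:
        raise KeyError(f"secret {secret_id} lacks fields: {sorted(missing)}")
    return creds


def build_connection_url(creds: dict) -> str:
    """Build engine://user:pass@host:port/db, percent-encoding user and password."""
    user, pwd = quote(creds["username"], safe=""), quote(creds["password"], safe="")
    engine = creds.get("engine", "postgres")
    return f"{engine}://{user}:{pwd}@{creds['host']}:{creds['port']}/{creds['dbname']}"


class FakeSecretsManagerClient:
    """Constructed offline stand-in for boto3's secretsmanager client."""
    def __init__(self, secrets: dict):
        self._secrets = secrets

    def get_secret_value(self, SecretId: str) -> dict:
        if SecretId not in self._secrets:
            raise LookupError(f"ResourceNotFoundException: {SecretId}")
        return {"Name": SecretId, "VersionStages": ["AWSCURRENT"], **self._secrets[SecretId]}


# Constructed sample secret in the RDS JSON layout; not a real credential.
SAMPLE_CLIENT = FakeSecretsManagerClient({"MyWebAppDBCredentials": {"SecretString": json.dumps({
    "engine": "postgres", "host": "db.example.internal", "port": 5432,
    "dbname": "webapp", "username": "mywebapp", "password": "p@ss:word/1"})}})

if __name__ == "__main__":
    print(build_connection_url(get_db_credentials(SAMPLE_CLIENT, "MyWebAppDBCredentials")))
```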
I hope that covers most of the AWS Secrets Manager service. For the sake of post length, I have written another post that covers more technical details of working with AWS Secrets Manager; check it out: Working with AWS Secret Manager
I hope you like this post.
DataNext Solutions is a US-based system integrator specialized in Cloud, Security, and DevOps technologies. As a registered AWS partner, our services comprise Cloud Migration, Cost Optimization, Integration, Security and Managed Services. Click here to book a free assessment call with our experts today, or visit our website www.datanextsolutions.com for more info.