Exploring AWS Secret Manager


In the fast-changing world of cloud, containers, APIs and microservices, keeping and managing IT resources is one challenge, and securing them is another.

Credentials management is one of the most overlooked aspects of securing your applications. I have seen organizations keep all their passwords in a single spreadsheet or Confluence page, or on many occasions on a sticky note under the manager’s keyboard 😄

AWS Secrets Manager lets you store, rotate and manage credentials throughout the lifecycle of your applications. No more spreadsheets, and no more updating application code when a credential changes: one central location keeps all credentials secure and makes rotation easy.

Following are some key benefits of AWS Secrets Manager.

Secrets Rotation

As the name suggests, you can configure Secrets Manager to rotate your credentials automatically on a schedule, without user intervention.

You need a Lambda function to implement rotation (that is a topic for another blog post). To summarize, the Lambda function does the following:

  • Creates a new version of the secret.
  • Stores the secret in Secrets Manager.
  • Configures the protected service to use the new version.
  • Verifies the new version.
  • Marks the new version as production-ready.

AWS RDS fully supports credential rotation.

Secure Centrally

Credentials stored in Secrets Manager are encrypted with an AWS KMS key that is created by default. You can also use your own customer managed KMS key to secure your credentials.

Fine-grained Management

You can attach IAM policies to users and roles to grant access to specific secrets, which gives you fine-grained control over who can do what with the credentials. For example, you can write IAM policies that allow full credential management for an Administrator role while allowing only read-only access for a Developer role.

Compliance with Standards

Secrets Manager covers the auditing and compliance requirements of security standards such as HIPAA, PCI, ISO 27001, SOC and more.

Auditing and Logging

You can enable CloudTrail logging of API calls to Secrets Manager. CloudTrail also records actions taken in the management console.

What AWS Secrets Manager Provides

You can manage the credentials of the following services or applications:

  • RDS Database — supports all RDS database engines
  • Redshift clusters
  • DocumentDB — NoSQL databases
  • Other databases — self-managed databases running on EC2 or in your own network
  • Other keys — API keys or similar

How AWS Secret Manager works

Working with AWS Secrets Manager typically involves one or more of the following roles:

Secrets Manager administrator

Administers the Secrets Manager service and grants permissions to the individuals who perform the other roles listed here.

Database or service administrator

Administers the database or service with secrets stored in Secrets Manager. Determines and configures the rotation and expiration settings for their secrets.

Application developer

Creates the application, and then configures the application to request the appropriate credentials from Secrets Manager.

Accessing Secrets

You can access secrets using the following methods:

  • Management Console
  • AWS SDKs
  • Secrets Manager HTTPS Query API

Example Scenario

[Figure: AWS Secrets Manager example scenario]

The slide above describes the following scenario:

  1. The DBA or service admin creates a service account credential for a particular app to use the service. For example, the DBA creates a username and password for MyWebApp to access the database.
  2. An administrator (DBA, service or AWS) stores that credential in AWS Secrets Manager as a secret for the app, for example MyWebAppDBCredentials.
  3. When the application needs the credential, it queries AWS Secrets Manager over a secure HTTPS (TLS) channel, and AWS returns the credential to the app. For example, the client calls Secrets Manager to retrieve the entries for MyWebAppDBCredentials.
  4. The app or client parses the credential and uses it as required, for example in a connection string or an API call.
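As an added illustration of steps 3 and 4 (not code from the original post), here is a small Python client that pulls the MyWebAppDBCredentials secret and turns it into a database connection string. It assumes the secret's JSON fields follow the RDS layout (username, password, host, port, dbname), and it uses a constructed fake client in place of boto3 so it runs offline; a real boto3.client("secretsmanager") can be passed in its place.

```python
import base64
import json
from urllib.parse import quote_plus

# Fields the hypothetical MyWebAppDBCredentials secret is assumed to hold (RDS-style layout)
REQUIRED_KEYS = ("username", "password", "host", "port", "dbname")

def parse_secret_value(reply: dict) -> dict:
    """Decode a GetSecretValue reply (SecretString or SecretBinary) into credential fields."""
    if "SecretString" in reply:
        raw = reply["SecretString"]
    elif "SecretBinary" in reply:
        blob = reply["SecretBinary"]
        # boto3 hands back decoded bytes; the raw HTTPS API returns base64 text
        raw = (blob if isinstance(blob, bytes) else base64.b64decode(blob)).decode("utf-8")
    else:
        raise ValueError("reply carries neither SecretString nor SecretBinary")
    creds = json.loads(raw)
    missing = [k for k in REQUIRED_KEYS if k not in creds]
    if missing:  # fail loudly rather than build a half-formed connection string
        raise KeyError(f"secret is missing fields: {missing}")
    return creds

def fetch_db_credentials(client, secret_id: str) -> dict:
    """Step 3: request the AWSCURRENT version. `client` is anything with boto3's
    get_secret_value signature, e.g. boto3.client("secretsmanager") or the fake below."""
    reply = client.get_secret_value(SecretId=secret_id, VersionStage="AWSCURRENT")
    return parse_secret_value(reply)

def build_dsn(creds: dict) -> str:
    """Step 4: assemble a PostgreSQL-style connection string; the password is
    URL-encoded so characters such as '@' or '/' cannot corrupt the DSN."""
    return (f"postgresql://{creds['username']}:{quote_plus(creds['password'])}"
            f"@{creds['host']}:{creds['port']}/{creds['dbname']}")

class FakeSecretsClient:
    """Constructed stand-in returning the shape of a real GetSecretValue reply."""
    def __init__(self, secret_string: str):
        self._secret_string = secret_string

    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        return {"Name": SecretId, "VersionStages": [VersionStage],
                "SecretString": self._secret_string}

# Constructed sample value for the post's MyWebAppDBCredentials secret
SAMPLE_SECRET = json.dumps({"username": "mywebapp", "password": "p@ss w0rd/1",
                            "host": "db.example.internal", "port": 5432, "dbname": "webapp"})
if __name__ == "__main__":
    creds = fetch_db_credentials(FakeSecretsClient(SAMPLE_SECRET), "MyWebAppDBCredentials")
    print("retrieved credentials for", creds["username"], "@", creds["host"])
```

Because the credential is fetched at runtime, nothing sensitive lives in source code or configuration files, and rotating the secret in Secrets Manager takes effect on the app's next fetch.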

I hope that covers most of the AWS Secrets Manager service; for the sake of the post's length, I have created another post that covers the technical details of working with Secrets Manager. Check it out: Working with AWS Secret Manager

I hope you like this post.


About DataNext

DataNext Solutions is a US-based system integrator, specialized in Cloud, Security, and DevOps technologies. As a registered AWS partner, our services comprise Cloud Migration, Cost Optimization, Integration, Security and Managed Services. Click here to book a free assessment call with our experts today, or visit our website www.datanextsolutions.com for more info.

Written by

Cloud Security Expert & CEO of DataNext Solutions, helping people every day with the latest tech. Connect @LinkedIn http://bit.ly/zb-linkedin
