Can I tell you a Secret? – AWS Secrets Manager
The pace at which IT is changing brings with it the challenge of managing application secrets, encryption, and access to every resource in the cloud. One of the major challenges people working in the cloud face is keeping track of secrets after resources have been provisioned. In a large and complex application that uses numerous secret keys, this becomes difficult to manage and can leave the application vulnerable.
AWS Secrets Manager helps you manage your keys and passwords through a simple, user-friendly process. It lets you store, rotate and manage credentials throughout the life cycle of an application.
Features and Benefits
- Secret Rotation
With AWS Secrets Manager, rotating your keys through automation has become very easy. This helps your organization stay compliant by following the practice on a schedule. You can apply several different rotation strategies through a Lambda function. Secrets Manager follows a set of pre-defined steps to set a new secret in the data store or service, test it, and store it. You can then configure your services to use the new version of the secret through API calls. This is supported by RDS, which has a built-in Lambda function for it.
- Integration with AWS Services
AWS services integrate with Secrets Manager through API calls, which eliminates the need for third-party tools to manage keys. Secrets Manager also stores and manages API keys, OAuth tokens and more.
- Fine-grained access management
Control access to credentials by attaching IAM policies.
- Security of secrets
AWS Secrets Manager encrypts the keys it stores using the trusted, industry-standard Advanced Encryption Standard algorithm (FIPS 197). With AWS KMS you can encrypt your secrets with a custom key before storing them, and decrypt them later with the same custom key that was used for encryption.
- Compliance with standards
Secrets Manager follows security standards such as HIPAA, PCI, ISO 27001 and SOC for auditing and compliance.
- Auditing and logging
CloudTrail can be enabled to capture API calls to AWS Secrets Manager as events. If you don't enable a trail, you can still view recent events in the Event History of the CloudTrail console.
- Pay-As-You-Go pricing model
Like other AWS resources, AWS Secrets Manager offers a pay-as-you-go pricing model: you pay for the number of secrets stored and the number of API calls made. This lets you manage your secrets with no ongoing infrastructure maintenance costs or upfront investment.
Supported services and applications
Use AWS Secrets Manager to manage credentials for the following:
- RDS Database
- Redshift Clusters
- Self-managed databases
- Other keys
Roles in AWS Secrets Manager
- Secrets Manager administrator – Administers the Secrets Manager service and controls permissions for the individuals who then perform the other roles listed here.
- Database or service administrator – Administers the database or service with secrets stored in Secrets Manager. Determines and configures the rotation and expiration settings for their secrets.
- Application developer – Creates the application, and then configures the application to request the appropriate credentials from Secrets Manager.
Methods to Retrieve Secrets
One of the key services (pun intended) is the AWS Key Management Service (KMS), which helps encrypt data at rest, whether in EBS volumes, in S3 buckets, or in secrets stored in the AWS Parameter Store. KMS also has built-in features to enable automatic rotation of keys at pre-defined intervals, adding an additional layer of security in case a key does get compromised. Companies looking to comply with strict industry standards for data at rest can use AWS KMS, which is FIPS 140-2 Level 2 compliant. Further, companies can use AWS CloudHSM (cloud hardware security module), which is FIPS 140-2 Level 3 compliant.
- Secrets Manager console
- Open the Secrets Manager console.
- From the list of secrets in your account, choose the name of the secret to view.
- The Secret details page appears. It displays all of the chosen secret's configuration details except the encrypted secret text.
- In the Secret value section, choose Retrieve secret value.
- Choose Secret key/value to see the credentials parsed out as individual keys and values. Choose Plaintext to see the JSON text string as it is encrypted and stored.
- AWS CLI or AWS SDKs
You can use the following commands to retrieve a secret stored in AWS Secrets Manager:
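As an added example that is not part of the original post, the block below shows how an application retrieves a secret through the SDK and turns the GetSecretValue response into the same "key/value" or "plaintext" view the console offers, with the rotation version stages (AWSCURRENT versus AWSPENDING) exposed explicitly. The boto3 `get_secret_value` call is real; the secret names, the credential values and the offline `FakeSecretsClient` stand-in are constructed for the example.

```python
import json
from typing import Any, Dict, Union

Secret = Union[Dict[str, Any], str, bytes]

def parse_secret_value(response: Dict[str, Any]) -> Secret:
    """Turn a GetSecretValue response into usable credentials.
    Secrets Manager returns exactly one of SecretString or SecretBinary.
    A SecretString holding a JSON object (the console's "Secret key/value" view)
    becomes a dict; any other string is returned unchanged (the "Plaintext" view);
    binary secrets come back as raw bytes."""
    if "SecretString" in response:
        text = response["SecretString"]
        try:
            parsed = json.loads(text)
        except ValueError:
            return text
        return parsed if isinstance(parsed, dict) else text
    if "SecretBinary" in response:
        return response["SecretBinary"]  # boto3 already decodes the blob to bytes
    raise ValueError("response carries neither SecretString nor SecretBinary")

def get_secret(secret_id: str, client=None, version_stage: str = "AWSCURRENT") -> Secret:
    """Fetch one version of a secret. Applications read AWSCURRENT; the AWSPENDING
    stage exists only while a rotation Lambda is part-way through a rotation."""
    if client is None:
        import boto3  # imported lazily so the parser runs without the SDK installed
        client = boto3.client("secretsmanager")
    response = client.get_secret_value(SecretId=secret_id, VersionStage=version_stage)
    return parse_secret_value(response)

class FakeSecretsClient:
    """Constructed stand-in for boto3's secretsmanager client so the block runs
    offline. The values below are sample data, not real credentials."""
    def __init__(self, secrets: Dict[tuple, Dict[str, Any]]):
        self._secrets = secrets

    def get_secret_value(self, SecretId: str, VersionStage: str = "AWSCURRENT"):
        return dict(self._secrets[(SecretId, VersionStage)], Name=SecretId)

SAMPLE_CLIENT = FakeSecretsClient({
    ("prod/app/db", "AWSCURRENT"): {"SecretString": '{"username": "app", "password": "EXAMPLE-old", "host": "db.internal", "port": 5432}'},
    ("prod/app/db", "AWSPENDING"): {"SecretString": '{"username": "app", "password": "EXAMPLE-new", "host": "db.internal", "port": 5432}'},
    ("prod/app/api-token", "AWSCURRENT"): {"SecretString": "EXAMPLE-plain-token"},
})

if __name__ == "__main__":
    creds = get_secret("prod/app/db", client=SAMPLE_CLIENT)
    print("connect as", creds["username"], "to", creds["host"], "port", creds["port"])
```

Against a real account, drop the `client=` argument and grant the caller only `secretsmanager:GetSecretValue` on the specific secret ARN, which is the fine-grained IAM control described above.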