The Cloud era has brought a perilous challenge of managing application secrets, encryption, and access to any resource in the Cloud. Securing and rotating secrets regularly and properly, both in the Cloud and on-premise, can have a significant challenge.
As part of traditional method, we love keeping configurations in text files, we store the database credentials or sensitive data, for example securing remote login stored in the ~/.ssh/ directory, the private key might commonly be found in a file called id_rsa, and the public key might be in a file called id_rsa.pub..Then commit, push and everything goes to the code repo.
The traditional concept has its own flaws like changing the passwords, human errors like creating a public repo, publicly available code repo etc.
Amazon Web Service’s Secrets Manager makes it effortless for organizations to store and retrieve the secrets using an API and Command Line Interface.
What is AWS Secrets Manager
AWS Secrets Manager helps you protect secrets needed to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.
API keys and secrets are difficult to handle safely, and probably something we avoid thinking about.
Benefits of AWS Secrets Manager
- Rotate secrets safely
- Manage access with fine-grained policies
- Secure and audit secrets centrally
- Pay as you go
When CI/CD pipelines moved to the public cloud, credential management did not evolve with them. AWS Secrets Manager is a comprehensive solution for secure secret storage. The organizations can define a secret just once for your whole AWS account, then we give our consumers permission to use the secrets.
Steps:
- The database administrator creates a set of credentials on the Personnel database to use with an application called MyCustomApp(sample application created in my training account). The administrator also configures those credentials with the required permissions to access the Personnel database.
- The database administrator stores the credentials as a secret in Secrets Manager named MyCustomAppCreds. Secrets Manager encrypts and stores the credentials within the secret as the protected secret text.
- When MyCustomApp needs to access the database, the application queries Secrets Manager for the secret named MyCustomAppCreds.
- Secrets Manager retrieves the secret, decrypts the protected secret text, and returns it to the client application over a secureHTTPS with TLS channel.
- The client application parses the credentials, connection string, and any other required information from the response and then uses the information to access the database server.
Kindly note that Secrets Manager can natively rotate credentials for supported AWS databases without requiring additional programming. However, if organizations wants to rotate the secrets for other databases or services, Cloud Comrade has the expertise in creating custom Lambda function to define how Secrets Manager interacts with the database or service.
How to Centralize The Rotation of RDS Key Using Automation
In this example the RDS credentials on Workload Application Account will be stored in Shared Services Account (Landing Zone). The credentials will be rotated periodically.
How to Centralize The Rotation of API Key Credentials Using Automation
In this example the API Key credentials from Application Workload Account will be stored in the Shared Services Account (Landing Zone). The credentials will be rotated periodically.
Secrets Manager lets us manage a secret entry (name and metadata) separately from its value, and it integrates with other AWS services that we already use:
- Secret entry management: Manual (Web console, AWS CLI) or with an infrastructure management tool (Terraform, CloudFormation etc.)
- Secret value management: Manual (Web console, AWS CLI) or automatic (secret rotation Lambda function).
- Access control: AWS IAM policies (for both applications and human operators).
- Secret encryption: Amazon KMS automatically encrypts the secret value. Use either the account’s default KMS key, or a customer-managed KMS key.
- Auditing: AWS CloudTrail and CloudWatch Events.
Cloud Comrade has strong expertise in automating AWS Secrets Manager and allows you to consolidate the secrets into one place, and use them securely from Jenkins.
