Cloud

29Aug 2022

Customer Support Manager

Location: Indonesia
Function: Specialist

Position Summary
A Customer Support Manager supports the company’s customer support activities by directing and overseeing team members, resolving customer questions or complaints, and developing and growing the team with programs and procedures to enhance productivity and performance.

Job Description

  • Provides day-to-day leadership to ensure a high-performance, customer service-oriented work environment that supports achieving the department’s goals and objectives.
  • Improve customer service experience and facilitate organic growth.
  • Communicates and negotiates with stakeholders and external parties on application support related matters.
  • Take ownership of an escalated customer’s issues and follow problems through to resolution.
  • Keep accurate records and document customer service actions and discussions.
  • Assessing service statistics and preparing detailed reports on your findings.
  • Keep ahead of industry developments and apply best practices to areas of improvement.
  • Negotiate with service provider on the cost and scope of changes.

Requirements

  • Bachelor’s degree in Computer Science or Information Technology
  • Minimum 3 years working experience as a CSM
  • Excellent knowledge of AWS Cloud and cost optimization
  • Strong technical analysis skills
  • Smart thinker, innovator, decision-maker
  • Excellent knowledge of management methods and techniques
  • Excellent communication, presentation and project management skills
  • Proficiency in English

Interested candidate may send your resume to kenneth@cloudcomrade.com or shanti@cloudcomrade.com.

29Aug 2022

Sales Executive

Location: Indonesia
Function: Specialist

Position Summary

We are looking for Cloud Sales & Solution Executive to work with our customers and prospects. The role is focused on selling and implementing IAAS Solution – AWS, Google, Microsoft and Alibaba Cloud related consulting, solution, professional and managed services.

Job Description

  • Develop sales pipeline, follow through on leads, managing and closing sales opportunities.
  • Ability to conceptualize complex proposal pricing with company’s profitability in mind.
  • Lead new customer acquisition and ensure existing customer retention.
  • Engaging prospects and customer to convince them of the value running new and existing workloads and automation leveraging on AWS, Google, Microsoft and Alibaba Cloud.
  • Cultivate and head a mature sales engagement process.
  • Work independently on pricing, proposals and tender responses.
  • Act as the sales and solution lead with Cloud Comrade’s partner’s including AWS, Google, Azure and Alibaba Cloud

Requirements

  • Minimum 3 years working experience in an IT services environment with sales management background.
  • Exposure to aws, gcp or other cloud-based infrastructure platforms.
  • Experience in selling to senior management.
  • Experience articulating the impact of technology o business drivers.
  • Strong communication (written and verbal) and presentation skills.
  • Possess in-depth knowledge of the sales cycle.
  • Proven track record of sales achievements.

Interested candidate may send your resume to kenneth@cloudcomrade.com or shanti@cloudcomrade.com.

29Aug 2022

Operations Manager

Location: Indonesia
Function: Site Reliability Team (SRT)

Position Summary
Manage, and maintain servers and infrastructure on the Cloud including storage and network, operating systems (OS), web servers and databases in order to deliver resilient, secure & trusted solutions for customer day to day workloads. Lead the L1 and L2 teams to deliver excellent customer relationships and service quality. Build customer engagement by providing timely service, responsive problem solving and proactive communication.

Job Description

  • Lead SRT team.
  • Establish, manage & maintain servers and infrastructure for customers to ensure adherence to Service Level Agreements (SLAs).
  • Manage cloud environments in accordance with security guidelines in place.
  • Debug cloud initiatives as needed in accordance with best practices.
  • Maintain a professional and positive relationship with customers to ensure continued partnership with Cloud Comrade.
  • Read and maintain a wealth of documentation in regards to everything that a Cloud Engineer needs to know in order to effectively and correctly perform the tasks of the Cloud Engineer and the team.
  • Create effective automations that reduce the amount of manual work and increase effectiveness and cost efficiency of accounts.
  • Review processes and innovate so that more efficient & new ways of working lead to more profitable & satisfied customers.

Requirements

  • Diploma or Bachelor Degree in a computer science or related discipline.
  • Minimum 3 years working experience as a SRT team leader and 3 years working experience in an IT environment as a cloud engineer or cloud consultant.
  • 5 years exposure to AWS/GCP or other cloud-based infrastructure platforms.
  • Multicultural (including U.S. & Singapore) customer connection.
  • Proficient in the use and administration of MS Windows Server.
  • Experience with Linux, Windows system administration and web server configuration and monitoring.
  • Experience in backup software, shell scripting, and a programming language.
  • Experience in Big Data, Docker and Continuous Deployment.
  • Experience with SAP B1 HANA, AWS services like EC2, S3, RDSCloudFront, CloudFormation, SES, Route 53.
  • Experience working with Firewalls, NIPS and Endpoint Protection products/software and debugging network capture tools.
  • Intermediate English Proficiency (Speaking and Listening) and basic English proficiency (writing).
  • Any AWS, GCP or Azure related certification will be highly regarded.

Interested candidate may send your resume to kenneth@cloudcomrade.com or shanti@cloudcomrade.com.

02Jun 2022

As part of Singapore Government five-year plan to embark on a cloud-first journey to migrate majority of their on-premise infrastructure to the commercial cloud, EMA has selected Cloud Comrade as their partner to leverage on our endorsed capabilities to ensure a smooth migration. 

Cloud Comrade has earned the highest standards of Microsoft by attaining Gold Cloud Platform Competency. Our high level of competence and expertise with Microsoft technologies as well as best-in-class capabilities for deploying the Microsoft business solutions allow us to design and deploy a strategy that aligns with EMA’s main goals. 

“By migrating to a cloud platform, EMA is able to optimize their workloads with flexibility to scale. The time saved from certain automatic functions such as backup and patching allows the company to spend more time in innovation. In addition to the enhanced security available on the platform, migration to Microsoft Azure Cloud on GCC allows EMA to further protect their data with leading ICT capabilities that are augmented by robust cybersecurity measures and systems.

Being a statutory board, it is also important for EMA to ensure that compliance requirements are met in which Microsoft Azure Cloud have specialized offerings aligned with the regulations. The single screen also allows users to easily manage and monitor their IT infrastructure.” – Wong Chee, Assistant Director of IT Infrastructure EMA.

The Process

As part of the project kick-off, Cloud Comrade embarked on the planning journey by first fully understanding EMA’s IT infrastructure and finalizing the details. Our solutions architecture then design the infrastructure followed by deployment, testing and validation. The deployment was separated into 3 stages; infrastructure foundation,  UAT deployment and Production deployment.. Once the deployment is completed, various testings and validation commenced; such as backup, recovery and performance testing. The project was then completed with transition to EMA’s managed services.

To understand more about how Microsoft Azure Cloud can help your company achieve agility and resilience, speak to one of our comrades and find out more

About Energy Market Authority

The Energy Market Authority (EMA) is a statutory board under the Ministry of Trade and Industry. Our main goals are to ensure a reliable and secure energy supply, promote effective competition in the energy market and develop a dynamic energy sector in Singapore. Through our work, EMA seeks to forge a progressive energy landscape for sustained growth. For more information on EMA, visit https://www.ema.gov.sg.

About Cloud Comrade

Cloud Comrade (https://cloudcomrade.com) is a Singapore-based cloud computing consultancy company with a regional footprint in Indonesia and Malaysia. The company offers a comprehensive range of services from strategy and design to deployment, migration, and management of customers’ IT infrastructure. Cloud Comrade partners with the best solution providers in the field of cloud computing and is a preferred Amazon Web Services (AWS) consulting partner in ASEAN, as well as a managed service provider for AWS, Google, and Alibaba Cloud. For more information on Cloud Comrade, visit cloudcomrade.com.

06May 2022

Cloud technology began as a backup storage option. But in recent years, it has evolved and grown to become an all-inclusive computing platform that has fundamentally transformed the way organizations use, store, and share information. 

As we move into a new normal, it is clear that cloud computing is set to be a key enabler of the digital future. Amid a hybrid work revolution, businesses continue to move workloads and data to the cloud to enable employee productivity and collaboration on-the-go. 

As the number of endpoint devices increases and the surface area for cyber breaches expands, the security posture of the cloud is something that organizations can’t afford to compromise. However, figures are sobering.  In 2021, there has been a 50% rise in cyber attacks per week on corporate networks compared to 2020.

As enterprises scale up their use of the cloud, they also need to rethink how they protect their business-critical data and applications. In fact, a research found that almost all breaches in the cloud stem from misconfiguration, rather than from attacks that compromise the underlying cloud infrastructure. For organizations who need help with ensuring an intelligent, effective security stance for cloud, AWS Premier Consulting Partners such as Cloud Comrade can provide the support you need for your cloud journey and assist you in building a resilient, secure, and high-performing cloud infrastructure. 

Leave your cloud security to us

In the rapidly changing security landscape of today, many businesses face challenges with regards to cloud security which can directly bring about business risks. 

AWS’ industry-first Level 1 Managed Security Services are uniquely designed to help protect and monitor your essential AWS resources. They are delivered to you as a fully managed service available for purchase in AWS Marketplace in the Managed Security Service (MSSP) solution area, or directly from AWS Partners that provide Managed Security Services. 

Cloud Comrade is one such AWS partner that can help you take care of ten specific 24/7 security service areas, each with technical and operational requirements defined by AWS security experts. These requirements were designed to help MSSPs to deliver protection, monitoring, and response services for essential AWS resources.

The ten security service areas are:  

  • AWS infrastructure vulnerability scanning: Routine scanning of AWS infrastructure resources for known software vulnerabilities.
  • AWS resource inventory visibility: Continuous scanning and reporting of all AWS resources and their configuration details, updated automatically with newly added or removed resources.
  • AWS security best practices monitoring: Detects when AWS accounts and the configuration of deployed resources do not align to security best practices.
  • AWS compliance monitoring: Scanning AWS environments for compliance standards on two or more of the following: CIS AWS Foundations, PCI DSS, HIPAA, HITRUST, ISO 27001, MITRE ATT@CK, and SOC2.
  • Monitor, triage security events: A combination of automated tooling and security experts continuously monitor aggregated AWS resource logs across network, host, and API layers to analyze and triage security events.
  • 24/7 incident alerting and response: Notification of high priority security events and expert guidance on recommended remediation steps 24/7.
  • Distributed Denial of Service (DDoS) mitigation: A system backed by technology and security experts monitoring 24/7 for DDoS attacks against your AWS applications.
  • Managed Intrusion Prevention System (IPS): From known and emerging network threats that seek to exploit known vulnerabilities.
  • Managed Detection and Response (MDR) for AWS-based endpoints: A combination of technology and cloud security experts working to continuously detect, investigate, and remove threats from within AWS endpoints.
  • Managed Web Application Firewall (WAF): A firewall managed service designed to protect web-facing applications and APIs against common exploits.

Skilled expertise in cloud security, without the complexity 

To help customers secure their cloud without increasing complexity or adding unnecessary cost, Cloud Comrade provides AWS Managed Security Services through a combination of AWS-native and third-party security technology. Where possible, this allows customers to utilize familiar or previously purchased tools. 

Together with AWS Solution Architects, Cloud Comrade helped ERGO Insurance conduct an exhaustive study on the requirements to implement the Document Management System (DMS) on AWS. The solution also included AWS Security best practice by combining secure network architecture and 3rd party tools such as Trend Micro Deep Security. Amazon Simple Storage Service (S3) was used to securely deploy the DMS storage at a minimal cost. The Encryption in transit and at rest was achieved using Amazon Key Management Service (KSM) and Elastic Load Balancer (ELB) with Amazon Certificate Management (ACM). 

Using DMS on AWS provided ERGO with agility and an advantage over its competitors – something that was not possible with its previous infrastructure. The new infrastructure reduced the costs while maintaining high performance, availability levels, and elasticity as the business grows. 

Gain a peace of mind in the cloud  

From business strategy to process design, and infrastructure management to training and support for your people, Cloud Comrade makes sure that your move to AWS cloud is swift, smooth, and secure. We help protect your AWS environment and provide you with 24/7 monitoring and remediation guidance, so that you can fully operationalize your cloud security to increase staff efficiency, and receive full security visibility across your AWS environment. 

A key benefit of moving to AWS cloud is the ability to innovate and scale at speed – and we ensure that your cloud cybersecurity posture supports rather than hinders that. 

29Mar 2022

The past two years have forced rapid and drastic shifts in businesses worldwide. Amid a global pandemic, organizations suddenly found themselves in a work-from-home model; and even as businesses return to the office, hybrid work is here to stay. 

Chief Information Security Officers (CISOs) are now faced with a new reality. There has been a near-sevenfold increase in spear-phishing attacks since the pandemic began. In addition to enabling a secure and always-connected dispersed workforce, CISOs also need to address new network and data security threats that target remote employees.

Insights from a McKinsey research released in January 2022 highlighted four key cybersecurity challenges that organizations face as they adapt to the new normal; namely, a visibility gap, a fragmentation of technology, a talent gap, and the difficulties in measuring cybersecurity’s Return on Investment (ROI). This article outlines how AWS partners such as Cloud Comrade can provide Managed Security Services to help organizations tackle these issues and drive their business forward in the new normal.

The missing links

A key challenge that organizations have when it comes to cybersecurity is the lack of visibility in their digital infrastructure. This makes it difficult for them to recognize when, where, or why there is a problem. This can be detrimental because when it comes to safeguarding your business critical applications and data, nothing is more time-sensitive or important than threat detection. By bringing dangers out into the open, you’ll be able to minimize the reaction time taken to mitigate the risks. 

CISOs are also faced with the issue of technology fragmentation. This is especially so when it comes to larger organizations; a lot of times, different technology, applications, and providers are used across an organization. In fact, a company may have more than 100 third-party security tools in use, with each contributing to the security complexity. This can cause decision paralysis; IT teams are fearful of reducing the number of security applications, including those that seem redundant, as they are unsure of the impact that can ensue. Afterall, no CISO desires to be the one who cancels the tool that might prevent the next big breach.  

The cybersecurity-talent gap is part of a larger manpower shortage in the technology industry. It is not a new problem, but it’s one that is set to accelerate and affect a growing number of organizations. The International Information System Security Certification Consortium (ISC)² has projected a shortage of 1.8 million cybersecurity professionals in 2022. 

As more organizations transform into digital businesses, a struggle they face is in understanding how to measure the return or value of a dollar spent on cybersecurity. The inability to accurately communicate or measure the ‘actual’ ROI of a cybersecurity investment, and map it to business priorities, would also make stakeholder buy-in difficult. 

Engineering future-ready cybersecurity

When organizations adopt AWS services, the responsibility of security is shared between AWS and the customer. Regardless of the size of your organization, leveraging the expertise of an AWS Partner such as Cloud Comrade is a valuable way to increase your security posture. 

The Managed Security services offered by Cloud Comrade include full security visibility across the AWS environment, such as AWS resource inventory visibility. This entails the continuous scanning and reporting of all AWS resources and their configuration details, which will be updated automatically with newly added or removed resources. Cloud Comrade also provides security events monitoring and triage. A combination of automated tooling and security experts continuously monitor aggregated AWS resource logs across network, host, and API layers to analyze security events. Alerts and remediation guidance are provided to help customers resolve issues in their environments.

To help organizations to overcome the technology-fragmentation challenge, Cloud Comrade can operationalize both native AWS security services such as AWS Security Hub, Amazon GuardDuty, as well as third-party Security Competency (ISV) Partner products. We do so by providing the skill sets needed to implement tooling according to AWS recommended best practices. Where possible, customers can continue to utilize familiar or previously purchased tools.

We have worked closely with AWS security experts to develop offerings combining security tools, skill sets, and processes leveraging native AWS security services, AWS Solutions Implementations, and third-party solutions. A Premier AWS consulting partner such as Cloud Comrade is able to skillfully integrate, join forces, and work alongside your security teams or provide full outsourcing for your AWS security operations – eliminating the headache of cybersecurity talent shortages. We also offer additional security assessment, design, implementation, and training to support your cloud journey and ensure that your security posture supports your key business priorities. 

A strategic approach to security  

When done right, cybersecurity can unleash the full potential of your business. Amid a burgeoning threat landscape, an AWS Premier Tier Consulting Partner like Cloud Comrade can provide the Managed Security Services you need to address the challenges of meeting growing, and more sophisticated, cybersecurity threats. Leave it to us to help you protect your business-critical assets and bolster your security efficacy, so that your IT teams are free to focus on innovation and building your business. 

Click here to find out more about AWS Managed Security Service.

05Nov 2020

The objective of Patch Management is to keep various systems within the network up to date and secure the systems from various kinds of cyber-attacks. Patch Management is the method of installing and managing the latest patches or code changes to fix security vulnerabilities on various systems within a network.

In this blog, lets deep dive into the advantage of AWS Next Generation automated patching over the Traditional Patch management.

Traditional Patch Management

Patch management is critical to the security of computers on a network. But patching is not a one-time process. The security team/ Subject Matter Expert (SME) within any organizations had to create a scheduled scan that will routinely check for missing patches, so that the team/SME can keep the computers on the network up to date.
For example, let’s get back to the good olden days on how Microsoft updates were applied to the systems using WSUS server. The team/SME had to perform a scan to find out which updates are missing from which computers. Each time there is a plan for deploying updates, the team/ SME will have to perform a new scan. Microsoft introduced WSUS server for patch management. The prerequisites were a server running Windows Server 2003 SP1 or greater, IIS 6.0 or greater, .NET 2.0 framework, and Report Viewer 2008 Redistributable 2008. Also, a dedicated team for patch management.
Demerits of Traditional Patch Management:

  1. Manual Process
  2. A dedicated resource/team to keep track of patches, schedule scans and updates
  3. Possibility of human errors (miss out some critical security updates)
  4. Decision on the patches to install and which one to ignore and what the optimum order of installation should be
  5. Testing of patches before implementation requires a testing environment with spare hardware, software and SME ready adds to additional cost
    As the organizations IT Head wish is to have seamless patch management. The businesses are currently moving towards the transformation journey for continuous delivery, AWS adds incredible value towards on-demand infrastructure resources and tools to empower the Devops practices.

AWS Next Gen Patching using Systems Manager

The automated enterprise patch management tools carry out the patching process by deploying or installing agents on target instances (Windows/Linux). These agents provide a connection between the centralized patch server and the computers to be patched. With AWS System Manager, the business can install and configure the SSM agent that can update, manage, and configure the AWS resources. By using the customized SSM document (part of DevOps) Cloud Comrade can ease the intricacy for the security team by running the patch baselines in the multi accounts and multi regions.

AWS Systems Manager key features:

  • Automatic deployment of operating system and software patches.
  • View resource groups recent API activity, resource configuration changes, related notifications, operational alerts, software inventory, and patch compliance status.
  • Centralized location where operations engineers and IT professionals can view, investigate, and resolve operational issues related to the resources and to have complete control over operations.
  • Customizable key insights dashboard, providing key insights and analysis into the operational health and performance of your AWS environment.
  • Secure remote management of instances at scale without logging into servers, replacing the need for bastion hosts, SSH, or remote PowerShell.
  • Using session manager, the business can control which users can access each instance, including the option to provide non-root access to specified users.
  • Option for auto-approve select categories of patches to be installed.
  • Maintenance window for patching.
  • With Systems Manager, the business can control configuration details such as server configurations, anti-virus definitions, firewall settings, and more.

In Cloud Comrade, we have strong expertise in centralized multi account and region patching using customized Systems Manager document. Connect with us to know more about AWS Next Gen Automation.

06Oct 2020

In this Cloud Computing world, organizations of all sizes continue to focus on eliminating the need for monotonous tasks and improving processes. However, many organizations still rely on using high valued resources to perform manual tasks. Not only is this a waste of time and money, but it is highly inefficient and will lead to human errors.

Traditional way of AMI:

  • Manually create an AMI from the instance.
  • Launch the instance for security patching and install required software’s
  • Manually share the AMI to other accounts

Currently, many organizations are moving into cloud computing to scale up their business. They spin up more workloads to Amazon Web Services (AWS). But how does the team ensure when a new VM is provisioned: can be scalable, in a reliable manner, error free, with no vulnerabilities.

A golden AMI is an AMI that can be standardized through configuration, consistent security patching, and hardening. It also contains agents to approve for logging, security, and performance monitoring.

AMIs use one of two types of virtualization: paravirtual (PV) or hardware virtual machine (HVM). The main differences between PV and HVM AMIs are the way in which they boot and whether they can take advantage of special hardware extensions for better performance. Windows AMIs are HVM AMIs.

The old saying goes: if you are doing something more than a couple of times, automate it.

Golden AMI Pipeline

This blog is about building a secured, approved Golden AMI image for providing a reliable, scalable, and approved application stack factory that increases innovation swiftness, reduces effort, and increases the confidence of Securiy team to ensure that the teams are compliant.

Automated Golden AMI Pipeline Process Flow

AMI Factory Pipeline:

  1. Step 1 (optional): Subscribe to the AWS marketplace product you want to distribute 
  2. Step 2: Create a cross-account role in the child account
  3. Step 3: Set up the golden AMI pipeline environment
  4. Step 4 (optional): Set up a compliance check in the child account(s) 
  5. Step 5: Create a golden AMI
  6. Step 6: Approve the golden AMI
  7. Step 7: Review  the golden AMI metadata
  8. Step 8 (optional): Manually trigger continuous vulnerability assessment of golden AMIs 
  9. Step 9: Distribute the golden AMI to child account
  10. Step 10: Decommission the golden AMI

Once you have shared the base golden AMI with development teams, they can consume the latest golden AMI in the simplest way possible, often through automation. They can customize the OS specific golden AMIs with the required software components, but also ensure that the AMIs continue to meet the organization’s requirements. 

The development teams can repeat the above process. Each team within the business can use the golden OS AMI shared by the Security team and can add their own software and produce a new golden AMI that is secured, scanned, distributed, and consumed as necessary.   

To assess different features of the golden AMI pipeline:

  1. Create golden AMI and then distribute the same to a child account.
  2. Manually perform a continuous vulnerability assessment of the active golden AMI.
  3. Deploy an instance of a golden AMI in a governed manner.
  4. Finally, decommission the golden AMI.

Cloud Comrade’s expertise in Automation can help businesses in setting up a consistent template model, which ensures consistency, secured, scalable, and reliable Golden Image pipeline.

08Sep 2020

With traditional deployment, new versions of an application are released using various tools to pull the code from a repository and push it to a production server. Once the code has been pushed, each application process is restarted manually. While this process works, it is by no means an easy process to switch from running in the development environment to the production environment.

There are various issues with this traditional deployment process, for example different environments (development work and production server), application configuration management, and replication of an application environment.

Every software deployment involves processes and practices for successful execution & deployment of the deployment. The complications also increase in an exponential manner based on the project size. The organization should build an automated pipeline to develop, test, and release the software in a manner so that the release is done in an incremental manner thereby having minimal or no impact to the project deployment.

With CI/CD pipeline, it helps the organizations automate steps in your software delivery process, such as initiating code builds, running automated tests, and deploying to a staging or production environment. Some of the benefits of CI/CD Pipeline are cost effective, easy to make real time decision, early bug recognition remove manual errors, provide standardized development feedback loops and enable fast product iterations.

In this below diagram, lets have a look at how automated AWS Code pipeline with Code Commit, Code Build and Code Deploy integrated with AWS Landing Zone for “maker” and “approver” process along with creation of workload application account using Account Vending Machine from child member account.

Code Commit is to securely store the source codes to make easier for the teams to collaborate on code in a secure and highly scalable ecosystem. CodeBuild compiles your source code, runs unit tests, and produces artifacts that are ready to deploy. CodeBuild eliminates the need to provision, manage, and scale your own build servers. S3 bucket for artifacts is also setup with the first AWS CodeCommit repository and shared across all other AWS CodeCommit and AWS CodePipeline resources. For the AWS CodeCommit, CodePipeline, and CodeBuild it’s a best practice to use CloudFormation templates that allow organizations to automate the creation of accounts and resources.

With strong expertise in Automation, Cloud Comrade has proven examples offering their clients an Automated Account Creation with AWS Service Catalog and Cloud Development Toolkit to enhance the organization’s current Landing Zone. 

10Aug 2020

The Cloud era has brought a perilous challenge of managing application secrets, encryption, and access to any resource in the Cloud. Securing and rotating secrets regularly and properly, both in the Cloud and on-premise, can have a significant challenge.

As part of traditional method, we love keeping configurations in text files, we store the database credentials or sensitive data, for example securing remote login stored in the ~/.ssh/ directory, the private key might commonly be found in a file called id_rsa, and the public key might be in a file called id_rsa.pub..Then commit, push and everything goes to the code repo.

The traditional concept has its own flaws like changing the passwords, human errors like creating a public repo, publicly available code repo etc.

Amazon Web Service’s Secrets Manager makes it effortless for organizations to store and retrieve the secrets using an API and Command Line Interface.

What is AWS Secrets Manager

AWS Secrets Manager helps you protect secrets needed to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.

API keys and secrets are difficult to handle safely, and probably something we avoid thinking about.

Benefits of AWS Secrets Manager

  • Rotate secrets safely
  • Manage access with fine-grained policies
  • Secure and audit secrets centrally
  • Pay as you go

When CI/CD pipelines moved to the public cloud, credential management did not evolve with them. AWS Secrets Manager is a comprehensive solution for secure secret storage. The organizations can define a secret just once for your whole AWS account, then we give our consumers permission to use the secrets.

Steps:

  1. The database administrator creates a set of credentials on the Personnel database to use with an application called MyCustomApp(sample application created in my training account). The administrator also configures those credentials with the required permissions to access the Personnel database. 
  2. The database administrator stores the credentials as a secret in Secrets Manager named MyCustomAppCreds. Secrets Manager encrypts and stores the credentials within the secret as the protected secret text. 
  3. When MyCustomApp needs to access the database, the application queries Secrets Manager for the secret named MyCustomAppCreds
  4. Secrets Manager retrieves the secret, decrypts the protected secret text, and returns it to the client application over a secureHTTPS with TLS channel. 
  5. The client application parses the credentials, connection string, and any other required information from the response and then uses the information to access the database server. 

Kindly note that Secrets Manager can natively rotate credentials for supported AWS databases without requiring additional programming. However, if organizations wants to rotate the secrets for other databases or services,  Cloud Comrade has the expertise in creating custom Lambda function to define how Secrets Manager interacts with the database or service.

How to Centralize The Rotation of RDS Key Using Automation

In this example the RDS credentials on Workload Application Account will be stored in Shared Services Account (Landing Zone). The credentials will be rotated periodically.   

How to Centralize The Rotation of API Key Credentials Using Automation

In this example the API Key credentials from Application Workload Account will be stored in the Shared Services Account (Landing Zone). The credentials will be rotated periodically.   

Secrets Manager lets us manage a secret entry (name and metadata) separately from its value, and it integrates with other AWS services that we already use:

  • Secret entry management: Manual (Web console, AWS CLI) or with an infrastructure management tool (Terraform, CloudFormation etc.)
  • Secret value management: Manual (Web console, AWS CLI) or automatic (secret rotation Lambda function).
  • Access control: AWS IAM policies (for both applications and human operators).
  • Secret encryption: Amazon KMS automatically encrypts the secret value. Use either the account’s default KMS key, or a customer-managed KMS key.
  • Auditing: AWS CloudTrail and CloudWatch Events.

Cloud Comrade has strong expertise in automating AWS Secrets Manager and allows you to consolidate the secrets into one place, and use them securely from Jenkins.

Google+