AWS Secrets Manager: A Guide to Securing Your Secrets

AWS Secrets Manager is a service that enables the storage, retrieval, and secure management of sensitive information (like API keys and database passwords). The service automatically rotates secrets and integrates with other AWS services to simplify security management. This feature does away with the requirement of hard coding secrets within the application, which lowers security risks and enhances secret management.

• Credentials are securely stored and kept safe while at rest using AWS KMS encryption.
• Secrets are automatically rotated, making the management of secrets easier while concurrently making the system more secure.
• Fine-grained access control with AWS IAM enables high security.
• Service integration with RDS, Lambda, ECS, EC2 and others.
• Centralized management of secrets for many AWS accounts and regions.
• Secrets can be audited and monitored with AWS CloudTrail and Amazon CloudWatch.

Security and Encrypted Access

• Secrets are protected using AWS KMS to guarantee that the data is secured in transit and at rest.
• Secrets can be accessed through very restricted IAM permission controls.
• All access and changes to the AWS account can be tracked when linked with other services like CloudTrail.

Secret Rotation

• For Amazon RDS and other services, credential rotation is automated so relevant credentials are never stale.
• Other types of secrets can have custom rotation Lambda functions configured.
• Rotation schedules will differ from organization to organization to comply with security policies.

Secret Retrieval and Management

• Provides a secure API, AWS SDKs and Command Line Interface (CLI) for dynamic retrieval of secrets.
• Secrets are stored either as key value pairs, JSONs or plain text.
• Store multiple versions of secrets and allow rollback to older versions as required.

Step 1: Create Secret

1. Open the AWS Secrets Manager console.

2. Press Store a new secret.

3. Select what type of secret you want to configure:

• Database credentials like RDS, MySQL, PostgreSQL etc.

• Sensitive data such as API keys, OAuth tokens, etc.

• Custom secrets in the form of key value pairs.

4. Input the secret values and specify how they will be encrypted.

5. Give a friendly name and optional tags.

6. Set up automatic rotation (where necessary) and press save.

Step 2: Get a Hold of a Secret

From CLI AWS

From SDK AWS (Example in Python)

Step 3: Set Up Automatic Rotation for Secrets

1. Enable rotation either at the time of secret creation or afterwards.

2. For supported services use AWS provided Lambda rotation functions.

3. For non AWS services define custom Lambda functions.

4. Set rotation time (for example every 30 days) and validate rotation.

Step 4: Control Access to Secrets and Other Resources

• Create an IAM policy to allow access to particular users, roles or services.

• Use AWS Organizations to manage secrets centrally from multiple accounts.

• Track access and usage patterns along with abnormal behavior using AWS CloudTrail and Amazon GuardDuty.

Step 5: Secrets Management in Application

• Carry out secrets retrieval dynamically instead of using hardcoded values in environment variables.

• Utilize SDK from AWS to safeguard the secrets usage in apps.

• Set containerized workloads (ECS, EKS, Lambda) to use secrets during the application runtime.

• During frequent credential changes enable auto rotation.
• Apply restrictive least privilege IAM policies for access.
• Limit stored credentials and sensitive data only to what is strictly needed.
• Utilize AWS CloudTrail and Amazon GuardDuty to keep track of unauthorized access.
• Monitor secrets on a regular basis and conduct periodic scrutiny of unused accounts and/or credentials.
• Use AWS KMS to provide further layers of security encryption.
• Conduct multi-account secret management through AWS Organizations.

• Securely managing database credentials for Amazon RDS.
• Keeping API keys and OAuth tokens for external services.
• Safeguarding application secrets in containerized workloads such as ECS, EKS and Lambda.
• Complying with security regulations by automatically rotating credentials for different accounts.
• Decentralized secrets management for diverse applications and multiple AWS accounts.

 

• Free Trial: At no additional charge with a 30 day free trial

• Storing Secrets: $0.40 fee applies per every secret stored monthly.

• Requests to API: Applied $0.05 fee for every 10,000 requests to the API.

• Rotation of Secrets: No additional fee if rotatory functions are provided by Amazon.

Adjustments of AWS Secrets Manager enable an organization to easily automate credential management activities and increase security while mitigating the hazards of secrets leak within AWS infrastructure.

Ready to transform your business with our technology solutions? Contact Us  today to Leverage Our DevOps Expertise.