AWS Secrets Manager :- Secure Secret Management

Introduction

In modern cloud environments securely managing sensitive information like database credentials, API keys and other secrets is crucial. AWS Secrets Manager simplifies the process of securely storing, managing and retrieving these secrets. This comprehensive guide will delve into the functionalities of AWS Secrets Manager including creating and managing secrets and integrating Secrets Manager with other AWS services for secure access. By the end of this tutorial you will have a solid understanding of AWS Secrets Manager and how to leverage it for secure secret management in your cloud infrastructure.

Key Features

1. Secure Storage :- Secrets Manager encrypts secrets using AWS Key Management Service (KMS).

2. Automatic Rotation :- Automatically rotates secrets for supported AWS services without application downtime.

3. Fine-Grained Access Control :- Uses AWS Identity and Access Management (IAM) policies to control access to secrets.

4. Audit and Monitoring :- Integrates with AWS CloudTrail to log and monitor secret access and management activities.

5. Integrated with AWS Services :- Easily integrates with AWS services like Amazon RDS, Amazon Redshift and more.

Use Cases

1. Database Credentials :- Securely store and rotate database credentials.

2. API Keys :- Manage and secure API keys for third-party services.

3. Configuration Data :- Store sensitive configuration data securely.

4. OAuth Tokens :- Securely store and manage OAuth tokens.

Setting Up AWS Secrets Manager

Step 1 :- Creating a Secret

1. Sign in to the AWS Management Console and open the AWS Secrets Manager console.

2. Choose Store a new secret.

3. Select the secret type :-

   • For this example select Credentials for RDS database.

4. Enter the secret details :-

   • Username : admin

   • Password : mypassword

   • Database : Choose your database from the list.

Example JSON configuration :-

    {
      "username": "admin",
      "password": "mypassword",
      "engine": "mysql",
      "host": "mydb.cluster-xyz.us-west-2.rds.amazonaws.com",
      "port": 3306,
      "dbname": "mydatabase"
    }

5. Encryption Key : Use the default AWS managed key or select a custom key.

6. Choose Next.

Step 2 :- Configuring Secret Rotation

1. Enable automatic rotation and specify the rotation interval (e.g. 30 days).

2. Select a Lambda function to handle the rotation. If you don’t have one you can create a new function :-

   • Create a new Lambda function based on the provided template for the secret type.

Step 3 :- Specifying Tags and Permissions

1. Add tags to organize and manage your secrets.

2. Configure permissions :-

   • Define which IAM roles and users can access or manage the secret.

Step 4 :- Storing the Secret

1. Review the secret details.

2. Choose Store to save the secret.

Managing Secrets

Retrieving a Secret

You can retrieve secrets programmatically using AWS SDKs or the AWS CLI.

Using AWS CLI

aws secretsmanager get-secret-value --secret-id my-database-secret --query SecretString --output text

Using AWS SDK (Python Example)

import boto3
import json

def get_secret():
    secret_name = "my-database-secret"
    region_name = "us-west-2"

    # Create a Secrets Manager client
    client = boto3.client('secretsmanager', region_name=region_name)

    # Retrieve the secret
    get_secret_value_response = client.get_secret_value(SecretId=secret_name)

    secret = get_secret_value_response['SecretString']
    return json.loads(secret)

secret = get_secret()
print(secret['username'])
print(secret['password'])

Updating a Secret

You can update secrets through the AWS Management Console, AWS CLI or AWS SDK.

Using AWS CLI

aws secretsmanager update-secret --secret-id my-database-secret --secret-string '{"username": "admin", "password": "newpassword"}'

Using AWS SDK (Python Example)

import boto3

def update_secret():
    secret_name = "my-database-secret"
    region_name = "us-west-2"
    secret_value = {
        "username": "admin",
        "password": "newpassword"
    }

    # Create a Secrets Manager client
    client = boto3.client('secretsmanager', region_name=region_name)

    # Update the secret
    client.update_secret(SecretId=secret_name, SecretString=json.dumps(secret_value))

update_secret()

Deleting a Secret

Deleting a secret is straightforward but should be done with caution. AWS Secrets Manager retains the secret for a recovery window (default is 30 days) before permanently deleting it.

Using AWS CLI

aws secretsmanager delete-secret --secret-id my-database-secret

Using AWS SDK (Python Example)

import boto3

def delete_secret():
    secret_name = "my-database-secret"
    region_name = "us-west-2"

    # Create a Secrets Manager client
    client = boto3.client('secretsmanager', region_name=region_name)

    # Delete the secret
    client.delete_secret(SecretId=secret_name, RecoveryWindowInDays=30)

delete_secret()

Integrating AWS Secrets Manager with AWS Services

Amazon RDS

To use Secrets Manager with Amazon RDS ensure that your database engine supports the integration.

1. Create a new secret for your RDS database as described in the setup steps.

2. Configure the RDS instance to use the secret for authentication.

Example :- Configuring RDS to Use Secrets Manager

aws rds modify-db-instance \
    --db-instance-identifier mydbinstance \
    --master-user-password arn:aws:secretsmanager:us-west-2:123456789012:secret:my-database-secret

AWS Lambda

You can use Secrets Manager to retrieve secrets in your Lambda functions securely.

Example :- Lambda Function to Retrieve Secret

import boto3
import json

def lambda_handler(event, context):
    secret_name = "my-database-secret"
    region_name = "us-west-2"

    # Create a Secrets Manager client
    client = boto3.client('secretsmanager', region_name=region_name)

    # Retrieve the secret
    get_secret_value_response = client.get_secret_value(SecretId=secret_name)

    secret = get_secret_value_response['SecretString']
    secret_dict = json.loads(secret)

    # Use the secret in your Lambda function
    db_username = secret_dict['username']
    db_password = secret_dict['password']

    return {
        'statusCode': 200,
        'body': json.dumps('Secrets retrieved successfully!')
    }

AWS ECS

You can use Secrets Manager with ECS to inject secrets into your containerized applications.

Example :- ECS Task Definition with Secrets Manager

{
    "family": "my-ecs-task",
    "networkMode": "awsvpc",
    "containerDefinitions": [
        {
            "name": "my-app-container",
            "image": "my-app-image",
            "essential": true,
            "secrets": [
                {
                    "name": "DB_USERNAME",
                    "valueFrom": "arn:aws:secretsmanager:us-west-2:123456789012:secret:my-database-secret:username"
                },
                {
                    "name": "DB_PASSWORD",
                    "valueFrom": "arn:aws:secretsmanager:us-west-2:123456789012:secret:my-database-secret:password"
                }
            ]
        }
    ]
}

Best Practices for Managing Secrets

Enable Automatic Rotation

Automatic rotation helps ensure that secrets are regularly updated without manual intervention. Configure Lambda functions to handle the rotation process and avoid application downtime.

Use IAM Policies for Access Control

Define IAM policies to control access to secrets based on the principle of least privilege. Ensure that only authorized roles and users can access or manage secrets.

Audit and Monitor Secret Access

Enable AWS CloudTrail to log all activities related to secrets. Regularly review these logs to detect any unauthorized access or suspicious activity.

Encrypt Secrets

Secrets Manager automatically encrypts secrets using AWS KMS. Ensure that you use strong encryption keys and manage them properly.

Regularly Review and Update Secrets

Regularly review the secrets stored in Secrets Manager to ensure they are up-to-date and still required. Remove any outdated or unnecessary secrets to reduce the attack surface.

Example :- Secure API Key Management

Consider a scenario where you need to manage an API key for a third-party service securely.

Step 1 :- Storing the API Key

1. Open the Secrets Manager console and choose Store a new secret.

2. Select Other type of secret.

3. Enter the secret key-value pairs :-

   • Key : api_key

   • Value : your_api_key_here

4. Name the secret (e.g. my-api-key-secret).

5. Store the secret.

Step 2 :- Retrieving the API Key in an Application

Using AWS SDK (Python Example)

import boto3
import json

def get_api_key():
    secret_name = "my-api-key-secret"
    region_name = "us-west-2"

    # Create a Secrets Manager client
    client = boto3.client('secretsmanager', region_name=region_name)

    # Retrieve the secret
    get_secret_value_response = client.get_secret_value(SecretId=secret_name)

    secret = get_secret_value_response['SecretString']
    secret_dict = json.loads(secret)

    return secret_dict['api_key']

api_key = get_api_key()
print(api_key)

Conclusion

AWS Secrets Manager provides a robust solution for securely managing and retrieving secrets in your cloud environment. By leveraging its features such as automatic rotation, fine-grained access control and integration with other AWS services you can enhance the security and compliance of your applications. This guide covered the basics of AWS Secrets Manager including creating and managing secrets, integrating with AWS services and best practices for secure secret management. With these insights you can effectively manage sensitive information and protect your cloud infrastructure from unauthorized access.

Stay tuned for more insights in our upcoming blog posts.

Let's connect and grow on LinkedIn :Click Here

Let's connect and grow on Twitter :Click Here

Happy Cloud Computing!!!

Happy Reading!!!

Sudha Yadav