TABLE OF CONTENTS
1. Introduction to Amazon's Secrets Manager
2. Features
3. Steps to Configure AWS Secrets Manager
4. Conclusion
5. CloudThat
6. FAQs

1. Introduction to Amazon's Secrets Manager
If you build a custom application that retrieves data from a database, you would normally embed the database credentials in the application so it can access the database directly. When it comes time to rotate those credentials, creating new ones is not enough: you also have to update the application to use the new credentials and then redistribute the updated application. If several applications share the same credentials and you fail to update one of them, that application stops working. This is why many customers do not rotate credentials often, effectively trading one risk for another.
The diagram below shows the most basic scenario: the database credentials are saved in Secrets Manager, and the application retrieves them from Secrets Manager at runtime to access the database.
2. Features:
a. Programmatically retrieve the encrypted secret value at runtime
Secrets Manager improves your security posture by removing hard-coded credentials from your application source code and by not storing credentials within the application in any form. Credentials stored with the application can be extracted from it, which leaves them open to compromise by anyone who has access to the application or its components. Embedded credentials are also hard to rotate, because you have to update the application and deploy the change to every client before you can retire the old credentials.
Secrets Manager lets you replace the stored credentials with a runtime call to the Secrets Manager web service, so the application retrieves them dynamically whenever they are needed.
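The following is an added example, not code from the original post or from CloudThat, showing what the runtime call looks like from application code. The function takes any callable shaped like boto3's `get_secret_value(SecretId=...)` so the logic can be exercised offline against a constructed response; `boto3_fetcher` wires in the real client when credentials and network are available. The secret name, ARN and field values are constructed placeholders.

```python
import base64
import json
from typing import Any, Callable, Dict

# Constructed sample of a get_secret_value() response for a database secret whose
# value is a JSON document in SecretString. The ARN and version id are placeholders.
SAMPLE_RESPONSE = {
    "ARN": "arn:aws:secretsmanager:REGION:ACCOUNT:secret:example/db-PLACEHOLDER",
    "Name": "example/db",
    "VersionId": "PLACEHOLDER-VERSION-ID",
    "SecretString": json.dumps({
        "engine": "mysql",
        "host": "mydb.example.internal",
        "username": "app_user",
        "password": "constructed-not-a-real-password",
        "dbname": "orders",
        "port": 3306,
    }),
    "VersionStages": ["AWSCURRENT"],
}


def parse_secret_value(response: Dict[str, Any]) -> Dict[str, Any]:
    """Extract the secret payload from a get_secret_value() response.

    Secrets Manager returns either SecretString (text, usually JSON) or SecretBinary
    (bytes; boto3 base64-decodes them for you, the raw API does not). Both are handled.
    """
    if "SecretString" in response:
        text = response["SecretString"]
        try:
            return json.loads(text)
        except json.JSONDecodeError:
            # A plain-text secret that is not JSON: hand it back under a single key.
            return {"secret": text}
    if "SecretBinary" in response:
        raw = response["SecretBinary"]
        if isinstance(raw, str):
            raw = base64.b64decode(raw)
        return {"secret_binary": raw}
    raise ValueError("response contains neither SecretString nor SecretBinary")


def get_db_connection_params(fetch: Callable[[str], Dict[str, Any]], secret_id: str) -> Dict[str, Any]:
    """Resolve database connection parameters at runtime instead of hard-coding them.

    `fetch` is any callable behaving like
    boto3.client("secretsmanager").get_secret_value(SecretId=...); it is injected so the
    lookup can be tested offline.
    """
    secret = parse_secret_value(fetch(secret_id))
    required = ("host", "port", "username", "password", "dbname")
    missing = [key for key in required if key not in secret]
    if missing:
        raise KeyError(f"secret {secret_id!r} is missing fields: {missing}")
    return {key: secret[key] for key in required}


def boto3_fetcher(region_name: str) -> Callable[[str], Dict[str, Any]]:
    """Build a real fetcher backed by boto3 (needs AWS credentials and network access)."""
    import boto3  # imported lazily so the offline demonstration does not require it
    client = boto3.client("secretsmanager", region_name=region_name)
    return lambda secret_id: client.get_secret_value(SecretId=secret_id)


if __name__ == "__main__":
    # Offline demonstration using the constructed response above.
    params = get_db_connection_params(lambda _secret_id: SAMPLE_RESPONSE, "example/db")
    print({k: ("***" if k == "password" else v) for k, v in params.items()})
```

In production the fetched value should be cached for the life of the process rather than requested on every query, and the application should re-fetch the secret when the database rejects the cached credentials, which is exactly what happens right after a rotation.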
b. Different types of secrets can be stored
Secrets Manager lets you store text in the encrypted secret portion of a secret. This is usually the connection information for a service or database: the server name, IP address and port number, together with the user name and password used to access the service. The following metadata is not part of the protected text:
Secret name and description
Rotation or expiration settings
ARN of the KMS Key associated with the Secret
Any AWS tags attached
c. Encrypt your secret data
Secrets Manager encrypts the secret text using AWS Key Management Service (AWS KMS). AWS KMS stores keys and provides encryption for many AWS services. AWS KMS ensures that your secret information is securely encrypted when stored, and every call to the Secrets Manager API is made over TLS, so the secret is also protected in transit. Secrets Manager associates every secret with a KMS key, which can be either the AWS-managed key for Secrets Manager or a customer-managed key created in AWS KMS.
d. Automatically rotate secrets
Secrets Manager can rotate secrets automatically, without user intervention, on the schedule you configure.
Rotation is performed by an AWS Lambda function. This function defines how Secrets Manager carries out these tasks:
Create a new version of the secret.
Store the new secret value in Secrets Manager.
Configure the protected service to use the new version.
Verify that the new version works.
Mark the new version as ready for production.
Secrets Manager provides ready-to-use rotation functions for secrets belonging to the following databases:
Amazon Aurora on Amazon RDS
MySQL on Amazon RDS
PostgreSQL on Amazon RDS
Oracle on Amazon RDS
MariaDB on Amazon RDS
Microsoft SQL Server on Amazon RDS
Amazon DocumentDB
Amazon Redshift
3. Steps to Configure AWS Secrets Manager
Navigate to the AWS Secrets Manager console.
Click on "Store a new secret".
Select the secret type and enter the credentials to be stored. You must also provide the details of the database that the credentials give access to, and choose the encryption key used to encrypt the secret value. After entering all the details, you can keep the default AWS-managed key or select a customer-managed key from AWS KMS to encrypt your secret information.
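The same configuration can be done from code with the SDK's `create_secret` call, which takes the same inputs the console asks for. The block below is an added example, not CloudThat's code: it assembles the request from the database details, chooses between the AWS-managed key and a customer-managed KMS key, and refuses to proceed if the password has been pasted into the description or tags, since those fields are stored unencrypted (see feature b above). The secret name, KMS key alias, database values and `RecordingClient` are all constructed for the offline demonstration.

```python
import json

# Key names of the JSON document that Secrets Manager's database secrets use; the
# AWS-provided rotation functions read these keys, so the names must match exactly.
REQUIRED_DB_FIELDS = ("engine", "host", "username", "password", "dbname", "port")

# Sample credentials constructed for this example; nothing here is real.
SAMPLE_DB = {
    "engine": "mysql",
    "host": "mydb.example.internal",
    "username": "app_user",
    "password": "constructed-not-a-real-password",
    "dbname": "orders",
    "port": 3306,
}


def unencrypted_fields_containing_password(db, description="", tags=None):
    """Return labels of metadata fields that contain the password.

    Name, description and tags are not part of the encrypted secret value and are
    visible to anyone allowed to describe or list secrets, so the password must not
    appear in them.
    """
    password = db.get("password", "")
    candidates = [("Description", description)]
    candidates += [(f"Tag:{t['Key']}", t["Value"]) for t in (tags or [])]
    return [label for label, text in candidates if password and password in text]


def build_create_secret_request(name, db, kms_key_id=None, description="", tags=None):
    """Assemble the keyword arguments for boto3's create_secret() from the console inputs."""
    missing = [field for field in REQUIRED_DB_FIELDS if field not in db]
    if missing:
        raise ValueError(f"database secret is missing fields: {missing}")
    port = db["port"]
    if not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError(f"invalid port: {port!r}")
    leaks = unencrypted_fields_containing_password(db, description, tags)
    if leaks:
        raise ValueError(f"password would be stored unencrypted in {leaks}")
    request = {"Name": name, "SecretString": json.dumps(db)}
    if description:
        request["Description"] = description
    if kms_key_id:
        # Customer-managed KMS key; when omitted, the AWS-managed key aws/secretsmanager is used.
        request["KmsKeyId"] = kms_key_id
    if tags:
        request["Tags"] = tags
    return request


def create_secret(client, request):
    """Submit the request through any client exposing create_secret(**kwargs), such as
    boto3.client("secretsmanager"); returns the ARN of the stored secret."""
    return client.create_secret(**request)["ARN"]


class RecordingClient:
    """Offline stand-in for boto3 that records the call (constructed for this example)."""
    def __init__(self):
        self.calls = []

    def create_secret(self, **kwargs):
        self.calls.append(kwargs)
        return {"ARN": f"arn:aws:secretsmanager:REGION:ACCOUNT:secret:{kwargs['Name']}-PLACEHOLDER",
                "Name": kwargs["Name"]}


if __name__ == "__main__":
    req = build_create_secret_request("example/orders-db", SAMPLE_DB,
                                      kms_key_id="alias/example-secrets-key",  # assumed alias
                                      description="Credentials for the orders database",
                                      tags=[{"Key": "env", "Value": "dev"}])
    print(create_secret(RecordingClient(), req))
```

When a customer-managed key is used, the IAM principal calling `create_secret` (and later any principal reading the secret) also needs permission on that KMS key; a missing `kms:Decrypt` on the key is the usual reason a secret can be listed but not read.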