The best service to secure your secrets.
Amazon offers AWS Secrets Manager, which helps users protect the secrets, passwords, and credentials needed to access their applications, IT resources, and services. The service lets you retrieve, rotate, and manage database credentials, API keys, and other secrets throughout their lifecycle.
The service provides secret rotation with built-in integration for Amazon RDS, Amazon Redshift, and Amazon DocumentDB, and it also stores other kinds of secrets such as API keys and OAuth tokens. With this service, the user can control access to secrets using fine-grained permissions and audit secret rotation centrally for resources in the AWS Cloud, in third-party services, and on-premises.
How can it help users?
For instance, suppose a user writes a build script that automates server installation for use with Auto Scaling, and the servers run WordPress against an external MySQL server. The simplest approach is to store the MySQL password in plaintext as part of the build script, but it is not a secure one. On top of that, if there are separate development and production environments, keeping the right password in each script becomes even more of a hassle for the user.
A better solution is to store the MySQL password in AWS Secrets Manager instead of in plaintext, and to have the servers retrieve it at runtime using IAM roles and permissions. AWS Secrets Manager then acts as the single authoritative store for the credential, and it makes rotating the secret efficient and effective, which is crucial to the process.
Here are the steps on how to use Secrets Manager:
- Go to the Secrets Manager console and click “Store A New Secret.”
- Select the secret type, whether RDS or one of AWS’s other database services.
- Enter the username and password and select the database that you want to use with this secret.
- If you’re storing multiple items, select “Other Type Of Secret.”
- If you’re storing a series of key-value pairs, you can enter them here; if it’s a more complex JSON schema, you can enter the entire thing as plaintext under the “Plaintext” tab.
- Click “Next,” give it a name, and add any tags you might want for organizational purposes.
- On the next screen, the user can configure automatic rotation. This calls a Lambda function of your choosing every month and rotates the secret to a new value.
- Click “Next,” and click “Store” to create the secret.
If the user retrieves secrets often (at runtime), they may want to use a client-side cache so they don’t need to send thousands of API requests every second. AWS Secrets Manager provides a few client-side caching libraries for working with Secrets Manager, but the user can always implement one themselves.
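As an added example (not code from the original post), here is how a server could fetch the WordPress MySQL credential at runtime instead of baking it into the build script, through the kind of small client-side cache the previous paragraph mentions. It assumes the secret was stored as an RDS-type secret (so its SecretString is JSON with the keys username, password, host, port and dbname), that boto3 is installed for the real fetcher, and it uses a constructed sample secret and the hypothetical secret name prod/wordpress/mysql.

```python
import json
import time
from typing import Callable, Dict, Tuple

# Key names Secrets Manager writes for an RDS-type secret created in the console.
DB_KEYS = ("username", "password", "host", "port", "dbname")

# Constructed sample SecretString, shaped like a console-created RDS secret.
SAMPLE_SECRET = json.dumps({"username": "wp", "password": "example-only", "engine": "mysql",
                            "host": "db.internal.example", "port": 3306, "dbname": "wordpress"})

def parse_db_secret(secret_string: str) -> Dict[str, object]:
    """Turn the SecretString JSON into a MySQL connection config dict."""
    data = json.loads(secret_string)
    missing = [k for k in DB_KEYS if k not in data]
    if missing:
        raise ValueError(f"secret is missing keys: {missing}")
    return {"host": data["host"], "port": int(data["port"]), "user": data["username"],
            "password": data["password"], "database": data["dbname"]}

class SecretCache:
    """Client-side TTL cache: one API call per TTL window, not one per request.
    fetch(secret_id) returns the SecretString; ttl_seconds bounds how long a
    pre-rotation value can still be served."""

    def __init__(self, fetch: Callable[[str], str], ttl_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic):
        self._fetch, self._ttl, self._clock = fetch, ttl_seconds, clock
        self._entries: Dict[str, Tuple[float, str]] = {}  # id -> (expires_at, value)

    def get(self, secret_id: str) -> str:
        now = self._clock()
        hit = self._entries.get(secret_id)
        if hit is None or now >= hit[0]:  # miss or expired: ask the API again
            value = self._fetch(secret_id)
            self._entries[secret_id] = (now + self._ttl, value)
            return value
        return hit[1]

    def invalidate(self, secret_id: str) -> None:
        self._entries.pop(secret_id, None)  # e.g. after a DB login fails post-rotation

def boto3_fetch(secret_id: str) -> str:
    """Fetch via boto3 with the instance's IAM role credentials (boto3 assumed installed)."""
    import boto3  # lazy import so the parser and cache run without boto3
    return boto3.client("secretsmanager").get_secret_value(SecretId=secret_id)["SecretString"]

if __name__ == "__main__":  # offline demo with the constructed sample
    cache = SecretCache(lambda _sid: SAMPLE_SECRET, ttl_seconds=60)
    print(parse_db_secret(cache.get("prod/wordpress/mysql"))["host"])
```

In production, pass `boto3_fetch` to `SecretCache` and call `invalidate` when a database login is rejected, so a freshly rotated password is picked up before the TTL expires.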