Hello, welcome to another episode of Back to Basics.
My name is Hari Singeredi.
I'm a Solutions Architect here at AWS.
Today we are going to talk about managing and protecting secret information needed for your applications to perform its function.
These information could be your database passwords,
your IAM access keys, your SSH keys or any other information your application needs to perform its regular function.
Here I want to call out two best practices from AWS well architected framework security.
First one is store and retrieve these secure secrets.
Second one is audit and rotate these secrets securely and frequently.
Let's take you have an application that needs to communicate with the database.
So to open a connection to the database,
it needs database connection information, like the database server name, database port number, and secrets information like database username and database password.
So let's take a look at the architectural considerations first.
So there are a few things that you need to ask yourself.
First, where do you store these secrets securely?
Second, how does your application get access to these secrets?
Third, how often do you rotate these secrets?
And finally, when you rotate these secrets, how does your application know about the latest version of these secrets?
AWS Manager lets you store text in the protected data portion of the secret.
In this scenario, these could be your database username, password, and all other database correction information.
And data protection is a key security best practice, always encrypt data at rest.
So to achieve this, Secrets Manager encrypts the protected text of a secret by using AWS Key Management Service or KMS.
You can either use the default CMK for Secrets Manager or you can call it created CMK.
A common anti-pattern that we see is hard coding credentials in your application source code.
It's not a good idea because if somebody has access to your application source code, they now have access to your data.
AWS Secrets Manager allows for programmatic retrieval of secrets.
So to retrieve secrets, you simply replace plaintext secrets with code to pull in those secrets at runtime using Secrets Manager APIs.
You can also use AWS IAM permission policies to control access to your secret.
you can attach a policy to the role used by your application to give it read-only permissions on the database secrets.
And as I mentioned earlier, data protection is very important.
Secrets manager by default only accepts requests from hosts using open-standard TLS and perfect
forward secrecy and also ensures encryption of your secret while in transit.
Now, that storage and retrieval of the secret is set up, let's take a look at the second
security best practice, which is audit and rotate the secrets periodically.
Periodic rotation of secrets is really important from a security perspective.
If you don't change your secrets for a long period of time, the secrets become more likely to be compromised.
As a security best practice, we recommend that you regularly rotate your secrets.
You can configure Secrets Manager to automatically rotate without any manual intervention and on a specified schedule.
Secrets uses AWS Lambda functions to rotate the credentials.
Secrets Manager out of the box comes fully configured and ready-to-use rotation support for Amazon RDS databases,
Amazon Aurora, Amazon DocumentDB, and Amazon Redshift.
If you need to rotate credentials for any other service than what I just mentioned,
you can also define and implement rotation using a custom Since your application is already configured to pull the latest credentials,
it will get the latest credentials next time it tries to access the database.
So if we take a look at the high-level overview of the pattern, you store your credentials in Secrets Manager.
Secrets Manager will take care of the rotation and maintaining the latest set of credentials for you.
always pulls the latest set of credentials from Secrets Manager at runtime.
And of this is happening securely and automatically.
Check out the resources below for more details and thanks for tuning in.
