Back to Basics: Secrets Management - 双语字幕
Hello, welcome to another episode of Back to Basics.
My name is Hari Singeredi.
I'm a Solutions Architect here at AWS.
Today we are going to talk about managing and protecting secret information needed for your applications to perform its function.
These information could be your database passwords,
your IAM access keys, your SSH keys or any other information your application needs to perform its regular function.
Here I want to call out two best practices from AWS well architected framework security.
First one is store and retrieve these secure secrets.
Second one is audit and rotate these secrets securely and frequently.
Let's take you have an application that needs to communicate with the database.
So to open a connection to the database,
it needs database connection information, like the database server name, database port number, and secrets information like database username and database password.
So let's take a look at the architectural considerations first.
So there are a few things that you need to ask yourself.
First, where do you store these secrets securely?
Second, how does your application get access to these secrets?
Third, how often do you rotate these secrets?
And finally, when you rotate these secrets, how does your application know about the latest version of these secrets?
AWS Manager lets you store text in the protected data portion of the secret.
In this scenario, these could be your database username, password, and all other database correction information.
And data protection is a key security best practice, always encrypt data at rest.
So to achieve this, Secrets Manager encrypts the protected text of a secret by using AWS Key Management Service or KMS.
You can either use the default CMK for Secrets Manager or you can call it created CMK.
A common anti-pattern that we see is hard coding credentials in your application source code.
It's not a good idea because if somebody has access to your application source code, they now have access to your data.
AWS Secrets Manager allows for programmatic retrieval of secrets.
So to retrieve secrets, you simply replace plaintext secrets with code to pull in those secrets at runtime using Secrets Manager APIs.
You can also use AWS IAM permission policies to control access to your secret.
So in this scenario,
you can attach a policy to the role used by your application to give it read-only permissions on the database secrets.
And as I mentioned earlier, data protection is very important.
Secrets manager by default only accepts requests from hosts using open-standard TLS and perfect
forward secrecy and also ensures encryption of your secret while in transit.
Now, that storage and retrieval of the secret is set up, let's take a look at the second
security best practice, which is audit and rotate the secrets periodically.
Periodic rotation of secrets is really important from a security perspective.
If you don't change your secrets for a long period of time, the secrets become more likely to be compromised.
As a security best practice, we recommend that you regularly rotate your secrets.
You can configure Secrets Manager to automatically rotate without any manual intervention and on a specified schedule.
you.
Secrets uses AWS Lambda functions to rotate the credentials.
Secrets Manager out of the box comes fully configured and ready-to-use rotation support for Amazon RDS databases,
Amazon Aurora, Amazon DocumentDB, and Amazon Redshift.
If you need to rotate credentials for any other service than what I just mentioned,
you can also define and implement rotation using a custom Since your application is already configured to pull the latest credentials,
it will get the latest credentials next time it tries to access the database.
So if we take a look at the high-level overview of the pattern, you store your credentials in Secrets Manager.
Secrets Manager will take care of the rotation and maintaining the latest set of credentials for you.
always pulls the latest set of credentials from Secrets Manager at runtime.
And of this is happening securely and automatically.
There you have it.
Check out the resources below for more details and thanks for tuning in.
解锁更多功能
安装 Trancy 扩展,可以解锁更多功能,包括AI字幕、AI单词释义、AI语法分析、AI口语等
兼容主流视频平台
Trancy 不仅提供对 YouTube, Netflix, Udemy, Disney+, TED, edX, Kehan, Coursera 等平台的双语字幕支持,还能实现对普通网页的 AI 划词/划句翻译、全文沉浸翻译等功能,真正的语言学习全能助手。
支持全平台浏览器
Trancy 支持全平台使用,包括iOS Safari浏览器扩展
多种观影模式
支持剧场、阅读、混合等多种观影模式,全方位双语体验
多种练习模式
支持句子精听、口语测评、选择填空、默写等多种练习方式
AI 视频总结
使用 OpenAI 对视频总结,快速视频概要,掌握关键内容
AI 字幕
只需3-5分钟,即可生成 YouTube AI 字幕,精准且快速
AI 单词释义
轻点字幕中的单词,即可查询释义,并有AI释义赋能
AI 语法分析
对句子进行语法分析,快速理解句子含义,掌握难点语法
更多网页功能
Trancy 支持视频双语字幕同时,还可提供网页的单词翻译和全文翻译功能