How to Share a Secret (Key), on AWS
AWS Secrets Manager was launched by Amazon Web Services in April 2018. Secrets Manager is a service you can use with your AWS cloud accounts to store, retrieve and rotate credentials, all via the API or the AWS Command Line Interface. You no longer have to rotate your keys by hand or hand-code the processes that rotate them automatically.
Before AWS Secrets Manager you had very few options if you lost control over your authentication service. Perhaps you had the password written in an address book and kept in the safe of a trusted agent. Or you had a backdoor that could be used to reset your keys to a preset value. People have been thinking about keeping secrets safe for decades.
AWS Secrets Manager is charged with the massive task of distributing something that is supposedly “secret” to the right people. There are many secrets that need to be shared, and there are many ways to do it securely.
It is crucial to manage your secrets
AWS security admins know the challenges that come with managing different secrets and credentials. Most accounts are secured by issuing and rotating credentials for services and Amazon databases.
There is no 100% reliable way to distribute credentials while still maintaining security. And you cannot neglect security measures such as rotating keys and passwords regularly.
Managers and users tend to resent security measures. Let’s face facts: they can be a pain. Your security professionals are constantly concerned about potential vulnerabilities, and they see the usual workarounds as risky. Your company is at risk when you ask database administrators for credentials, embed them in environment variables, or hand them directly to the application.
Secrets Manager is a pretty darn effective program
Amazon’s entry in the secret-sharing market is fully managed by Amazon itself. Access to stored secrets and credentials can be tied directly to Identity and Access Management (IAM) in your AWS account. Secrets Manager also integrates with AWS Key Management Service (KMS), so the secrets it stores are encrypted with KMS keys.
Secrets Manager also includes a secret rotation feature that lets you rotate passwords and API keys automatically. Rotation can be wired to a Lambda function that performs the actual credential change.
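As an added example (not code from the post or from AWS), the following Python fetches a database credential from Secrets Manager at runtime instead of reading it from an environment variable. It assumes the secret is stored as JSON with `username`, `password`, `host` and `port` keys, the layout the RDS rotation functions use; the client is injected so the logic runs offline against a constructed stub, and a real boto3 client can be passed in the same way.

```python
import json
from typing import Any, Dict

# Fields a database credential secret must carry (assumed JSON layout).
REQUIRED_FIELDS = ("username", "password", "host", "port")


def load_db_credentials(client: Any, secret_id: str) -> Dict[str, Any]:
    """Fetch the AWSCURRENT version of a JSON secret and validate its shape.

    `client` is a boto3 Secrets Manager client, or any object exposing
    get_secret_value(SecretId=..., VersionStage=...) that returns the same
    response dict, so the function can be exercised offline with a stub.
    """
    resp = client.get_secret_value(SecretId=secret_id, VersionStage="AWSCURRENT")
    if "SecretString" not in resp:
        # SecretBinary secrets are not expected for database credentials.
        raise ValueError(f"{secret_id}: expected a string secret")
    try:
        data = json.loads(resp["SecretString"])
    except json.JSONDecodeError as exc:
        raise ValueError(f"{secret_id}: SecretString is not JSON") from exc
    missing = [k for k in REQUIRED_FIELDS if k not in data]
    if missing:
        raise ValueError(f"{secret_id}: missing fields {missing}")
    return data


class StubSecretsClient:
    """Constructed stand-in for a boto3 client so the example runs offline."""

    def __init__(self, secrets: Dict[str, str]) -> None:
        self._secrets = secrets

    def get_secret_value(self, SecretId: str, VersionStage: str = "AWSCURRENT") -> Dict[str, Any]:
        if SecretId not in self._secrets:
            raise LookupError(f"ResourceNotFoundException: {SecretId}")
        return {"Name": SecretId, "SecretString": self._secrets[SecretId], "VersionStages": [VersionStage]}


def demo() -> Dict[str, Any]:
    # Constructed sample secret; a real deployment would pass boto3.client("secretsmanager").
    stub = StubSecretsClient({"prod/app/db": json.dumps(
        {"username": "app", "password": "constructed-example", "host": "db.internal", "port": 5432})})
    return load_db_credentials(stub, "prod/app/db")


if __name__ == "__main__":
    creds = demo()
    print(creds["host"], creds["username"])  # never log the password itself
```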
Adopting Secrets Manager is a cost decision. It costs $0.40 per secret per month and $0.05 per 10,000 API calls. AWS offers more cost-effective and even free options to protect sensitive data, so your organization will have to decide whether the premium is worth paying.
You don’t want secrets to be shared? There are other options.
AWS Secrets Manager may not be exactly what you need for your AWS credentials and secret management, but there is always the tried-and-true distribution of access keys. It is not a good idea to be careless with your admin-level access keys. There are many resources that will help you distribute keys without making your accounts vulnerable.
Amazon publishes suggested best practices for managing access keys, and the full AWS General Reference is available to read. But the bottom line is to grant only the access that you need. Amazon emphasizes that access keys should not be stored insecurely and should only be created when absolutely necessary. Temporary security credentials (IAM roles) also help keep things safe by granting people the access they need for the moment, rather than long-term access.
IAM roles can be he