AWS Secrets Manager

  • Similar to systems manager parameter store.
  • Charge per secret stored and per 10,000 API calls.
  • Automatically rotate secrets.
  • Apply the new key password in RDS for you.
  • Generate random secrets.
  • Allows us to protect and store secrets, of AWS services, IT resources, and applications.
  • Allows us to centrally manage secrets used to access resources inside and outside AWS.
  • Automate rotation of your secrets without code deployment.
  • Allows us to secure our secrets using fine grain permissions and encryption with AWS KMS.
  • Secret types that can be stored
    • RDS Database
      • Database types
        • MY SQL
        • POSTGRES SQL
        • ORACLE 
        • MARIA DB
        • SQL SERVER
      • Information stored in secrets
        • Username and password
        • Server address
        • Database name and port
    • Redshift cluster
    • Document DB database
    • Other databases
    • API keys
  • Secrets are encrypted using an AWS KMS key.
    • It uses a customer master key(CMK) which is a logical representation of a master key, which holds Key material to encrypt data. CMK’s can only encrypt up to 4KB of data.
  • It is a best practice to configure automatic rotation of secrets. For example, it is the best practice to rotate your secrets every 30, 60, 90 or a custom number of days with 365 days being maximum.
    • Create lambda or use an existing lambda to perform secret rotation.
  • AWS secrets manager versus AWS systems manager
    • AWS secrets manager is used for storing data base, credentials, API, keys, and for rotation of keys.
    • AWS systems manager (parameter store) has wider use cases, used to perform maintenance updates on EC2 INSTANCES, USED TO STORE CONFIGURATION, VARIABLES AND LICENSE KEYS.

Comments

Post a Comment

Popular posts from this blog

Effect : Deny vs No Action

No action allows us to provide granular level control over resources operations. For example, if we use effect, deny For all actions in IAM An, then we use effect allow over some actions in IAM then deniable supersede allow. The way to overcome above issue is to use NoAction on all IAM operations And action on Allowed IAM operations. Example { "Version" : "2012-10-17" , "Statement" : [ { "Effect" : "Allow" , "NotAction" : [ "iam:*" , "organizations:*" , "account:*" ], "Resource" : "*" }, { "Effect" : "Allow" , "Action" : [ "iam:CreateServiceLinkedRole" , "iam:DeleteServiceLinkedRole" , "iam:ListRoles" , "organizations:DescribeOrganization" , "account:ListRegions" ,
Read more

AWS Summaries

Database Summary  RDS(OLTP) SQL My SQL Post Gre SQL Oracle Aurora Maria DB Dynamo DB(No SQL) Redshift OLAP Elastic cache Memcached Redis RDS runs on virtual machines We cannot log into this operating systems however Patching of our RDS Operating system and DB is Amazons responsibility. RDS is not server-less. Aurora surverless is seven less which is an exception. Dynamo DB is server-less. There are two types of backups for RDS Automated backups Database snapshots Read replicas Can be multi availability zones. Use to increase performance Must have backups turned on. Can be in different regions. Can be MySQL,PostgreSQL,Maria DB, Oracle, Aurora, SQL Server is not supported. Can be promoted to master, this will break read replica. Multi availability zone Used for DRG only and not performance. You can force a fail over from one availability zone to another by re-booting the RDS instance. Encryption at Rest Is supported for My SQL, Oracle, SQL server, Postgre SQL, Maria DB and Aurora. Encryp
Read more

Infrastructure Setup using Cloud Formation Templates

Services Required to create CICD Code Build Build code and deploy image in jfrog Code Pipeline Has (Continuous Integration Continuous Deployment)CICD flow Cloud Formation To deploy and create infrastructure we use yml files. S3 Store our data packages and yml files which are used by CFT. ECS To deploy our application on fargate servers We can also create our manual EC2 instances from pipeline. Secrets Manager Manages all the secrets. ELB/ALB Elastic/Application Load Balancer To map context paths of different services GitHub Stores our code Jfrog Used to store all the docker images Dockerfile Used to create a customised docker image Scanning for Vulnerabilities free code Sonarcube Checkmarx Twistlock Cloudwatch Used to store logs We create log group for each of instances Lambda Functions Used for serverless technologies. Creating a new Environment Create the YML images of the different resources required in the environment. The CFT templates are stored in S3 or can be uploaded from syst
Read more