AWS Secrets Manager

  • Similar to Systems Manager Parameter Store.
  • Charge per secret stored and per 10,000 API calls.
  • Automatically rotate secrets.
  • Applies the new password in RDS for you.
  • Generate random secrets.
  • Allows us to protect and store secrets of AWS services, IT resources, and applications.
  • Allows us to centrally manage secrets used to access resources inside and outside AWS.
  • Automate rotation of your secrets without code deployment.
  • Allows us to secure our secrets using fine-grained permissions and encryption with AWS KMS.
  • Secret types that can be stored
    • RDS Database
      • Database types
        • MySQL
        • PostgreSQL
        • Oracle
        • MariaDB
        • SQL Server
      • Information stored in secrets
        • Username and password
        • Server address
        • Database name and port
    • Redshift cluster
    • Document DB database
    • Other databases
    • API keys
  • Secrets are encrypted using an AWS KMS key.
    • It uses a customer master key (CMK), which is a logical representation of a master key that holds the key material used to encrypt data. A CMK can only encrypt up to 4 KB of data.
  • It is a best practice to configure automatic rotation of secrets: for example, rotate every 30, 60 or 90 days, or at a custom interval, with 365 days being the maximum.
    • Create a Lambda function, or use an existing one, to perform the secret rotation.
  • AWS secrets manager versus AWS systems manager
    • AWS Secrets Manager is used for storing database credentials and API keys, and for rotating them.
    • AWS Systems Manager Parameter Store has wider use cases: it is used to perform maintenance updates on EC2 instances and to store configuration, variables and license keys.
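The RDS secret layout and the rotation best practice above, as an added offline audit example (not AWS code and not from these notes). It assumes the DescribeSecret fields Name, RotationEnabled, RotationRules.AutomaticallyAfterDays, LastRotatedDate and KmsKeyId, and the RDS secret JSON keys username, password, engine, host, port and dbname; all sample records are constructed and nothing here calls AWS.

```python
"""Offline policy checks over Secrets Manager data shapes (added example)."""
import json
from datetime import datetime, timedelta, timezone

# Field names follow DescribeSecret and the RDS secret JSON layout (assumed);
# sample values below are constructed placeholders.
MAX_ROTATION_DAYS = 365  # largest interval the notes give for rotation
RDS_ENGINES = {"mysql", "postgres", "oracle", "mariadb", "sqlserver"}


def parse_rds_secret(secret_string: str) -> dict:
    """Validate an RDS-type SecretString and return its fields with an int port."""
    data = json.loads(secret_string)
    missing = {"username", "password", "engine", "host", "port", "dbname"} - data.keys()
    if missing:
        raise ValueError(f"RDS secret missing keys: {sorted(missing)}")
    if data["engine"] not in RDS_ENGINES:
        raise ValueError(f"unsupported engine: {data['engine']}")
    return {**data, "port": int(data["port"])}


def rotation_findings(secret: dict, now: datetime, policy_days: int = 90) -> list:
    """Return policy violations for one DescribeSecret-shaped dict ([] = compliant)."""
    findings = []
    if not secret.get("RotationEnabled"):
        findings.append("rotation disabled")
        return findings
    days = secret.get("RotationRules", {}).get("AutomaticallyAfterDays")
    if days is None or not 1 <= days <= MAX_ROTATION_DAYS or days > policy_days:
        findings.append(f"rotation interval {days} outside policy (<= {policy_days} days)")
    last = secret.get("LastRotatedDate")
    if days and (last is None or last + timedelta(days=days) < now):
        findings.append("rotation overdue")
    if "KmsKeyId" not in secret:  # omitted when the AWS-managed key encrypts the secret
        findings.append("not encrypted with a customer-managed KMS key")
    return findings


def audit(secrets: list, now: datetime) -> dict:
    """Map each secret Name to its findings."""
    return {s["Name"]: rotation_findings(s, now) for s in secrets}


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed audit time
SAMPLE_SECRETS = [  # constructed DescribeSecret-shaped records
    {"Name": "prod/orders-db", "RotationEnabled": True, "KmsKeyId": "<KMS-KEY-ARN-PLACEHOLDER>",
     "RotationRules": {"AutomaticallyAfterDays": 30}, "LastRotatedDate": NOW - timedelta(days=10)},
    {"Name": "prod/legacy-api-key", "RotationEnabled": True,
     "RotationRules": {"AutomaticallyAfterDays": 180}, "LastRotatedDate": NOW - timedelta(days=200)},
    {"Name": "dev/scratch", "RotationEnabled": False},
]
```

Run `audit(SAMPLE_SECRETS, NOW)` to see one compliant secret, one with an interval over policy, overdue and on the AWS-managed key, and one with rotation disabled.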
