How to Offload Security Credentials for Databases to AWS Secrets Manager


We always want to keep the credentials used to connect to a system in the safest possible place. The question is where to store them and how to protect them. Consider AWS environments where databases are launched with Amazon RDS, the managed AWS service that provisions a ready-to-use database on a selected SQL-based engine.

Databases are always protected by a first layer of security, i.e., a username and password, apart from the IAM-level security available for databases on AWS.

But whenever the database needs to be accessed, those credentials have to be entered each time.

It is more convenient to store them, and some applications need automated access to the database. In that case the credentials must be supplied automatically, and people often hard-code them in the application, which goes against the security best practices AWS recommends.


What is AWS Secrets Manager?

In the world of cloud computing, securing sensitive information and credentials is of utmost importance. AWS Secrets Manager is a powerful tool offered by Amazon Web Services (AWS) that simplifies the management of secrets, such as API keys, database passwords, and other critical pieces of information. By centralizing secrets management and providing secure access, AWS Secrets Manager offers a robust solution for safeguarding sensitive data in the cloud.

To help keep your secrets secure, Secrets Manager can automatically rotate them on a schedule. When it rotates a secret, Secrets Manager updates the credentials in the secret and the database or service so that you don’t have to manually change the credentials. Secrets Manager uses a Lambda rotation function to communicate with Secrets Manager and the database or service.

AWS Secrets Manager has built-in rotation support for secrets for the following:

  1. Amazon RDS databases
  2. Amazon DocumentDB databases
  3. Amazon Redshift clusters

In this blog post, we will explore the use case, functions, features, benefits, and best practices of AWS Secrets Manager, followed by the conclusion.

Use cases

The following diagram depicts, step by step, a scenario for the built-in Amazon RDS use case.

Fig. 1: AWS Secrets Manager accessed by the business app for RDS access.

Step 1: The database admin creates a set of credentials that the business application will use to access the RDS database, and configures those credentials with the required permissions.

Step 2: The database admin stores the credentials as a secret named BusinessAppCreds in Secrets Manager, which encrypts them.

Step 3: When the business application needs to access the database, it queries Secrets Manager for the secret named BusinessAppCreds.

Step 4: Secrets Manager retrieves the credentials, decrypts them, and provides them to the business app.

Step 5: The business application uses the retrieved information to access the database service.

Understanding functions of AWS Secrets Manager

AWS Secrets Manager is a fully managed secrets management service enabling you to securely store, manage, and retrieve secrets. It eliminates the need to hardcode credentials within applications or manage them manually, reducing the risk of accidental exposure or unauthorized access. Secrets Manager supports many secret types, including database credentials, API keys, and encryption keys.

Let’s understand the fundamental concepts (Secret, Version, Rotation, Rotation Strategy) on which Secrets Manager works.

  1. Secret
    A secret stored in Secrets Manager comprises secret information, the secret value, and metadata about the secret. The secret value can be either a text or a binary value. The metadata includes the AWS KMS key that Secrets Manager uses to encrypt and decrypt the secret value. Secrets Manager encrypts the secret in process and saves it in an encrypted state. Secrets Manager employs IAM permission controls to ensure only authorized users can access or alter a secret.
  2. Version
    Versions of a secret contain copies of the encrypted secret value. When you update the secret value or rotate the secret, Secrets Manager generates a new version. Secrets Manager does not save a chronological history of secrets with revisions. Rather, it labels three distinct versions to keep track of them: AWSCURRENT is the current version; AWSPREVIOUS is the prior version; and AWSPENDING is the pending version (during rotation).
  3. Rotation
    Rotation is the practice of frequently changing a secret to make it harder for an attacker to obtain the credentials. You can set up automatic rotation for your secrets in Secrets Manager. When Secrets Manager rotates a secret, both the credentials in the secret and the database or service are updated.
  4. Rotation Strategy
    This strategy refreshes the credentials of one user, that is, one password for one user. The user must be granted permission to change their own password. It is the most basic rotation approach and is suitable for most use cases. Open database connections are not dropped when the secret is rotated. During rotation there is a short window between the moment the password changes in the database and the moment the secret is updated. During this window, there is a low chance that the database may reject calls that use the rotated credentials.
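The retrieval in Steps 3 to 5 and the rotation window described in item 4, as an added example that is not code from the original post: the application caches the AWSCURRENT value of BusinessAppCreds and, if the database rejects the login, refetches the secret once and retries. `get_secret_value` with `SecretId` and `VersionStage` is the boto3 Secrets Manager call; `SecretCache`, `AuthRejected`, `connect_with_rotation_retry`, the stub client and the secret's JSON field names are assumptions made for illustration.

```python
import json
import time

REQUIRED_KEYS = ("username", "password", "host", "port")  # fields this app expects (assumed)

class AuthRejected(Exception):
    """Hypothetical error raised by the caller's connect() on a failed login."""

class SecretCache:
    """Caches the AWSCURRENT value of one secret; refetches on expiry or demand."""
    def __init__(self, client, secret_id, ttl=300.0, clock=time.monotonic):
        self._client, self._secret_id = client, secret_id
        self._ttl, self._clock = ttl, clock
        self._value, self._fetched_at = None, None

    def get(self, force_refresh=False):
        now = self._clock()
        stale = self._fetched_at is None or now - self._fetched_at >= self._ttl
        if force_refresh or stale:
            resp = self._client.get_secret_value(
                SecretId=self._secret_id, VersionStage="AWSCURRENT")
            if "SecretString" not in resp:
                raise ValueError("secret holds a binary value, expected JSON text")
            creds = json.loads(resp["SecretString"])
            missing = [k for k in REQUIRED_KEYS if k not in creds]
            if missing:
                raise ValueError(f"secret is missing fields: {missing}")
            self._value, self._fetched_at = creds, now
        return self._value

def connect_with_rotation_retry(cache, connect):
    """Run connect(creds); if the login is rejected, refetch once and retry."""
    try:
        return connect(cache.get())
    except AuthRejected:
        # The cached password was probably rotated: fetch AWSCURRENT again.
        return connect(cache.get(force_refresh=True))

class StubSecretsManager:
    """Constructed offline stand-in for boto3.client("secretsmanager")."""
    def __init__(self, password):
        self.password, self.calls = password, 0

    def get_secret_value(self, SecretId, VersionStage):
        self.calls += 1
        body = {"username": "app", "password": self.password,
                "host": "db.example.internal", "port": 3306}  # constructed values
        return {"Name": SecretId, "SecretString": json.dumps(body)}
```

In production, pass `boto3.client("secretsmanager")` as `client` and a `connect` function that maps the database driver's login failure to `AuthRejected`; a second rejection after the refresh propagates to the caller.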

Key Features and Benefits

  1. Centralized Secret Storage:
    Secrets Manager provides a secure and centralized repository for storing secrets, allowing you to consolidate sensitive information in a single location.
  2. Automatic Rotation:
    Secrets Manager supports the automatic rotation of secrets, such as database passwords, eliminating the need for manual updates and reducing the risk of compromised credentials.
  3. Integration with AWS Services:
    Secrets Manager seamlessly integrates with other AWS services like Amazon RDS, Amazon DocumentDB, and Amazon Redshift, enabling secure retrieval of credentials for these services.
  4. Fine-Grained Access Control:
    Secrets Manager allows you to define granular access policies, ensuring that only authorized entities can retrieve or modify secrets.
  5. Auditability and Logging:
    The service provides detailed logs and auditing capabilities, allowing you to track secret usage and monitor changes made to secrets over time.
  6. Pay as you go:
    You are charged according to the number of secrets you manage in Secrets Manager and the number of Secrets Manager API calls you make. You get a highly available secrets management solution without the initial and continuing investments.
  7. Easy replication of secrets across multiple Regions:
    AWS Secrets Manager simplifies the replication of secrets across several AWS Regions to support multi-Region operations and disaster recovery scenarios. The multi-Region secrets capability reduces the difficulty of replicating and keeping track of secrets across several Regions, letting you simply access and read secrets as required.
