When you build a custom application that reads from a database, the usual shortcut is to embed the database credentials (the secret) in the application itself. Rotating those credentials then takes more than creating new ones: you have to update the application to use the new credentials and redistribute it to every client that uses them. If several applications share the credentials and one of them is missed, that application fails at the next rotation. Because of this risk, many customers choose not to rotate credentials regularly, effectively trading one risk (a missed update) for another (a long-lived credential that may already have leaked).
The diagram below depicts the most basic scenario. The diagram shows how you can save database credentials in Secrets Manager and then use those credentials in an application to access the database.
a. Programmatically retrieve encrypted secret values at runtime
Secrets Manager improves your security posture by removing hard-coded credentials from application source code and from the deployed artifact. Credentials stored in or alongside the application are exposed to anyone who can read the code, the repository history, the build output, the container image or the running host. Hard-coding also makes rotation difficult, because you must change the application and deploy it to every client before the old credentials can be retired.
AWS Secrets Manager replaces the stored credentials with a runtime call to the Secrets Manager API (GetSecretValue), so the application fetches the current value dynamically and never ships with a credential baked in.
b. Store different types of secrets
Secrets Manager stores the sensitive content of a secret as an encrypted value, either a string (SecretString, usually a JSON document) or binary data (SecretBinary), of up to 64 KB. For a database secret this usually comprises the connection information: the server name or host, IP address, port number, database engine, and the user name and password used to access the service. The following metadata is stored with the secret but is not part of the encrypted value:
Secret name and description
Rotation or expiration settings
ARN of the KMS key associated with the secret
Any attached AWS tags
c. Encrypt your secret data
Secrets Manager encrypts the protected value with AWS Key Management Service (AWS KMS), the same service many AWS services use for key storage and encryption. It uses envelope encryption: each secret version is encrypted under a unique data key, and that data key is itself encrypted under the KMS key associated with the secret, so the value is never stored in plaintext at rest. Every secret is associated with exactly one KMS key, either the AWS managed key for Secrets Manager in your account (aws/secretsmanager) or a customer managed key you create in AWS KMS. With a customer managed key, a caller needs kms:Decrypt on that key in addition to secretsmanager:GetSecretValue, which gives you a second, independent access control and a separate audit trail in the key's CloudTrail events.
d. Automatically rotate your secrets
Once rotation is configured, Secrets Manager rotates the secret on the schedule you define (a fixed interval in days or a cron expression) without any user intervention; you can also trigger a rotation on demand.
Rotation is implemented by an AWS Lambda function. Secrets Manager invokes the function once per step, passing the secret's identifier, the version identifier (ClientRequestToken) of the new version and the step name, so the function must be idempotent and safe to retry. The four steps are:
createSecret: generates a new credential, stores it as a new version of the secret and labels that version AWSPENDING.
setSecret: configures the protected service (for example, changes the database password) to accept the pending credential.
testSecret: verifies that the pending version actually works against the service.
finishSecret: moves the AWSCURRENT label to the new version, which makes it the production version; the previous version becomes AWSPREVIOUS.
Secrets Manager provides ready-to-use rotation functions for secrets of the following database engines:
Amazon Aurora on Amazon RDS
MySQL on Amazon RDS
PostgreSQL on Amazon RDS
Oracle on Amazon RDS
MariaDB on Amazon RDS
Microsoft SQL Server on Amazon RDS
3. Steps to Configure AWS Secrets Manager:
Navigate to the AWS Secrets Manager console.
Click Store a new secret.
Select the secret type (for example, credentials for an Amazon RDS database), enter the user name and password, and choose the database the secret will be used to access.
Choose the encryption key used to encrypt the secret value: the default AWS managed key (aws/secretsmanager) or a customer managed KMS key.
After selecting all the details, click Next.
Give the secret a name that identifies it easily, along with a description.
Add tags if required.
Add a resource policy if the secret must be accessed from other AWS accounts; scope it to the specific principals and actions that need it.
Choose whether to replicate the secret to other Regions.
Click Next after selecting all the details.
On the next page, enable automatic rotation, set the rotation interval and choose or create the Lambda rotation function. Click Next after selecting all the details.
On the next page, review all the details and click Store.
The new secret now appears in the Secrets Manager console.
AWS Secrets Manager lets you replace hard-coded credentials, such as passwords, in your code with an API call that retrieves the secret programmatically. Because the secret is no longer in the code, it cannot be recovered by someone who obtains the source, the build artifact or the repository history. Note that the secret still exists in memory on the host at runtime and is readable by any principal that holds secretsmanager:GetSecretValue on it, so scope IAM permissions to the specific secret ARNs each application needs and monitor GetSecretValue calls in CloudTrail. You can also have Secrets Manager rotate the secret on a predefined schedule, replacing a long-term credential with short-lived ones and significantly reducing the window in which a leaked credential is useful.
The configured secrets can be used from any database application to add a layer of protection for your databases. AWS Secrets Manager is also in scope for compliance programs such as HIPAA, PCI DSS, ISO, SOC and FedRAMP.
5. About CloudThat
CloudThat is an official AWS (Amazon Web Services) Advanced Consulting Partner and Training Partner and a Microsoft Gold Partner, helping people develop knowledge of the cloud and helping their businesses aim for higher goals using best-in-industry cloud computing practices and expertise. We are on a mission to build a robust cloud computing ecosystem by disseminating knowledge on technological intricacies within the cloud space. Our blogs, webinars, case studies, and white papers enable all the stakeholders in the cloud computing sphere.
CloudThat is a house of all-encompassing IT services on the cloud, offering Multi-cloud Security & Compliance, Cloud Enablement Services, Cloud-Native Application Development, OTT-Video Tech Delivery Services, Training and Development, and System Integration Services. Explore our consulting and expert advisory services here.
1. How will my application make use of these secrets?
To begin with, create an AWS Identity and Access Management (IAM) policy that allows the application's role to read only the specific secrets it needs (secretsmanager:GetSecretValue on those secret ARNs, plus kms:Decrypt on the key if the secret is encrypted with a customer managed key). Then, in the application source code, replace the plain-text secrets with code that retrieves them programmatically at runtime through the Secrets Manager API.
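As an added example (not code from this page or from AWS) covering both the runtime retrieval described in section a and the IAM policy mentioned in this answer, the following shows a client-side retrieval path: fetching the AWSCURRENT version, validating the JSON fields an RDS-style database secret carries, mapping them to psycopg2-style connect() arguments, caching the result with a TTL and an invalidate() hook for use after an authentication failure, and generating the least-privilege policy statement for the application role. It runs offline against a constructed stand-in for the boto3 client; the secret name, ARN and credential values are placeholders, and boto3 is only imported on the real deployment path.

```python
import json
import time

REQUIRED_FIELDS = ("engine", "host", "port", "username", "password", "dbname")

def parse_secret_response(response):
    """Decode a GetSecretValue response into a dict. RDS-style secrets are JSON in
    SecretString; boto3 returns a binary secret as already-decoded bytes in SecretBinary."""
    if "SecretString" in response:
        raw = response["SecretString"]
    else:
        raw = response["SecretBinary"].decode("utf-8")
    return json.loads(raw)

def get_db_credentials(client, secret_id):
    """Fetch the AWSCURRENT version and validate it. Asking for AWSCURRENT explicitly means
    a rotation in progress (AWSPENDING) is never picked up before it has been tested."""
    resp = client.get_secret_value(SecretId=secret_id, VersionStage="AWSCURRENT")
    creds = parse_secret_response(resp)
    missing = [f for f in REQUIRED_FIELDS if f not in creds]
    if missing:
        raise ValueError(f"secret {secret_id} is missing fields {missing}")
    creds["port"] = int(creds["port"])  # the console stores the port as a string
    return creds

def connection_kwargs(creds):
    """Map the secret to the keyword arguments a DB driver's connect() expects (psycopg2 names)."""
    return {"host": creds["host"], "port": creds["port"], "user": creds["username"],
            "password": creds["password"], "dbname": creds["dbname"]}

class CredentialCache:
    """Cache the secret for ttl seconds instead of calling the API per connection.
    invalidate() after an authentication failure forces a re-fetch, which is how an
    application picks up a rotated password without a restart."""
    def __init__(self, client, secret_id, ttl=300, clock=time.monotonic):
        self.client, self.secret_id, self.ttl, self.clock = client, secret_id, ttl, clock
        self._creds, self._fetched_at = None, None

    def get(self):
        if self._creds is None or self.clock() - self._fetched_at > self.ttl:
            self._creds = get_db_credentials(self.client, self.secret_id)
            self._fetched_at = self.clock()
        return self._creds

    def invalidate(self):
        self._creds = None

def least_privilege_policy(secret_arn):
    """IAM policy for the application role: read one secret, current version only.
    Add kms:Decrypt on the secret's key if it is encrypted with a customer managed key."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "secretsmanager:GetSecretValue",
        "Resource": secret_arn,
        "Condition": {"StringEquals": {"secretsmanager:VersionStage": "AWSCURRENT"}}}]}

class FakeSecretsManagerClient:
    """Constructed offline stand-in for boto3.client('secretsmanager'); counts API calls."""
    def __init__(self, secret_string):
        self.secret_string, self.calls = secret_string, 0

    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        self.calls += 1
        return {"Name": SecretId, "SecretString": self.secret_string, "VersionStages": [VersionStage]}

SAMPLE_SECRET = json.dumps({  # constructed value in the shape RDS database secrets use
    "engine": "postgres", "host": "db.example.internal", "port": "5432",
    "dbname": "app", "username": "app_user", "password": "s3cr3t-value"})

if __name__ == "__main__":
    import boto3  # real deployment: the role's policy must allow GetSecretValue on this secret
    cache = CredentialCache(boto3.client("secretsmanager"), "prod/app/db")  # secret name is a placeholder
    print(connection_kwargs(cache.get())["host"])
```

The cache is deliberately short-lived and explicitly invalidated on failure: an application that fetches the secret once at startup and holds it forever will fail to open new connections after a rotation, while one that calls the API for every connection pays latency and hits request quotas. The VersionStage condition in the policy stops the application from reading a pending, untested version even if it asks for one.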
2. How does AWS Secrets Manager handle database credential rotation while minimizing the effect on applications?
AWS Secrets Manager lets you schedule rotation of database credentials, so you can follow security best practice and rotate them regularly. With the alternating-users rotation strategy, Secrets Manager uses the superuser (master) credentials you provide to create a clone of the application user with the same privileges but a new password, then labels the clone's credentials AWSCURRENT; applications that fetch the secret receive the clone's credentials, while the previous user remains valid until the next rotation, so in-flight clients are not locked out. With the single-user strategy, the user's own password is changed in place instead.
3. Will changing database credentials affect open connections?
No. Authentication takes place when a connection is established, and an open database connection is not re-authenticated when AWS Secrets Manager rotates a credential. New connections, however, must use the rotated value: an application that caches the secret indefinitely may fail to reconnect after a rotation, so retrieve the secret again (or invalidate the cached copy) when authentication fails rather than retrying with the stale credential.
4. How can I find out when AWS Secrets Manager rotates a database credential?
You can configure Amazon EventBridge (formerly Amazon CloudWatch Events) to notify you when AWS Secrets Manager rotates a secret. You can also check the LastRotatedDate returned by DescribeSecret, in the Secrets Manager console or through the API, to see when Secrets Manager last rotated a secret.