What's AWS Secrets Manager? Advantages, Features

 


Use AWS Secrets Manager to centrally manage the secrets lifecycle.

AWS Secrets Manager: What is it?

AWS Secrets Manager helps you manage, retrieve, and rotate OAuth tokens, API keys, database credentials, application credentials, and other secrets. Many AWS services use Secrets Manager to store and retrieve the secrets they need.

By eliminating the need for hard-coded credentials in application source code, Secrets Manager strengthens your security posture: credentials stored in Secrets Manager rather than in the application cannot be recovered by someone who inspects the application or its components. Where the code needs a credential, you replace the hard-coded value with a runtime call to the Secrets Manager service that retrieves the current value dynamically.

You can also configure an automatic rotation schedule in Secrets Manager. Replacing long-term secrets with short-term ones in this way significantly reduces the likelihood of compromise, and because the credentials are no longer stored with the application, rotating them no longer requires updating your applications and shipping changes to application clients.

Benefits

  • Securely encrypt and audit secrets centrally.
  • Limit who can access confidential information.
  • Independently rotate secrets.
  • Replicate secrets to support disaster recovery plans.

Use cases

Protect your secrets

Organize and save API keys, credentials, and other confidential information in one location.

To manage access, implement fine-grained policies

Use AWS Identity and Access Management (IAM) authorization rules to limit who may access your secrets.

Automatically rotate secrets

Rotate secrets as needed or on a schedule without redeploying or disrupting active applications.

Examine and monitor the usage of secrets

Link secrets to the monitoring, logging, and alerting services offered by AWS.

AWS Secrets Manager features

Keeping secrets safe

AWS Secrets Manager protects secrets while they are at rest using encryption keys that you own and store in AWS Key Management Service (AWS KMS).
  • When you obtain the secret, Secrets Manager decrypts it and securely transmits it to your local environment over TLS.
  • Secrets Manager integrates with AWS Identity and Access Management (IAM) to control access to the secret using resource-based and fine-grained IAM policies.

Automatically rotating secrets without affecting applications

You can use AWS Secrets Manager to rotate secrets on a schedule or on demand from the Secrets Manager console, the AWS SDK, or the AWS CLI.

Secrets Manager natively supports rotating credentials for clusters hosted on Amazon Redshift and databases hosted on Amazon RDS and Amazon DocumentDB.

You can extend Secrets Manager to rotate secrets used with other AWS or third-party services by modifying the sample Lambda rotation functions.

Automatically replicate secrets across multiple AWS Regions

You can use AWS Secrets Manager to replicate your secrets automatically to several AWS Regions to meet your disaster recovery and cross-Region redundancy requirements. You specify the AWS Regions a secret should be replicated to, and Secrets Manager securely creates regional read replicas; there is no custom replication solution for you to maintain. Secrets Manager keeps the replicas in sync with the primary secret, so your multi-Region applications can read the replicated secret in whichever Region they need it.

Retrieving secrets via programming

Build security into your applications by retrieving secrets programmatically instead of embedding them.
  • Code examples for calling Secrets Manager: Secrets Manager offers APIs for widely used programming languages. There are two ways to retrieve secrets through them:
    • Retrieve one secret by name or ARN.
    • Retrieve a group of secrets by providing a list of names or ARNs, or filter criteria such as tags.
  • Configure Amazon Virtual Private Cloud (VPC) endpoints so that traffic between your VPC and Secrets Manager stays inside the AWS network.
  • To improve availability and reduce latency when retrieving secrets, use the Secrets Manager client-side caching libraries.
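The following is an added example (not code from the page or from AWS) of the pattern the list above describes: a runtime `get_secret_value` call behind a small TTL cache, so credentials never live in source code and a rotated value is picked up when the cache entry expires. `FakeSecretsClient` is a constructed stand-in for `boto3.client("secretsmanager")` so the code runs offline; `SecretCache` is this example's own minimal cache, not the AWS caching library.

```python
import json
import time

class FakeSecretsClient:
    """Stand-in for a boto3 Secrets Manager client (constructed for this example).
    It mimics get_secret_value's response shape so the code runs offline; with real
    AWS you would pass boto3.client("secretsmanager") to SecretCache instead."""
    def __init__(self, secrets):
        self.secrets = secrets  # secret name -> SecretString
        self.calls = 0          # API round-trips, to show the cache working

    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        self.calls += 1
        if SecretId not in self.secrets:
            raise LookupError(f"ResourceNotFoundException: {SecretId}")
        return {"Name": SecretId, "SecretString": self.secrets[SecretId],
                "VersionStages": [VersionStage]}

class SecretCache:
    """TTL cache in front of get_secret_value, in the spirit of the AWS client-side
    caching libraries: fewer API calls, and entries expire so a rotated value is
    picked up without redeploying the application."""
    def __init__(self, client, ttl_seconds=300, now=time.monotonic):
        self.client, self.ttl, self.now = client, ttl_seconds, now
        self._entries = {}  # secret id -> (expires_at, parsed value)

    def get(self, secret_id):
        hit = self._entries.get(secret_id)
        if hit and hit[0] > self.now():
            return hit[1]
        resp = self.client.get_secret_value(SecretId=secret_id, VersionStage="AWSCURRENT")
        raw = resp.get("SecretString")
        if raw is None:
            raise ValueError("binary secrets (SecretBinary) are out of scope here")
        try:
            value = json.loads(raw)  # database credentials are stored as JSON key/value pairs
        except json.JSONDecodeError:
            value = raw              # plain-string secrets such as an API key
        self._entries[secret_id] = (self.now() + self.ttl, value)
        return value

    def invalidate(self, secret_id):
        """Drop an entry, e.g. after an auth failure that suggests the secret just rotated."""
        self._entries.pop(secret_id, None)

def build_db_dsn(cache, secret_id):
    """Assemble the connection string at runtime instead of hard-coding credentials."""
    s = cache.get(secret_id)
    return f"postgresql://{s['username']}:{s['password']}@{s['host']}:{s['port']}/{s['dbname']}"
```

Call `cache.invalidate(...)` when a connection attempt is rejected with an authentication error so the next call fetches the freshly rotated credential rather than waiting for the TTL.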

Examine and monitor the usage of secrets

AWS Secrets Manager lets you audit and monitor secrets through its integration with AWS logging, monitoring, and notification services. For example, once AWS CloudTrail is enabled for an AWS Region, you can audit when a secret was created or rotated by inspecting the CloudTrail logs. Similarly, you can configure Amazon CloudWatch Events to push a notification when Secrets Manager rotates a secret, and configure Amazon CloudWatch to send an email through Amazon Simple Notification Service when a secret has not been used for a period of time.
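As an added example (not from the page or from AWS) of the kind of audit the paragraph describes, the function below walks CloudTrail records for Secrets Manager and reports the create and rotate events per secret, reads by principals outside an allow list, denied reads, and secrets whose last rotation is older than a threshold. The records in `SAMPLE_EVENTS` are constructed and trimmed to the fields used; the account ID and addresses are documentation placeholders.

```python
from datetime import datetime, timedelta, timezone

# Constructed CloudTrail records (not real log data), trimmed to the fields used below.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "CreateSecret",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/admin"},
     "requestParameters": {"name": "prod/db"}, "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-05-02T03:00:00Z", "eventName": "RotateSecret",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/admin"},
     "requestParameters": {"secretId": "prod/db"}, "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-05-20T12:00:00Z", "eventName": "GetSecretValue",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/orders-app/i-0abc"},
     "requestParameters": {"secretId": "prod/db"}, "sourceIPAddress": "10.0.1.5"},
    {"eventTime": "2024-05-21T23:15:00Z", "eventName": "GetSecretValue",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {"secretId": "prod/db"}, "sourceIPAddress": "198.51.100.7"},
]

LIFECYCLE = ("CreateSecret", "RotateSecret", "PutSecretValue", "DeleteSecret")

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_secret_events(events, allowed_readers, now, max_rotation_age_days=30):
    """Review CloudTrail records for Secrets Manager: record lifecycle events per
    secret, flag reads by principals outside the allow list or that were denied,
    and flag secrets whose last rotation is older than max_rotation_age_days."""
    report = {"lifecycle": {}, "findings": []}
    last_rotation = {}
    for e in events:
        name, actor = e["eventName"], e["userIdentity"]["arn"]
        params = e.get("requestParameters") or {}
        secret = params.get("secretId") or params.get("name")
        when = parse_time(e["eventTime"])
        if name in LIFECYCLE:
            report["lifecycle"].setdefault(secret, []).append((name, e["eventTime"], actor))
            if name in ("CreateSecret", "RotateSecret", "PutSecretValue"):
                last_rotation[secret] = max(last_rotation.get(secret, when), when)
        elif name == "GetSecretValue":
            if "errorCode" in e:  # e.g. AccessDenied: a principal tried to read a secret it cannot
                report["findings"].append(f"denied read of {secret} by {actor} from {e['sourceIPAddress']}")
            elif not any(actor.startswith(p) for p in allowed_readers):
                report["findings"].append(f"read of {secret} by unexpected principal {actor}")
    for secret, t in last_rotation.items():
        age = (now - t).days
        if age > max_rotation_age_days:
            report["findings"].append(f"{secret} last rotated {age} days ago")
    return report
```

In practice you would feed this the records delivered by CloudTrail to S3 or CloudWatch Logs, and the allow list would be the role ARN prefixes of the workloads that legitimately read each secret.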

Compliance

AWS Secrets Manager can help you meet compliance standards.
  • To ensure that your secrets adhere to your organization's security and compliance requirements, use AWS Config Rules.
  • Secrets Manager supports compliance with the Payment Card Industry Data Security Standard (PCI DSS), FedRAMP, HIPAA, ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, ISO 9001, and the Department of Defense Cloud Computing Security Requirements Guide (DoD CC SRG IL2, IL4, and IL5).

Secrets Manager Integration

AWS services integrate with Secrets Manager to manage your credentials securely. These integrations let you exchange credentials securely between AWS services. Credentials stored in Secrets Manager are encrypted with either a customer managed or an AWS managed KMS key, and Secrets Manager rotates them regularly to maintain a high degree of protection. Once a secret is stored in Secrets Manager, you can give an AWS service the secret's ARN instead of a plaintext credential.
