A few weeks ago, Amazon released their AWS Secrets Manager for public use. This is a very welcome announcement. Despite the fact that everyone knows security and encryption are important in cloud applications and infrastructure, simple security measures are often overlooked. More people and applications use plain-text passwords and hand-modified config files than you would think, often with the mindset that “we’ll secure it later.” This is a big security risk, as anyone with access to the config file now knows the password, so an easy-to-use secret management service can be a real game changer.
Generally, secret management requires knowledge, infrastructure, time, and additional complexity to ensure your security needs are met. It also usually involves an additional tool like Hashicorp Vault, Chef Vault, or git-crypt. AWS also has a tool to manage encryption keys called Key Management Service, which some people use for secret management, but it is really more suited to encryption and decryption.
Now with AWS Secrets Manager, secrets and credentials can be stored securely, while still being easily accessed from other AWS services. Setup is very quick, and doesn’t require any new instances or installation of software or tools. You also don’t need to know details about encryption or best practices, and the solution is much less complex than most free tools.
So what kinds of things will this service help with? The biggest benefit is for applications and services that have moved to a microservices architecture, where individual pieces of the application that live in AWS are all talking to each other via APIs or message queues. For example, if you’re using Amazon’s RDS service, credentials for your database can be encrypted, accessed via the API or AWS CLI, automatically rotated, and accessed based on IAM policies. There’s also built-in Lambda integration, so you can run scripts to customize things like your secret rotation policy.
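As an added illustration of the access-and-rotation flow described above (not code from the original post or from AWS), here is how an application can pull database credentials from Secrets Manager instead of a config file and cope with a rotated password. The secret name `prod/db`, the credential values and the `FakeSecretsClient` are constructed for an offline run; in production, `client` would be `boto3.client("secretsmanager")`, and the IAM role the code runs under needs only `secretsmanager:GetSecretValue` on that one secret.

```python
import json

def parse_secret_value(response):
    """GetSecretValue returns SecretString (normally JSON) or SecretBinary (bytes)."""
    if "SecretString" in response:
        raw = response["SecretString"]
    elif "SecretBinary" in response:
        raw = response["SecretBinary"].decode("utf-8")  # boto3 hands back bytes
    else:
        raise ValueError("response has neither SecretString nor SecretBinary")
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return {"value": raw}  # a plain-string secret rather than a JSON document

def fetch_credentials(client, secret_id, stage="AWSCURRENT"):
    """Read one version of a secret; client is a boto3 'secretsmanager' client."""
    return parse_secret_value(client.get_secret_value(SecretId=secret_id, VersionStage=stage))

def connect_with_rotation(client, secret_id, connect, cache):
    """Connect with cached credentials; on a rejected password (connect raises
    PermissionError) re-fetch once, since rotation stages the new one as AWSCURRENT."""
    creds = cache.get(secret_id) or fetch_credentials(client, secret_id)
    cache[secret_id] = creds
    try:
        return connect(creds)
    except PermissionError:
        creds = cache[secret_id] = fetch_credentials(client, secret_id)
        return connect(creds)

class FakeSecretsClient:
    """Constructed stand-in for the boto3 client so the example runs offline."""
    def __init__(self, secret_string):
        self.secret_string, self.calls = secret_string, 0
    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        self.calls += 1
        return {"Name": SecretId, "SecretString": self.secret_string}

def demo():
    """Simulate a rotation: the cached password is stale, the re-fetch succeeds."""
    client = FakeSecretsClient(json.dumps({"username": "app", "password": "new-pw"}))
    def connect(creds):
        if creds["password"] != "new-pw":
            raise PermissionError("authentication failed")
        return "connected as " + creds["username"]
    cache = {"prod/db": {"username": "app", "password": "old-pw"}}  # stale entry
    return connect_with_rotation(client, "prod/db", connect, cache), client.calls
```

How a real database driver signals a bad password varies, so map its own exception to `PermissionError` before handing it to `connect_with_rotation`.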
Pricing for this service is along the same general lines as other AWS services. Currently, each secret costs $0.40 to store, and costs $0.05 for every 10,000 API calls to access those secrets. Considering the time and effort it normally takes for proper secret management, this can be a very cost-effective way to store secrets for use in your AWS environment.
Data breaches happen all the time — in 2018 alone, there have already been breaches involving Facebook, Under Armour/MyFitnessPal, and Saks Fifth Avenue. There is no better time than now to review your system and account security. AWS Secrets Manager is a quick and easy way to implement some security best practices for your microservices-based applications, so you and your team can securely store and rotate secrets that would normally have been in plain text or sitting in a config file. We look forward to implementing this in our own AWS accounts!