AWS Secrets Manager
AWS Secrets Manager: why do we use it?
This AWS service offers many more possibilities than are covered here. Below you can find more information about Secrets Manager and, most importantly, the best practices.
What is it?
In the past, when you created a custom application to retrieve information from a database, you typically embedded the credentials, the secret, for accessing the database directly in the application. When the time came to rotate the credentials, you had to do more than just create new credentials. You had to invest time to update the application to use the new credentials. Then you distributed the updated application. If you had multiple applications with shared credentials and you missed updating one of them, the application failed. Because of this risk, many customers choose not to regularly rotate credentials, which effectively substitutes one risk for another.
Secrets Manager enables you to replace hardcoded credentials in your code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically. This helps ensure the secret can't be compromised by someone examining your code, because the secret no longer exists in the code. Also, you can configure Secrets Manager to automatically rotate the secret for you according to a specified schedule. This enables you to replace long-term secrets with short-term ones, significantly reducing the risk of compromise.
Important notions about Secrets Manager
Secret
In Secrets Manager, a secret consists of a set of credentials, user name and password, and the connection details used to access a secured service. You want to store these securely, and ensure only authorized users can access them. Secrets Manager always stores the secret text in an encrypted form and encrypts the secret in transit.
IAM Permission
Secrets Manager uses IAM permission policies to ensure only authorized users can access or modify the secret. You can attach these policies to users or roles, and specify which secrets the users can access.
ARN
An Amazon Resource Name (ARN) is a naming convention used to uniquely identify a particular resource in the Amazon Web Services (AWS) public cloud. ARNs, which are specific to AWS, help an administrator track and reference AWS resources and policies across AWS products and API calls; for Secrets Manager, an IAM policy names the secret it grants access to by its ARN.
How does it work?
- The AWS CLI and the AWS Console let you access and retrieve secrets from Secrets Manager manually. We provide a wiki for using the AWS Console as a temporary solution until the developers of our customers have finished implementing Secrets Manager in their applications.
- The AWS SDK allows developers to integrate Secrets Manager into their code, so that secrets are retrieved from Secrets Manager automatically at runtime. Click here to access the wiki for developers, which explains how to implement Secrets Manager in their code and retrieve secrets. This is the best practice for retrieving your secrets.
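The following is an added example, not code from the original page or from AWS, showing the SDK path described above in Python with boto3: a least-privilege IAM policy for one secret (the "IAM Permission" notion), a parser for the secret's ARN (the "ARN" notion), and a retrieval function that takes any client with boto3's get_secret_value signature so it can be exercised offline with a constructed fake. The secret name prod/app/db, the account id 123456789012, the region and the credential values are constructed placeholders.

```python
"""Added example: reading a secret with the AWS SDK (boto3) instead of
hardcoding it. Names, ARNs and credential values below are constructed."""
import json
import re

try:
    import boto3  # the real AWS SDK; only needed when no client is injected
except ImportError:  # keeps the module importable where the SDK is absent
    boto3 = None

# ARN layout: arn:partition:service:region:account:resource
_ARN_RE = re.compile(
    r"^arn:(?P<partition>[^:]+):(?P<service>[^:]+):(?P<region>[^:]*):"
    r"(?P<account>[^:]*):(?P<resource>.+)$"
)


def parse_arn(arn):
    """Split an ARN into its fields; Secrets Manager resources look like
    'secret:<name>-<suffix>'. Raises ValueError on malformed input."""
    match = _ARN_RE.match(arn)
    if not match:
        raise ValueError("not an ARN: %r" % (arn,))
    return match.groupdict()


def read_only_policy(secret_arn):
    """IAM policy document granting only read access to one secret, so the
    application can retrieve but never modify or delete it."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["secretsmanager:GetSecretValue"],
                "Resource": secret_arn,
            }
        ],
    }


def get_secret(client, secret_id):
    """Retrieve a secret through the SDK and return it as a dict.

    `client` is any object exposing get_secret_value(SecretId=...) like a
    boto3 secretsmanager client. Both SecretString and SecretBinary
    responses are handled (boto3 already base64-decodes SecretBinary)."""
    response = client.get_secret_value(SecretId=secret_id)
    if "SecretString" in response:
        raw = response["SecretString"]
    else:
        raw = response["SecretBinary"].decode("utf-8")
    try:
        return json.loads(raw)  # the usual key/value layout for DB credentials
    except ValueError:
        return {"value": raw}  # plain-text secret, returned under one key


def db_credentials(secret_id="prod/app/db", client=None):
    """Return (username, password) for the database, fetched at runtime.
    Nothing here is logged: the values exist only in memory."""
    if client is None:
        if boto3 is None:
            raise RuntimeError("boto3 not installed; inject a client instead")
        client = boto3.client("secretsmanager")
    creds = get_secret(client, secret_id)
    return creds["username"], creds["password"]


class FakeSecretsClient:
    """Constructed stand-in for the boto3 client, for offline demonstration.
    Maps SecretId -> response in the shape boto3 returns."""

    def __init__(self, responses):
        self._responses = responses

    def get_secret_value(self, SecretId):
        if SecretId not in self._responses:
            # boto3 raises client.exceptions.ResourceNotFoundException here
            raise KeyError("ResourceNotFoundException: %s" % SecretId)
        return self._responses[SecretId]


SAMPLE_RESPONSES = {  # constructed sample data
    "prod/app/db": {
        "SecretString": json.dumps(
            {"username": "app", "password": "example-pw", "host": "db.internal"}
        )
    },
    "prod/app/token": {"SecretBinary": b"opaque-token-bytes"},
}

if __name__ == "__main__":
    user, _pw = db_credentials(client=FakeSecretsClient(SAMPLE_RESPONSES))
    print("retrieved credentials for user", user)  # the password is not printed
```

In production the caller omits `client`, boto3 picks up the role credentials of the instance, container or Lambda function, and the role carries a policy like the one `read_only_policy` builds for the secret's ARN; the fake client exists only so the retrieval logic can be tested without network access.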
The diagram (not reproduced here) highlights in red, with an arrow and a box, the recommended way to retrieve secrets from another AWS account.