100 Days of AWS — Day 17: AWS Secrets Manager

Prashant Lakhera
4 min read · Apr 22, 2022


To view the complete course, please enroll using the link below (it’s free):

https://www.101daysofdevops.com/courses/100-days-of-aws/

Welcome to Day 17 of 100 Days of AWS. The topic for today is AWS Secrets Manager.

AWS Secrets Manager helps you store, rotate, manage and retrieve secrets such as database credentials, API keys and other secrets throughout their lifecycle. It also provides built-in rotation for MySQL, PostgreSQL and Aurora databases on RDS; rotation for other types of secrets can be done with a Lambda function. To retrieve a secret, your application calls the Secrets Manager API. Secrets are versioned so that applications don’t break when secrets are rotated.

Advantages

  • Safe rotation of secrets: Secrets Manager rotates secrets on a schedule and lets applications or users retrieve the most recent secret without a code deployment.
  • Central location for securing and auditing: Secrets Manager is integrated with CloudTrail and CloudWatch, which lets you monitor and log access to secrets.
  • Fine-grained permission control: access to secrets is controlled with AWS Identity and Access Management (IAM) policies. You can use resource-based policies for cross-account access.

To create a secret, follow these steps:

  • Click on Store a new secret. On the next screen, Secrets Manager gives you five options for storing a secret. For this blog I am choosing “Credentials for Amazon RDS database”, but choose the option that fits your requirement. In the credentials field, enter the user name and password. You can encrypt your credentials either with the default KMS encryption key or with a key you create yourself. Finally, select the database where you want to use the secret.
  • On the next screen, give your secret a name and click Next.
  • This is the most important screen: here you configure automatic rotation. I have configured it to rotate every 30 days, but you can configure it based on your requirement.
  • On the review screen, if the configuration looks good, click on Store.
  • In the backend, Secrets Manager uses CloudFormation to create resources such as a Lambda function (to rotate the secret) and an IAM role (to interact with resources).

NOTE: If you turn on automatic rotation, the first rotation will happen immediately when you store this secret.

  • Make sure your application is updated to use this code. You can find the code on the review screen.
  • You can retrieve the secret from the command line:
aws secretsmanager get-secret-value --secret-id <secret id>
aws secretsmanager get-secret-value --secret-id mysqldb-pass
  • On the next screen, give your rule a name and click on Create rule.
  • Now, if you try to delete the secret, you will get an alert like this:
  • You can configure an IAM policy that allows read access to specific secrets you create in AWS Secrets Manager:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetResourcePolicy",
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret",
        "secretsmanager:ListSecretVersionIds"
      ],
      "Resource": [
        "arn:aws:secretsmanager:us-west-2:XXXXX:secret:mysqldb-pass-uKbpxU"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "secretsmanager:ListSecrets",
      "Resource": "*"
    }
  ]
}
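Retrieving the secret from application code so that a rotation does not break the app, as an added example that is not from the original post. boto3.client("secretsmanager").get_secret_value() is the real call; StubSecretsClient is a constructed offline stand-in with the same call and response shape, and the secret name, host and passwords are constructed sample values.

```python
import json

SECRET_ID = "mysqldb-pass"  # the secret name used in the post

class StubSecretsClient:
    """Constructed offline stand-in for boto3.client("secretsmanager")."""

    def __init__(self):
        # Constructed sample in the JSON layout of an RDS-type secret.
        self.current = {"username": "admin", "password": "pass-v1",
                        "engine": "mysql", "host": "db.internal", "port": 3306}

    def rotate(self, new_password):
        # Simulate the rotation Lambda: DB user and secret both get the new value.
        self.current = dict(self.current, password=new_password)

    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        assert SecretId == SECRET_ID and VersionStage == "AWSCURRENT"
        return {"Name": SecretId, "SecretString": json.dumps(self.current)}

class DbCredentials:
    """Caches the secret and re-reads AWSCURRENT once when authentication
    fails, which is how an app picks up a rotated password with no redeploy."""

    def __init__(self, client, secret_id=SECRET_ID):
        self.client, self.secret_id, self.cached = client, secret_id, None

    def fetch(self):
        resp = self.client.get_secret_value(SecretId=self.secret_id)
        self.cached = json.loads(resp["SecretString"])  # RDS secrets are JSON
        return self.cached

    def connect(self, try_connect):
        """try_connect(creds) -> bool; on failure refresh the cache, retry once."""
        if try_connect(self.cached or self.fetch()):
            return True
        return try_connect(self.fetch())  # cache was stale after a rotation

def demo_rotation():
    """Returns (ok_before, ok_after_rotation, cached_password)."""
    client = StubSecretsClient()
    db = DbCredentials(client)

    def try_connect(creds):  # stands in for a DB driver; accepts current pw
        return creds["password"] == client.current["password"]

    before = db.connect(try_connect)  # cold cache: fetch, then connect
    client.rotate("pass-v2")
    after = db.connect(try_connect)  # stale cache fails, refresh succeeds
    return before, after, db.cached["password"]
```

The IAM identity running this code needs only the read actions from the policy above (GetSecretValue and DescribeSecret at minimum) on that secret's ARN.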


Prashant Lakhera

AWS Community Builder, Ex-Redhat, Author, Blogger, YouTuber, RHCA, RHCDS, RHCE, Docker Certified,4XAWS, CCNA, MCP, Certified Jenkins, Terraform Certified, 1XGCP