AWS Secrets Manager Cheat Sheet

• A secret management service that enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.

Features

• • AWS Secrets Manager encrypts secrets at rest using encryption keys that you own and store in AWS Key Management Service [customer managed keys]. When you retrieve a secret, Secrets Manager decrypts the secret and transmits it securely over TLS to your local environment.
  • You can rotate secrets on a schedule or on demand by using the Secrets Manager console, AWS SDK, or AWS CLI.
  • Secrets Manager natively supports rotating credentials for databases hosted on Amazon RDS and Amazon DocumentDB and clusters hosted on Amazon Redshift.
  • You can extend Secrets Manager to rotate other secrets, such as credentials for Oracle databases hosted on EC2 or OAuth refresh tokens, by using custom AWS Lambda functions.

• A secret consists of a set of credentials (user name and password), and the connection details used to access a secured service.
• A secret also contains metadata which include:
  • Basic information includes the name of the secret, a description, and the Amazon Resource Name (ARN) to serve as a unique identifier.
  • The ARN of the AWS KMS key Secrets Manager uses to encrypt and decrypt the protected text in the secret. If you don’t provide this information, Secrets Manager uses the default AWS KMS key for the account.
  • Information about how frequently to rotate the key and what Lambda function to use to perform the rotation.
  • A user-provided set of tags. You can attach tags as key-value pairs to AWS resources for organizing, logical grouping, and cost allocation.
• A secret can contain versions:
  • Although you typically only have one version of the secret active at a time, multiple versions can exist while you rotate a secret on the database or service. Whenever you change the secret, Secrets Manager creates a new version.
  • Each version holds a copy of the encrypted secret value.
  • Each version can have one or more staging labels attached identifying the stage of the secret rotation cycle.
• Supported Secrets
  • Database credentials, on-premises resource credentials, SaaS application credentials, third-party API keys, and SSH keys. 
  • You can also store JSON documents.
• To retrieve secrets, you simply replace secrets in plain text in your applications with code to pull in those secrets programmatically using the Secrets Manager APIs.
• Secrets can be cached on the client side, and updated only during a secret rotation.
• During the secret rotation process, Secrets Manager tracks the older credentials, as well as the new credentials you want to start using, until the rotation completes. It tracks these different versions by using staging labels.

How Secret Rotation Works

• • The rotation function contacts the secured service authentication system and creates a new set of credentials to access the database. Secrets Manager stores these new credentials as the secret text in a new version of the secret with the AWSPENDING staging label attached.
  • The rotation function then tests the AWSPENDING version of the secret to ensure that the credentials work, and grants the required level of access to the secured service.
  • If the tests succeed, the rotation function then moves the label AWSCURRENT to the new version to mark it as the default version. Then, all of the clients start using this version of the secret instead of the old version. The function also assigns the label AWSPREVIOUS to the old version. The version that had AWSPREVIOUS staging label now has no label, and therefore deprecated.
• Network Setup for Secret Rotation
  • When rotating secrets on natively supported services, Secrets Manager uses CloudFormation to build the rotation function and configure the network connection between the two.
    • If your protected database service runs in a VPC and is not publicly accessible, then the CloudFormation template configures the Lambda rotation function to run in the same VPC. The rotation function can communicate with the protected service directly within the VPC.
    • If you run your protected service as a publicly accessible resource, in a VPC or not, then the CloudFormation template configures the Lambda rotation function not to run in a VPC. The Lambda rotation function communicates with the protected service through the publicly accessible connection point.
  • By default, the Secrets Manager endpoints run on the public Internet. If you run your Lambda rotation function and protected database or service in a VPC, then you must perform one of the following steps:
    • Add a NAT gateway to your VPC. This enables traffic that originates in your VPC to reach the public Secrets Manager endpoint. 
    • Configure Secrets Manager service endpoints directly within your VPC. This configures your VPC to intercept any request addressed to the public regional endpoint, and redirect the request to the private service endpoint running within your VPC.
• You can create two secrets that have different permissions
  • User Secret – can be used to connect to linked services, but it cannot be rotated. The user will have to wait for the master secret to be rotated and propagated for it to change.
  • Master Secret – has sufficient permissions to rotate secrets of linked services. This scenario is typically used when you have users that are actively using the old secret, and you do not want to break operations after you rotate the secret. You can have your users  update their clients first before using the newly rotated credentials.
• Secrets Manager lets you easily copy your secrets to multiple AWS Regions, which includes the primary secret and the associated metadata such as tags, resource policies and secret updates such as rotation.

AWS Secrets Manager Security

• • By default, Secrets Manager does not write or cache the secret to persistent storage.
  • By default, Secrets Manager only accepts requests from hosts that use the open standard Transport Layer Security (TLS) and Perfect Forward Secrecy.
  • You can control access to the secret using AWS Identity and Access Management (IAM) policies. 
  • You can tag secrets individually and apply tag-based access controls.
  • You can configure VPC endpoints to keep traffic between your VPC and Secrets Manager within the AWS network.
  • Secrets Manager does not immediately delete secrets. Instead, Secrets Manager immediately makes the secrets inaccessible and scheduled for deletion after a recovery window of a minimum of seven days. Until the recovery window ends, you can recover a secret you previously deleted. 
  • By using the CLI, you can delete a secret without a recovery window.

AWS Secrets Manager Compliance

• • Secrets Manager is HIPAA, PCI DSS and ISO, SOC, FedRAMP, DoD SRG, IRAP, and OSPAR compliant.

AWS Secrets Manager Pricing

• • You pay based on the number of secrets stored and API calls made per month.

Note: If you are studying for the AWS Certified Security Specialty exam, we highly recommend that you take our AWS Certified Security – Specialty Practice Exams and read our Security Specialty exam study guide.

Validate Your Knowledge

Question 1

A Security Engineer refactored an application to remove the hardcoded Amazon RDS database credential from the application and store it to AWS Secrets Manager instead. The application works fine after the code change. For improved data security, the Engineer enabled rotation of the credential in Secrets Manager and then set the rotation to change every 30 days. The change was done successfully without any issues but after a short while, the application is getting an authentication error whenever it connects to the database.

What is the MOST likely cause of this issue?

1. The Security Engineer doesn’t have the required AWS CloudHSM permissions. The AWS Secrets Manager encrypts the protected text of a secret by using AWS CloudHSM.
2. Enabling rotation in AWS Secrets Manager causes the secret to rotate immediately.
3. The Security Engineer doesn’t have a SecretsManagerReadWrite permission.
4. IAM DB Authentication was accidentally turned off.

Show me the answer!

Correct Answer: 2

You can configure AWS Secrets Manager to automatically rotate the secret for an Amazon RDS database. Secrets Manager uses a Lambda function Secrets Manager provides. When you enable rotation for a secret with Credentials for RDS database as the secret type, Secrets Manager automatically creates and configures a Lambda rotation function for you. Then Secrets Manager equips your secret with the Amazon Resource Name (ARN) of the function. Secrets Manager creates the IAM role associated with the function and configures the role with all of the required permissions. Alternatively, if you use the same rotation strategy with another secret, and you want to use the same rotation with your new secret, you can specify the ARN of the existing function and use it for both secrets.

If you run your Amazon RDS DB instance in a VPC provided by Amazon VPC and the VPC doesn’t have public Internet access then Secrets Manager also configures the Lambda function to run within that VPC. Secrets Manager also requires that the Lambda rotation function must be able to access a Secrets Manager service endpoint to call the required API operations. If one or more of your resources in the VPC must communicate with the Internet then you can configure the VPC with a NAT gateway to enable the Lambda rotation function to query the public Secrets Manager service endpoint. If you have no requirement to communicate with the Internet, you can configure the VPC with a private Secrets Manager service endpoint accessible from within the VPC.

You can enable rotation for a secret with credentials for a supported Amazon RDS database by using the AWS Secrets Manager console, the AWS CLI, or one of the AWS SDKs. Secrets Manager encrypts the protected text of a secret by using the AWS Key Management Service (AWS KMS).

Enabling rotation causes the secret to rotate once immediately when you save the secret. Before you enable rotation, be sure you update all of your applications using this secret credentials to retrieve the secret from Secrets Manager. The original credentials might not be usable after the initial rotation. Any applications that you fail to update break as soon as the old credentials become invalid.

Hence, the correct answer is: Enabling rotation in AWS Secrets Manager causes the secret to rotate immediately.

The option that says: The Security Engineer doesn’t have the required AWS CloudHSM permissions. The AWS Secrets Manager encrypts the protected text of a secret by using AWS CloudHSM is incorrect because AWS Secrets Manager actually encrypts the secret using AWS KMS, and not AWS CloudHSM.

The option that says: The Security Engineer doesn’t have a SecretsManagerReadWrite permission is incorrect because the scenario said that the Engineer successfully enabled the rotation in AWS Secrets Manager without any issues. This means that the Engineer has all of the required IAM permissions needed.

The option that says: IAM DB Authentication was accidentally turned off is incorrect because this feature simply allows users to connect to Amazon RDS with IAM credentials. The secrets in AWS Secrets Manager are not IAM credentials hence, the IAM DB Authentication is irrelevant in this scenario.

References:
https://docs.aws.amazon.com/secretsmanager/latest/userguide/enable-rotation-rds.html
https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-rds.html
https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html

Note: This question was extracted from our AWS Certified Security Specialty Practice Exams.

For more AWS practice exam questions with detailed explanations, visit the Tutorials Dojo Portal:

AWS Secrets Manager Cheat Sheet References:

https://aws.amazon.com/secrets-manager/
https://aws.amazon.com/secrets-manager/faqs/
https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html
Understanding AWS Secrets Manager