Amazon announced the launch of the AWS Secrets Manager, which makes it easy for customers to store and retrieve secrets using an API or the AWS Command Line Interface (CLI). Furthermore, customers can rotate their credentials with the built-in schedule feature or custom Lambda functions. The AWS Secrets Manager enables users to centralize the management of secrets of distributed services and applications.
AWS Secrets Manager is one of multiple new tools and services Amazon is providing for security and compliance. This particular service simplifies the management of database credentials, passwords, or API Keys. At the AWS Summit in San Francisco, Amazon’s CTO Werner Vogel said:
You never, ever again have to put a secret in your code. Secrets Manager allows us to build systems that are way more secure than we could ever do in the past.
Users of AWS Secrets Manager can manage access to secrets using a fine-grained set of policies, control the lifecycle of secrets, and secure and audit secrets centrally. Furthermore, this a managed service with a pay-as-you-go model and available in most regions.
A typical way of storing secrets is to use the AWS Secrets Manager console. The user can save a secret like a database credential or other secrets following through a wizard process.
The wizard will guide the user to select the type of secret, specify the name and description, configure the rotation of the secret, and enable to review the details. Furthermore, in the final review step, the user will also see some sample code in languages, Java, JavaScript, or Python for storing and retrieving the secret. Once the user has successfully stored the secret, they can edit the data or the rotation details. The rotation capability with Secret Manager is either set by the user through a given schedule, or by a Lambda function with permissions to rotate the secret. Using a lambda function, users are given more flexibility for rotation of secrets.
Other public cloud providers like Microsoft and Google offer central management of secrets. Similar to AWS Secrets Manager, Azure Key Vault provides storing and managing secrets with policies, and ability to access them using .NET code. However, Azure Key Vault lacks a built-in rotation capability or direct integration with Azure Functions. With Azure Key Vault, the rotation of secrets is a manual process or automated by API calls or scripts. Azure Key Vault does offer more than managing secrets; it includes management of encryption keys. The Google Cloud Platform offers control of secrets through Cloud KMS, which also enables users to store and manage secrets including policies and rotation. Also, this service, like Azure Key Vault, includes management of encryption keys. Amazon, however, has a separate service for key management with Key Management Service (KMS). HashiCorp also offer a vendor-agnostic solution to secrete management with their open source (and commercial) Vault project.