Data breaches are becoming increasingly common, and one factor driving this escalation is the fact that today’s IT systems are integrated and interconnected, requiring login information from multiple parties and services.
In response, Amazon Web Services has newly launched the AWS Secrets Manager, a service designed to help organizations get a handle on these “secrets” by storing and accessing them in a secure way.
A modern IT system may require any combination of different types of secrets. Some classic examples include credentials for accessing file shares or database logins and passwords, but encryption keys and API keys for software as a service offerings are also increasingly used. Knowing what secrets your organization has and requires is a crucial first step in secrets management.
It is also common for DevOps team members with blended roles to have access to multiple types of systems and credentials that may have been previously segmented between different users. This may be placing more secrets into the hands of more people, so controlling who has access to each secret is also a must.
Another critical best practice is secret rotation. We have long been taught to rotate passwords, and the same goes for any type of service credential.
Automated DevOps systems with stored secrets may be operating silently for long periods of time. The longer any secret exists, the higher the chance that it has been compromised. Frequent rotation helps to reduce the secret lifespan and with that the risk of exposure.
AWS Secrets Manager helps address all of these points. Any type of secret can be stored from database credentials to API keys to pure data blobs. The AWS Identity and Access Management (IAM) features allow for granular control over which users have access to which secrets. Automated secret rotation can be achieved with the built-in rotation feature.
Critically, AWS Secrets Manager allows access to secrets on-demand, keeping them off of the myriad of systems working in any organization.
AWS Secrets Manager operates like a centrally managed password manager, designed to be used by both users and automated systems. It allows you control access to each of your secrets by assigning them to IAM users, giving you the knowledge of what secrets exist and who can access them.
Secrets Manager also integrates with AWS logging and monitoring tools, so an audit trail of each use exists and alerts can be generated.
Whether you are an AWS pro or just getting started in the cloud, the Cloud Management Assessor can be used to automatically assess and monitor the security posture of your cloud accounts. At the same time, Tripwire Enterprise can be used to secure and monitor all your devices to help keep your secrets safe.