Secrets Manager In Use

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: SecretsManager-004

Ensure that the AWS Secrets Manager service is used in your AWS account to manage access credentials (i.e. secrets) such as API keys, OAuth tokens and database credentials. For example, you can use AWS Secrets Manager to store and rotate RDS database credentials in order to meet the security and compliance requirements of your organization. Secrets Manager provides built-in rotation integrations for Amazon Relational Database Service (RDS) engines including MySQL, PostgreSQL and Aurora, and can rotate, manage and retrieve credentials for these databases natively.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

AWS Secrets Manager helps you protect the sensitive information needed to access your cloud applications, services and resources. Users and applications retrieve secrets with a call to the Secrets Manager API, which removes the need to hard-code credentials in plain text in source code, configuration files or container images. The main benefits of using AWS Secrets Manager are:

  1. Secure, automatic rotation of secrets: you can rotate secrets safely on a regular schedule, without code deployments.
  2. Secret access management with IAM: fine-grained AWS IAM policies (and resource-based policies attached to the secret) control who and what can read or modify each secret, and every API call is recorded in AWS CloudTrail.
  3. Encryption of secrets: secrets are encrypted at rest with an AWS KMS key; using a customer managed key (formerly called a Customer Master Key, CMK) gives you control over the key policy and an audit trail of key usage.
  4. Pay-as-you-go pricing.


Audit

To determine if the AWS Secrets Manager service is used in your AWS account, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to AWS Secrets Manager dashboard at https://console.aws.amazon.com/secretsmanager/.

03 In the navigation panel, select Secrets. If there are no secrets listed on this page, the service is not used to manage sensitive information and/or access credentials in the current AWS region.

04 Change the AWS region from the navigation bar and repeat step no. 3 for other regions. If no secrets are found in any region, the AWS Secrets Manager service is not currently in use within your AWS account.

Using AWS CLI

01 Run list-secrets command (OSX/Linux/UNIX) to list the names of all Secrets Manager secrets available in the selected AWS region (US East - N. Virginia):

aws secretsmanager list-secrets \
	--region us-east-1 \
	--query 'SecretList[*].Name'

02 The command output should return the names of the secrets available in the selected region:

[]

If list-secrets command output returns an empty array, as shown in the example above, there are no AWS Secrets Manager secrets available in the selected region.

03 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 and 2 for other regions. If no secrets are found in any region, the AWS Secrets Manager service is not currently in use in your AWS account.
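The following Python script is an added example and is not part of the Conformity rule or of the AWS CLI documentation. It automates the per-region loop of steps 01 – 03 above across every region enabled for the account and, as a small extension of the rule, also flags secrets that have no automatic rotation configured (the RotationEnabled field returned by list-secrets). It assumes boto3 is installed and that the caller holds ec2:DescribeRegions and secretsmanager:ListSecrets permissions when main() is run; the evaluate() function and the SAMPLE data are constructed so the classification logic can be checked offline.

```python
"""Added example (not the Conformity page's own code): audit every enabled
region for AWS Secrets Manager usage, i.e. the multi-region loop that
steps 01-03 above perform by hand one region at a time.

Assumptions: boto3 is installed and AWS credentials with
ec2:DescribeRegions and secretsmanager:ListSecrets are available when
main() is run. The evaluation logic is kept separate from the API calls
so it can be exercised offline with constructed data.
"""
import json


def evaluate(secrets_by_region):
    """Classify a {region: [secret metadata dict, ...]} mapping.

    Each secret dict has the shape of an entry in list-secrets' SecretList;
    only the "Name" and "RotationEnabled" keys are used here. Returns:
      - "in_use":        True if at least one secret exists in any region
      - "empty_regions": regions holding no secrets at all
      - "unrotated":     "region/Name" of secrets without automatic rotation
    """
    empty_regions = sorted(r for r, s in secrets_by_region.items() if not s)
    unrotated = sorted(
        f"{region}/{secret['Name']}"
        for region, secrets in secrets_by_region.items()
        for secret in secrets
        # a secret that never had rotation configured has no RotationEnabled key
        if not secret.get("RotationEnabled", False)
    )
    in_use = any(secrets_by_region.values())
    return {"in_use": in_use, "empty_regions": empty_regions, "unrotated": unrotated}


def collect(session):
    """Call ListSecrets (paginated) in every region enabled for the account."""
    ec2 = session.client("ec2", region_name="us-east-1")
    regions = [r["RegionName"] for r in ec2.describe_regions()["Regions"]]
    result = {}
    for region in regions:
        sm = session.client("secretsmanager", region_name=region)
        secrets = []
        # list-secrets is paginated; a plain single call would miss secrets
        for page in sm.get_paginator("list_secrets").paginate():
            secrets.extend(page["SecretList"])
        result[region] = secrets
    return result


# Constructed sample in the shape of `aws secretsmanager list-secrets` output
SAMPLE = {
    "us-east-1": [
        {"Name": "cc-database-access-credentials", "RotationEnabled": True},
        {"Name": "legacy-api-key"},  # rotation never configured
    ],
    "eu-west-1": [],
}


def main():
    import boto3  # imported here so evaluate() can be used without boto3 installed
    report = evaluate(collect(boto3.session.Session()))
    print(json.dumps(report, indent=2))


if __name__ == "__main__":
    main()
```

An account where report["in_use"] is False fails this rule; the empty_regions list tells you where the console and CLI checks above would return nothing, and the unrotated list is the input for the rotation setup described in the remediation section.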

Remediation / Resolution

In order to utilize the AWS Secrets Manager service to manage database access credentials and/or sensitive information such as API keys or authentication tokens, you must create and configure secrets. To create your own Secrets Manager secret, perform the following actions:

Note: As an example, this conformity rule demonstrates how to use the AWS Secrets Manager service to create secrets that store and manage Amazon RDS database access credentials.

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to AWS Secrets Manager dashboard at https://console.aws.amazon.com/secretsmanager/.

03 In the navigation panel, select Secrets.

04 Click Store a new secret button from the dashboard top menu to start the setup process for your new secret.

05 On Select secret type page, perform the following:

  1. Select Credentials for RDS database to configure the secret to store access credentials for an AWS RDS database instance.
  2. In the Username and Password fields, type the user name and password that grant access to the RDS database associated with the secret.
  3. From the Select the encryption key dropdown list, choose the KMS key used to encrypt the secret. Use a customer managed key (formerly called a Customer Master Key, CMK) rather than the default AWS managed key aws/secretsmanager when you need control over the key policy, key rotation and cross-account access.
  4. From the Select which RDS database this secret will access list, select the Amazon RDS database instance associated with the new Secrets Manager secret.
  5. Click Next to continue the process.

06 On Secret name and description page, type a unique name for your secret in the Secret name box and a short description in the Description box (optional). Create any necessary tag sets for the new secret using the Tags form. Once the requested information is provided, click Next to continue.

07 On Store a new secret page, inside Configure automatic rotation section, perform the following:

  1. Select Enable automatic rotation to enable automatic rotation feature for the new secret.
  2. Select a predefined (e.g. 30, 60, 90 days) or a custom value for the rotation interval from the Select rotation interval dropdown list.
  3. Choose how rotation is performed: select Create a new Lambda function to perform rotation and enter a name in the New AWS Lambda function name box to have Secrets Manager create a rotation function for the selected database engine, or select Use an existing Lambda function to perform rotation and pick a function you previously created for this type of secret from the Choose an AWS Lambda function dropdown list.
  4. Choose Next to continue.

08 On the Review page, verify the secret configuration details, then click Store to create the new AWS Secrets Manager secret.

09 Once the following confirmation message is displayed: "Your secret <secret-name> has been successfully stored.", click See sample code button to access the sample code that you can use to update your applications in order to retrieve the secret.

10 Repeat steps no. 4 – 9 to create additional Secrets Manager secrets that store and manage access credentials for your other AWS RDS database instances.

11 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 First, define the protected secret information required for the "SecretString" parameter. The secret information is a JSON structure of key/value pairs that the AWS Secrets Manager RDS rotation functions know how to process: "username", "password", "engine" (e.g. "mysql" or "postgres"), "host", "port" (an integer, e.g. 3306), "dbname" and "dbInstanceIdentifier". Save the secret data to a JSON file named database-access-credentials.json, replacing the placeholder values in angle brackets with your own database credentials. Because this file holds a plaintext password, create it with restrictive permissions (e.g. chmod 600) and delete it as soon as the secret has been created:

{
  "username": "<db-user-name>",
  "password": "<db-password>",
  "engine": "<db-engine-type>",
  "host": "<rds-instance-name>.<aws-region>.rds.amazonaws.com",
  "port": <db-port>,
  "dbname": "<db-name>",
  "dbInstanceIdentifier": "<rds-db-instance-name>"
}

02 Run create-secret command (OSX/Linux/UNIX) using the JSON file with the secret information created at the previous step (i.e. database-access-credentials.json) as command parameter to create the new AWS Secrets Manager secret that will store and manage the RDS database credentials. The --kms-key-id parameter accepts the key ID, ARN or alias of the customer managed KMS key used to encrypt the secret; if it is omitted, the AWS managed key aws/secretsmanager is used:

aws secretsmanager create-secret \
	--region us-east-1 \
	--name cc-database-access-credentials \
	--description "Provides access to AWS RDS database" \
	--kms-key-id arn:aws:kms:us-east-1:123456789012:key/aabbccdd-aabb-1234-ccdd-aabbccdd1234 \
	--secret-string file://database-access-credentials.json

03 The command output should return the metadata for the new AWS Secrets Manager secret:

{
    "VersionId": "1234abcd-abcd-1234-abcd-1234abcd1234",
    "Name": "cc-database-access-credentials",
    "ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:cc-database-access-credentials-ABC123"
}

04 Repeat steps no. 1 – 3 to create new Secrets Manager secrets to store and manage database credentials for your Amazon RDS instances.

05 Change the AWS region by updating the --region command parameter value and repeat the entire remediation/resolution process for other regions.
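The Python script below is an added example; it is not code from the Conformity page nor the AWS sample code offered by the console in step 09 above. It builds the same key/value document as database-access-credentials.json in memory, so no plaintext password is written to disk, creates the secret with the same name, description and KMS key as the CLI command above, and then reads it back the way an application should instead of hard-coding the credentials. The secret name, KMS key ARN, database values and the FakeSecretsManager stand-in are placeholders/constructed; with boto3 installed and secretsmanager:CreateSecret, secretsmanager:GetSecretValue and kms:Encrypt/kms:Decrypt permissions on the key, running it with --live calls the real service.

```python
"""Added example (not the Conformity page's or AWS's own code): create an
RDS credential secret straight from memory and read it back as an
application would. The FakeSecretsManager class is a constructed stand-in
for boto3's secretsmanager client so the logic runs offline; pass --live
to use boto3 (requires AWS credentials and the permissions listed above).
"""
import json

# Keys the Secrets Manager RDS rotation functions expect in SecretString
REQUIRED = ("username", "password", "engine", "host", "port",
            "dbname", "dbInstanceIdentifier")


def build_secret_string(**fields):
    """Serialize the RDS credential document; rejects missing keys and a
    non-integer port, the two mistakes that later break rotation."""
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise ValueError(f"missing keys: {missing}")
    if not isinstance(fields["port"], int):
        raise ValueError("port must be an integer, e.g. 3306")
    return json.dumps({k: fields[k] for k in REQUIRED})


def create_db_secret(client, name, kms_key_id, secret_string, description=""):
    """Same call as `aws secretsmanager create-secret`; returns the secret ARN."""
    resp = client.create_secret(Name=name, Description=description,
                                KmsKeyId=kms_key_id, SecretString=secret_string)
    return resp["ARN"]


def fetch_db_credentials(client, secret_id):
    """Retrieve and parse the current version of the secret at run time
    instead of shipping the password in code or config."""
    resp = client.get_secret_value(SecretId=secret_id)
    return json.loads(resp["SecretString"])


class FakeSecretsManager:
    """Constructed offline stand-in mimicking the two boto3 calls used above."""

    def __init__(self):
        self.store = {}

    def create_secret(self, Name, SecretString, KmsKeyId=None, Description=""):
        arn = f"arn:aws:secretsmanager:us-east-1:123456789012:secret:{Name}-ABC123"
        self.store[Name] = self.store[arn] = SecretString  # lookup by name or ARN
        return {"ARN": arn, "Name": Name,
                "VersionId": "1234abcd-abcd-1234-abcd-1234abcd1234"}

    def get_secret_value(self, SecretId):
        return {"SecretString": self.store[SecretId]}


def demo(client):
    """Create the secret and read it back; returns the parsed credentials.
    All database values below are placeholders."""
    secret = build_secret_string(
        username="app_user", password="placeholder-change-me", engine="mysql",
        host="mydb.us-east-1.rds.amazonaws.com", port=3306,
        dbname="app", dbInstanceIdentifier="mydb")
    arn = create_db_secret(
        client, "cc-database-access-credentials",
        "arn:aws:kms:us-east-1:123456789012:key/aabbccdd-aabb-1234-ccdd-aabbccdd1234",
        secret, "Provides access to AWS RDS database")
    return fetch_db_credentials(client, arn)


def main():
    import sys
    if "--live" in sys.argv:
        import boto3  # real API calls; creates a secret in us-east-1
        client = boto3.client("secretsmanager", region_name="us-east-1")
    else:
        client = FakeSecretsManager()
    creds = demo(client)
    print(f"connect as {creds['username']} to "
          f"{creds['host']}:{creds['port']}/{creds['dbname']}")


if __name__ == "__main__":
    main()
```

Keeping the document in memory and passing it as SecretString removes the temporary credentials file from the remediation steps entirely; in an application, fetch_db_credentials() is called at connection time (and again after a retryable authentication failure, so a rotated password is picked up without a redeploy).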

Publication date Mar 4, 2019