A Technical Look at Managing Secrets using AWS Parameter Store
- June 08, 2017
As systems become more complex, it’s more important than ever to ensure you have a strategy for effective and efficient secrets management. While we will dive into the technical aspects of doing just this within AWS, let’s first review what exactly secrets are and why you need to manage them.
Secrets are simply anything you want to tightly control and to which you want to manage access–such as API Keys, passwords, and certificates. With important security implications surrounding secrets, organizations will want to manage them in a way that follows security best practices. However, it is a challenge to distribute secrets securely, especially in a cloud environment where instances are regularly spun up and spun down.
In order to secure access to secrets, it is a good practice to implement a layered defense approach that combines multiple mitigating security controls to protect sensitive data. While there are multiple solutions that help manage secrets securely and efficiently in the cloud, one of our favorites is HashiCorp Vault. The latest addition to this mix is the EC2 Systems Manager with a built-in parameter store.
EC2 System Manager Parameter Store
EC2 System Manager Parameter Store centralizes the management of configuration data — such as passwords, license keys, or database connection strings — that you would commonly refer to in scripts, commands, or other automation and configuration workflows. With granular security controls for managing user access and strong encryption for sensitive data such as passwords, Parameter Store improves the overall security posture of your managed instances. Further, we can audit the parameter usage in Amazon EC2 or AWS Cloudtrail. (Note that all calls to the AWS Parameter Store are recorded with AWS CloudTrail so that they can be audited.)
Since EC2 System Manager Parameter Store is a managed service, we do not have to install and manage it, AWS does so on our behalf. It is easily accessible from API, AWS CLI, and AWS SDKs.
Parameter Store offers several major advantages over a manual approach:
1. Easy Creation of Namespaces
2. KMS Integration
3. Stored history of parameter changes
4. It is a service that can be controlled separately from S3, which is likely used for many other applications.
5. Its configuration data store reduces overhead from implementing multiple systems.
6. It’s free!
We can leverage AWS Parameter Store with different AWS Services like AWS ECS, AWS EC2, Lambda, AWS CodePipeline etc. As part of Flux7 best practices, we have leveraged AWS security and secret management solutions for multiple customers.
For example, we recently worked with a company in the scientific research field who was looking to build a next generation platform to support the evolution of its research engine. To do so, Flux7 helped the firm implement an AWS-based microservices architecture. The microservices environment was built with AWS ECS clusters, HashiCorp Consul for service discovery, and EC2 Systems Manager Parameter Store. For this firm, AWS Parameter Store manages credentials, patching, configuration management and other automated tasks that would have previously been managed (often times manually) by IT Operations. The result is seamless secret management and a new architecture that has this firm spending less time on tactical, manual tasks and more time on strategic solution delivery.
As a solid new tool from AWS, we like to use AWS Parameter Store for customers just like this one. For more extensive secret management, we deploy HashiCorp Vault which has several advanced features of its own, including:
- Dynamic secret creation
- Automatic credential rotation
- A back-end to AWS and non-AWS services
- The ability to deploy on-premise
For further reading on how Flux7 helps organizations effectively manage secrets:
- Improved credential management hardens security, maintains RPO and RTO goals at a health records company
- Flux7 SmartStart Eases Vault Technology Adoption
- Handling Secrets in Microservices
- Flux7 helps customers securely run applications in the cloud with Vault
Read additional stories here of enterprises we’ve helped with DevOps best practices, or subscribe to our blog below for new use cases, tips, best practices and commentary.
Find out how we implement AWS Web Application Firewall to harden security