How to Handle AWS Secrets
Keshav Malik. Keshav is a full-time Security Engineer who loves to build and break stuff. He is constantly looking for new and exciting technologies and enjoys working with diverse technologies in his spare time. He loves music and plays badminton whenever the opportunity presents itself.
Secure management of AWS secrets is essential for protecting sensitive data and preventing unauthorized access to critical systems and applications. In today's rapidly escalating threat landscape, organizations must ensure their secrets are appropriately managed and safeguarded.
The AWS SDK, also referred to as the AWS Software Development Kit, is a set of software development tools and libraries created to make it easier for developers to utilize AWS services in their applications. It provides an accessible interface for accessing resources like EC2, S3, and DynamoDB on AWS with ease.
However, when using AWS SDK to interact with AWS services, it's essential that secrets used for authentication and authorization are managed appropriately. In this blog post, we'll cover some best practices for managing AWS secrets when using the AWS SDK in Python.
Prerequisites
Before using the AWS SDK for Python to manage your AWS secrets securely, make sure you have:
- A basic understanding of Python and the ability to install packages using pip
- An AWS account with appropriate permissions to access AWS services
- An IAM user or role with the necessary access rights
- Boto3, the AWS SDK for Python, installed on your system using pip
The Problem with Long-Lived Access Keys and Secret Keys in Code
When using the AWS SDK with Python, hard-coding long-lived access keys and secret keys is not recommended. These credentials authenticate your code to AWS resources, and because they are not rotated automatically, a key that leaks stays valid until someone revokes it.
Here are some potential risks of hard-coding long-lived access keys and secret keys into your code:
- Code sharing increases the risk of accidental exposure of sensitive information to those with access to it, whether through public sharing or accidental committing to a public repository.
- Rotating hard-coded keys is cumbersome: every instance in the codebase must be updated, and the old values linger in version control history.
In the following section, we'll see how you can overcome this problem by using temporary keys.
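As an added example that is not part of the original post, here is a small scanner a team can run over source files before committing, flagging the hard-coded key patterns described above (the sample input is constructed and uses the documentation example keys shown later in the post):

```python
"""Scan source text for hard-coded AWS keys (added example, not the post's)."""
import re

# IAM user access key IDs are 20 characters starting with AKIA; temporary
# STS key IDs start with ASIA. Neither belongs in source code.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A secret access key is 40 base64-style characters; requiring it to be
# assigned to a "secret"-named variable keeps false positives low.
SECRET_KEY_RE = re.compile(
    r"(?i)(aws_?secret_?access_?key|secret_?key)\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

def scan_source(text):
    """Return [(line_number, kind, value)] for every credential found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "access_key_id", match.group(0)))
        for match in SECRET_KEY_RE.finditer(line):
            findings.append((lineno, "secret_access_key", match.group(2)))
    return findings

# Constructed sample: the hard-coded pattern the post warns against, using
# the documentation example keys shown later in the post, beside the safe
# form that lets the SDK resolve credentials from ~/.aws/credentials.
SAMPLE = '''import boto3
bad = boto3.client(
    "s3",
    aws_access_key_id="AKIAIOSFODNN7EXAMPLE",
    aws_secret_access_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
)
good = boto3.client("s3")
'''

if __name__ == "__main__":
    for lineno, kind, value in scan_source(SAMPLE):
        # Print only a prefix so the scanner itself never echoes a secret.
        print(f"line {lineno}: hard-coded {kind} starting {value[:4]}...")
```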
Using Temporary Access Keys Instead
For better security when using AWS SDK with Python, temporary access keys are the better solution. Temporary keys are short-lived credentials that allow secure access to AWS resources.
Here are some advantages of using temporary access keys:
- They expire after a specified period (e.g., one month or one week), decreasing the risk of unauthorized access and making it easier to manage resource access.
- Temporary access credentials can be generated on demand, making it simpler & easier to provide end users with access to AWS resources without defining an AWS identity for each user.
Note: The AWS Security Token Service (STS) is a utility that generates temporary access keys.
Using AWS CLI to Manage AWS Secrets
The AWS CLI is a command-line tool that lets engineers interact with AWS services through CLI commands. It can also be used to manage AWS secrets.
One of the advantages of using AWS CLI is that it automatically fetches AWS credentials (access & secret keys) from a credentials file created by AWS CLI, so there's no need to manually supply access keys and secret keys when creating an AWS client.
Here's an example of creating an AWS client without specifying access keys and secret keys when using AWS CLI:
import boto3
client = boto3.client('s3')
In this example, the boto3.client() function is called with the s3 argument to create a client for Amazon S3. Since access keys and secret keys are not specified, the AWS SDK will automatically retrieve them from the credentials file created by AWS CLI.
To create the credentials file, run the following command in the terminal:
aws configure
This command will prompt you to enter your access key, secret key, default region, and output format. Once executed, a credentials file will be created on your machine which the AWS SDK can automatically search for and retrieve when creating an AWS client.
Manual Way to Configure AWS Secrets
Another way to create a credentials file is to do it manually. The default location for the file is ~/.aws/credentials. The credentials file should have, at minimum, the access key and secret access key specified.
In the sample file provided below, the access key and secret key for the account are specified in the default profile:
[default]
aws_access_key_id = YOUR_ACCESS_KEY
aws_secret_access_key = YOUR_SECRET_KEY
When you use the aws configure command, the configuration options that are not sensitive (such as region & output format) are saved in a file named config. This file is also stored in the .aws folder in your home directory.
[default]
region=us-west-2
output=json
Creating Multiple Named Profiles
Developers can create & configure additional profiles to manage different sets of AWS credentials by using the aws configure command with the --profile option. Alternatively, you can manually add entries to the config and credentials files. These files store configurations and access keys for each profile.
To add new profiles, you can create separate named profiles in the config and credentials files.
Here's an example of the credentials file with two profiles:
[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[user1]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
In this example, the default profile ([default]) is used when the AWS CLI command is used without specifying a profile. The second profile ([user1]) is used when you run a command with the --profile user1 parameter. The file can be found in ~/.aws/credentials on Linux and Mac systems.
Note: Credentials location for a Windows system is %USER%\.aws\credentials.
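As an added example serving both the temporary-keys section and this one (not code from the original post), here is a small audit of a credentials file in the layout shown above. The sample is constructed from the post's two example profiles plus a placeholder temporary profile; on POSIX systems the file variant also flags a credentials file readable by other users.

```python
"""Audit an AWS credentials file (added example, not the post's code)."""
import configparser
import os

def audit_credentials(text):
    """Parse credentials-file content and return {profile: finding}."""
    # Key ID prefixes: AKIA = long-lived IAM user key, ASIA = temporary key
    # issued by STS, which is only usable together with aws_session_token.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    report = {}
    for profile in parser.sections():
        section = parser[profile]
        key_id = section.get("aws_access_key_id", "")
        secret = section.get("aws_secret_access_key", "")
        token = section.get("aws_session_token", "")
        if not key_id or not secret:
            finding = "incomplete: access key id or secret key missing"
        elif key_id.startswith("AKIA"):
            finding = "long-lived IAM user key: rotate regularly"
        elif key_id.startswith("ASIA") and token:
            finding = "temporary STS credentials"
        elif key_id.startswith("ASIA"):
            finding = "temporary key id without aws_session_token"
        else:
            finding = "unrecognised access key id format"
        report[profile] = finding
    return report

def audit_credentials_file(path):
    """Audit a file on disk and flag it if other users can read it (POSIX)."""
    with open(path, encoding="utf-8") as fh:
        report = audit_credentials(fh.read())
    mode = os.stat(path).st_mode & 0o777
    if mode & 0o077:
        report["_file"] = f"mode {mode:o} allows group/other access"
    return report

# Constructed sample: the post's two profiles plus a placeholder temporary
# profile (ASIA key id without a session token) to exercise that finding.
SAMPLE = """[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[user1]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
[temp]
aws_access_key_id=ASIAEXAMPLEPLACEHOLD
aws_secret_access_key=PLACEHOLDERSECRETKEYPLACEHOLDERSECRETKEY
"""
```

Run `audit_credentials_file(os.path.expanduser("~/.aws/credentials"))` to check your own file.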
Managing AWS CLI Configuration Settings
AWS CLI provides several commands to manage the configuration settings. You can use the aws configure set command to modify or set the configuration settings, and the aws configure get command to retrieve the configuration settings. Here's how you can use them:
Setting Configuration Settings
To set any configuration settings, you can use the aws configure set command. Specify the profile you want to modify using the --profile option. For example, to set the region for the USER profile, run the following command:
$ aws configure set region me-south-1 --profile USER
You can remove a configuration setting by using an empty string as the value or deleting the setting manually from the config and credentials files.
Retrieving Configuration Settings
You can retrieve the configuration settings that you've set using the aws configure get command. To retrieve the region setting for the USER profile, run the following command:
$ aws configure get region --profile USER
Note: The AWS Secret Access Key is not meant to be retrieved in plain text. It is considered sensitive information and is typically stored securely. The AWS CLI does not provide a command specifically for retrieving the Secret Access Key.
Importing CSV Credentials
You can import the CSV credentials generated from the AWS web console using the aws configure import command. The CSV file must contain the following headers:
- User Name
- Access key ID
- Secret access key
To import the credentials from the credentials.csv file, run the following command:
$ aws configure import --csv file://credentials.csv
Listing Profiles
You can list all your profile names using the aws configure list-profiles command.
$ aws configure list-profiles --region <YOUR_REGION>
Best Practices for Secure Credential Management in AWS
When working with AWS, it's essential to adhere to best practices for credential management in order to protect your resources. Here are six top tips for AWS SDK credential management:
- Use the AWS CLI to Configure AWS Keys: Avoid hardcoding AWS access keys and secret keys into your code. Instead, utilize the AWS CLI to configure your keys and store them securely.
- Limit access to secrets with IAM policies and roles: Use AWS Identity and Access Management (IAM) policies and roles to limit access to your secrets only to the users and services that require them.
- Regularly rotate secrets to minimize impact: Regularly rotate your access keys, passwords, and other secrets to minimize the impact of potential exposure.
- Use Parameter Store to store secrets: Parameter Store is a secure and scalable AWS service that allows you to store and manage secrets securely.
- Use AWS Secrets Manager for more advanced management: AWS Secrets Manager provides advanced secret management features, such as automatic rotation and integration with Amazon RDS.
- Use tools like GitGuardian to detect leaked secrets: Leaked secrets can put your AWS resources at risk. Use tools like GitGuardian to detect and prevent leaks of your secrets in code repositories and other sources.
Conclusion
Properly managing AWS credentials is crucial to maintaining the security of your AWS resources. By using AWS's configuration and credential files, you can keep your AWS access and secret keys secure and separate from your code. Additionally, following best practices such as limiting access to secrets with IAM policies and roles, and regularly rotating secrets can further enhance your AWS credential management.
As always, it's essential to stay vigilant against potential security breaches. That's where GitGuardian comes in. GitGuardian is a tool that can scan your GitHub repositories for exposed secrets, such as AWS keys, and alert you when it finds them. By using GitGuardian in conjunction with proper AWS credential management practices, you can ensure that your AWS resources remain secure.
So, whether you're new to AWS or a seasoned pro, remember the importance of proper AWS credential management and take steps to keep your AWS resources secure. And don't forget to give GitGuardian a try for an extra layer of security.
If you are interested in learning more about AWS IAM security best practices, check this post:
We hope this blog post has provided you with a better understanding of how to manage AWS secrets and keep your applications secure.
This post is part of a series on secrets management with popular technologies; have a look!