How to Handle AWS Secrets

Keshav Malik

Keshav is a full-time Security Engineer who loves to build and break stuff.
He is constantly looking for new and exciting technologies
and enjoys working with diverse technologies in his spare time.
He loves music and plays badminton whenever the opportunity presents itself.

Secure management of AWS secrets is essential for protecting sensitive data and preventing unauthorized access to critical systems and applications. In today's rapidly escalating threat landscape, organizations must ensure their secrets are appropriately managed and safeguarded.

The AWS SDK, also referred to as the AWS Software Development Kit, is a set of software development tools and libraries created to make it easier for developers to utilize AWS services in their applications. It provides an accessible interface for accessing resources like EC2, S3, and DynamoDB on AWS with ease.

However, when using AWS SDK to interact with AWS services, it's essential that secrets used for authentication and authorization are managed appropriately. In this blog post, we'll cover some best practices for managing AWS secrets when using the AWS SDK in Python.

Prerequisites

Before using the AWS SDK for Python to securely manage your AWS secrets, ensure that:

  • Basic understanding & knowledge of Python and the ability to install packages using pip
  • An AWS account with appropriate permissions to access AWS services
  • An IAM user or role with necessary access rights
  • Boto3, the AWS SDK for Python, should also be installed on your system using pip.

The Problem with Long-Lived Access Keys and Secret Keys in Code

When using AWS SDK with Python, hard-coding long-lived access keys and secret keys is not recommended. These credentials are used for authentication to AWS resources, and these keys pose a security risk since they aren't automatically rotated.

Here are some potential risks of hard-coding long-lived access keys and secret keys into your code:

  • Code sharing increases the risk of accidental exposure of sensitive information to those with access to it, whether through public sharing or accidental committing to a public repository.
  • It can be challenging to rotate access keys and secret keys, which could lead to version control issues and the need to update all instances of those keys within a codebase.

In the following section, we'll see how you can overcome this problem by using temporary keys.

Using Temporary Access Keys Instead

For better security when using AWS SDK with Python, temporary access keys are the better solution. Temporary keys are short-lived credentials that allow secure access to AWS resources.

Here are some advantages of using temporary access keys:

  • They expire after a specified period (e.g., one month or one week), decreasing the risk of unauthorized access and making it easier to manage resource access.
  • Temporary access credentials can be generated on demand, making it simpler & easier to provide end users with access to AWS resources without defining an AWS identity for each user.

Note: The AWS Security Token Service (STS) is a utility that generates temporary access keys.

Using AWS CLI to Manage AWS Secrets

AWS CLI is a command-line tool that enables engineers to interact with AWS services by using CLI commands. Also, AWS CLI can be utilized for managing AWS secrets.

One of the advantages of using AWS CLI is that it automatically fetches AWS credentials (access & secret keys) from a credentials file created by AWS CLI, so there's no need to manually supply access keys and secret keys when creating an AWS client.

Here's an example of creating an AWS client without specifying access keys and secret keys when using AWS CLI:

import boto3
client = boto3.client('s3') 

In this example, the boto3.client() function is called with the s3 argument to create a client for Amazon S3. Since access keys and secret keys are not specified, the AWS SDK will automatically retrieve them from the credentials file created by AWS CLI.

To create the credentials file, run the following command in the terminal:

aws configure 

This command will prompt you to enter your access key, secret key, default region, and output format. Once executed, a credentials file will be created on your machine which the AWS SDK can automatically search for and retrieve when creating an AWS client.

Manual Way to Configure AWS Secrets

Another way to create a credentials file is to do it manually. The default location for the file is ~/.aws/credentials. The credentials file should have, at minimum, the access key and secret access key specified.

In the sample file provided below, the access key and secret key for the account are specified in the default profile:

[default]
aws_access_key_id = YOUR_ACCESS_KEY
aws_secret_access_key = YOUR_SECRET_KEY 

When you use the aws configure command, the configuration options that are not sensitive (such as region & output format) are saved in a file named config. This file is also stored in the .aws folder in your home directory.

[default]
region=us-west-2
output=json

Creating Multiple Named Profiles

Developers can create & configure additional profiles to manage different sets of AWS credentials by using the aws configure command with the --profile option. Alternatively, you can manually add entries to the config and credentials files. These files store configurations and access keys for each profile.

To add new profiles, you can create separate named profiles in the config and credentials files.

Here's an example of the credentials file with two profiles:

[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY 
[user1]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY 

In this example, the default profile ([default]) is used when the AWS CLI command is used without specifying a profile. The second profile ([user1]) is used when you run a command with the --profile user1 parameter. The file can be found in ~/.aws/credentials on Linux and Mac systems.

Note: Credentials location for a Windows system is %USER%\.aws\credentials.

Managing AWS CLI Configuration Settings

AWS CLI provides several commands to manage the configuration settings. You can use the aws configure set command to modify or set the configuration settings, and the aws configure get command to retrieve the configuration settings. Here's how you can use them:

Setting Configuration Settings

To set any configuration settings, you can use the aws configure set command. Specify the profile you want to modify using the --profile option. For example, to set the region for the USER profile, run the following command:

$ aws configure set region me-south-1 --profile USER 

You can remove a configuration setting by using an empty string as the value or deleting the setting manually from the config and credentials files.

Retrieving Configuration Settings

You can retrieve the configuration settings that you've set using the aws configure get command. To retrieve the region setting for the USER profile, run the following command:

$ aws configure get region --profile USER

Note: The AWS Secret Access Key is not meant to be retrieved in plain text. It is considered sensitive information and is typically stored securely. The AWS CLI does not provide a command specifically for retrieving the Secret Access Key.

Importing CSV Credentials

You can import the CSV credentials generated from the AWS web console using the aws configure import command. The CSV file must contain the following headers:

  • User Name
  • Access key ID
  • Secret access key

To import the credentials from the credentials.csv file, run the following command:

$ aws configure import --csv file://credentials.csv

Listing Profiles

You can list all your profile names using the aws configure list-profiles command.

$ aws configure list-profiles --region <<YOUR_REGION> 

Best Practices for Secure Credential Management in AWS

When working with AWS, it's essential to adhere to best practices for credential management in order to protect your resources. Here are six top tips for AWS SDK credential management:

  1. Use the AWS CLI to Configure AWS Keys: Avoid hardcoding AWS access keys and secret keys into your code. Instead, utilize the AWS CLI to configure your keys and store them securely.
  2. Limit access to secrets with IAM policies and roles: Use AWS Identity and Access Management (IAM) policies and roles to limit access to your secrets only to the users and services that require them.
  3. Regularly rotate secrets to minimize impact: Regularly rotate your access keys, passwords, and other secrets to minimize the impact of potential exposure.
  4. Use Parameter Store to store secrets: Parameter Store is a secure and scalable AWS service that allows you to store and manage secrets securely.
  5. Use AWS Secrets Manager for more advanced management: AWS Secrets Manager provides advanced secret management features, such as automatic rotation and integration with Amazon RDS.
  6. Use tools like GitGuardian to detect leaked secrets: Leaked secrets can put your AWS resources at risk. Use tools like GitGuardian to detect and prevent leaks of your secrets in code repositories and other sources.

Conclusion

Properly managing AWS credentials is crucial to maintaining the security of your AWS resources. By using AWS's configuration and credential files, you can keep your AWS access and secret keys secure and separate from your code. Additionally, following best practices such as limiting access to secrets with IAM policies and roles, and regularly rotating secrets can further enhance your AWS credential management.

As always, it's essential to stay vigilant against potential security breaches. That's where GitGuardian comes in. GitGuardian is a tool that can scan your GitHub repositories for exposed secrets, such as AWS keys, and alert you when it finds them. By using GitGuardian in conjunction with proper AWS credential management practices, you can ensure that your AWS resources remain secure.

So, whether you're new to AWS or a seasoned pro, remember the importance of proper AWS credential management and take steps to keep your AWS resources secure. And don't forget to give GitGuardian a try for an extra layer of security.

If you are interested in learning more about AWS IAM security best practices check this post:

AWS IAM Security Best Practices
Identity and access management is a pillar of security. With the advent of the cloud, it got a lot more complicated. Here is a recap of the best practices to put in place to secure AWS IAM.

We hope this blog post has provided you with a better understanding of how to manage AWS secrets and keep your applications secure.

It is part of a series on secrets management with popular technologies, have a look!

How to Handle Secrets in Jenkins
DevOps engineers must handle secrets with care. In this series, we summarize best practices for leveraging secrets with your everyday tools.
4 Ways to Store & Manage Secrets in Docker
DevOps engineers must handle secrets with care. In this series, we summarize best practices for leveraging secrets with your everyday tools.
How to Handle Secrets in Python
DevOps engineers must handle secrets with care. In this series, we summarize best practices for leveraging secrets with your everyday tools.

💡
Ready to find out which secrets management approach is right for you? Take the GitGuardian Secrets Management Needs Quiz right now at https://www.gitguardian.com/secrets-management-guide