Secrets managers
Keeping the database connection string in source code is a tempting and common mistake. Storing secrets in source code, even in encrypted form, is a well-known antipattern: it can lead to a data breach by a malicious actor, or to data being lost or corrupted by an unauthorised engineer who lacks the necessary knowledge. Passwords, tokens, keys, connection strings and any other sensitive information used by applications should be treated as secrets. Several tools for the AWS cloud allow managing secrets for microservice-oriented solutions.
Speaking of managing secrets, the question that comes up is which features and qualities a secrets manager should provide. Let's take a look at some of them:
- Encrypted storage - keeps secrets in safe (encrypted) storage.
- Role-based access control (RBAC) - provides granular access to secrets. For example, one role grants developers access to staging secrets only, while another grants the CI/CD pipeline access to production secrets.
- Compliance - approved and trusted by government and public organisations, so the service can be treated as safe storage.
- Key rotation - allows changing passwords periodically.
- Sentinel policy - fine-grained policies to restrict user access, for example a rule that grants developers access only on working days.
- Auditing - the ability to track who did what.
The following services and solutions can be used to manage secrets in the AWS cloud:
- AWS Parameter Store - stores secrets in a key-value store, encrypted with a KMS key.
- AWS Secrets Manager - similar to Parameter Store, but additionally provides an RDS password rotation feature.
- Vault - the most full-featured and cloud-agnostic solution.
Comparison by qualities and features

| Feature | Parameter Store | Secrets Manager | Vault |
|---|---|---|---|
| Encrypted | Yes | Yes | Yes |
| RBAC | Yes | Yes | Yes |
| Sentinel policy | No | No | Yes |
| Managed service | Yes | Yes | No |
| Compliance | Yes | Yes | Yes |
| Key rotation | No | Yes | Yes |
| Costs for up to 10,000 secrets | Free | Mid | High |
| Auditing | CloudTrail | CloudTrail | Audit logging |
Costs in detail
- Vault:
  - License: Vault is an open source solution created by HashiCorp. Enterprise features, however, require contacting sales (https://www.hashicorp.com/products/vault/enterprise); the price can vary from £100 to £2000 per license per year: https://www.digitalmarketplace.service.gov.uk/g-cloud/services/616269884887768.
  - Compute power: EC2
  - Network: VPC
  - Storage: S3 or RDS
- Parameter Store:
  - Storage:
    - Standard: free
    - Advanced: $0.05 per advanced parameter per month
  - API interactions:
    - Standard:
      - Standard throughput: free
      - Higher throughput: $0.05 per 10,000 Parameter Store API interactions
    - Advanced: $0.05 per 10,000 Parameter Store API interactions
  - Max size for a parameter value:
    - Standard: 4 KB
    - Advanced: 8 KB
  - Total number of parameters allowed:
    - Standard: 10,000
    - Advanced: 100,000
- Secrets Manager:
  - Per secret per month: $0.40 per secret per month. For secrets stored for less than a month, the price is prorated (based on the number of hours).
  - Per 10,000 API calls: $0.05 per 10,000 API calls.
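As an added worked example (not part of the original article), the pricing figures above turned into a small monthly cost model, so the AWS options can be compared for a given number of secrets and API calls. The 730-hour month used for proration and the linear (per-call) charging of the "per 10,000 API calls" rates are assumptions of this example.

```python
from dataclasses import dataclass

# Prices as listed in the cost breakdown above. Assumptions of this example:
# a 730-hour billing month and linear per-call charging of the per-10,000 rates.
HOURS_PER_MONTH = 730
PER_10K_API_CALLS = 0.05          # both services: $0.05 per 10,000 API calls
ADVANCED_PARAM_PER_MONTH = 0.05   # Parameter Store advanced tier
SECRET_PER_MONTH = 0.40           # Secrets Manager
STANDARD_PARAM_LIMIT, ADVANCED_PARAM_LIMIT = 10_000, 100_000


@dataclass
class ParameterStoreUsage:
    standard_params: int = 0
    advanced_params: int = 0
    api_calls: int = 0
    higher_throughput: bool = False   # paid throughput tier for standard params


def parameter_store_within_limits(usage: ParameterStoreUsage) -> bool:
    """Check the per-tier parameter counts listed above."""
    return (usage.standard_params <= STANDARD_PARAM_LIMIT
            and usage.advanced_params <= ADVANCED_PARAM_LIMIT)


def parameter_store_monthly_cost(usage: ParameterStoreUsage) -> float:
    """Standard parameters are free to store; advanced ones are billed per parameter.
    API calls are free only on the standard tier at standard throughput; all calls
    are treated as hitting the paid tier once it is in use."""
    storage = ADVANCED_PARAM_PER_MONTH * usage.advanced_params
    api_billable = usage.higher_throughput or usage.advanced_params > 0
    api = PER_10K_API_CALLS * usage.api_calls / 10_000 if api_billable else 0.0
    return round(storage + api, 2)


def secrets_manager_monthly_cost(secrets: int, api_calls: int,
                                 hours_stored: float = HOURS_PER_MONTH) -> float:
    """Per-secret fee, prorated by the hours the secret existed within the month."""
    fraction = min(hours_stored, HOURS_PER_MONTH) / HOURS_PER_MONTH
    return round(SECRET_PER_MONTH * secrets * fraction
                 + PER_10K_API_CALLS * api_calls / 10_000, 2)


def compare(secrets: int, api_calls: int) -> dict:
    """Monthly cost of holding the same set of secrets in each AWS option."""
    return {
        "parameter_store_standard": parameter_store_monthly_cost(
            ParameterStoreUsage(standard_params=secrets, api_calls=api_calls)),
        "parameter_store_advanced": parameter_store_monthly_cost(
            ParameterStoreUsage(advanced_params=secrets, api_calls=api_calls)),
        "secrets_manager": secrets_manager_monthly_cost(secrets, api_calls),
    }
```

For 200 secrets and one million API calls a month, `compare(200, 1_000_000)` gives $0.00 on standard parameters, $15.00 on advanced parameters and $85.00 in Secrets Manager.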
Summary
Vault is the most advanced secrets management solution. Since it is a dedicated service, it has to be maintained, hardened and backed up, and the fees for storage, network and compute power need to be taken into account.
On the other hand, there are out-of-the-box, fully managed AWS services. A combination of AWS Parameter Store and AWS Secrets Manager, fine-tuned with a Lambda function, can be turned into an affordable yet sophisticated secrets management solution.