Skeddly Blog

Skeddly news and announcements...

AWS Secrets Manager

Last week, at the AWS Summit San Francisco, AWS unveiled the new AWS Secrets Manager service. This new service allows you to:

  • Save your secrets, passwords, and API keys in a KMS-encrypted storage service,
  • Retrieve your secrets from your applications using the AWS CLI and AWS SDKs, and
  • Automatically rotate your secrets on a custom schedule.

This service lets you stop storing database credentials and other secrets in configuration files on your servers: applications retrieve them at runtime and use them dynamically.

It’s basically doing for any secret what “IAM Roles for EC2 Instances” did for IAM access keys.

But the real power of the AWS Secrets Manager comes from the automated rotation. This allows you to change your passwords every 30 days (for example).

Supported Secret Types

AWS Secrets Manager can store several kinds of secret:

  • username/password pairs
  • key/value pairs
  • plaintext data

Amazon RDS credentials are supported out of the box. For an RDS secret, the value returned by the service includes:

  • username
  • password
  • database engine
  • RDS instance ID
  • RDS instance main database
  • RDS instance endpoint hostname
  • RDS instance endpoint port

Secret Storage

Secrets are encrypted with KMS keys. You can use the default aws/secretsmanager KMS key, or create your own KMS key; with your own key, the key policy gives you a second place (besides IAM) to control who is able to decrypt the secret.

Secret Rotation

AWS Secrets Manager can also rotate your secrets on a regular basis. For example, you can have your database password changed every 10 days, which limits how long a leaked or stale credential stays usable.

Secret rotation is handled by Lambda functions. AWS provides ready-made Lambda functions for rotating Amazon RDS passwords, and because rotation is just a Lambda function, any secret can be rotated as long as a Lambda function can be written to do it.

You’ll see us create a Lambda function to rotate Skeddly API access keys in the future.

There are two types of secret rotation:

  • “self” rotation, and
  • master/user rotation.

Self rotation is when a secret (a database username/password, for example) changes its own password. This is easy to set up in AWS Secrets Manager. However, with this method there is a window during which a password the application has already retrieved is no longer valid.

For example, take the following sequence:

  1. Application retrieves username/password from AWS Secrets Manager.
  2. AWS Secrets Manager changes the password.
  3. Application tries to use the password it retrieved in step #1.

In the above case, the database rejects the connection in step 3. If your application is written to handle this case (by re-reading the secret and retrying when authentication fails), or you just don't care, great. Otherwise, there's the master/user option.

Using the master/user rotation option, you have two (or more) secrets registered in the AWS Secrets Manager:

  • A “master” secret whose job is to rotate other secrets, and
  • One or more “user” secrets that are used by your application.

When you're using AWS Secrets Manager for RDS username/passwords under this pattern, AWS Secrets Manager uses the “master” secret to:

  • Create a clone of the database user (if your user is called user, it creates a second user called user_clone).
  • Change the passwords of the user and its clone on schedule, alternating between the two.
  • When the secret is requested, return the username and password of whichever of the two users was rotated most recently.

This gives high availability for your secrets because a rotation never touches the user that the current secret version points at: a secret retrieved before a rotation stays valid until the following rotation.
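The difference between the two strategies is easiest to see by running them. The following is an added example, not code from the original post or from AWS: an in-memory model in which FakeDatabase stands in for the RDS instance and FakeSecretsManager for one secret with Secrets Manager's staging labels (AWSCURRENT, AWSPENDING, AWSPREVIOUS). A real rotation Lambda runs four steps (createSecret, setSecret, testSecret, finishSecret); the model collapses them into put_pending, the password change, and finish. The user names "app", "app_clone" and "master" and all passwords are constructed sample data.

```python
# Added example (not from the original post): in-memory model of "self" rotation
# versus master/user (alternating users) rotation. FakeDatabase and
# FakeSecretsManager are stand-ins; user names and passwords are constructed.
import secrets


class FakeDatabase:
    """A user table plus the one permission rule that matters for rotation."""

    def __init__(self, admin_user, admin_password):
        self.admin_user = admin_user
        self.users = {admin_user: admin_password}

    def authenticate(self, username, password):
        return self.users.get(username) == password

    def set_password(self, acting_user, acting_password, username, password):
        # A user may change its own password; only the admin may change another's.
        if not self.authenticate(acting_user, acting_password):
            raise PermissionError("login failed for %s" % acting_user)
        if acting_user not in (username, self.admin_user):
            raise PermissionError("%s may not alter %s" % (acting_user, username))
        self.users[username] = password

    def create_user(self, acting_user, acting_password, username, password):
        if acting_user != self.admin_user or not self.authenticate(acting_user, acting_password):
            raise PermissionError("only %s may create users" % self.admin_user)
        self.users[username] = password


class FakeSecretsManager:
    """One secret; each version is reachable through a staging label."""

    def __init__(self, current):
        self.versions = {"AWSCURRENT": dict(current)}

    def get_secret_value(self, stage="AWSCURRENT"):
        return dict(self.versions[stage])

    def put_pending(self, value):
        # createSecret step: the new version exists but is not served by default yet.
        self.versions["AWSPENDING"] = dict(value)

    def finish(self):
        # finishSecret step: AWSPENDING becomes AWSCURRENT, old current becomes AWSPREVIOUS.
        self.versions["AWSPREVIOUS"] = self.versions["AWSCURRENT"]
        self.versions["AWSCURRENT"] = self.versions.pop("AWSPENDING")


def rotate_single_user(sm, db):
    """'Self' rotation: the secret's own user changes its own password."""
    cur = sm.get_secret_value()
    new_password = secrets.token_urlsafe(24)
    sm.put_pending({**cur, "password": new_password})
    # From this call onward any copy of the old password held by a client is dead,
    # even though AWSCURRENT is only switched over in finish() below.
    db.set_password(cur["username"], cur["password"], cur["username"], new_password)
    sm.finish()


def rotate_alternating_users(sm, db, master_sm):
    """Master/user rotation: the master credential rotates the user NOT in use."""
    cur = sm.get_secret_value()
    master = master_sm.get_secret_value()
    name = cur["username"]
    base = name[: -len("_clone")] if name.endswith("_clone") else name
    other = base + "_clone" if name == base else base
    new_password = secrets.token_urlsafe(24)
    sm.put_pending({**cur, "username": other, "password": new_password})
    if other in db.users:
        db.set_password(master["username"], master["password"], other, new_password)
    else:  # first rotation: the clone does not exist yet
        db.create_user(master["username"], master["password"], other, new_password)
    sm.finish()


def demo(strategy, rotations=1):
    """Cache a credential, rotate, and report whether the cached copy still logs in.

    Returns (valid_before, valid_after_rotations, valid_for_freshly_fetched_secret).
    """
    db = FakeDatabase("master", "master-pw-0")
    master_sm = FakeSecretsManager({"username": "master", "password": "master-pw-0"})
    db.create_user("master", "master-pw-0", "app", "app-pw-0")
    app_sm = FakeSecretsManager({"username": "app", "password": "app-pw-0"})

    cached = app_sm.get_secret_value()  # what the application holds in memory
    before = db.authenticate(cached["username"], cached["password"])
    for _ in range(rotations):
        if strategy == "single":
            rotate_single_user(app_sm, db)
        else:
            rotate_alternating_users(app_sm, db, master_sm)
    after = db.authenticate(cached["username"], cached["password"])
    fresh = app_sm.get_secret_value()
    return before, after, db.authenticate(fresh["username"], fresh["password"])


if __name__ == "__main__":
    print("single user, 1 rotation       :", demo("single"))           # (True, False, True)
    print("alternating users, 1 rotation :", demo("alternating"))      # (True, True, True)
    print("alternating users, 2 rotations:", demo("alternating", 2))   # (True, False, True)
```

The third line of output is the caveat that goes with the high-availability claim: the alternating strategy protects a cached credential for exactly one rotation interval, so an application that never re-reads the secret still breaks on the second rotation.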

Pricing

Pricing for AWS Secrets Manager is as follows:

  • $0.40 per secret per month
  • $0.05 per 10,000 API calls

So here’s a pricing example. Suppose you have 2 secrets being stored: a database password and an API key to some third-party service.

Every day, your application makes 1,000 API requests and 1,000,000 database requests, and it fetches the relevant secret from AWS Secrets Manager for every one of them rather than caching it. With this frequency, the monthly cost (assuming a 30-day month) would be:

  • 2 secrets x $0.40 per secret = $0.80
  • (1,000,000 + 1,000) requests x ($0.05 / 10,000) per request x 30 days = $150.15

So the total cost would be $150.95, almost all of it from the per-call charge: how often you fetch a secret matters far more than how many you store.
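Two things in the sections above call for the same piece of client code: the cost of calling the service once per query, and the failed connection after a “self” rotation. The following is an added example, not the post's code or an AWS library: a small client-side cache that parses the JSON document returned for an RDS secret (key names follow the standard RDS secret format: username, password, engine, host, port, dbname, dbInstanceIdentifier), reuses it for a TTL instead of calling GetSecretValue on every query, and refreshes once when the database rejects the credential. The boto3 call secretsmanager.get_secret_value is replaced by an injected fetch() so the example runs offline; the secret values, the host name and the noon rotation in simulate() are constructed.

```python
# Added example (not from the original post): TTL cache for an RDS secret with a
# refresh-on-rejection retry. fetch() stands in for boto3 get_secret_value;
# all secret values, hosts and the rotation schedule below are constructed.
import json
import time

REQUIRED_KEYS = ("username", "password", "engine", "host", "port", "dbname")


def parse_rds_secret(secret_string):
    """Validate an RDS SecretString and return it as a dict with an int port."""
    doc = json.loads(secret_string)
    missing = [k for k in REQUIRED_KEYS if k not in doc]
    if missing:
        raise ValueError("RDS secret is missing keys: " + ", ".join(missing))
    doc["port"] = int(doc["port"])
    return doc


class CachedSecret:
    """Keep one parsed secret for ttl time units; clock() and ttl share a unit."""

    def __init__(self, fetch, ttl, clock=time.monotonic):
        self._fetch, self._ttl, self._clock = fetch, ttl, clock
        self._value, self._expires_at = None, None
        self.fetch_count = 0  # GetSecretValue calls actually made

    def get(self, force=False):
        now = self._clock()
        if force or self._value is None or now >= self._expires_at:
            self._value = parse_rds_secret(self._fetch())
            self._expires_at = now + self._ttl
            self.fetch_count += 1
        return self._value


def connect(cache, authenticate):
    """Use the cached credential; if the database rejects it, refresh once and retry.

    authenticate(secret) stands in for a driver connect and returns True on success.
    """
    secret = cache.get()
    if authenticate(secret):
        return secret
    secret = cache.get(force=True)  # the password may have been rotated since we cached it
    if authenticate(secret):
        return secret
    raise PermissionError("credential rejected even after refreshing the secret")


def monthly_cost(secrets_stored, requests_per_day, days=30):
    """List price: $0.40 per secret per month plus $0.05 per 10,000 API calls."""
    return round(secrets_stored * 0.40 + requests_per_day * days * 0.05 / 10_000, 2)


def simulate(queries_per_day, ttl_seconds=300):
    """One day of database queries, with the password rotated at noon.

    Time is integer microseconds so the arithmetic is exact.
    Returns (queries_issued, secrets_manager_calls_made, failed_queries).
    """
    day_us = 86_400 * 1_000_000
    store = {"password": "pw-before-rotation"}  # what Secrets Manager would return
    db = {"password": "pw-before-rotation"}     # what the database currently accepts
    clock = {"now": 0}

    def fetch():
        return json.dumps({"username": "app", "password": store["password"],
                           "engine": "mysql", "host": "db.example.internal",
                           "port": "3306", "dbname": "app", "dbInstanceIdentifier": "app-db"})

    def authenticate(secret):
        return secret["username"] == "app" and secret["password"] == db["password"]

    cache = CachedSecret(fetch, ttl_seconds * 1_000_000, clock=lambda: clock["now"])
    failed = 0
    step = day_us // queries_per_day
    for i in range(queries_per_day):
        clock["now"] = i * step
        if clock["now"] >= day_us // 2 and db["password"] == "pw-before-rotation":
            store["password"] = db["password"] = "pw-after-rotation"  # "self" rotation runs
        try:
            connect(cache, authenticate)
        except PermissionError:
            failed += 1
    return queries_per_day, cache.fetch_count, failed


if __name__ == "__main__":
    queries, calls, failed = simulate(1_000_000)
    print("calls/day without cache:", queries, " with cache:", calls, " failed queries:", failed)
    print("monthly cost, fetch per query:", monthly_cost(2, 1_000_000 + 1_000))  # 150.95
    print("monthly cost, 5-minute cache :", monthly_cost(2, calls + 1_000))
```

With a five-minute TTL the day's million queries turn into a few hundred GetSecretValue calls (one per TTL window plus one forced refresh at the rotation), and no query fails, because the first rejection after the rotation triggers a refresh instead of an error. The TTL is the trade-off knob: a longer one costs less but means a revoked or rotated credential lingers in memory longer.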

Final Thoughts

The AWS Secrets Manager could be a fantastic service. It will definitely be a competitor to HashiCorp’s Vault.

Setting up master/user password rotation is a bit cumbersome due to some manual steps, but once set up, it runs pretty smoothly.

I’d like to see AWS add support for RDS read-replicas. I see two possible solutions:

  • When the secret for the main RDS instance changes, update the secret for any replicas as well.
  • Include read-replica endpoints in the retrieved data.

About Skeddly

Skeddly is the leading managed scheduling service for your AWS account. Using Skeddly, you can:

  • Reduce your AWS costs,
  • Schedule snapshots and images, and
  • Automate many DevOps and IT tasks.

Sign up for our 30-day free trial or sign in to your Skeddly account to get started.
