Best practice rules for AWS Secrets Manager
AWS Secrets Manager with the following rules:
- Secret Encrypted With KMS Customer Master Keys
- Ensure that AWS Secrets Manager service enforces data-at-rest encryption using KMS CMKs.
- Secret Rotation Enabled
- Ensure that automatic rotation is enabled for your Amazon Secrets Manager secrets.
- Secret Rotation Interval
- Ensure that Amazon Secrets Manager's automatic rotation interval is properly configured.
2. Secrets Manager In Use
- Ensure that AWS Secrets Manager is in use for secure and efficient credentials management.
Using AWS Console
- Open and log in to AWS Management Console.
- Open AWS Secrets Manager dashboard from the link https://console.aws.amazon.com/secretsmanager/.
- Choose Secrets in the navigation bar.
- Choose the Secrets Manager secret that you want to examine, then click on its name (link) to access it futher
- On the selected secret configuration page, within the Secret details section, check the Encryption key attribute value. If the configuration attribute value is set to DefaultEncryptionKey or aws/secrets manager, the selected Amazon Secrets Manager secret is encrypted using the default encryption key that the AWS service created on your behalf.
- Repeat steps no. 4 and 5 for each Secrets Manager secret available in the current AWS region.
- Change the AWS region from the navigation bar to repeat the audit process for other regions.
TO configure existing Amazon Secrets Manager secrets to encrypt their data using customer-managed KMS Customer Master Keys (CMKs), perform the following actions:
- Define the required IAM policy that enables the selected IAM users and/or roles to administer the new customer-managed CMK and to encrypt/decrypt AWS Secrets Manager data using the KMS API. Create a new policy document, name it secrets-cmk-iam-policy.json, and paste the following content (replace the highlighted details, i.e. the ARNs of the IAM users and/or roles, with your own IAM details):
{
"Version": "2012-10-17",
"Id": "aws-secrets-manager-cmk-policy",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Grant access to CMK manager",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:role/cc-secrets-manager"
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow the use of the CMK",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:user/cc-secrets-admin"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:user/cc-secrets-admin"
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
]
}2. Run create-key command (OSX/Linux/UNIX) using the file name of the policy document created at the previous step (i.e. secrets-cmk-iam-policy.json) as a command parameter to create the new Amazon KMS CMK:
aws kms create-key
--region us-east-1
--description 'Customer-managed CMK for AWS Secrets Manager secrets'
--policy file://secrets-cmk-iam-policy.json3. You will see the output returned new CMK metadata.Then copy the AWS resource name as you will require this id later for was data encryption :
{
"KeyMetadata": {
"Origin": "AWS_KMS",
"KeyId": "abcd1234-1234-abcd-1234-abcd1234abcd",
"Description": "Customer-managed CMK for AWS Secrets Manager secrets",
"Enabled": true,
"KeyUsage": "ENCRYPT_DECRYPT",
"KeyState": "Enabled",
"CreationDate": 1517238743.120,
"Arn": "arn:aws:kms:us-east-1:123456789012:key/12345678-abcd-1234-abcd-12345678abcd",
"AWSAccountId": "123456789012"
}
}4. Run create-alias command (OSX/Linux/UNIX) using the key ARN returned at the previous step to attach an alias to the new CMK. The alias must start with the prefix “alias/” (the command does not produce an output):
aws kms create-alias
--region us-east-1
--alias-name alias/secrets-manager-data-cmk
--target-key-id arn:aws:kms:us-east-1:123456789012:key/12345678-abcd-1234-abcd-12345678abcd5. Run update-secret command (OSX/Linux/UNIX) using the name of the Amazon Secrets Manager secret that you want to reconfigure as an identifier (see Audit section part II to identify the right resource) and the ARN of the KMS Customer Master Key (CMK) created earlier as a parameter, to update the configuration of the selected secret with the specified KMS key:
aws secretsmanager update-secret
--region us-east-1
--secret-id cc-prod-db-credentials
--kms-key-id arn:aws:kms:us-east-1:123456789012:key/12345678-abcd-1234-abcd-12345678abcd6. The command output should return the reconfigured AWS Secrets Manager secret metadata:
{
"Name": "cc-prod-db-credentials",
"ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:cc-prod-db-credentials-ABC123"
}Repeat steps no. 5 and 6 for each Amazon Secrets Manager secret that you want to encrypt using your custom KMS CMK, available in the selected AWS region.
8. Change the AWS region by updating the — region command parameter value and repeat the entire remediation/resolution process for other regions.
👋 Join us today !!
If this post was helpful, please click the clap 👏 button below a few times to show your support! ⬇
