Secrets in AWS

By
Sooraj V Nair
Published on
07 Nov 2023
10 min read
Secrets Management

Efficiently managing AWS secrets is of paramount importance for the protection of sensitive data and the prevention of unauthorized access to critical systems and applications.

In today’s ever-evolving threat landscape, organizations are compelled to ensure the proper management and security of their secrets.

The AWS SDK, also known as the AWS Software Development Kit, constitutes a comprehensive set of software development tools and libraries.

It is meticulously designed to simplify the utilization of AWS services in applications, providing a user-friendly interface for seamless access to resources such as EC2, S3, and DynamoDB on AWS.

Nevertheless, when employing the AWS SDK to interact with AWS services, it is imperative to ensure that the secrets employed for authentication and authorization are managed with the utmost care.

In this blog post, we will delve into some best practices for the secure management of AWS secrets when utilizing the AWS SDK in Python.

Things to remember before using AWS SDK

Before embarking on the secure management of your AWS secrets with the AWS SDK for Python, make certain of the following prerequisites:

  • A foundational understanding and proficiency in Python, along with the capability to install packages using pip.

  • An AWS account equipped with the requisite permissions to access AWS services.

  • An IAM user or role endowed with the necessary access privileges.

  • Ensure that Boto3, the AWS SDK for Python, is installed on your system via pip.

Limitations of long-lived access keys and secret keys in code

The pitfall of long-lived access and secret keys in code

When working with the AWS SDK in Python, embedding long-lived access keys and secret keys directly into your code is not advisable.

These credentials serve as the means for authentication to AWS resources and present a security concern as they lack automatic rotation.

Here are some potential risks associated with hard-coding long-lived access keys and secret keys into your code:

  1. Sharing code elevates the risk of inadvertent exposure of sensitive information to individuals with access, be it through unintentional public sharing or accidental commits to public repositories.

  2. Rotating access keys and secret keys can be a complex process, potentially leading to version control complications and necessitating updates across all instances of these keys within a codebase.

In the subsequent section, we will explore the resolution to this issue through the utilization of temporary keys.
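As an added example (not code from the original post), here is a small pre-commit style check that flags hard-coded AWS access key IDs and secret access keys in source text before they reach a repository. The sample source is constructed here, and the key values are AWS's documented placeholder keys, not real credentials.

```python
import re
from typing import List, Tuple

# Constructed sample source: the keys are AWS's documented placeholder
# values (not real credentials), embedded the way the post warns against.
SAMPLE_SOURCE = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
client = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID,
                      aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
# A session built from ~/.aws/credentials carries no secret in the code:
session = boto3.Session(profile_name="beagle-srv")
"""

# Long-lived IAM user key IDs start with AKIA; temporary STS key IDs start with ASIA.
ACCESS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# A secret key is 40 base64-style characters assigned next to a tell-tale name.
SECRET_KEY_RE = re.compile(
    r"(?i)(aws_?secret_?access_?key|secret_?key)\s*[=:]\s*['\"]([A-Za-z0-9/+=]{40})['\"]"
)


def scan_for_hardcoded_keys(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, value) for every suspected hard-coded credential."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            key_id = m.group(1)
            kind = "long-lived access key id" if key_id.startswith("AKIA") else "temporary access key id"
            findings.append((lineno, kind, key_id))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((lineno, "secret access key", m.group(2)))
    return findings


def redact(value: str) -> str:
    """Keep only the first four characters so a report can be shared safely."""
    return value[:4] + "*" * (len(value) - 4)


if __name__ == "__main__":
    for lineno, kind, value in scan_for_hardcoded_keys(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}: {redact(value)}")
```

The session created from a named profile on the last sample line produces no finding, which is the pattern the rest of the post recommends.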

What are the advantages of using temporary access keys?

1. Enhanced security

To enhance security when working with the AWS SDK in Python, the adoption of temporary access keys is the preferred approach.

Temporary keys are short-lived credentials that facilitate secure access to AWS resources.

2. Set expiration period (e.g., one month or one week)

This reduces the risk of unauthorized access and simplifies the management of resource access.

3. Temporary access credentials can be generated on-demand

This streamlines the process of providing end-users with access to AWS resources without the necessity of defining an AWS identity for each user.

Leveraging AWS CLI for AWS secrets management

AWS CLI is a command-line utility that empowers engineers to engage with AWS services via command-line instructions.

Furthermore, AWS CLI serves as a valuable tool for overseeing AWS secrets.

An inherent advantage of utilizing AWS CLI is its ability to automatically retrieve AWS credentials, including access and secret keys, from a credentials file established by AWS CLI.

This eliminates the need for manual input of access keys and secret keys when configuring an AWS client.

To generate the credentials file, execute the subsequent command in your terminal:

aws configure
AWS Access Key ID [your-access-key-id]:
AWS Secret Access Key [your-secret-access-key]:
Default region name [us-east-1]:
Default output format [None]:

Upon executing this command, you will be prompted to input your access key, secret key, default region, and output format. Subsequently, the execution will result in the creation of a credentials file on your local machine. This file can be autonomously located and accessed by the AWS SDK when configuring an AWS client.

Manual configuration of AWS secrets

Alternatively, you can opt to create a credentials file manually. By default, this file resides at ~/.aws/credentials. The credentials file must, at the very least, contain entries for the access key and secret access key.

In the example below, the access key and secret key for the account are delineated within the default profile:

[default]
aws_access_key_id = YOUR_ACCESS_KEY
aws_secret_access_key = YOUR_SECRET_KEY

When the aws configure command is employed, the non-sensitive configuration options, such as region and output format, are preserved within a file named “config.” This particular file is stored within the .aws directory located in your home directory.

[default]
region = us-east-1

Establishing multiple named profiles

Developers have the flexibility to generate and configure multiple profiles for the management of distinct sets of AWS credentials.

This can be achieved by employing the aws configure command along with the --profile option.

Alternatively, you can manually insert entries into both the config and credentials files. These files store the configurations and access keys for each individual profile.

To introduce new profiles, you can create separate named profiles within the config and credentials files. Example:

[default]
aws_access_key_id = YOUR_ACCESS_KEY
aws_secret_access_key = YOUR_SECRET_KEY

[beagle-prod-tc]
aws_access_key_id = YOUR_ACCESS_KEY
aws_secret_access_key = YOUR_SECRET_KEY

[beagle-srv]
aws_access_key_id = YOUR_ACCESS_KEY
aws_secret_access_key = YOUR_SECRET_KEY

In this instance, the default profile, denoted as [default], is utilized whenever an AWS CLI command is executed without explicitly specifying a profile. The second profile, identified as [beagle-prod-tc], comes into play when a command is executed with the --profile beagle-prod-tc parameter. It's worth noting that this file can be located at ~/.aws/credentials on Linux and Mac systems.
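To show how the CLI and SDK combine these two files, here is an added example (not code from the original post) that parses constructed credentials and config contents with Python's configparser and reports, per profile, its region and whether it holds a complete long-lived key pair. It also covers the config-file convention that non-default profiles are written as [profile name] while the credentials file uses a bare [name], and it flags a profile whose key pair is incomplete.

```python
import configparser
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample ~/.aws/credentials and ~/.aws/config; key values are placeholders.
CREDENTIALS_FILE = """\
[default]
aws_access_key_id = YOUR_ACCESS_KEY
aws_secret_access_key = YOUR_SECRET_KEY
[beagle-prod-tc]
aws_access_key_id = YOUR_ACCESS_KEY
aws_secret_access_key = YOUR_SECRET_KEY
[beagle-srv]
aws_access_key_id = YOUR_ACCESS_KEY
"""
# AWS convention: config names non-default profiles "[profile <name>]", credentials uses "[<name>]".
CONFIG_FILE = """\
[default]
region = us-east-1
[profile beagle-prod-tc]
region = eu-west-1
"""


@dataclass
class Profile:
    name: str
    region: Optional[str] = None
    has_static_keys: bool = False  # both access key id and secret access key present
    problems: List[str] = field(default_factory=list)


def load_profiles(credentials_text: str, config_text: str) -> Dict[str, Profile]:
    """Merge both files the way the CLI does: keys from credentials, settings from config."""
    creds = configparser.ConfigParser()
    creds.read_string(credentials_text)
    conf = configparser.ConfigParser()
    conf.read_string(config_text)
    profiles: Dict[str, Profile] = {}
    for section in conf.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles.setdefault(name, Profile(name)).region = conf[section].get("region")
    for section in creds.sections():
        p = profiles.setdefault(section, Profile(section))
        has_id = "aws_access_key_id" in creds[section]
        has_secret = "aws_secret_access_key" in creds[section]
        p.has_static_keys = has_id and has_secret
        if has_id != has_secret:
            p.problems.append("incomplete key pair")
    return profiles
```

Running load_profiles on real files under ~/.aws gives a quick inventory of which named profiles still carry long-lived keys and therefore need to be on a rotation schedule.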

Managing AWS CLI configuration parameters

AWS CLI offers a range of commands to oversee the configuration parameters.

You have the option to utilize the aws configure set command for adjusting or defining the configuration parameters, while the aws configure get command is available for fetching the configuration settings.

Here’s a guide on how to make use of these commands:

1. Configuring parameters

To configure specific parameters, employ the aws configure set command. You can specify the target profile for modification via the --profile option. For instance, to define the region for the username profile, execute the following command:

aws configure set region us-east-1 --profile username

To eliminate a configuration setting, you have the option of employing an empty string as the value or manually deleting the setting from the config and credentials files.

2. Fetching configuration parameters

To access the configuration parameters you've defined, utilize the aws configure get command. If you wish to obtain the region setting for the username profile, execute the following command:

aws configure get region --profile username

3. Importing CSV-based credentials

You have the option to import CSV-based credentials obtained from the AWS web console by employing the aws configure import command. The CSV file should include the following headers:

  • Username

  • Access Key ID

  • Secret Access Key

To initiate the import of credentials from the credentials.csv file, execute the subsequent command:

aws configure import --csv file://credentials.csv

Listing profiles

To obtain a list of all your profile names, execute the aws configure list-profiles command.

aws configure list-profiles --region us-east-1

Best practices for secure credential management in AWS

When operating within the AWS ecosystem, it's imperative to adhere to best practices for credential management to safeguard your resources.

Top 5 recommendations for managing AWS SDK credentials effectively

1. Utilize the AWS CLI for key configuration

Avoid embedding AWS access keys and secret keys directly into your code. Instead, employ AWS CLI to configure your keys and store them securely.

2. Restrict access with IAM policies and roles

Harness the power of AWS Identity and Access Management (IAM) policies and roles to restrict access to your secrets, ensuring that only the necessary users and services can access them.

There are plenty of IAM solutions for a wide range of businesses, applications, and use cases. However, to be truly effective, organizations require a well-thought-out identity and access management policy that is consistently monitored and adhered to.

3. Regularly rotate secrets

Implement a regimen of regular access key, password, and secret rotation to mitigate the potential impact of exposure.

4. Leverage Parameter Store for secure secret storage

Parameter Store is a dependable and scalable AWS service that facilitates secure secret storage and management.

5. Advanced management with AWS Secrets Manager

For more sophisticated secret management, consider AWS Secrets Manager, which offers features like automatic rotation and integration with Amazon RDS.

Summing up

In conclusion, effective AWS credential management is pivotal in upholding the security of your AWS resources.

By adopting AWS’s configuration and credential files, you can keep your AWS access and secret keys secure and segregated from your code.

Furthermore, adhering to best practices, including access restriction with IAM policies and roles and regular secret rotation, can bolster your AWS credential management.

Whether you’re new to AWS or an experienced practitioner, always prioritize sound AWS credential management practices to ensure the security of your AWS resources.


Written by Sooraj V Nair, Cyber Security Engineer