Product & Solutions
Resources
FREE TOOLS
Website Security Assessment SSL Certificate Checker Domain Expiry Checker HELP AND SUPPORT
Help Center Developer HubCompany
Efficiently managing AWS secrets is of paramount importance for the protection of sensitive data and the prevention of unauthorized access to critical systems and applications.
In today’s ever-evolving threat landscape, organizations are compelled to ensure the proper management and security of their secrets.
The AWS SDK, also known as the AWS Software Development Kit, constitutes a comprehensive set of software development tools and libraries.
It is meticulously designed to simplify the utilization of AWS services in applications, providing a user-friendly interface for seamless access to resources such as EC2, S3, and DynamoDB on AWS.
Nevertheless, when employing the AWS SDK to interact with AWS services, it is imperative to ensure that the secrets employed for authentication and authorization are managed with the utmost care.
In this blog post, we will delve into some best practices for the secure management of AWS secrets when utilizing the AWS SDK in Python.
Before embarking on the secure management of your AWS secrets with the AWS SDK for Python, make certain of the following prerequisites:
A foundational understanding and proficiency in Python, along with the capability to install packages using pip.
An AWS account equipped with the requisite permissions to access AWS services.
An IAM user or role endowed with the necessary access privileges.
Ensure that Boto3, the AWS SDK for Python, is installed on your system via pip.
The Pitfall of Long-Lived Access and Secret Keys in Code When working with the AWS SDK in Python, embedding long-lived access keys and secret keys directly into your code is not advisable.
These credentials serve as the means for authentication to AWS resources and present a security concern as they lack automatic rotation.
Here are some potential risks associated with hard-coding long-lived access keys and secret keys into your code:
Sharing code elevates the risk of inadvertent exposure of sensitive information to individuals with access, be it through unintentional public sharing or accidental commits to public repositories.
Rotating access keys and secret keys can be a complex process, potentially leading to version control complications and necessitating updates across all instances of these keys within a codebase.
In the subsequent section, we will explore the resolution to this issue through the utilization of temporary keys.
This enhances security when working with the AWS SDK in Python, the adoption of temporary access keys is the preferred approach.
Temporary keys are short-lived credentials that facilitate secure access to AWS resources.
This reduces the risk of unauthorized access and simplifies the management of resource access.
This streamlines the process of providing end-users with access to AWS resources without the necessity of defining an AWS identity for each user.
AWS CLI is a command-line utility that empowers engineers to engage with AWS services via command-line instructions.
Furthermore, AWS CLI serves as a valuable tool for overseeing AWS secrets.
An inherent advantage of utilizing AWS CLI is its ability to automatically retrieve AWS credentials, including access and secret keys, from a credentials file established by AWS CLI.
This eliminates the need for manual input of access keys and secret keys when configuring an AWS client.
To generate the credentials file, execute the subsequent command in your terminal:
aws configure
AWS Access Key ID [your-access-key-id]:
AWS Secret Access Key [your-secret-access-key]:
Default region name [us-east-1]:
Default output format [None]:
Upon executing this command, you will be prompted to input your access key, secret key, default region, and output format. Subsequently, the execution will result in the creation of a credentials file on your local machine. This file can be autonomously located and accessed by the AWS SDK when configuring an AWS client.
Alternatively, you can opt to create a credentials file manually. By default, this file resides at ~/.aws/credentials. The credentials file must, at the very least, contain entries for the access key and secret access key.
In the example below, the access key and secret key for the account are delineated within the default profile:
[default]
aws_access_key_id = YOUR_ACCESS_KEY
aws_secret_access_key = YOUR_SECRET_KEY
When the aws configure command is employed, the non-sensitive configuration options, such as region and output format, are preserved within a file named “config.” This particular file is stored within the .aws directory located in your home directory.
[default]
region = us-east-1
Developers have the flexibility to generate and configure multiple profiles for the management of distinct sets of AWS credentials.
This can be achieved by employing the aws configure command along with the –profile option.
Alternatively, you can manually insert entries into both the config and credentials files. These files store the configurations and access keys for each individual profile.
To introduce new profiles, you can create separate named profiles within the config and credentials files. Example
[default]
aws_access_key_id = YOUR_ACCESS_KEY
aws_secret_access_key = YOUR_SECRET_KEY
[beagle-prod-tc]
aws_access_key_id = YOUR_ACCESS_KEY
aws_secret_access_key = YOUR_SECRET_KEY
[beagle-srv]
aws_access_key_id = YOUR_ACCESS_KEY
aws_secret_access_key = YOUR_SECRET_KEY
In this instance, the default profile, denoted as [default], is utilized whenever an AWS CLI command is executed without explicitly specifying a profile. The second profile, identified as [user1], comes into play when a command is executed with the –profile user1 parameter. It’s worth noting that this file can be located at ~/.aws/credentials on Linux and Mac systems.
AWS CLI offers a range of commands to oversee the configuration parameters.
You have the option to utilize the aws configure set command for adjusting or defining the configuration parameters, while the aws configure get command is available for fetching the configuration settings.
Here’s a guide on how to make use of these commands:
To configure specific parameters, employ the AWS configure set command. You can specify the target profile for modification via the –profile option. For instance, to define the region for the USER profile, execute the subsequent command:
aws configure set region us-east-1 --profile username
To eliminate a configuration setting, you have the option of employing an empty string as the value or manually deleting the setting from the config and credentials files.
To access the configuration parameters you’ve defined, utilize the aws configure get command. If you wish to obtain the region setting for the USER profile, execute the following command:
aws configure get region --profile username
You have the option to import CSV-based credentials obtained from the AWS web console by employing the AWS configure import command. The CSV file should include the following headers:
Username
Access Key ID
Secret Access Key
To initiate the import of credentials from the credentials.csv file, execute the subsequent command:
aws configure import --csv file://credentials.csv
To obtain a list of all your profile names, execute the aws configure list-profiles command.
aws configure list-profiles --region us-east-1
Best Practices for Secure Credential Management in AWS When operating within the AWS ecosystem, it’s imperative to adhere to best practices for credential management to safeguard your resources.
Avoid embedding AWS access keys and secret keys directly into your code. Instead, employ AWS CLI to configure your keys and store them securely.
Harness the power of AWS Identity and Access Management (IAM) policies and roles to restrict access to your secrets, ensuring that only the necessary users and services can access them.
There are plenty of IAM solutions for a wide range of businesses, applications, and use cases. However, to be truly effective, organizations require a well-thought-out identity and access management policy, that is consistently monitored and adhered to.
Implement a regimen of regular access key, password, and secret rotation to mitigate the potential impact of exposure.
Parameter Store is a dependable and scalable AWS service that facilitates secure secret storage and management.
For more sophisticated secret management, consider AWS Secrets Manager, which offers features like automatic rotation and integration with Amazon RDS.
In Conclusion, effective AWS credential management is pivotal in upholding the security of your AWS resources.
By adopting AWS’s configuration and credential files, you can keep your AWS access and secret keys secure and segregated from your code.
Furthermore, adhering to best practices, including access restriction with IAM policies and roles and regular secret rotation, can bolster your AWS credential management.
Whether you’re new to AWS or an experienced practitioner, always prioritize sound AWS credential management practices to ensure the security of your AWS resources.
