How to Share a Secret (Key) on AWS
In April 2018, Amazon Web Services announced the launch of AWS Secrets Manager. Secrets Manager is an application you can use with your AWS cloud accounts to store and retrieve secrets and credentials – all through the API or the AWS Command Line Interface (CLI). No more risk from trying to rotate your encryption keys by hand, or hand-coding processes to control those rotations automatically.
Before AWS Secrets Manager, if you lost control of your authentication service, your alternatives were pretty slim. Maybe you had the password written in an envelope, stored in the locked desk drawer of a trusted agent, or you had a vulnerable backdoor ready to cycle your keys to a preset. But keeping secrets in a trusted hand is something people have been thinking about for decades.
AWS Secrets Manager takes on the monumental task of the secure distribution of something that's supposedly "secret." There are plenty of secrets that need sharing — and different ways to go about doing it securely.
It's Crucial to Manage Your Secrets
If you're an AWS Security admin, you know the challenge that comes with managing different credentials and secrets. Most of the time, handling security for accounts comes down to requesting and rotating credentials for both the service and the Amazon databases storing the information.
There's no 100 percent reliable way to extract the credentials for the account and transfer them while maintaining security. Add to the mix trying to maintain proper security practices like rotating keys and passwords on a regular basis, and you have a hair-tearing nightmare.
Users and managers tend to resent security measures. Let's face it. They're a pain. Meanwhile, your security professionals are always anxious about vulnerabilities. To them, the possible solutions are risky. When you ask for credentials from database administrators, or embed them in environmental variables, or get them into the application itself, you're exposing your company to risk.
Secrets Manager is Pretty Darn Effective
Amazon's entry into the secret-sharing industry is fully managed by the giant, tying the security of stored secrets and credentials directly to the Identity and Access Management (IAM) access on your AWS account. You are also able to integrate Secrets Manager with AWS Key Management System (KMS). This helps further encrypt all of your stored data in the cloud.
Secrets Manager also comes with a secret rotation feature, allowing you to automatically rotate API keys and passwords. Rotation is configured on the secret and wired to a Lambda function that performs the actual rotation.
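The practical consequence of automatic rotation is that an application can no longer hold a credential for its whole lifetime; it has to fetch the secret from Secrets Manager and refresh it. The following is an added example, not code from the original post or from AWS: a small cache around the real boto3 call get_secret_value (the only Secrets Manager API it uses), with a constructed FakeSecretsManager and FakeClock standing in for the AWS client and the wall clock so it runs offline. The secret id "prod/db" and the credential values are constructed.

```python
import json
import time


class SecretCache:
    """Fetch secrets through a Secrets Manager client (boto3's
    client('secretsmanager') in production) and cache them briefly, so a
    value rotated by the Lambda function is picked up at the next refresh
    without redeploying or restarting the application."""

    def __init__(self, client, ttl_seconds=300, clock=time.monotonic):
        self.client = client      # anything exposing get_secret_value(SecretId=...)
        self.ttl = ttl_seconds
        self.clock = clock        # injectable so tests can advance time
        self._cache = {}          # secret_id -> (fetched_at, value)

    def get(self, secret_id):
        now = self.clock()
        hit = self._cache.get(secret_id)
        if hit is not None and now - hit[0] < self.ttl:
            return hit[1]
        # get_secret_value is the real boto3 call; the response carries
        # SecretString for text secrets and SecretBinary (bytes) otherwise.
        resp = self.client.get_secret_value(SecretId=secret_id)
        if "SecretString" in resp:
            raw = resp["SecretString"]
            try:
                value = json.loads(raw)   # credentials are usually a JSON document
            except json.JSONDecodeError:
                value = raw               # plain string secret, e.g. an API key
        else:
            value = resp["SecretBinary"]
        self._cache[secret_id] = (now, value)
        return value

    def invalidate(self, secret_id):
        """Drop a cached entry, e.g. after the database rejected the cached
        password mid-rotation, so the next get() fetches the new version."""
        self._cache.pop(secret_id, None)


# --- constructed stand-ins for the AWS client and the clock (offline demo) ---
class FakeSecretsManager:
    def __init__(self, store):
        self.store = store        # secret_id -> SecretString
        self.calls = 0            # counts API calls, to show the cache working

    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"Name": SecretId, "SecretString": self.store[SecretId]}


class FakeClock:
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def demo():
    """Rotate the constructed secret behind the cache and show the new value
    appearing once the TTL expires; returns (first, second, api_calls)."""
    store = {"prod/db": json.dumps({"username": "app", "password": "old-pw"})}
    client, clock = FakeSecretsManager(store), FakeClock()
    cache = SecretCache(client, ttl_seconds=300, clock=clock)
    first = cache.get("prod/db")["password"]
    cache.get("prod/db")                         # served from cache, no API call
    store["prod/db"] = json.dumps({"username": "app", "password": "new-pw"})  # rotation
    clock.t += 301                               # TTL expires
    second = cache.get("prod/db")["password"]
    return first, second, client.calls


if __name__ == "__main__":
    print(demo())   # ('old-pw', 'new-pw', 2)
```

In production the TTL should be shorter than the rotation window, and the caller should call invalidate() when a connection is refused, so that a credential that was rotated early is replaced immediately rather than after the TTL.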
Whether you should take on Secrets Manager comes down to price. It'll cost you $0.40 per secret per month and $0.05 per 10,000 API calls. Since AWS offers more cost-effective (and even free) ways to keep your sensitive data secure, how seriously your organization takes security will decide whether paying for the premium option is necessary.
Don't want to share secrets? You have options.
If AWS Secrets Manager isn't exactly what you need from your AWS credentials or secret management, there's always the tried-and-true distributing of Access Keys. For obvious reasons, being willy-nilly with your admin-level Access Keys is really frowned upon, so there are all sorts of resources to explain how you can distribute keys that won't leave all your accounts completely vulnerable.
Amazon has suggestions for best practices when it comes to managing access keys. You can read their General Reference Document for AWS for the full list, but it boils down to this: grant only the access you must. They point out that access keys should be kept safe and only created when they're absolutely necessary. Temporary Security Credentials (IAM roles) can help keep things safe as well, by giving people the access they need for a limited time rather than long-term access.
Speaking of IAM roles, those can be helpful in a few different ways to help keep secrets secret. Mobile apps, cross-account accesses, or scripts running on an Amazon EC2 instance can all be made more secure with IAM roles.
But like anything else that gives access, IAM roles come with their own vulnerabilities (another reason to seriously consider AWS Secrets Manager). You shouldn't embed the access keys you generate into the code, you should use different access keys for different applications, and you should rotate them. Their guidelines for dealing with IAM user access keys can point you in the right direction.
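The "rotate them" advice is only enforceable if you know how old every long-term key is. The following is an added example, not code from the original post or from AWS: an audit that walks the real boto3 IAM calls list_users (paginated with IsTruncated/Marker) and list_access_keys, and reports active keys older than a chosen age plus inactive keys that were never deleted. The FakeIAM client, the user names, the key IDs (AKIAEXAMPLE... placeholders) and the reference time are all constructed so the audit runs offline; in production you would pass boto3.client("iam") instead.

```python
from datetime import datetime, timedelta, timezone


def list_all_users(iam):
    """Walk IAM's paginated list_users response (real boto3 response shape)."""
    users, marker = [], None
    while True:
        page = iam.list_users(Marker=marker) if marker else iam.list_users()
        users.extend(page["Users"])
        if not page.get("IsTruncated"):
            return users
        marker = page["Marker"]


def audit_access_keys(iam, max_age_days=90, now=None):
    """Return (user, key_id, reason) for every long-term access key that
    should be rotated or removed."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for user in list_all_users(iam):
        name = user["UserName"]
        for key in iam.list_access_keys(UserName=name)["AccessKeyMetadata"]:
            age = (now - key["CreateDate"]).days
            if key["Status"] == "Inactive":
                findings.append((name, key["AccessKeyId"],
                                 "inactive key still exists, delete it"))
            elif age > max_age_days:
                findings.append((name, key["AccessKeyId"],
                                 f"active key is {age} days old, rotate it"))
    return findings


# --- constructed fake IAM client so the audit runs offline ---
class FakeIAM:
    def __init__(self, keys_by_user, page_size=2):
        self.keys_by_user = keys_by_user
        self.page_size = page_size

    def list_users(self, Marker=None):
        # Mimics IAM pagination: Marker is an opaque cursor, here a string offset.
        names = sorted(self.keys_by_user)
        start = int(Marker) if Marker else 0
        chunk = names[start:start + self.page_size]
        page = {"Users": [{"UserName": n} for n in chunk]}
        if start + self.page_size < len(names):
            page["IsTruncated"] = True
            page["Marker"] = str(start + self.page_size)
        return page

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": self.keys_by_user[UserName]}


NOW = datetime(2018, 6, 1, tzinfo=timezone.utc)   # constructed reference time


def sample_iam():
    """Three constructed users; the key IDs are placeholders, not real keys."""
    def key(kid, status, days_old):
        return {"AccessKeyId": kid, "Status": status,
                "CreateDate": NOW - timedelta(days=days_old)}
    return FakeIAM({
        "alice":  [key("AKIAEXAMPLE0000ALICE", "Active", 30)],
        "bob":    [key("AKIAEXAMPLE000000BOB", "Active", 200)],
        "deploy": [key("AKIAEXAMPLE000DEPLOY", "Inactive", 400)],
    })


if __name__ == "__main__":
    for finding in audit_access_keys(sample_iam(), now=NOW):
        print(*finding)
```

Run against a real account, the same report is a natural input for a scheduled job that disables keys past the age limit; the audit only reads, so it can run under a read-only IAM policy.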
Researchers Have Been Sharing Secrets for a While
Back in 1979, an MIT researcher by the name of Adi Shamir wrote an essay cited by computer scientists, cryptanalysts, and security bloggers. Writing for a mathematics text published by MIT, he wrote:
Eleven scientists are working on a secret project. They wish to lock up the documents in a cabinet so that the cabinet can be opened if and only if six or more of the scientists are present. What is the smallest number of locks needed? What is the smallest number of keys to the locks each scientist must carry?
…A minimal solution uses 462 locks and 252 keys per scientist. These numbers are impractical, and become worse when the number of scientists increases.
This sort of problem is still central to cryptanalysis. How can we protect something, yet still make it possible for people to access it, without exposing ourselves to unnecessary risk? Shamir wanted to know two things. First, is it possible to protect a safe with unique keys that only unlock when a certain number of people are present? Second, is it possible to distribute those keys in a way that doesn't endanger the security of every other key if one of them is "exposed" or "stolen"?
The short answer is yes. You can find worked solutions at blogs like ThreatStack, which show how to write a program that generates a random string, splits it into however many key shares you need, and then, when enough of those shares are presented as credentials, combines them back into the original whole.
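Shamir's own answer to the cabinet puzzle is the scheme now called Shamir secret sharing: the secret is the constant term of a random polynomial over a prime field, each party gets one point on the curve, and any threshold-many points recover the constant by Lagrange interpolation, while fewer points are consistent with every possible secret. The following is an added example, not code from the original post or from ThreatStack; it implements that scheme and runs the 6-of-11 case from the quote. The choice of the Mersenne prime 2**521 - 1 (so a key of up to 64 bytes fits), the seeded rng used only for the demo, and the 32-byte sample key are assumptions of this example.

```python
import random
import secrets

# Mersenne prime 2**521 - 1. All arithmetic is modulo PRIME, so a secret of
# up to 64 bytes fits, and a single share reveals nothing about it.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Horner's rule; coeffs[0] is the constant term, i.e. the secret."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, threshold, shares, rng=None):
    """Split integer `secret` into `shares` points on a random polynomial of
    degree threshold-1; any `threshold` points recover it, fewer reveal nothing."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an integer in [0, PRIME)")
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    rng = rng or secrets.SystemRandom()      # OS entropy outside the demo
    coeffs = [secret] + [rng.randrange(1, PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the prime field."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # den is invertible because the prime field has no zero divisors
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def split_key(key, threshold, shares, rng=None):
    """Convenience wrapper for a byte-string key such as a 32-byte AES key."""
    return split_secret(int.from_bytes(key, "big"), threshold, shares, rng)


def recover_key(shares, length):
    return recover_secret(shares).to_bytes(length, "big")


def demo():
    """Shamir's example: 11 scientists, the cabinet opens with any 6 present.
    Returns (six shares recover the key, five shares recover the key)."""
    key = bytes(range(32))                    # constructed 32-byte key
    secret_int = int.from_bytes(key, "big")
    shares = split_key(key, threshold=6, shares=11, rng=random.Random(2018))
    six = [shares[i] for i in (0, 2, 4, 6, 8, 10)]   # any six of the eleven
    five = six[:5]
    return recover_key(six, 32) == key, recover_secret(five) == secret_int


if __name__ == "__main__":
    print(demo())   # (True, False)
```

This is exactly the trade Shamir describes: instead of 462 locks and 252 keys per scientist, each scientist carries one share, and losing or exposing a single share compromises nothing on its own. The catch for a real deployment is that recombination has to happen somewhere, and that process holds the full secret while it runs, which is the part a managed service such as Secrets Manager takes off your hands.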
Better at Keeping Secrets Than Your Eighth-Grade Sister
Whichever solution you choose for your credentials, tokens, passwords, and logins, know that options exist. When it comes to the AWS interface and interacting with different user accounts and services, your best bet could very well be AWS Secrets Manager — if your company can go for the cost.