I need to develop a solution to store both symmetric and asymmetric keys securely in AWS. These keys will be used by applications that are running on EC2s and Lambdas. The applications will need to be set up with policies that will allow the application or lambda to pull the keys out of the key store. The key store should also manage the key expiry, notifying various people when keys are going to expire. The initial key exchange is between my company and its partners meaning that we may have either a public or private key for a key pair depending upon the data transfer direction.
We have looked at KMS but from what I have seen KMS does not support asymmetric keys. I have also seen online that some people are using either S3 (protected by KMS) or parameter store to store the keys but this does not address the issue of key management.
Do you guys have any thoughts on this? or even SaaS/PaaS suggestions?
My recommendation would be to use AWS Secrets Manager for this. Secrets Manager allows you to store any type of credential/key, you can set up fine-grained cross account permissions to secrets, encryption at rest is used (via KMS), and secrets can be automatically rotated (by providing an expiration time and an AWS Lambda function owned by you to perform the rotation).
More details on the official docs:
Basic tutorial on how to use AWS Secrets Manager
Encryption at rest on Secrets Manager
Secrets rotation
Managing secrets policies
Related
I'm implementing a service that requires me to call my customers' API using their API keys. My customers will provide me with their API keys in their accounts.
When I'm calling my customers' API, I have to retrieve their API key before making the call. Since these are my customers' API keys and I want them to be kept safely, I'm considering keeping all of them in AWS Secrets Manager. I have roughly about 5,000 users (still growing) and I plan to store all their keys into a single secret in Secrets Manager. My application makes about a few millions calls to my customers API a month and it needs to retrieve the keys at high frequency and concurrency.
However, I'm not sure if this is the kind of use case for Secrets Manager because their docs sound to me like it was meant for just keeping secret information for the application and not for customers like a database. At the same time, storing encrypted keys in the database and having to decrypt them with a KMS key sounds like I may end up with roughly the same cost.
Is Secrets Manager meant for such a use case to store customers' sensitive information such as API keys? If not, what should I consider in my case?
50k api keys in a single secret is goinfg to be very unwieldy. Assuming a 40 byte token, you're looking at 2mb of data - SSM has a max data length for a value of 4096 bytes unless I'm mistaken.
To me it would make more sense to generate a key with KMS and use that key to encrypt customer API keys before writing them to a DynamoDB table (or even RDS if you so desire) When you need to use a customer API key, fetch it from dynamoDB, decrypt it with the KMS key, and then make use of it.
If you want automatic key rotation, SSM could be used to encrypt the key you use to encrypt the client API tokens. Your token decryption key would remain usable while the wrapping SSM entry would be reencrypted with a key rotation set by policy.
Finally, as Software Engineer suggested above, there is Vault.
Question # 0: AWS console displays AWS managed keys and Customer Managed Keys; it doesn't display AWS owned CMKs as an item in the list. As per documentation, customers cannot view or manage AWS-owned CMKs. However, under AWS managed keys, I see keys that were not created by me either implicitly or explicitly. Particularly I see this key with the alias aws/dynamodb. When I created DynamoDB tables, I used default settings which means, it will use AWS-owned CMKs for encryption at rest. Does this mean, "aws/dynamodb" is an AWS-owned CMK? It is a bit ambiguous. Is there a field in aws kms describe-key that displays the type?
The default option in us-east-1 is AWS owned CMK
Question # 1: Other than rotation policy, ownership, and the cost, is there a fundamental difference in the way AWS-owned CMKs encrypt/decrypt data when compared to AWS-managed CMKs?
Question # 2: As per the documentation, AWS-owned CMK usage is not limited to one particular account, this means there is a possibility that AWS uses the same CMK across multiple different accounts Is this understanding correct?
Question # 3: What services besides DynamoDB use AWS-owned CMKs for encryption at rest? In the picture, I see some more keys, and those are corresponding services that I tried.
Appreciate any help. Thanks in advance.
Does this mean, "aws/dynamodb" is an AWS-owned CMK?
No. AWS-owned CMKs don't show in your KMS console. The aws/dynamodb is AWS-managed CMK which is not free. It is the second option in DynamoDB table creation:
Q1. From the cryptographic point of view there is not difference, at least I'm not aware of any. But practical difference is that you can't use AWS-owned CMKs on your own. You can't use it to decrypt/encrypt your own data using AWS CLI or SDK, as the CMK is only used by AWS. The other difference is that it can be easier to move encrypted data between accounts, as AWS will use same AWS owned key on both accounts, rather then you managing different keys on different accounts.
Q2. Yes, that's correct. AWS can re-use the same key for multiple customers.
Q3. I think S3 is the most common service using AWS-owned key SSE-S3.
I'm working on a Slack app which will have to store access token per each customer using the app (ex. 1000 teams using it = 1000 tokens). Token enables the app to access Slack API for customers workspace and will be used frequently every day.
App will be running on AWS, using Lambda's and DynamoDB.
What would be the best practice to store those access tokens securly?
I cannot find any strict recomendation for this scenario. Was thinking initially to put those in DynamoDB in a dedicated table but thinking now if I should use other AWS services for that use case. I've checked Secrets Manager but looks like a rather expensive option and not sure if it applies to my scenario.
Appreciate any suggestions.
I would probably use a dedicated DynamoDB table for this purpose. At a minimum, I would configure it to use a KMS CMK to encrypt the data at-rest, and also restrict access to the table through fairly granular IAM permissions in your AWS account. If you also wanted to encrypt each value separately you could look into client-side encryption.
Your findings on the Secrets Manager costs are a good point. You could also look at Systems Manager Parameter Store as an alternative that is generally cheaper than Secrets Manager. Secrets Manager does have the added security of being able to set an IAM resource policy on the secret itself.
Ultimately it's up to you to determine how secure your solution needs to be, and how much you are willing to pay for that. You could even spin up an AWS HSM to encrypt the values, but that would increase the cost by quite a bit.
I want to create multiple API keys and distribute among the customers, Once I create an API key and attach it to usage plan I want to save it to secrets manager, Can secret manager apply the rotation policy to the API keys in API gateway or we need to develop our own mechanism for it?
I see it can apply rotation policy to AWS database credentials but didn't see the same for AWS API keys.
There is not a solution like RDS where you simply enter credentials and it does it for you, however, there is a native solution supported by Secrets Manager that I believe will service your purpose.
Secrets Manager has support for a Lambda Rotation, whereby it will invoke a Lambda of your choosing with that Lambda performing its required tasks then returning the new key back to be stored in Secrets Manager.
So your solution would look similar to this
Secrets Manager -> Invoke Lambda -> Create new key and retire old key(s) -> Return new key to secrets manager
I need to know what are the best practices for, where and how to keep the db creds and like thirdparty api's key/tokens on server.
From security point of view.
I think you would like to store your credential like API-Keys, Certificate, Passwords or anything related to sensitive information ensuring more security right?
Well, As you may know cloud applications and services use cryptographic keys and secrets to help keep information secure.
For highly sensitive data, you should consider additional layers of protection for data. Encrypting data using a separate protection key prior to storage in Key Vault is worthwhile for example.
Azure Key Vault:
Azure Key Vault provides safeguards for following keys and secrets.for example, When you use Key Vault, you can encrypt authentication keys, storage account keys, data encryption keys, .pfx files, and passwords by using keys that are protected by hardware security modules (HSMs).
Key Vault reduce following problems:
Secret management
Key management
Certificate management
Store secrets backed by HSMs
Any Third party sensitive credentials
You could check for more details here
Access Your Key Vaults More securely
You may need to access your key vault more securely because of its data sensitivity learn more about Secure access to a key vault
How secret and Certificate collaborate with azure key vault
Also for key vault secret and certificate you can check here
Azure key vault quick start
Setting up and retrieve a secret from Azure Key Vault using the Azure portal you can quickly start from Microsoft official document for azure key vault
Note: Now a days azure key-vaults become more popular among the big organizations and towards the developer as well to manage large scale
of security key , certification and many more. For more details I
would recommend to take a look official document here
If you have any more query feel free to share. Thanks and happy coding!
Storing secrets on the server is not best practice. If you are using AWS you can use Secrets Manager to securely manage your secrets.