WKLD.03 – Use ephemeral secrets or a secrets-management service - AWS Prescriptive Guidance

WKLD.03 – Use ephemeral secrets or a secrets-management service

Application secrets consist largely of credentials, such as key pairs, access tokens, digital certificates, and sign-in credentials. The application uses these secrets to gain access to other services it depends upon, such as a database. To help protect these secrets, we recommend they are either ephemeral (generated at the time of request and short-lived, such as with IAM roles) or retrieved from a secrets-management service. This prevents accidental exposure through less secure mechanisms, such as persisting in static configuration files. This also makes it easier to promote application code from development to production environments.

For a secrets-management service, we recommend using a combination of Parameter Store, a capability of AWS Systems Manager, and AWS Secrets Manager:

  • Use Parameter Store to manage secrets and other parameters that are individual key-value pairs, string-based, short in overall length, and accessed frequently. You use an AWS Key Management Service (AWS KMS) key to encrypt the secret. There is no charge to store parameters in the standard tier of Parameter Store. For more information about parameter tiers, see Managing parameter tiers (Systems Manager documentation).

  • Use Secrets Manager to store secrets that are in document form (such as multiple, related key-value pairs), are larger than 4 KB (such as digital certificates), or would benefit from automated rotation.

You can use Parameter Store APIs to retrieve secrets stored in Secrets Manager. This allows you to standardize the code in your application when using a combination of both services.

To manage secrets in Parameter Store
  1. Create a symmetric AWS KMS key (AWS KMS documentation).

  2. Create a SecureString parameter (Systems Manager documentation). Secrets in Parameter Store use the SecureString data type.

  3. In your application, retrieve a parameter from Parameter Store by using the AWS SDK for your programming language. For an example in Java, see GetParameter.java (AWS Code Sample Catalog).

To manage secrets in Secrets Manager
  1. Create a secret (Secrets Manager documentation).

  2. Retrieve secrets from AWS Secrets Manager in code (Secrets Manager documentation).

    It is important to read Use AWS Secrets Manager client-side caching libraries to improve the availability and latency of using your secrets (AWS blog post). Using client-side SDKs, which already have best practices implemented, should accelerate and simplify the use and integration of Secrets Manager.