AWS Secrets Manager and database authentication security
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;
I'm trying to figure out the security benefit to moving service authenticators to a secrets store.
It's obviously a bad idea to keep database authenticators in code or in app server configs.
AWS Secrets Manager makes it easy to encrypt secrets and have AWS automatically rotate credentials, which is a good thing. Clearly, there's security benefit to rotating the db authenticator. If someone were to somehow steal a db authenticator, Secrets Manager may be rotating it daily or more frequently and if it's old you're out of luck.
However, if your app server gets compromised, would it not have the AWS keys necessary to query Secrets Manager? Ditto for your source code (i.e., some kind of credential that leads to the db u/p is stored somewhere). And of course that app server has an IAM role attached to it that allows this query, as well as network traffic grants to access the database.
How is this really that much different from having the database authenticator stored on the app server? Is it simply that by accessing the Secrets Manager programmatically via your code (via the SDK), someone would have to compromise both your source code AND an app server in order to have the password and the proper path within the VPC (e.g., inbound security group rules, route table, etc.) to get to the data?
I think I'm missing something here!
database amazon-web-services aws-sdk aws-secrets-manager
asked Nov 13 '18 at 21:36
thakthak
62
add a comment |
I'm trying to figure out the security benefit to moving service authenticators to a secrets store.
It's obviously a bad idea to keep database authenticators in code or in app server configs.
AWS Secrets Manager makes it easy to encrypt secrets and have AWS automatically rotate credentials, which is a good thing. Clearly, there's security benefit to rotating the db authenticator. If someone were to somehow steal a db authenticator, Secrets Manager may be rotating it daily or more frequently and if it's old you're out of luck.
However, if your app server gets compromised, would it not have the AWS keys necessary to query Secrets Manager? Ditto for your source code (i.e., some kind of credential that leads to the db u/p is stored somewhere). And of course that app server has an IAM role attached to it that allows this query, as well as network traffic grants to access the database.
How is this really that much different from having the database authenticator stored on the app server? Is it simply that by accessing the Secrets Manager programmatically via your code (via the SDK), someone would have to compromise both your source code AND an app server in order to have the password and the proper path within the VPC (e.g., inbound security group rules, route table, etc.) to get to the data?
I think I'm missing something here!
database amazon-web-services aws-sdk aws-secrets-manager
asked Nov 13 '18 at 21:36
thakthak
62
add a comment |
I'm trying to figure out the security benefit to moving service authenticators to a secrets store.
It's obviously a bad idea to keep database authenticators in code or in app server configs.
AWS Secrets Manager makes it easy to encrypt secrets and have AWS automatically rotate credentials, which is a good thing. Clearly, there's security benefit to rotating the db authenticator. If someone were to somehow steal a db authenticator, Secrets Manager may be rotating it daily or more frequently and if it's old you're out of luck.
However, if your app server gets compromised, would it not have the AWS keys necessary to query Secrets Manager? Ditto for your source code (i.e., some kind of credential that leads to the db u/p is stored somewhere). And of course that app server has an IAM role attached to it that allows this query, as well as network traffic grants to access the database.
How is this really that much different from having the database authenticator stored on the app server? Is it simply that by accessing the Secrets Manager programmatically via your code (via the SDK), someone would have to compromise both your source code AND an app server in order to have the password and the proper path within the VPC (e.g., inbound security group rules, route table, etc.) to get to the data?
I think I'm missing something here!
database amazon-web-services aws-sdk aws-secrets-manager
asked Nov 13 '18 at 21:36
thakthak
62
I'm trying to figure out the security benefit to moving service authenticators to a secrets store.
It's obviously a bad idea to keep database authenticators in code or in app server configs.
AWS Secrets Manager makes it easy to encrypt secrets and have AWS automatically rotate credentials, which is a good thing. Clearly, there's security benefit to rotating the db authenticator. If someone were to somehow steal a db authenticator, Secrets Manager may be rotating it daily or more frequently and if it's old you're out of luck.
However, if your app server gets compromised, would it not have the AWS keys necessary to query Secrets Manager? Ditto for your source code (i.e., some kind of credential that leads to the db u/p is stored somewhere). And of course that app server has an IAM role attached to it that allows this query, as well as network traffic grants to access the database.
How is this really that much different from having the database authenticator stored on the app server? Is it simply that by accessing the Secrets Manager programmatically via your code (via the SDK), someone would have to compromise both your source code AND an app server in order to have the password and the proper path within the VPC (e.g., inbound security group rules, route table, etc.) to get to the data?
I think I'm missing something here!
database amazon-web-services aws-sdk aws-secrets-manager
database amazon-web-services aws-sdk aws-secrets-manager
asked Nov 13 '18 at 21:36
thakthak
62
asked Nov 13 '18 at 21:36
thakthak
62
edited Nov 13 '18 at 21:42
thak
asked Nov 13 '18 at 21:36
thakthak
62
asked Nov 13 '18 at 21:36
thakthak
62
asked Nov 13 '18 at 21:36
thakthak
62
62
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
The short answer is that Secrets Manager allows you to not have to store passwords in your source code or in configuration files that have to be distributed to your servers. However, as you point out, if your hosts are compromised all bets are off and nothing will prevent the attacker from reading your secrets from memory.
As to the AWS credentials, if this is an EC2 instance, you would also want use roles for EC2 so that AWS automatically rotates and delivers your credentials to the host.
answered Nov 16 '18 at 1:25
JoeBJoeB
1644
add a comment |
Your Answer
StackExchange.ifUsing("editor", function ()
StackExchange.using("externalEditor", function ()
StackExchange.using("snippets", function ()
StackExchange.snippets.init();
);
);
, "code-snippets");
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "1"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53289866%2faws-secrets-manager-and-database-authentication-security%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
The short answer is that Secrets Manager allows you to not have to store passwords in your source code or in configuration files that have to be distributed to your servers. However, as you point out, if your hosts are compromised all bets are off and nothing will prevent the attacker from reading your secrets from memory.
As to the AWS credentials, if this is an EC2 instance, you would also want use roles for EC2 so that AWS automatically rotates and delivers your credentials to the host.
answered Nov 16 '18 at 1:25
JoeBJoeB
1644
add a comment |
The short answer is that Secrets Manager allows you to not have to store passwords in your source code or in configuration files that have to be distributed to your servers. However, as you point out, if your hosts are compromised all bets are off and nothing will prevent the attacker from reading your secrets from memory.
As to the AWS credentials, if this is an EC2 instance, you would also want use roles for EC2 so that AWS automatically rotates and delivers your credentials to the host.
answered Nov 16 '18 at 1:25
JoeBJoeB
1644
add a comment |
The short answer is that Secrets Manager allows you to not have to store passwords in your source code or in configuration files that have to be distributed to your servers. However, as you point out, if your hosts are compromised all bets are off and nothing will prevent the attacker from reading your secrets from memory.
As to the AWS credentials, if this is an EC2 instance, you would also want use roles for EC2 so that AWS automatically rotates and delivers your credentials to the host.
answered Nov 16 '18 at 1:25
JoeBJoeB
1644
The short answer is that Secrets Manager allows you to not have to store passwords in your source code or in configuration files that have to be distributed to your servers. However, as you point out, if your hosts are compromised all bets are off and nothing will prevent the attacker from reading your secrets from memory.
As to the AWS credentials, if this is an EC2 instance, you would also want use roles for EC2 so that AWS automatically rotates and delivers your credentials to the host.
answered Nov 16 '18 at 1:25
JoeBJoeB
1644
answered Nov 16 '18 at 1:25
JoeBJoeB
1644
answered Nov 16 '18 at 1:25
JoeBJoeB
1644
answered Nov 16 '18 at 1:25
JoeBJoeB
1644
1644
add a comment |
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53289866%2faws-secrets-manager-and-database-authentication-security%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
