AWS Secrets Manager – Store, Distribute, and Rotate Credentials Securely

My biggest criticism of Parameter Store is actually that it's free. Let me explain:

Because it's free they limit the requests per seconds you can make to the Parameter Store. That's especially noticeable when doing requests for all parameters of a given path, as the limit is way lower there than for requesting (a bunch of) individual parameters. In the past that caused serious problems for us when using Parameter Store for AWS Lambda functions during a deploy of new versions of functions, as suddenly there was a spike in the number of requests to Parameter Store as all AWS Lambda containers got replaced.

They of course set such limits because it's free, so I'd gladly pay for getting increased limits.

> The only value-add is secret rotation and that's not something that most of the time makes sense to use.

From a security perspective, you should be rotating secrets somewhere between annually and every 90 days, depending on your business/security/compliance requirements and the nature of the data secured by the secret.

The pricing is a bit surprising, but I am sure that if you tried to build the full solution you would end up needing a few more pieces than just the rotation lambda and cron.

Would have been nice if there was a 5 secret free tier though. I feel like the sticker shock will dissuade small users when everybody really should be doing secret rotation.

After Amazon EC2 Systems Manager Parameter Store got some much needed love last year (adding KMS encryption and versioning), I wrote a small utility for populating environment variables using a specific Parameter Store prefix: https://github.com/nlindblad/confidential

It can either write the environment variables out to a Docker compatible environment file or it can be used as a wrapper to run any executable/script with the environment pre-populated. The README contains various examples of those use cases.

The primary motivation was to have proper secrets management for my hobby projects that didn't rely on Ansible Vault, configuration files in S3 or having to use the AWS SDK in each project.

Wrt rotation theres also a cultural component of it. Systems grow in complexity and importance. Forcing periodic rotation, With corresponding automagic client support, ensures thats its even possible when you need it. Compare STS tokens to IAM credentials.

What's the backend? If it's HSM, that would explain the steep price (sort of).

How many secrets do you have? Even with thousands this doesn't seem expensive, and if you have 1000's you're probably mature enough to pay a bit.

Totally had the same reaction. The first thing I thought of is "wait doesn't ParamStore already do this?"

>The only value-add is secret rotation and that's not something that most of the time makes sense to use.

This attitude is why company after company keeps leaking customer data.

There's still a bootstrap issue with AWS Secrets Manager - you have to set up enough tooling to be able to call the API.

The killer-app of odin imho was/is the on-machine http server that let all manner of applications very easily get credentials.

You could just do something like

  MY_API_KEY="$(curl http://localhost:5000?key=my-api)"

and boom your shell script or whatever was very easily using secrets.

The fact that Amazon systems bootstrapped EC2 instances meant they could easily enable this org-wide. The odin back-end then owned all the lifecycles around those secrets including what kinds of hosts they would go to, if/how they would rotate, etc etc. It has its annoyances including the fact you have to use http to localhost which can get saturated if you're not doing things right, but overall it really made secrets-management a non-issue.

After leaving Amazon you really go on to understand how good the internal tools are at Amazon and how they probably have the best tools in the industry.

Odin works well, it's just a hassle to share credentials with non-developers who don't have a dev desktop and therefore can't access Odin. It's an issue I've encountered several times recently with no clear solution, it seems.

Odin works really well but but only because it integrates so tightly with with the rest of the internal tooling. Without Apollo (another internal tool) to manage and orchestrate the deployment of packages that need Odin's secrets, it's a lot clumsier to use.

Surprised at all the folks openly discussing internal tooling.

I miss having ODIN.

The big missing piece is roles. No service uses a root access key directly. Instead, there's a webserver role with access to a relevant secrets group but no access to data warehouse secrets, for example.

Access keys can be provisioned and downloaded straight onto the box from the service. Sure, a compromise is bad, but only exposes the secrets that would be available on the pwned box regardless.

It's a non issue to grant access to a particular group of secrets to a particular server role, assuming the requesting server has an IAM instance profile attached to it. The IAM Policy just describes what secrets the role can access, and then the server simply makes the api call to get the secret.

Having your personal AWS keys compromised should also be a non-issue because of MFA. My keys that I keep in OSX Keychain grant zero permissions, except the ability to assume a more privileged role, but that requires MFA.

FWIW, we're using Parameter Store for secrets and it works great. Given that I just finished that set up just weeks ago, I'm in no rush to jump on the Secrets Manager wagon based on what I'm seeing.

The only problem with both services is the 4k character limit. We have some big cert chains and such that exceed that, so we had to build the tools such that they could put/get a chunked secret. Wasn't too bad though.

It'd be cheaper than running Vault with a backing Consul cluster which also provides rotation and other features.

There is a point where Vault is more cost effective, but I believe it'd require a ton of requests and secrets to justify min 6 machines of at least t2.micro that also need to managed and secured.

Agree the pricing is way off, but at least you can use an object/table inside a secret to serve as a group of secrets. eg, not just key:"value", but key:{key:"value", key:"value", ...}

Yeah, I'm surprised they charge per secret. I guess it's a blip when you have big aws spend

per 10,000 requests

At my work, we have a vault service, but it takes 3 servers for vault plus another 3 for consul and they are not very cheap servers (m4.larges). Our rough calculations, using a 3x3 vault/consul architecture, estimated you'd need over 1100-1300 secrets to make it worth implementing vault (not including development/maintenance cost which could be significant. and if you have multiple, independent environments, it gets worse.

The real issue for some of the people at my work is the vendor lock-in versus vault.

How many secrets do you think you'll have? 400? 4000? We're still within pennies range compared to doing this securely yourself.

FTFU - Valut service.... You need more than one server, it'll need to have 100% uptime too, backed up and available in multiple regions. No security team want to own this infrastructure.

There's really no comparison. You could use Vault to build a PKI. You couldn't say the same for a proprietary, vendor locked solution like this.

I believe that's what HC's Vault Enterprise is (hosted/SaaS): https://www.hashicorp.com/products/vault

A key difference is in kms you never know the actual secret (kms stores this on your behalf) . This is for use cases where you need the secret in application code, like db creds.

Looks like a cool product I noticed they dont include a revoke workflow though, the trickiest bit of key rotation

Yeah I'm thinking about starting to use it for personal projects but don't want to bother with these 2 dollar bills. I'm pretty sure they can benefit from me playing with it first and then advocating for it at work

Oh, I misread it as a secret for Twitter (which, I guess, makes no sense, because tweets are generally public).. and I was wondering how the password got updated on the Twitter side. So I guess, naturally, secrets can only be rotated for AWS services that support it.

Yes!