AWS Secrets Manager and database authentication security
up vote
1
down vote
favorite
I'm trying to figure out the security benefit to moving service authenticators to a secrets store.
It's obviously a bad idea to keep database authenticators in code or in app server configs.
AWS Secrets Manager makes it easy to encrypt secrets and have AWS automatically rotate credentials, which is a good thing. Clearly, there's security benefit to rotating the db authenticator. If someone were to somehow steal a db authenticator, Secrets Manager may be rotating it daily or more frequently and if it's old you're out of luck.
However, if your app server gets compromised, would it not have the AWS keys necessary to query Secrets Manager? Ditto for your source code (i.e., some kind of credential that leads to the db u/p is stored somewhere). And of course that app server has an IAM role attached to it that allows this query, as well as network traffic grants to access the database.
How is this really that much different from having the database authenticator stored on the app server? Is it simply that by accessing the Secrets Manager programmatically via your code (via the SDK), someone would have to compromise both your source code AND an app server in order to have the password and the proper path within the VPC (e.g., inbound security group rules, route table, etc.) to get to the data?
I think I'm missing something here!
database amazon-web-services aws-sdk aws-secrets-manager
add a comment |
up vote
1
down vote
favorite
I'm trying to figure out the security benefit to moving service authenticators to a secrets store.
It's obviously a bad idea to keep database authenticators in code or in app server configs.
AWS Secrets Manager makes it easy to encrypt secrets and have AWS automatically rotate credentials, which is a good thing. Clearly, there's security benefit to rotating the db authenticator. If someone were to somehow steal a db authenticator, Secrets Manager may be rotating it daily or more frequently and if it's old you're out of luck.
However, if your app server gets compromised, would it not have the AWS keys necessary to query Secrets Manager? Ditto for your source code (i.e., some kind of credential that leads to the db u/p is stored somewhere). And of course that app server has an IAM role attached to it that allows this query, as well as network traffic grants to access the database.
How is this really that much different from having the database authenticator stored on the app server? Is it simply that by accessing the Secrets Manager programmatically via your code (via the SDK), someone would have to compromise both your source code AND an app server in order to have the password and the proper path within the VPC (e.g., inbound security group rules, route table, etc.) to get to the data?
I think I'm missing something here!
database amazon-web-services aws-sdk aws-secrets-manager
add a comment |
up vote
1
down vote
favorite
up vote
1
down vote
favorite
I'm trying to figure out the security benefit to moving service authenticators to a secrets store.
It's obviously a bad idea to keep database authenticators in code or in app server configs.
AWS Secrets Manager makes it easy to encrypt secrets and have AWS automatically rotate credentials, which is a good thing. Clearly, there's security benefit to rotating the db authenticator. If someone were to somehow steal a db authenticator, Secrets Manager may be rotating it daily or more frequently and if it's old you're out of luck.
However, if your app server gets compromised, would it not have the AWS keys necessary to query Secrets Manager? Ditto for your source code (i.e., some kind of credential that leads to the db u/p is stored somewhere). And of course that app server has an IAM role attached to it that allows this query, as well as network traffic grants to access the database.
How is this really that much different from having the database authenticator stored on the app server? Is it simply that by accessing the Secrets Manager programmatically via your code (via the SDK), someone would have to compromise both your source code AND an app server in order to have the password and the proper path within the VPC (e.g., inbound security group rules, route table, etc.) to get to the data?
I think I'm missing something here!
database amazon-web-services aws-sdk aws-secrets-manager
I'm trying to figure out the security benefit to moving service authenticators to a secrets store.
It's obviously a bad idea to keep database authenticators in code or in app server configs.
AWS Secrets Manager makes it easy to encrypt secrets and have AWS automatically rotate credentials, which is a good thing. Clearly, there's security benefit to rotating the db authenticator. If someone were to somehow steal a db authenticator, Secrets Manager may be rotating it daily or more frequently and if it's old you're out of luck.
However, if your app server gets compromised, would it not have the AWS keys necessary to query Secrets Manager? Ditto for your source code (i.e., some kind of credential that leads to the db u/p is stored somewhere). And of course that app server has an IAM role attached to it that allows this query, as well as network traffic grants to access the database.
How is this really that much different from having the database authenticator stored on the app server? Is it simply that by accessing the Secrets Manager programmatically via your code (via the SDK), someone would have to compromise both your source code AND an app server in order to have the password and the proper path within the VPC (e.g., inbound security group rules, route table, etc.) to get to the data?
I think I'm missing something here!
database amazon-web-services aws-sdk aws-secrets-manager
database amazon-web-services aws-sdk aws-secrets-manager
edited Nov 13 at 21:42
asked Nov 13 at 21:36
thak
62
62
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
up vote
0
down vote
The short answer is that Secrets Manager allows you to not have to store passwords in your source code or in configuration files that have to be distributed to your servers. However, as you point out, if your hosts are compromised all bets are off and nothing will prevent the attacker from reading your secrets from memory.
As to the AWS credentials, if this is an EC2 instance, you would also want use roles for EC2 so that AWS automatically rotates and delivers your credentials to the host.
add a comment |
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
0
down vote
The short answer is that Secrets Manager allows you to not have to store passwords in your source code or in configuration files that have to be distributed to your servers. However, as you point out, if your hosts are compromised all bets are off and nothing will prevent the attacker from reading your secrets from memory.
As to the AWS credentials, if this is an EC2 instance, you would also want use roles for EC2 so that AWS automatically rotates and delivers your credentials to the host.
add a comment |
up vote
0
down vote
The short answer is that Secrets Manager allows you to not have to store passwords in your source code or in configuration files that have to be distributed to your servers. However, as you point out, if your hosts are compromised all bets are off and nothing will prevent the attacker from reading your secrets from memory.
As to the AWS credentials, if this is an EC2 instance, you would also want use roles for EC2 so that AWS automatically rotates and delivers your credentials to the host.
add a comment |
up vote
0
down vote
up vote
0
down vote
The short answer is that Secrets Manager allows you to not have to store passwords in your source code or in configuration files that have to be distributed to your servers. However, as you point out, if your hosts are compromised all bets are off and nothing will prevent the attacker from reading your secrets from memory.
As to the AWS credentials, if this is an EC2 instance, you would also want use roles for EC2 so that AWS automatically rotates and delivers your credentials to the host.
The short answer is that Secrets Manager allows you to not have to store passwords in your source code or in configuration files that have to be distributed to your servers. However, as you point out, if your hosts are compromised all bets are off and nothing will prevent the attacker from reading your secrets from memory.
As to the AWS credentials, if this is an EC2 instance, you would also want use roles for EC2 so that AWS automatically rotates and delivers your credentials to the host.
answered Nov 16 at 1:25
Joe Baro
1
1
add a comment |
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53289866%2faws-secrets-manager-and-database-authentication-security%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown