AWS Secrets Manager and database authentication security











up vote
1
down vote

favorite












I'm trying to figure out the security benefit to moving service authenticators to a secrets store.



It's obviously a bad idea to keep database authenticators in code or in app server configs.



AWS Secrets Manager makes it easy to encrypt secrets and have AWS automatically rotate credentials, which is a good thing. Clearly, there's security benefit to rotating the db authenticator. If someone were to somehow steal a db authenticator, Secrets Manager may be rotating it daily or more frequently and if it's old you're out of luck.



However, if your app server gets compromised, would it not have the AWS keys necessary to query Secrets Manager? Ditto for your source code (i.e., some kind of credential that leads to the db u/p is stored somewhere). And of course that app server has an IAM role attached to it that allows this query, as well as network traffic grants to access the database.



How is this really that much different from having the database authenticator stored on the app server? Is it simply that by accessing the Secrets Manager programmatically via your code (via the SDK), someone would have to compromise both your source code AND an app server in order to have the password and the proper path within the VPC (e.g., inbound security group rules, route table, etc.) to get to the data?



I think I'm missing something here!










share|improve this question




























    up vote
    1
    down vote

    favorite












    I'm trying to figure out the security benefit to moving service authenticators to a secrets store.



    It's obviously a bad idea to keep database authenticators in code or in app server configs.



    AWS Secrets Manager makes it easy to encrypt secrets and have AWS automatically rotate credentials, which is a good thing. Clearly, there's security benefit to rotating the db authenticator. If someone were to somehow steal a db authenticator, Secrets Manager may be rotating it daily or more frequently and if it's old you're out of luck.



    However, if your app server gets compromised, would it not have the AWS keys necessary to query Secrets Manager? Ditto for your source code (i.e., some kind of credential that leads to the db u/p is stored somewhere). And of course that app server has an IAM role attached to it that allows this query, as well as network traffic grants to access the database.



    How is this really that much different from having the database authenticator stored on the app server? Is it simply that by accessing the Secrets Manager programmatically via your code (via the SDK), someone would have to compromise both your source code AND an app server in order to have the password and the proper path within the VPC (e.g., inbound security group rules, route table, etc.) to get to the data?



    I think I'm missing something here!










    share|improve this question


























      up vote
      1
      down vote

      favorite









      up vote
      1
      down vote

      favorite











      I'm trying to figure out the security benefit to moving service authenticators to a secrets store.



      It's obviously a bad idea to keep database authenticators in code or in app server configs.



      AWS Secrets Manager makes it easy to encrypt secrets and have AWS automatically rotate credentials, which is a good thing. Clearly, there's security benefit to rotating the db authenticator. If someone were to somehow steal a db authenticator, Secrets Manager may be rotating it daily or more frequently and if it's old you're out of luck.



      However, if your app server gets compromised, would it not have the AWS keys necessary to query Secrets Manager? Ditto for your source code (i.e., some kind of credential that leads to the db u/p is stored somewhere). And of course that app server has an IAM role attached to it that allows this query, as well as network traffic grants to access the database.



      How is this really that much different from having the database authenticator stored on the app server? Is it simply that by accessing the Secrets Manager programmatically via your code (via the SDK), someone would have to compromise both your source code AND an app server in order to have the password and the proper path within the VPC (e.g., inbound security group rules, route table, etc.) to get to the data?



      I think I'm missing something here!










      share|improve this question















      I'm trying to figure out the security benefit to moving service authenticators to a secrets store.



      It's obviously a bad idea to keep database authenticators in code or in app server configs.



      AWS Secrets Manager makes it easy to encrypt secrets and have AWS automatically rotate credentials, which is a good thing. Clearly, there's security benefit to rotating the db authenticator. If someone were to somehow steal a db authenticator, Secrets Manager may be rotating it daily or more frequently and if it's old you're out of luck.



      However, if your app server gets compromised, would it not have the AWS keys necessary to query Secrets Manager? Ditto for your source code (i.e., some kind of credential that leads to the db u/p is stored somewhere). And of course that app server has an IAM role attached to it that allows this query, as well as network traffic grants to access the database.



      How is this really that much different from having the database authenticator stored on the app server? Is it simply that by accessing the Secrets Manager programmatically via your code (via the SDK), someone would have to compromise both your source code AND an app server in order to have the password and the proper path within the VPC (e.g., inbound security group rules, route table, etc.) to get to the data?



      I think I'm missing something here!







      database amazon-web-services aws-sdk aws-secrets-manager






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Nov 13 at 21:42

























      asked Nov 13 at 21:36









      thak

      62




      62
























          1 Answer
          1






          active

          oldest

          votes

















          up vote
          0
          down vote













          The short answer is that Secrets Manager allows you to not have to store passwords in your source code or in configuration files that have to be distributed to your servers. However, as you point out, if your hosts are compromised all bets are off and nothing will prevent the attacker from reading your secrets from memory.



          As to the AWS credentials, if this is an EC2 instance, you would also want use roles for EC2 so that AWS automatically rotates and delivers your credentials to the host.






          share|improve this answer





















            Your Answer






            StackExchange.ifUsing("editor", function () {
            StackExchange.using("externalEditor", function () {
            StackExchange.using("snippets", function () {
            StackExchange.snippets.init();
            });
            });
            }, "code-snippets");

            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "1"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53289866%2faws-secrets-manager-and-database-authentication-security%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes








            up vote
            0
            down vote













            The short answer is that Secrets Manager allows you to not have to store passwords in your source code or in configuration files that have to be distributed to your servers. However, as you point out, if your hosts are compromised all bets are off and nothing will prevent the attacker from reading your secrets from memory.



            As to the AWS credentials, if this is an EC2 instance, you would also want use roles for EC2 so that AWS automatically rotates and delivers your credentials to the host.






            share|improve this answer

























              up vote
              0
              down vote













              The short answer is that Secrets Manager allows you to not have to store passwords in your source code or in configuration files that have to be distributed to your servers. However, as you point out, if your hosts are compromised all bets are off and nothing will prevent the attacker from reading your secrets from memory.



              As to the AWS credentials, if this is an EC2 instance, you would also want use roles for EC2 so that AWS automatically rotates and delivers your credentials to the host.






              share|improve this answer























                up vote
                0
                down vote










                up vote
                0
                down vote









                The short answer is that Secrets Manager allows you to not have to store passwords in your source code or in configuration files that have to be distributed to your servers. However, as you point out, if your hosts are compromised all bets are off and nothing will prevent the attacker from reading your secrets from memory.



                As to the AWS credentials, if this is an EC2 instance, you would also want use roles for EC2 so that AWS automatically rotates and delivers your credentials to the host.






                share|improve this answer












                The short answer is that Secrets Manager allows you to not have to store passwords in your source code or in configuration files that have to be distributed to your servers. However, as you point out, if your hosts are compromised all bets are off and nothing will prevent the attacker from reading your secrets from memory.



                As to the AWS credentials, if this is an EC2 instance, you would also want use roles for EC2 so that AWS automatically rotates and delivers your credentials to the host.







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Nov 16 at 1:25









                Joe Baro

                1




                1






























                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Stack Overflow!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.





                    Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


                    Please pay close attention to the following guidance:


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53289866%2faws-secrets-manager-and-database-authentication-security%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    mysqli_query(): Empty query in /home/lucindabrummitt/public_html/blog/wp-includes/wp-db.php on line 1924

                    How to change which sound is reproduced for terminal bell?

                    Can I use Tabulator js library in my java Spring + Thymeleaf project?