Store and use secrets securely

PostedNovember 27, 2024

UpdatedMarch 21, 2025

ByKevin McCaffrey

Securing access credentials is crucial to protecting sensitive resources and ensuring that only authorized entities access AWS services. By implementing effective secret management practices, organizations can minimize the risk of credential exposure, unauthorized access, and potential data breaches.

Best Practices

Use AWS Secrets Manager for Storing Secrets

Utilize AWS Secrets Manager to securely store and manage secrets such as API keys, database passwords, and OAuth tokens. This service helps you automatically rotate, manage, and retrieve these sensitive pieces of information without hardcoding them in your applications.
Implement AWS Lambda to automate the rotation of these secrets and securely provide them to the necessary services at runtime to minimize the risk of exposure.
Leverage encryption in transit and at rest for the secrets stored within AWS Secrets Manager to ensure they remain confidential.
Use IAM policies to restrict access to secrets, allowing only authorized entities (human or machine) to retrieve them, thus reducing the attack surface.
Regularly audit and review your secrets management strategy and access permissions to ensure they align with the principle of least privilege.

Questions to ask your team

How are you storing your secret access credentials, and which service are you using for this purpose?
What policies do you have in place for managing and rotating secrets?
How are you ensuring that secrets are encrypted both in transit and at rest?
What mechanisms do you have for auditing the use of secrets within your workloads?
How do you handle access controls for secrets to ensure only authorized entities can access them?

Who should be doing this?

Security Architect

Design and implement the strategy for managing identities for people and machines.
Ensure compliance with security standards and best practices in identity management.
Oversee the secure storage and management of secrets and access credentials.

DevOps Engineer

Integrate identity management solutions into CI/CD pipelines.
Automate the rotation and management of secrets for various workloads.
Monitor and troubleshoot identity-related issues in the AWS environment.

Cloud Administrator

Manage user identities and permissions within AWS IAM.
Implement policies for secure access to AWS resources.
Regularly audit identity access and update permissions as necessary.

Compliance Officer

Ensure that identity and access management practices align with regulatory requirements.
Conduct regular reviews and assessments of identity management policies.
Provide training to staff on security best practices related to identity management.

Developer

Use secure methods for managing secrets in application code.
Collaborate with the DevOps team to implement access controls for applications.
Test and validate the integration of identity management solutions in the development process.

What evidence shows this is happening in your organization?

Secrets Management Policy: A formal document outlining the organization’s approach to managing secrets, including the use of AWS Secrets Manager for storing, managing, and rotating API keys, passwords, and other sensitive credentials.
Secrets Management Checklist: A practical checklist for development and operations teams to ensure that all secrets are stored securely, managed efficiently, and rotated regularly in accordance with organizational security policies.
Secrets Rotation Strategy: A strategic document that outlines the processes and schedules for rotating secrets, ensuring that access credentials remain secure and reducing the risk of credential compromise.
AWS Secrets Manager Configuration Guide: A detailed guide on configuring AWS Secrets Manager for managing application secrets, including step-by-step instructions on creating and accessing secret versions efficiently and securely.
Secrets Access Control Model: A diagram illustrating the access control model for secrets within the organization, including roles and permissions for human and machine identities accessing sensitive data.
Incident Response Playbook for Credential Exposure: A playbook designed to guide the incident response team through steps to take if credentials are suspected to be compromised, outlining communication, remediation, and review processes.

Cloud Services

AWS

AWS Secrets Manager: AWS Secrets Manager helps you protect access to your applications, services, and IT resources without the upfront investment and on-going maintenance costs of operating your own infrastructure. It allows you to manage and rotate secrets securely.
AWS Identity and Access Management (IAM): AWS IAM allows you to securely control access to AWS services and resources for your users and applications. You can create and manage AWS users and groups, and use permissions to allow and deny their access to resources.
AWS Key Management Service (KMS): AWS KMS makes it easy to create and control the encryption keys used to encrypt your data, thus helping ensure that sensitive information is protected.

Azure

Azure Key Vault: Azure Key Vault is a cloud service for securely storing and accessing secrets, such as API keys, passwords, and certificates. It supports secure access policies and automated secret rotation.
Azure Active Directory (AAD): Azure Active Directory is a cloud identity management solution that provides robust authentication and access management capabilities for users and services, ensuring only authorized identities can access resources.
Azure Managed Identities: Azure Managed Identities provide Azure services with an automatically managed identity in Azure Active Directory. This allows them to authenticate to other services without storing credentials in code.

Google Cloud Platform

Google Cloud Secret Manager: Google Cloud Secret Manager provides a secure and convenient way to store API keys, passwords, certificates, and other sensitive data. It helps to manage secrets and automatically handles versioning.
Cloud Identity: Google Cloud Identity provides identity and access management capabilities that help secure your organization’s Google Cloud resources by managing user identities and granting access.
Google Cloud IAM: Google Cloud IAM enables you to manage access control for Google Cloud resources, allowing you to give different levels of access to different users and services.

Question: How do you manage identities for people and machines?
Pillar: Security (Code: SEC)

Operational Excellence

Determine what your priorities are

Structure your organization to support your business outcomes

Organizational culture to support your business outcomes

Implement observability in your workload

Reduce defects, ease remediation, and improve flow into production

Mitigate deployment risks

Be ready to support a workload

Uilize workload observability

Understand the health of your operations

Manage workload and operations events

Evolve your operations

Security

Securely operate your workload

Manage identities for people and machines

Manage permissions for people and machines

Detect and investigate security events

Protect your network resources

Protect your compute resources

Classify your data

Protect your data at rest

Protect your data in transit

Anticipate, respond to, and recover from incidents

Incorporate and validate the security properties of applications throughout the design, development, and deployment lifecycle

Reliability

Manage service quotas and constraints

Plan your network topology

Design your workload service architecture

Design interactions in a distributed system to prevent failures

Design interactions in a distributed system to mitigate or withstand failures

Monitor workload resources

Design your workload to adapt to changes in demand

Implement change

Back up data

Fault isolation to protect your workload

Design your workload to withstand component failures

Test reliability

Plan for disaster recovery (DR)

Cost Optimization

Implement cloud financial management

Govern usage

Monitor your cost and usage

Decommission resources

Evaluate cost when you select services

Meet cost targets when you select resource type, size and number

Use pricing models to reduce cost

Plan for data transfer charges

Manage demand, and supply resources

Evaluate new services

Evaluate the cost of effort

Performance

Select the appropriate cloud resources and architecture patterns for your workload

Select and use compute resources in your workload

Store, manage, and access data in your workload

Select and configure networking resources in your workload

Support more performance efficiency for your workload

Sustainability

Select Regions for your workload

Align cloud resources to your demand

Take advantage of software and architecture patterns to support your sustainability goals

Take advantage of data management policies and patterns to support your sustainability goals

Select and use cloud hardware and services in your architecture to support your sustainability goals

Implement organizational processes support your sustainability goals