AWS New Security Features — Secrets Manager, Firewall Manager and ACM Private CA

Sathiya Shunmugasundaram, published in becloudy, Apr 5, 2018 (3 min read)

AWS has announced a few new security services at the AWS Summit in San Francisco. This blog covers their salient features.

AWS Secrets Manager

AWS Secrets Manager lets you manage secrets such as database credentials, third-party API keys, passwords and any arbitrary text used to access AWS, on-premises or third-party services. A typical workflow, in which a DB admin creates credentials and an application retrieves them, is depicted in the figure below.

Key features of Secrets Manager

  • Retrieve secrets programmatically at runtime rather than hardcoding them in application code or configuration
  • Versioning of each secret
  • Store any kind of secret up to 4096 bytes, including connection strings
  • Each secret is encrypted at rest with an AWS KMS key
  • Secrets Manager accepts requests only from hosts that support TLS and Perfect Forward Secrecy
  • Automatically rotate secrets using an AWS-supplied Lambda function; this is available for Amazon Aurora, MySQL, and PostgreSQL. Other databases can use a custom Lambda function as described in the developer guide
  • Use IAM policies to control who and what can read or change each secret

Key Terminologies

Secret: A set of credentials and connection details. A sample is shown below:

{
  "host": "prod01.databases.example.com",
  "port": "3306",
  "username": "administrator",
  "password": "M^S3cret*Passw0rd",
  "dbname": "my database",
  "engine": "mysql"
}

Secured Service: The service, such as a database or another service running on a network server, whose access is controlled by the credentials stored in the secret.

Rotation: The process of periodically changing the secret so that a credential that has been compromised, or merely leaked over time, stops granting access to the secured service.

Version: Multiple versions of a secret exist to support the rotation described above. Versioning is achieved through staging labels.

Staging Label: Staging labels identify the different versions of a secret during rotation. The AWS-supplied Lambda functions maintain the labels AWSPENDING, AWSCURRENT, and AWSPREVIOUS.
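To make the version and staging-label model above concrete, here is an added example in Go (not code from the post, from AWS, or from the rotation Lambda templates). It parses the sample secret document, refusing one that lacks the fields a connection needs, and keeps one secret's versions in memory with the AWSCURRENT, AWSPENDING and AWSPREVIOUS labels moving the way a rotation moves them, from the createSecret step through finishSecret. The SecretStore type, the version ids and the SampleSecretV1 document are constructed for the example; a real application would instead call GetSecretValue for the AWSCURRENT stage and never embed the credential in code.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// SampleSecretV1 is a constructed example document, matching the post's sample (not a real credential).
const SampleSecretV1 = `{"host":"prod01.databases.example.com","port":"3306","username":"administrator","password":"M^S3cret*Passw0rd","dbname":"my database","engine":"mysql"}`

// DBSecret mirrors the JSON document a database secret holds.
type DBSecret struct {
	Host     string `json:"host"`
	Port     string `json:"port"`
	Username string `json:"username"`
	Password string `json:"password"`
	DBName   string `json:"dbname"`
	Engine   string `json:"engine"`
}

// ParseDBSecret decodes a secret string and refuses documents missing the fields a
// connection needs, so a half-written version never reaches the database driver.
func ParseDBSecret(raw string) (DBSecret, error) {
	var s DBSecret
	if err := json.Unmarshal([]byte(raw), &s); err != nil {
		return DBSecret{}, fmt.Errorf("secret is not valid JSON: %w", err)
	}
	if s.Host == "" || s.Port == "" || s.Username == "" || s.Password == "" {
		return DBSecret{}, errors.New("secret is missing host, port, username or password")
	}
	return s, nil
}

// SecretStore is an in-memory model (constructed for this example) of one secret's
// versions and staging labels. A staging label sits on exactly one version at a time.
type SecretStore struct {
	versions map[string]string // version id -> secret string
	labels   map[string]string // staging label -> version id
}

// NewSecretStore stores the first version and marks it AWSCURRENT.
func NewSecretStore(versionID, raw string) *SecretStore {
	return &SecretStore{
		versions: map[string]string{versionID: raw},
		labels:   map[string]string{"AWSCURRENT": versionID},
	}
}

// Get returns the secret string carrying a staging label; applications normally ask
// for AWSCURRENT, which is what GetSecretValue returns when no stage is given.
func (s *SecretStore) Get(stage string) (string, error) {
	id, ok := s.labels[stage]
	if !ok {
		return "", fmt.Errorf("no version carries stage %s", stage)
	}
	return s.versions[id], nil
}

// CreateSecret is the first rotation step: the new version is stored under AWSPENDING
// while the database still accepts the AWSCURRENT credentials. A second rotation cannot
// start while one is in flight.
func (s *SecretStore) CreateSecret(versionID, raw string) error {
	if _, err := ParseDBSecret(raw); err != nil {
		return err
	}
	if _, busy := s.labels["AWSPENDING"]; busy {
		return errors.New("a rotation is already in progress")
	}
	s.versions[versionID] = raw
	s.labels["AWSPENDING"] = versionID
	return nil
}

// FinishSecret is the last rotation step (after the new password has been set in the
// database and a test login has succeeded): AWSCURRENT moves to the pending version, the
// old current version becomes AWSPREVIOUS, and AWSPENDING is cleared.
func (s *SecretStore) FinishSecret(versionID string) error {
	if s.labels["AWSPENDING"] != versionID {
		return fmt.Errorf("version %s is not AWSPENDING", versionID)
	}
	s.labels["AWSPREVIOUS"] = s.labels["AWSCURRENT"]
	s.labels["AWSCURRENT"] = versionID
	delete(s.labels, "AWSPENDING")
	return nil
}

// Stages lists the labels attached to a version, sorted for stable output.
func (s *SecretStore) Stages(versionID string) []string {
	var out []string
	for label, id := range s.labels {
		if id == versionID {
			out = append(out, label)
		}
	}
	sort.Strings(out)
	return out
}

// Deprecated returns versions carrying no label: these are the ones the service
// treats as deprecated and eventually removes.
func (s *SecretStore) Deprecated() []string {
	labelled := map[string]bool{}
	for _, id := range s.labels {
		labelled[id] = true
	}
	var out []string
	for id := range s.versions {
		if !labelled[id] {
			out = append(out, id)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	st := NewSecretStore("v1", SampleSecretV1)
	_ = st.CreateSecret("v2", SampleSecretV1)
	_ = st.FinishSecret("v2")
	fmt.Println("v1:", st.Stages("v1"), "v2:", st.Stages("v2"), "deprecated:", st.Deprecated())
}
```

Two behaviours are worth noticing when running it: after two rotations the original version carries no label at all, which is the state in which Secrets Manager deprecates a version, and CreateSecret refusing a second pending version is the reason a rotation must not be retried from scratch while one is in flight.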

Monitoring Secrets

  • Use CloudTrail to log all API calls to Secrets Manager, such as CreateSecret and DeleteSecret
  • Use CloudWatch Events to respond to Secrets Manager events


AWS Firewall Manager

Figure Courtesy of AWS

AWS Firewall Manager builds on top of AWS WAF; refer to the WAF documentation for a complete overview. Firewall Manager is specifically useful when managing a large number of resources protected by AWS WAF.

Key facts of Firewall Manager

  • Makes it easier to configure AWS WAF rules across all AWS accounts within an organization
  • Lets security administrators write company-wide rules in one place and enforce them across the applications protected by AWS WAF
  • Provides central visibility of attacks against Application Load Balancers and Amazon CloudFront distributions
  • Lets you use your own custom rules or purchase managed rules from AWS Marketplace
  • Automatically adds protection to new resources as they are added to your accounts
  • Hierarchical application of rules
  • Visual dashboard
  • Compliance notifications

Prerequisites

  • Join an AWS Organization
  • Set up Firewall Manager Admin Account in the master account of AWS Organization (or an authorized member account)
  • Enable AWS Config for each member of AWS Organization


ACM Private Certificate Authority

AWS Certificate Manager lets you provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and internal connected resources.

AWS Certificate Manager (ACM) Private Certificate Authority (CA) is a managed private CA service that helps you securely manage the lifecycle of your private certificates without having to operate a private CA yourself.

ACM Private CA extends ACM's certificate management capabilities to private certificates, enabling you to manage public and private certificates centrally.

Key Features and Benefits of ACM Private CA

  • ACM Private CA can be used on its own, without using ACM itself
  • Secure and fully managed private CA, eliminating the need to operate your own
  • Manage both public and private certificates centrally
  • API integration that supports developer agility, especially when deploying a large number of short-lived certificates
  • Easily customizable for custom resource names or lifetimes
  • ACM Private CA keys are stored in AWS-managed HSMs for the highest level of protection
  • IAM integration for controlling access
  • CloudTrail integration for monitoring API activity
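As an added example (not ACM's or AWS's own code), the following Go program uses the standard library's crypto/x509 to stand in for a private CA so the short-lived-certificate workflow above can run offline: it creates a private root, issues a leaf certificate for an internal hostname with a lifetime of hours, and verifies chain, hostname and validity window the way a client would. The PrivateCA type, the hostname api.internal.example and the lifetimes are assumptions made for the example; with ACM Private CA the root key would stay in the service's HSMs and the leaf would be issued by submitting a CSR and a validity period to the service's API rather than by signing locally.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PrivateCA is a local stand-in (constructed for this example) for a private root: a
// signing key plus its self-signed certificate. With ACM Private CA the key never leaves
// an AWS-managed HSM; here it lives in memory only so the flow can run offline.
type PrivateCA struct {
	Key    *ecdsa.PrivateKey
	Cert   *x509.Certificate
	serial int64
}

// NewPrivateCA creates a root certificate valid for the given number of days.
func NewPrivateCA(name string, days int) (*PrivateCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.AddDate(0, 0, days),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &PrivateCA{Key: key, Cert: cert, serial: 1}, nil
}

// IssueShortLived signs a server certificate for hostname with a caller-chosen lifetime.
// A private CA is free to use lifetimes of hours, which is what makes frequent,
// revocation-free replacement of workload certificates practical.
func (ca *PrivateCA) IssueShortLived(hostname string, lifetime time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	ca.serial++
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.serial),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &leafKey.PublicKey, ca.Key)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return leaf, leafKey, nil
}

// Verify is what a client does: trust only the private root, then check the leaf's
// chain, hostname and validity window at time `at`.
func Verify(root, leaf *x509.Certificate, hostname string, at time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: hostname, CurrentTime: at})
	return err
}

func main() {
	ca, err := NewPrivateCA("Example Private Root CA", 3650)
	if err != nil {
		panic(err)
	}
	leaf, _, err := ca.IssueShortLived("api.internal.example", 6*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("issued", leaf.Subject.CommonName, "serial", leaf.SerialNumber, "expires", leaf.NotAfter.UTC().Format(time.RFC3339))
	fmt.Println("valid now:", Verify(ca.Cert, leaf, "api.internal.example", time.Now()) == nil)
	fmt.Println("valid in 7h:", Verify(ca.Cert, leaf, "api.internal.example", time.Now().Add(7*time.Hour)) == nil)
}
```

The verification step is deliberately strict: the client trusts only the private root, never the system trust store, so a certificate for the same hostname issued by any public CA is rejected, and a leaf that has passed its short validity window fails as well.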


Sathiya Shunmugasundaram
Freelance writer in DevOps, Cloud, Resiliency, MicroServices and Containers