Secret management is a set of cybersecurity practices that ensure the secure storage of secrets and the proper use of them when accessing resources.
Secret Management Cloud Solutions
Here, we introduce services from three major cloud service providers: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP).
AWS Secrets Manager
Secret management in AWS is done via the AWS Secrets Manager. AWS Secrets Manager enables you to replace hard-coded credentials in your code, including passwords, with an API call to AWS Secrets Manager to retrieve the secrets programmatically. Also, AWS Secrets Manager can automatically rotate the secret for you according to a specified schedule.
Azure Key Vault
Secret management in Azure is done via the Azure Key Vault. Like AWS Secrets Manager, Key Vault can be used to secretly store and tightly control access to tokens, passwords, certificates and other secrets. Furthermore, Key Vault can also be used as a key management and certificate management solution, which are beyond the scope of this article.
Google Secret Manager
Like both AWS and Azure, GCP also has its own version of secret management solution: Google Secret Manager.
Secret Management Practices
Store different types of secrets
AWS: AWS Secrets Manager enables you to store text in the encrypted secret data portion of a secret. This typically includes the connection details of the database or service. These details can include the server name, IP address, and port number, as well as the username and password used to sign in to the service.
Azure: Azure Key Vault stores and manages secrets as sequences of octets (8-bit bytes), with a maximum size of 25k bytes each. The Key Vault service doesn’t provide semantics for secrets. It merely accepts the data, encrypts it, stores it, and returns a secret identifier (“id”). The identifier can be used to retrieve the secret later. Key Vault also supports a contentType field for secrets. Clients may specify the content type of a secret to assist in interpreting the secret data when it’s retrieved.
GCP: A secret in Google Cloud is a project-global object that contains a collection of metadata and secret versions. Google Secret Manager allows you to store, manage, and access secrets as binary blobs or text strings.
Encrypt secret data
AWS: AWS Secrets Manager encrypts the protected text of a secret by using AWS Key Management Service (AWS KMS). KMS ensures secure encryption of your secret when at rest. The Secrets Manager associates every secret with a KMS key. Whenever Secrets Manager encrypts a new version of the protected secret data, Secrets Manager requests KMS to generate a new data key from the KMS key. Whenever the secret needs decryption, Secrets Manager requests KMS to decrypt the data key, which Secrets Manager then uses to decrypt the protected secret data.
Azure: Key Vault encrypts secrets at rest with a hierarchy of encryption keys, with all keys in that hierarchy protected by modules that are FIPS 140-2 compliant. The encryption leaf key of the key hierarchy is unique to each key vault. The encryption root key of the key hierarchy is unique to the security world, and its protection level varies between regions.
GCP: Like both AWS and Azure, Google Secret Manager encrypts secret data using AES-256 before it is persisted to disk. Secret data is automatically and transparently decrypted when accessed by an authorized user.
Programmatically retrieve secrets at runtime
AWS: In AWS, you can replace stored credentials with a runtime call to the AWS Secrets service to retrieve the credentials dynamically when you need them. Since secrets are encrypted and versioned in Secrets Manager, your client requires access to the most recent version of the encrypted secret value. When you query for the encrypted secret value, you can choose to provide only the secret name or Amazon Resource Name (ARN), without specifying any version information at all. Secrets Manager automatically returns the most recent version of the secret value.
Azure: The Azure Key Vault’s code integration is very similar, except those applications use URIs to securely retrieve secrets. Additionally, Key Vault has APIs for many common programming paradigms Python, Java, etc.
GCP: In Google Cloud, the Secret Manager exposes a REST API and a gRPC API for accessing and managing secrets in your applications. In order to access secrets from applications, the Secret Manager API access needs to be enabled using the Google Cloud CLI. Then, client libraries for Secret Manager can be used in common programming languages.
Automatically rotate secrets
AWS: AWS Secrets Manager can automatically rotate secrets without user intervention and on a specified schedule. You define and implement rotation with an AWS Lambda function. This function defines how Secrets Manager performs the following tasks:
- Creates a new version of the secret.
- Stores the secret in Secrets Manager.
- Configures the protected service to use the new version.
- Verifies the new version.
- Marks the new version as production ready.
Azure: Azure Key Vault uses rotation policy for automatic secret rotation. The rotation policy allows users to configure rotation and Event Grid notifications near expiry notification. The rotation policy settings include:
- Expiry time
- Enabled/disabled
- Rotation types (before or after expiry)
- Notification time
Azure recommends rotating encryption keys at least every two years to meet cryptographic best practices.
GCP: Google Secret Manager uses Rotation Schedules for secret rotation. Secret Manager sends messages to Pub/Sub topics configured on the secret based on the provided rotation frequency and rotation time. Then, a Pub/Sub subscriber must be configured to receive and act on the SECRET_ROTATE messages.
Conclusion
As more enterprises start to adopt cloud technologies, data storage also saw a big migration to the cloud. This brought a paradigm shift to data security as well. In this article, we discussed a hot topic in data security, secret management, and explored how various cloud providers address the issue.
References
https://www.cyberark.com/what-is/secrets-management/
https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html#features
https://docs.microsoft.com/en-us/azure/key-vault/secrets/about-secrets
https://cloud.google.com/secret-manager/docs/accessing-the-apiÂ
https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_limits.html#reference_limits_max-min
https://cloud.google.com/secret-manager/quotas
https://cloud.google.com/secret-manager/docs/encryption
https://docs.microsoft.com/en-us/azure/key-vault/keys/how-to-configure-key-rotation
https://cloud.google.com/secret-manager/docs/secret-rotation