Reputation: 589
What is the best way to securely store Constants and Parameters for the servers to use it on runtime?
We're running a server on AWS that will be using a few constants. These constants may be details that are confidential like a few API tokens, Client secrets & even DB credentials. We have been saving these details in one of our files on the server itself (say Credentials.js). So,
- What is the best possible way to store these Credentials and in a secure manner.
- We were also planing to switch to AWS SSM parameter store. Is it worth considering it? It also provides KMS encryption to confidential parameters.
- Even if we do switch to AWS SSM Parameter store, we will have to call them multiple times when we make requests to third-party application servers (as we'll need the API tokens for those apps). Does this justify the cost we'll pay for SSM (Considering we take Standard store with High throughput) ?
Also, Please let me know if there are there alternatives to securely store these Parameters.
Thanks.
Upvotes: 0
Views: 1637
Answers (1)
Reputation: 22286
Secret Manager
Secrets Manager enables you to replace hardcoded credentials in your code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically. This helps ensure the secret can't be compromised by someone examining your code, because the secret no longer exists in the code. Also, you can configure Secrets Manager to automatically rotate the secret for you according to a specified schedule. This enables you to replace long-term secrets with short-term ones, significantly reducing the risk of compromise.
To get an overview how it look like, see AWS Secrets Manager: Store, Distribute, and Rotate Credentials Securely.
Cost
See Pricing. $0.40 USD per secret per month and $0.05 per 10,000 API calls.
Documents
- Tutorials - Start here to get the ideas
- secrets_getsecretvalue.js - Example to get secrets in JS
- JS SDK for Secret Manager - Look further here to know the JS SDK
- CreatSecretAPI - AWS API to create a secret for the detailed references
Create a secret via the AWS console or using SDK. See Creating a secret. A secret is a key/value pair where the value is in JSON format.
Alternatives
Hashicorp Vault
Lambda
Use a lambda which only accepts an access from those with a specific IAM role/permission attached to the IAM profile of an EC2 instance to run your app.
Others
Just Googling "parameter store for secret management" showed bunch of articles and how-to. Please do the research first.
Upvotes: 2
Related Questions
- What is the best practice to store secret keys/api keys in production?
- Where to store db credentials in a productive app?
- Securely store data in a Node CLI app
- Best practice store secrets in Javascript Express App
- Where should I store secret strings on Node server?
- Best way to store secrets in application
- what's the preferred way to store sensitive settings in web apps?
- What's the preferred way to store environment/configuration variables in Express?
- Where should I store my secret keys for my Node.js app?
- node.js: standard way to store app's configuration?