divyanayan awasthi

Reputation: 950

Encrypt secret manager value using kms cloud formation

How do I encrypt a Secrets Manager value in AWS KMS so that no one can see the plaintext value? It basically should be decrypted in Lambda using KMS. Is this even possible in AWS?

I could see that we can use KMS to encrypt and decrypt KMS values, but that happens at rest.

Upvotes: 0

Views: 911

Answers (2)

Mark van Holsteijn

Reputation: 422

To encrypt a given plaintext secret for inclusion within a CloudFormation template, you can use the custom secret provider. It will decrypt the secret and store it in the SSM parameter store, as shown below:

Resources:
  ApiKey:
    Type: Custom::Secret
    Properties:
      Name: /datadog/api-key
      EncryptedContent: >-
        AQICAHgefwksukJYA7L2AkPMZLGjZsGxHbvY9AoVs55dcju1AwEZui/8lNbnGAhv63Wh0heUAAAA3zCB
        3AYJKoZIhvcNAQcGoIHOMIHLAgEAMIHFBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDOXKKVZ4ft75
        /oZ2TQIBEICBlzf5j1M3w6OH+iphx59kFLnNoKb+u1RCLfIqEitrt6VGu13/jDlnDcPE2DfkZFkW3fnm
        Nn5OXfgt1L9j4XYdIQTEwexorNqUr5pUtMfS9YX8yL9DbArH+XBv/OQPSj8VsuWRcwFP5EwZKB9O4X3l
        1pZlPafp2Y/ndWXgC1o6YgfplnmjufoUUTy8wi4P5glbwnqGP/iyc7g=
      ReturnSecret: true
      RefreshOnUpdate: true
      ServiceToken: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:binxio-cfn-secret-provider'

The value is stored encrypted, but will be available in plaintext from the parameter store for those authorised to read it. By specifying ReturnSecret, you can access the plaintext secret in the CloudFormation template itself.

If it is a static secret, storing the secret in the parameter store is way cheaper.

For more information, check out https://binx.io/blog/2018/10/21/encrypting-secrets-in-aws-cloudformation/

Upvotes: 0

Foghorn

Reputation: 2326

If you want to use Lambda to either access or store data in CloudFormation dynamically, you likely want to use a Lambda-backed custom resource. Read more about it here: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-custom-resources-lambda.html.

Basically, you can either pass data to the lambda function (which can be dynamic based on outputs of resources already created) and/or get dynamic data that it created through its outputs.

However, Secrets Manager is designed to let authorized users/entities (like EC2 instances, for example) see the plaintext password. Consider instead setting up which users/entities are allowed to use it. See here for more detail on access control to Secrets Manager: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_determining-access.html

Upvotes: 1
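Both answers rest on the same mechanism: a KMS ciphertext sits in the template, and a Lambda-backed custom resource calls KMS Decrypt at stack time and hands the plaintext back to CloudFormation as a resource attribute. The handler below is an added example written for this page; it is not the binxio provider's code and not from either answer. The function names (`handle`, `decrypt_blob`, `build_response`), the returned attribute name `Secret`, the `EncryptionContext` property, and the `FakeKms` stand-in with its constructed event and ciphertext bytes are all assumptions made so the logic runs offline; in Lambda, `lambda_handler` uses the real boto3 KMS client instead.

```python
import base64
import json
import urllib.request


def decrypt_blob(kms_client, encrypted_b64, encryption_context=None):
    """Turn the base64 ciphertext from the template back into plaintext.

    KMS symmetric ciphertext carries the key id, so no KeyId is needed; the
    encryption context must match the one used at Encrypt time, otherwise
    KMS refuses with InvalidCiphertextException.
    """
    kwargs = {"CiphertextBlob": base64.b64decode(encrypted_b64)}
    if encryption_context:
        kwargs["EncryptionContext"] = encryption_context
    return kms_client.decrypt(**kwargs)["Plaintext"].decode("utf-8")


def build_response(event, status, data=None, reason=""):
    """Body of the PUT that CloudFormation expects at event['ResponseURL']."""
    return {
        "Status": status,
        "Reason": reason,
        "PhysicalResourceId": event.get("PhysicalResourceId")
        or event["LogicalResourceId"],
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        # NoEcho masks the returned attributes when CloudFormation shows them.
        "NoEcho": True,
        "Data": data or {},
    }


def handle(event, kms_client):
    """Pure handler: custom resource event in, response body out (no network)."""
    if event["RequestType"] == "Delete":
        # Nothing exists outside CloudFormation, so Delete always succeeds.
        return build_response(event, "SUCCESS")
    props = event["ResourceProperties"]
    try:
        plaintext = decrypt_blob(
            kms_client, props["EncryptedContent"], props.get("EncryptionContext")
        )
    except Exception as exc:  # never leak ciphertext or plaintext via Reason
        return build_response(event, "FAILED", reason=type(exc).__name__)
    # Exposed to the template as !GetAtt ApiKey.Secret (attribute name assumed).
    return build_response(event, "SUCCESS", data={"Secret": plaintext})


def send_response(response_url, body):
    payload = json.dumps(body).encode("utf-8")
    req = urllib.request.Request(
        response_url, data=payload, method="PUT", headers={"Content-Type": ""}
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


def lambda_handler(event, context):
    """Real entry point; boto3 is available in the Lambda runtime."""
    import boto3

    send_response(event["ResponseURL"], handle(event, boto3.client("kms")))


class FakeKms:
    """Constructed stand-in for boto3's KMS client so the handler runs offline.

    Knows a single ciphertext and enforces the encryption context like KMS.
    """

    def __init__(self, known):
        self.known = known  # {ciphertext bytes: (plaintext bytes, context)}

    def decrypt(self, CiphertextBlob, EncryptionContext=None):
        plaintext, ctx = self.known[CiphertextBlob]
        if (ctx or {}) != (EncryptionContext or {}):
            raise ValueError("InvalidCiphertextException")
        return {"Plaintext": plaintext}


SAMPLE_CIPHERTEXT = b"constructed-kms-ciphertext"  # not real KMS output
SAMPLE_EVENT = {  # constructed custom resource event
    "RequestType": "Create",
    "ResponseURL": "https://example.invalid/presigned",
    "StackId": "arn:aws:cloudformation:eu-west-1:111122223333:stack/demo/uuid",
    "RequestId": "request-1",
    "LogicalResourceId": "ApiKey",
    "ResourceProperties": {
        "EncryptedContent": base64.b64encode(SAMPLE_CIPHERTEXT).decode(),
        "EncryptionContext": {"stack": "demo"},
    },
}
FAKE_KMS = FakeKms({SAMPLE_CIPHERTEXT: (b"hunter2", {"stack": "demo"})})


def demo():
    return handle(SAMPLE_EVENT, FAKE_KMS)
```

Two operational points follow from this shape. The Lambda's execution role needs `kms:Decrypt` on the key (and the key policy must allow it), and whoever can invoke the function or read its return value gets the plaintext, so scope that role tightly. Whatever comes back in `Data` is stored by CloudFormation as resource state; `NoEcho` masks it in the console, but copying it into a stack Output hands it to anyone with `cloudformation:DescribeStacks`.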
