CODEWITHSUNDEEP
amazon-web-servicesaws-secrets-manageraws-parameter-store
Frankster
Frankster

Reputation: 689

Securely upload secrets to Secret Manager/Parameter Store

I caught a misstake I have made in the way I have been uploading secrets to Secrets Manager. Through using cloudformation I have been sending in the secret as a plain text parameter into the template. The secret itself never gets exposed in the cloudformation yaml file. However, the secret is exposed as a parameter in cloudformation. Hence, being able to read/describe the stack is enough to get the secret.

Did some digging and found this. They suggest creating the parameter store/secret manager using cdk or cloudformation and after which you upload the secret using SDK/CLI.

To my question: does the SDK and CLI give traces themselves? Meaning, have I just moved the problem. Shifted from exposing the secret in cloudformation to exposing it to cloudtrail or any other monitoring in AWS.

How can I securely upload my own secrets in combination with IaC, without manually using the AWS console. Is there a way to turn of logging for certain SDK/CLI calls?

Upvotes: 2

Views: 956

Answers (1)

Maurice
Maurice

Reputation: 13108

Depending on your use case there are different options:

  • If you set up new resources and need to create a new secret, you can have the SecretsManager generate the secret for you. See CloudFormation docs for the Secret resource.
  • If you want to store an existing secret, the option with the separate API-call is a good suggestion. The only place this could in principle be recorded is CloudTrail, which records any API-Call, but I have confirmed, that the secret value is not stored in the PutSecretValue event record.

A CreateSecret event from CloudTrail:

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDA2BFBC5RB4SDFSDQDI",
        "arn": "arn:aws:iam::123456789123:user/myself",
        "accountId": "123456789123",
        "accessKeyId": "ASIA2BFSDFSD5RBR4L2JB7T",
        "userName": "myself",
        "sessionContext": {
            "sessionIssuer": {},
            "webIdFederationData": {},
            "attributes": {
                "mfaAuthenticated": "true",
                "creationDate": "2021-07-05T11:38:38Z"
            }
        }
    },
    "eventTime": "2021-07-05T11:39:46Z",
    "eventSource": "secretsmanager.amazonaws.com",
    "eventName": "CreateSecret",
    "awsRegion": "eu-central-1",
    "sourceIPAddress": "95.48.10.191",
    "userAgent": "aws-internal/3 aws-sdk-java/1.11.1030 Linux/5.4.109-57.183.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.292-b10 java/1.8.0_292 vendor/Oracle_Corporation cfg/retry-mode/legacy",
    "requestParameters": {
        "name": "/demo",
        "clientRequestToken": "5c59462b-d05c-4cfa-a224-a8d60f3edeff"
    },
    "responseElements": null,
    "requestID": "6e61267a-ed8a-4383-8729-c33b8c217990",
    "eventID": "23facc03-032c-4b24-bc36-d8f4e330445e",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "eventCategory": "Management",
    "recipientAccountId": "123456789123",
    "sessionCredentialFromConsole": "true"
}

A PutSecretValue event in CloudTrail:

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDA2BFSASB4SXNVRQDI",
        "arn": "arn:aws:iam::123456789123:user/myself",
        "accountId": "123456789123",
        "accessKeyId": "ASIA2BFBSAWR4L2JB7T",
        "userName": "myself",
        "sessionContext": {
            "sessionIssuer": {},
            "webIdFederationData": {},
            "attributes": {
                "mfaAuthenticated": "true",
                "creationDate": "2021-07-05T11:38:38Z"
            }
        }
    },
    "eventTime": "2021-07-05T11:40:09Z",
    "eventSource": "secretsmanager.amazonaws.com",
    "eventName": "PutSecretValue",
    "awsRegion": "eu-central-1",
    "sourceIPAddress": "11.11.190.191",
    "userAgent": "aws-internal/3 aws-sdk-java/1.11.1030 Linux/5.4.109-57.183.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.292-b10 java/1.8.0_292 vendor/Oracle_Corporation cfg/retry-mode/legacy",
    "requestParameters": {
        "clientRequestToken": "61297703-b519-4e9e-8984-aacd40db826b",
        "secretId": "/demo"
    },
    "responseElements": null,
    "requestID": "97693f1b-f586-4641-af4c-b46d66fd27c1",
    "eventID": "192f8959-3c51-40f5-8ca6-88f9075dc2a3",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "eventCategory": "Management",
    "recipientAccountId": "123456789123",
    "sessionCredentialFromConsole": "true"
}

Upvotes: 2

Related Questions