Data breaches are becoming increasingly common, and one factor driving this escalation is the fact that today’s IT systems are integrated and interconnected, requiring login information from multiple parties and services.

In response, Amazon Web Services has newly launched the AWS Secrets Manager, a service designed to help organizations get a handle on these “secrets” by storing and accessing them in a secure way.

A modern IT system may require any combination of different types of secrets. Some classic examples include credentials for accessing file shares or database logins and passwords, but encryption keys and API keys for software as a service offerings are also increasingly used. Knowing what secrets your organization has and requires is a crucial first step in secrets management.

It is also common for DevOps team members with blended roles to have access to multiple types of systems and credentials that may have been previously segmented between different users. This may be placing more secrets into the hands of more people, so controlling who has access to each secret is also a must.

Another critical best practice is secret rotation. We have long been taught to rotate passwords, and the same goes for any type of service credential. Automated DevOps systems with stored secrets may be operating silently for long periods of time. The longer any secret exists, the higher the chance that it has been compromised. Frequent rotation helps to reduce the secret lifespan and with that the risk of exposure.

AWS Secrets Manager helps address all of these points. Any type of secret can be stored from database credentials to API keys to pure data blobs. The AWS Identity and Access Management (IAM) features allow for granular control over which users have access to which secrets. Automated secret rotation can be achieved with (Read more...)