SEC02-BP03: Store and use secrets securely

For workforce and machine identities that require secrets, such as passwords to third-party applications, store them with automatic rotation using the latest industry standards in a specialized service.

Implementation guidance

Secrets such as API keys, database passwords, and other credentials need to be stored securely and accessed only by authorized identities. Using a specialized service for secret management helps you protect sensitive information, implement automatic rotation, and maintain an audit trail of secret usage.

Key steps for implementing this best practice:

1. Identify and inventory all secrets:
   • Document all secrets used in your environment
   • Identify where secrets are currently stored
   • Classify secrets based on sensitivity and usage
   • Determine which secrets need to be migrated to a secure storage solution
   • Identify secrets that can be replaced with temporary credentials
2. Implement a secure secrets management solution:
   • Use AWS Secrets Manager for storing and managing secrets
   • Configure AWS Systems Manager Parameter Store for less sensitive configuration data
   • Implement appropriate encryption for all stored secrets
   • Set up appropriate access controls and permissions
   • Enable detailed logging and monitoring
3. Implement automatic secret rotation:
   • Configure automatic rotation for database credentials
   • Set up rotation for API keys and other application secrets
   • Implement custom rotation functions for specialized secrets
   • Test rotation procedures to ensure application continuity
   • Monitor rotation events and failures
4. Secure secret retrieval and usage:
   • Use IAM roles to control access to secrets
   • Implement the principle of least privilege for secret access
   • Use VPC endpoints to access secrets without traversing the internet
   • Cache secrets appropriately to minimize retrieval calls
   • Implement secure coding practices for handling secrets in applications
5. Monitor and audit secret access:
   • Enable AWS CloudTrail logging for secret access
   • Set up alerts for unusual access patterns
   • Regularly review access logs
   • Implement detective controls to identify unauthorized access
   • Conduct periodic access reviews
6. Eliminate hardcoded secrets:
   • Scan code repositories for hardcoded secrets
   • Implement pre-commit hooks to prevent committing secrets
   • Use tools like git-secrets or Amazon CodeGuru to detect secrets in code
   • Educate developers on secure secret handling
   • Implement CI/CD pipeline checks for secrets

Implementation examples

Example 1: Storing and retrieving a secret with AWS Secrets Manager

Code snippet hidden for website display

Example 2: Setting up automatic rotation for database credentials

Code snippet hidden for website display

Code snippet hidden for website display

Example 3: Using AWS Secrets Manager with AWS SDK in an application

Code snippet hidden for website display

AWS services to consider

AWS Secrets Manager

Helps you protect secrets needed to access your applications, services, and IT resources. Enables you to rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.

AWS Systems Manager Parameter Store

Provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as passwords, database strings, Amazon Machine Image (AMI) IDs, and license codes as parameter values.

AWS Key Management Service (KMS)

Makes it easy for you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications. Used by Secrets Manager to encrypt secrets.

AWS Lambda

Lets you run code without provisioning or managing servers. Used by Secrets Manager for implementing custom secret rotation functions.

AWS CloudTrail

Records API calls for your account and delivers log files to you. Use CloudTrail to monitor secret access and detect unauthorized access attempts.

Amazon CodeGuru

Uses machine learning to identify critical issues, security vulnerabilities, and hard-to-find bugs during application development. Can help identify hardcoded secrets in your code.

Benefits of storing and using secrets securely

• Enhanced security: Centralized management of secrets with encryption at rest and in transit
• Reduced risk of exposure: Elimination of hardcoded secrets in application code and configuration files
• Simplified secret rotation: Automatic rotation of secrets without application downtime
• Improved auditability: Detailed logs of secret access and usage
• Centralized control: Manage all secrets from a single service
• Fine-grained access control: Control who can access which secrets
• Compliance support: Meet regulatory requirements for secure credential management

Related resources

Related Resources

• AWS Well-Architected Framework - Store and use secrets securely
• AWS Secrets Manager User Guide
• AWS Systems Manager Parameter Store
• Rotating your AWS Secrets Manager secrets
• How to securely provide database credentials to Lambda functions by using AWS Secrets Manager
• How to use AWS Secrets Manager to securely store and rotate database credentials