Example: barber

AWS Secrets Manager

AWS Secrets ManagerUser GuideAWS Secrets Manager User GuideAWS Secrets Manager : User GuideCopyright 2019 Amazon Web Services, Inc. and/or its affiliates. All rights 's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any mannerthat is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks notowned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored Secrets Manager User GuideTable of ContentsWhat Is AWS Secrets Manager ? .. 1 Getting Started with Secrets Manager .. 1 Basic Secrets Manager Scenario .. 1 Features of Secrets Manager .. 2 Programmatically Retrieve Encrypted Secret Values at Runtime Instead of Storing Them .. 2 Store Just About Any Kind of Secret .. 3 Encrypt Your Secret Data.

AWS Secrets Manager User Guide Features of Secrets Manager 1.The database administrator creates a set of credentials on the Personnel database for use by an app

Tags:

  Credentials

Information

Domain:

Source:

Link to this page:

Please notify us if you found a problem with this document:

Other abuse

Advertisement

Transcription of AWS Secrets Manager

1 AWS Secrets ManagerUser GuideAWS Secrets Manager User GuideAWS Secrets Manager : User GuideCopyright 2019 Amazon Web Services, Inc. and/or its affiliates. All rights 's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any mannerthat is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks notowned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored Secrets Manager User GuideTable of ContentsWhat Is AWS Secrets Manager ? .. 1 Getting Started with Secrets Manager .. 1 Basic Secrets Manager Scenario .. 1 Features of Secrets Manager .. 2 Programmatically Retrieve Encrypted Secret Values at Runtime Instead of Storing Them .. 2 Store Just About Any Kind of Secret .. 3 Encrypt Your Secret Data.

2 3 Automatically Rotate Your Secrets .. 3 Control Who Can Access Secrets .. 4 Compliance with Standards .. 4 Accessing Secrets Manager .. 5 Pricing for Secrets Manager .. 6 AWS KMS Custom Encryption Keys .. 6 AWS CloudTrail Logging Storage and Notification .. 6 Support and Feedback for AWS Secrets Manager .. 6 Getting Started .. 8 Terms and Concepts .. 8 Secret .. 8 Secured Service .. 10 Rotation .. 10 Version .. 11 Staging 11 Tutorials .. 12 Tutorial: Storing and Retrieving a Secret .. 12 Tutorial: Rotating a Secret for an AWS Database .. 14 Tutorial: Rotating a User Secret with a Master Secret .. 21 Best Practices .. 28 Protect Additional Sensitive Information .. 28 Improve Performance by Using the AWS provided Client-side Caching Components .. 28 Mitigate the Risks of Logging and Debugging Your Lambda Function .. 29 Mitigate the Risks of Using the AWS CLI to Store Your Secrets .

3 29 Cross-Account Access Should I Specify a User/Role or the Account? .. 30 Run Everything in a VPC .. 31 Tag Your Secrets .. 32 Creating and Managing Secrets .. 33 Creating a Basic Secret .. 33 Modifying a Secret .. 36 Retrieving the Secret Value .. 47 Deleting and Restoring a Secret .. 49 Managing a Resource-based Policy for a Secret .. 53 Attaching a Resource-based Policy to a Secret .. 54 Retrieving a Resource-based Policy from a Secret .. 54 Deleting a Resource-based Policy from a Secret .. 55 Rotating Secrets .. 56 Permissions Required to Automatically Rotate Secrets .. 56 Permissions of Users Who Configure Rotation vs. Users Who Trigger Rotation .. 56 Permissions Associated with the Lambda Rotation Function .. 57 Configuring Your Network to Support Rotating Secrets .. 59 Connecting to Secrets Manager Through a VPC Endpoint .. 60 Create a Secrets Manager VPC Private Endpoint.

4 61 Connecting to a Secrets Manager VPC Private Endpoint .. 63 Using a VPC Private Endpoint in a Policy Statement .. 63 Audit the Use of Your Secrets Manager VPC Endpoint .. 65 Rotating Amazon RDS Secrets .. 66iiiAWS Secrets Manager User GuideEnabling Rotation for an Amazon RDS Database Secret .. 67 Customizing the Lambda Rotation Function Provided by Secrets Manager .. 73 Rotating Other Secrets .. 74 Rotating Other Secrets .. 75 Enabling Rotation for a Secret for Another Database or Service .. 77 Understanding and Customizing Your Lambda Rotation Function .. 79 Overview of the Lambda Rotation Function .. 80 Rotating Secrets - One User, One Password .. 83 Rotating Secrets - Switch Between Existing Users .. 86 Rotating Secrets - Passwords Only .. 90 Deleting Rotation Functions .. 93 Authentication and Access Control for AWS Secrets Manager .. 97 Overview .. 98 Access Control (Authorization).

5 99 Using Identity-based Policies (IAM Policies) for Secrets Manager .. 105 AWS Managed Policy for Secrets Manager .. 106 Granting Full Secrets Manager Administrator Permissions to a User .. 106 For the Consuming Application: Granting Read Access to One Secret .. 107 Limiting Access to Specific Actions .. 107 Limiting Access to Specific Secrets .. 108 Limiting Access to Secrets That Have Specific Staging Labels or Tags .. 109 Granting a Rotation Function Permission to Access a Separate Master Secret .. 109 Using Resource-based Policies for Secrets Manager .. 111 Controlling Which Principals Can Access a Secret .. 111 Grant Read-Only Access to a Role .. 112 Determining Access to a Secret .. 113 Understanding Policy Evaluation .. 113 Examining the Secret Policy .. 113 Examining IAM Policies .. 115 Monitoring Your Secrets .. 117 Logging AWS Secrets Manager API Calls with AWS CloudTrail.

6 117 Secrets Manager Information in CloudTrail .. 117 Retrieving Secrets Manager Log File Entries .. 118 Understanding Secrets Manager Log File Entries .. 119 Amazon CloudWatch Events .. 120 Monitoring Secret Versions Scheduled for Deletion .. 120 Working with Other Services .. 123 Automating Creation of Your Secrets with AWS CloudFormation .. 123 Securing Your Secrets with AWS Identity and Access Management (IAM) .. 123 Monitoring Your Secrets with AWS CloudTrail and Amazon CloudWatch .. 124 Encrypting Your Secrets with AWS KMS .. 124 Retrieving Your Secrets with the Parameter Store APIs .. 124 Automating Secret Creation in AWS CloudFormation .. 125 AWS Secrets Manager Reference .. 132 Limits of AWS Secrets Manager .. 132 Limits on 132 Maximum and Minimum Values .. 132 Maximum Rate 133 Rotation Function Templates .. 133 Templates for Databases Running on Amazon RDS .. 134 Templates for Other Services.

7 139 Managed Policies .. 139 Actions, Resources, and Context Keys .. 140 Actions .. 140ivAWS Secrets Manager User GuideResources .. 143 Context keys .. 143 Troubleshooting AWS Secrets Manager .. 147 Troubleshooting General Issues .. 147I get an "access denied" message when I make a request to AWS Secrets Manager .. 147I get an "access denied" message when I make a request with temporary security credentials .. 147 Changes that I make aren't always immediately visible.. 148 Troubleshooting Rotation .. 148I want to find the diagnostic logs for my Lambda rotation function .. 149I can't predict when rotation will start .. 149I get "access denied" when trying to configure rotation for my secret .. 149My first rotation fails after I enable rotation .. 149 Rotation fails because the secret value is not formatted as expected by the rotation function.. 150 Secrets Manager says I successfully configured rotation, but the password isn't rotating.

8 150 Rotation fails with an "Internal failure" error message .. 151 CloudTrail shows access-denied errors during rotation .. 151 Making HTTP Query Requests .. 153 HTTPS Required .. 153 Signing API Requests for Secrets Manager .. 153 Document History .. 155 AWS Glossary .. 157vAWS Secrets Manager User GuideGetting Started with Secrets ManagerWhat Is AWS Secrets Manager ?AWS Secrets Manager is an AWS service that makes it easier for you to manage Secrets . Secrets can bedatabase credentials , passwords, third-party API keys, and even arbitrary text. You can store and controlaccess to these Secrets centrally by using the Secrets Manager console, the Secrets Manager commandline interface (CLI), or the Secrets Manager API and the past, when you created a custom application that retrieves information from a database, youtypically had to embed the credentials (the secret) for accessing the database directly in the it came time to rotate the credentials , you had to do much more than just create new had to invest time to update the application to use the new credentials .

9 Then you had to distributethe updated application. If you had multiple applications that shared credentials and you missedupdating one of them, the application would break. Because of this risk, many customers have chosennot to regularly rotate their credentials , which effectively substitutes one risk for Manager enables you to replace hardcoded credentials in your code (including passwords), withan API call to Secrets Manager to retrieve the secret programmatically. This helps ensure that the secretcan't be compromised by someone examining your code, because the secret simply isn't there. Also,you can configure Secrets Manager to automatically rotate the secret for you according to a schedulethat you specify. This enables you to replace long-term Secrets with short-term ones, which helps tosignificantly reduce the risk of Started with Secrets ManagerFor a list of terms and concepts that you need to understand to make full use of Secrets Manager , seeKey Terms and Concepts for AWS Secrets Manager (p.)

10 8).Typical users of Secrets Manager fall into one or more of the following roles: Secrets Manager administrator Administers the Secrets Manager service. Grants permissions toindividuals who can then perform the other roles listed here. Database or service administrator Administers the database or service whose Secrets are stored inSecrets Manager . Determines and configures the rotation and expiration settings for the Secrets theyown. Application developer Creates the application, and configures it to request the appropriatecredentials from Secrets Secrets Manager ScenarioThe following diagram illustrates the most basic scenario. It shows how you can store credentials for adatabase in Secrets Manager , and then use those credentials in an application that needs to access Secrets Manager User GuideFeatures of Secrets Manager1. The database administrator creates a set of credentials on the Personnel database for use by an appcalled MyCustomApp.


Related search queries