Managing Secrets: AWS Systems Manager Parameter Store vs AWS Secrets Manager

Sagar Desarda
4 min read · Apr 18, 2020


Passwords are like toothbrushes. They are best when new and should never be shared.

If you have ever used one of those apps on the Internet that give you a personalized experience, and even more so if you have built one, you know the struggle of keeping secrets on your servers. Practice has moved on from storing credentials directly in the code, which is an absolute no-no, to dedicated services that do the job for you. With infrastructure growing on-prem and in the cloud, and with the way software delivery has changed over the years, secrets proliferate: every service, pipeline and environment has its own. Managing them is important, and it is also hard.

Today I mainly want to discuss the differences between the two AWS services that help you manage secrets, or more broadly, how to efficiently store, retrieve and rotate database credentials, API keys and other secrets throughout their lifecycle.

SIMILARITIES BETWEEN AWS PARAMETER STORE AND AWS SECRETS MANAGER

1. ENCRYPTION

Both use AWS Key Management Service (KMS) to encrypt values at rest. KMS is a managed service for creating and controlling cryptographic keys and their use across AWS services and in your own applications. Access is governed by the key policy together with IAM policies, so you decide which IAM users and roles may call kms:Decrypt on the key, and therefore which of them can read the decrypted secret value. Note that a caller needs two permissions, not one: permission on the secret or parameter itself (secretsmanager:GetSecretValue, or ssm:GetParameter with decryption) and, for a customer managed key, kms:Decrypt on the key that protects it.

2. MANAGED KEY VALUE STORE

Both are managed key-value stores. Names can be hierarchical (for example /prod/db/password), which lets you scope IAM policies to a prefix rather than listing every entry. Value sizes differ, though: a Parameter Store standard parameter holds up to 4 KB (8 KB in the advanced tier), while a Secrets Manager secret can hold up to 64 KB.

3. INTEGRATION WITH CLOUDFORMATION

AWS CloudFormation allows you to model and provision all the resources you need to stand up your application, across Regions and accounts, in an automated and repeatable way. CloudFormation templates are infrastructure as code and normally live in version control, so putting a secret into a template is a bad security practice: it ends up in the repository, in the console and in the stack's parameter history. Instead, store the credential in a secret and reference it from the template, so the template only holds a pointer to the value. Both services support this through CloudFormation dynamic references: {{resolve:secretsmanager:secret-id:SecretString:json-key}} for Secrets Manager and {{resolve:ssm-secure:parameter-name:version}} for SecureString parameters (ssm-secure references are accepted only on a limited set of resource properties, so check the property before relying on it). Here is one way to do it using AWS Secrets Manager: https://github.com/singlestone/SecretsManagerwithCloudFormation.

On these points the two services overlap and serve the same goals.

The differences below are what should drive an informed choice of one over the other.

1. COST

AWS Systems Manager Parameter Store has a standard tier and an advanced tier. Standard parameters are free: up to 10,000 parameters per Region and 4 KB per value. Advanced parameters are charged per parameter per month ($0.05 at the time of writing) and allow up to 100,000 parameters per Region, 8 KB per value, and parameter policies such as expiration and no-change notifications. You can move a parameter from standard to advanced at any time, but not the other way round: once a parameter is advanced it stays advanced, so do not upgrade casually.

Secrets Manager is pay-as-you-go with no minimum fee, set-up fee or commitment. You are charged per secret per month ($0.40 at the time of writing) and per 10,000 API calls ($0.05), so cost scales with how many secrets you keep and how often applications fetch them. Caching the secret in the application instead of calling GetSecretValue on every request keeps the second component small.

2. SECRETS ROTATION

Rotating secrets by hand often means taking an application offline, changing the credential everywhere it is used, and bringing the application back up. If one application or one host is missed, it keeps using the old credential, fails once that credential is revoked, and the rotation causes more downtime than it prevents. This is where Secrets Manager is a big plus: it can rotate a secret on a schedule, and it can generate random secret values for you.

You can generate a random password either in a CloudFormation template, through the GenerateSecretString property of an AWS::SecretsManager::Secret resource, or from the SDK or CLI with the GetRandomPassword API, and store it as the secret's value.

To summarize, Parameter Store lets you store a value either as a plain String (unencrypted) or as a SecureString (encrypted with KMS), and standard parameters are free. Secrets Manager always encrypts the value, and on top of that it manages rotation: on a schedule it invokes a Lambda function that creates a new credential, installs it in the target system, verifies it and only then makes it current (AWS supplies ready-made rotation functions for RDS, Redshift and DocumentDB). Parameter Store has no built-in rotation; you would have to build the scheduling and the update logic yourself. For an organization that must meet a mandate such as PCI DSS's requirement to change passwords at least every 90 days, Secrets Manager turns that into a scheduled, auditable process rather than a manual one.
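The four-step rotation protocol described above (createSecret, setSecret, testSecret, finishSecret) is where most home-grown rotation goes wrong, usually by not being safe to retry. The following is an added example, not code from the original post or from AWS: a rotation handler written in the shape Secrets Manager invokes a rotation Lambda with, run here against a constructed in-memory stand-in for the boto3 client and for the database so that it executes offline. The staging labels (AWSCURRENT, AWSPENDING, AWSPREVIOUS), the event fields and the client method names are the real ones; FakeSecretsManager, FakeDatabase, the secret ARN and the request token are assumptions made for the example.

```python
import secrets
import string


class _Exceptions:
    """Mirrors boto3's client.exceptions namespace for the one error we handle."""
    class ResourceNotFoundException(Exception):
        pass


class FakeSecretsManager:
    """Constructed in-memory stand-in for the boto3 Secrets Manager client.
    Only the calls a rotation function needs are modelled; staging labels are
    tracked the way the service tracks them (one version id per label)."""
    exceptions = _Exceptions

    def __init__(self, initial_value):
        self.versions = {"v0": initial_value}   # version id -> secret string
        self.stages = {"AWSCURRENT": "v0"}      # staging label -> version id

    def describe_secret(self, SecretId):
        by_version = {}
        for label, vid in self.stages.items():
            by_version.setdefault(vid, []).append(label)
        return {"ARN": SecretId, "RotationEnabled": True, "VersionIdsToStages": by_version}

    def get_secret_value(self, SecretId, VersionId=None, VersionStage=None):
        vid = VersionId or self.stages.get(VersionStage)
        if vid not in self.versions or (VersionStage and self.stages.get(VersionStage) != vid):
            raise self.exceptions.ResourceNotFoundException(f"{SecretId}: no such version")
        return {"VersionId": vid, "SecretString": self.versions[vid]}

    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.versions[ClientRequestToken] = SecretString
        for label in VersionStages:
            self.stages[label] = ClientRequestToken

    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId, RemoveFromVersionId=None):
        # The service moves AWSPREVIOUS to the old AWSCURRENT and drops AWSPENDING
        # when rotation finishes; the fake models that explicitly.
        if VersionStage == "AWSCURRENT" and RemoveFromVersionId:
            self.stages["AWSPREVIOUS"] = RemoveFromVersionId
            self.stages.pop("AWSPENDING", None)
        self.stages[VersionStage] = MoveToVersionId


class FakeDatabase:
    """Constructed stand-in for the database whose password is being rotated."""
    def __init__(self, password):
        self.password = password

    def connect(self, password):
        return secrets.compare_digest(password, self.password)

    def set_password(self, current_password, new_password):
        if not self.connect(current_password):
            raise PermissionError("current credential no longer valid")
        self.password = new_password


def generate_password(length=32):
    alphabet = string.ascii_letters + string.digits + "!#%+,-.:=?@_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rotate(event, client, db):
    """One rotation step. event carries SecretId, ClientRequestToken and Step,
    exactly as Secrets Manager passes them to a rotation Lambda."""
    secret_id, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]
    stages = client.describe_secret(SecretId=secret_id)["VersionIdsToStages"]
    if "AWSCURRENT" in stages.get(token, []):
        return "already-current"   # a retry after finishSecret must be a no-op
    if step == "createSecret":
        try:   # a retried createSecret must not generate a second password
            client.get_secret_value(SecretId=secret_id, VersionId=token, VersionStage="AWSPENDING")
            return "pending-exists"
        except client.exceptions.ResourceNotFoundException:
            client.put_secret_value(SecretId=secret_id, ClientRequestToken=token,
                                    SecretString=generate_password(), VersionStages=["AWSPENDING"])
            return "pending-created"
    pending = client.get_secret_value(SecretId=secret_id, VersionId=token,
                                      VersionStage="AWSPENDING")["SecretString"]
    if step == "setSecret":
        current = client.get_secret_value(SecretId=secret_id, VersionStage="AWSCURRENT")["SecretString"]
        db.set_password(current, pending)   # authenticate with the old credential, install the new one
        return "db-updated"
    if step == "testSecret":
        if not db.connect(pending):
            raise RuntimeError("pending credential does not work; aborting before cut-over")
        return "pending-verified"
    if step == "finishSecret":
        current_vid = client.get_secret_value(SecretId=secret_id, VersionStage="AWSCURRENT")["VersionId"]
        client.update_secret_version_stage(SecretId=secret_id, VersionStage="AWSCURRENT",
                                           MoveToVersionId=token, RemoveFromVersionId=current_vid)
        return "cut-over"
    raise ValueError(f"unknown step {step}")


def run_rotation(client, db, secret_id="arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-AbCdEf",
                 token="11111111-2222-3333-4444-555555555555"):
    """Drive the four steps in order, as the service would, and return each step's result."""
    return [rotate({"SecretId": secret_id, "ClientRequestToken": token, "Step": s}, client, db)
            for s in ("createSecret", "setSecret", "testSecret", "finishSecret")]
```

Two properties matter here. The new credential only becomes AWSCURRENT after testSecret has proved it works, so an application that always reads AWSCURRENT never sees a broken credential. And every step checks the staging labels before acting, so a retried Lambda invocation (which Secrets Manager will do) cannot create a second pending password or cut over twice.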

3. CROSS-ACCOUNT ACCESS

With AWS Organizations, different engineering teams often run their production workloads in separate member accounts, and those accounts may need to read the same secret, say the credentials of a shared production database instance. Secrets Manager supports this directly: you attach a resource-based policy to the secret that grants the other account's role secretsmanager:GetSecretValue, and, because the value is encrypted, you also grant that role kms:Decrypt in the key policy of the customer managed KMS key protecting the secret (the default AWS managed key cannot be shared with another account). The consuming role then needs a matching IAM policy and fetches the secret by its full ARN. Parameter Store had no equivalent when this was written, so a shared value would have to be copied into each account.
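Cross-account reads fail most often because only one of the three policies involved was written. As an added example (not from the original post, and not an AWS library), the function below assembles all three documents for one consumer role: the resource policy on the secret, the statement to add to the KMS key policy, and the identity policy for the consuming role. It refuses to proceed when the key is AWS managed, which is checked from the KeyManager field of kms.describe_key(). The ARNs, account ids, role name and the function names are assumptions made for the example.

```python
import json


def shareable_key(key_manager):
    """True when the key policy can be edited to admit another account.
    key_manager is KeyMetadata.KeyManager from kms.describe_key(): "CUSTOMER" or "AWS".
    The aws/secretsmanager managed key is "AWS" and cannot be shared."""
    return key_manager == "CUSTOMER"


def cross_account_read_policies(secret_arn, key_arn, key_manager, consumer_role_arn, region):
    """Build the three policy documents a cross-account GetSecretValue needs."""
    if not shareable_key(key_manager):
        raise ValueError("re-encrypt the secret under a customer managed key before sharing it")
    consumer_account = consumer_role_arn.split(":")[4]

    # 1. Resource policy on the secret (owning account): who may read this secret.
    #    "Resource": "*" in a secret's own policy means the secret it is attached to.
    secret_policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowConsumerRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": consumer_role_arn},
            "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
            "Resource": "*",
        }],
    }
    # 2. Statement to append to the customer managed key's policy (owning account):
    #    let the consumer decrypt, but only through Secrets Manager in this Region,
    #    so the grant cannot be reused to decrypt arbitrary ciphertext.
    key_policy_statement = {
        "Sid": "AllowConsumerDecryptViaSecretsManager",
        "Effect": "Allow",
        "Principal": {"AWS": consumer_role_arn},
        "Action": ["kms:Decrypt", "kms:DescribeKey"],
        "Resource": "*",
        "Condition": {"StringEquals": {"kms:ViaService": f"secretsmanager.{region}.amazonaws.com"}},
    }
    # 3. Identity policy on the consumer role (consumer account): cross-account
    #    access needs both the resource side and the identity side to allow it.
    consumer_policy = {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": secret_arn},
            {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": key_arn},
        ],
    }
    return {
        "consumer_account": consumer_account,
        "secret_policy": json.dumps(secret_policy),
        "key_policy_statement": key_policy_statement,
        "consumer_policy": json.dumps(consumer_policy),
    }
```

The secret_policy string is what you pass to secretsmanager put_resource_policy; the key statement goes into the key's existing policy via kms put_key_policy (fetch the current policy first and append, rather than replacing it); the consumer policy is attached to the role in the other account, which then calls GetSecretValue with the secret's full ARN, since a bare name only resolves in the caller's own account.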

To summarize, Parameter Store lets you store values encrypted or unencrypted, it streamlines deployments by holding environment configuration alongside secrets, and the standard tier is free. Secrets Manager takes it up a few notches with secret rotation, cross-account access and tighter integration with services such as RDS. It will be interesting to see what lies ahead for both.



Written by Sagar Desarda

The views in the articles are mine alone and do not represent my employer.
