Profile Applicability:
Level 1
Description:
AWS Secrets Manager helps you protect access to your applications, services, and IT resources by securely managing and retrieving database credentials, API keys, and other secrets. Configuring AWS Lambda functions to retrieve database credentials from AWS Secrets Manager ensures that sensitive information is securely stored and managed, reducing the risk of exposing secrets in code or configuration files.
Rationale:
Using AWS Secrets Manager to store and manage database credentials prevents sensitive information from being hard-coded in Lambda functions or configuration files. It enables centralized management of secrets, automatic rotation of credentials, and secure access policies for database credentials. This is a best practice for improving the security of Lambda functions that interact with databases.
Impact:
Pros:
Enhanced Security: Secrets are securely stored and managed, reducing the risk of exposure.
Centralized Management: Secrets can be managed and rotated centrally, simplifying credential management.
Compliance: Meets security standards that require the use of secure credential management, such as PCI DSS, HIPAA, and SOC 2.
Cons:
Configuration Complexity: Requires proper setup of AWS Secrets Manager and appropriate IAM roles and permissions for Lambda.
Cost: AWS Secrets Manager incurs costs based on the number of secrets stored and the number of API calls made.
Default Value:
By default, AWS Lambda does not use AWS Secrets Manager for retrieving database credentials. Secrets Manager must be explicitly configured and integrated with Lambda functions.
Pre-requisites:
IAM permissions to create and manage secrets in AWS Secrets Manager and to update Lambda function configurations.
Access to AWS Lambda and AWS Secrets Manager services.
Secrets stored in AWS Secrets Manager for database credentials.
Remediation:
Test Plan:
Using the AWS Console:
Log in to the AWS Management Console.
Navigate to Secrets Manager and create a new secret for your database credentials.
Select Store a new secret, choose the Other type of secret option (for database credentials), and fill in the key-value pairs (e.g., username, password, host, etc.).
Save the secret and note the Secret ARN.
Navigate to AWS Lambda and select the Lambda function that requires access to the database.
Under the Function code section, update the code to retrieve the database credentials from Secrets Manager using the SDK.
Under Environment variables, ensure that the Lambda function has the necessary IAM permissions to retrieve secrets from AWS Secrets Manager.
Save the changes to the Lambda function.
Test the Lambda function to ensure it can successfully retrieve database credentials from Secrets Manager.
Using AWS CLI:
Create a secret in AWS Secrets Manager to store the database credentials:
aws secretsmanager create-secret --name <secret-name> --secret-string '{"username":"<db-username>", "password":"<db-password>", "host":"<db-host>"}'
Ensure that the Lambda function has the necessary IAM permissions to access the secret. Attach the SecretsManagerReadWrite managed policy or a custom policy allowing access to the secret.
Update the Lambda function to retrieve the secret using the boto3 SDK or the AWS SDK for other languages. Example Python code:
import boto3
import json

def get_secret():
    secret_name = "<secret-name>"
    region_name = "<region>"
    # Create a Secrets Manager client in the region where the secret is stored
    client = boto3.client("secretsmanager", region_name=region_name)
    # Retrieve the secret value; the JSON string stored by create-secret is parsed into a dict
    secret = client.get_secret_value(SecretId=secret_name)
    return json.loads(secret['SecretString'])
To verify that the Lambda function is properly configured to access Secrets Manager, run:
aws lambda invoke --function-name <lambda-function-name> output.txt
Check the output of the Lambda function to ensure it successfully retrieved the credentials.
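The following is an added example, not code from the benchmark page, showing what a production-grade version of the retrieval step looks like: it parses the JSON secret created by the create-secret command above, validates that the username, password and host keys are present, handles the SecretBinary form as well as SecretString, and caches the result across invocations of the same execution environment so that each invocation does not cost one GetSecretValue call. The boto3 client is injected so the function can be exercised offline with a constructed fake; the secret name, region and handler are hypothetical placeholders.

```python
import base64
import json

# Keys the page's create-secret command stores in the secret.
REQUIRED_KEYS = ("username", "password", "host")

# Module-level cache: Lambda reuses the execution environment between
# invocations, so a cached secret avoids one API call per invocation.
_SECRET_CACHE = {}


def _secrets_client(region_name):
    # Imported lazily so the module loads without boto3 when a fake client is injected.
    import boto3
    return boto3.client("secretsmanager", region_name=region_name)


def get_db_credentials(secret_name, region_name="<region>", client=None, use_cache=True):
    """Return a dict with username/password/host from the named secret.

    Raises ValueError if the secret is not a JSON object or lacks a required
    key, so a misconfigured secret fails loudly instead of producing a
    half-built database connection.
    """
    if use_cache and secret_name in _SECRET_CACHE:
        return _SECRET_CACHE[secret_name]

    client = client or _secrets_client(region_name)
    response = client.get_secret_value(SecretId=secret_name)

    # Secrets Manager returns either SecretString or base64-encoded SecretBinary.
    if "SecretString" in response:
        raw = response["SecretString"]
    else:
        raw = base64.b64decode(response["SecretBinary"]).decode("utf-8")

    try:
        creds = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"secret {secret_name!r} is not valid JSON") from exc
    if not isinstance(creds, dict):
        raise ValueError(f"secret {secret_name!r} is not a JSON object")

    missing = [k for k in REQUIRED_KEYS if k not in creds]
    if missing:
        raise ValueError(f"secret {secret_name!r} is missing keys: {missing}")

    if use_cache:
        _SECRET_CACHE[secret_name] = creds
    return creds


def lambda_handler(event, context, client=None):
    """Hypothetical handler: fetches the credentials and reports the host and
    user it would connect with, never echoing the password back to the caller."""
    creds = get_db_credentials("<secret-name>", "<region>", client=client)
    return {
        "statusCode": 200,
        "body": json.dumps({"host": creds["host"], "username": creds["username"]}),
    }


class FakeSecretsClient:
    """Constructed stand-in for boto3's secretsmanager client (offline use only)."""

    def __init__(self, secrets):
        self._secrets = secrets
        self.calls = 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        if SecretId not in self._secrets:
            raise KeyError(SecretId)  # boto3 raises ResourceNotFoundException here
        return {"SecretString": self._secrets[SecretId]}
```

When deployed, the function keeps the credentials in memory only; the invoke check above should show host and username in output.txt and never the password, which is the property worth asserting on in a test rather than the full secret string.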
Implementation Plan:
Using the AWS Console:
Log in to the AWS Management Console.
Go to Secrets Manager and create a new secret with the necessary database credentials.
Go to Lambda, select your function, and modify the code to retrieve the credentials from Secrets Manager using the SDK (as shown in the code example).
Ensure that the Lambda function has the appropriate IAM permissions to read the secret from Secrets Manager.
Save the changes and test the function to ensure it works correctly.
Using AWS CLI:
Create a secret with the database credentials:
aws secretsmanager create-secret --name <secret-name> --secret-string '{"username":"<db-username>", "password":"<db-password>", "host":"<db-host>"}'
Update the Lambda function code to retrieve the secret using AWS SDK for the language in use.
Ensure the Lambda execution role has the correct permissions to access the secret:
aws iam attach-role-policy --role-name <lambda-execution-role> --policy-arn arn:aws:iam::aws:policy/SecretsManagerReadWrite
Test the Lambda function to verify the integration.
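The SecretsManagerReadWrite managed policy attached in the step above grants read and write access to every secret in the account. The following is an added example, not code from the benchmark page, that builds a least-privilege alternative: an inline policy on the execution role allowing only GetSecretValue and DescribeSecret on the one secret ARN printed by create-secret (optionally kms:Decrypt on a customer-managed key, restricted to calls made via Secrets Manager), plus a check that flags Secrets Manager statements with a wildcard action or resource so an over-broad policy can be spotted in review. The role name, policy name, ARNs and the fake IAM client are placeholders and constructed values.

```python
import json


def build_secret_read_policy(secret_arn, kms_key_arn=None, region=None):
    """Return an IAM policy document granting read-only access to one secret.

    secret_arn should be the full ARN returned by create-secret (it ends in a
    random suffix). If the secret is encrypted with a customer-managed KMS key,
    pass its ARN so Decrypt is allowed only when invoked through Secrets Manager.
    """
    statements = [{
        "Sid": "ReadOneSecret",
        "Effect": "Allow",
        "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
        "Resource": secret_arn,
    }]
    if kms_key_arn:
        stmt = {
            "Sid": "DecryptViaSecretsManager",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": kms_key_arn,
        }
        if region:
            stmt["Condition"] = {
                "StringEquals": {"kms:ViaService": f"secretsmanager.{region}.amazonaws.com"}
            }
        statements.append(stmt)
    return {"Version": "2012-10-17", "Statement": statements}


def unscoped_statements(policy):
    """Return the Sids (or positional labels) of Allow statements that grant
    Secrets Manager access with a wildcard Action or Resource."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        touches_sm = any(a == "*" or a.startswith("secretsmanager:") for a in actions)
        wildcard_action = any(a in ("*", "secretsmanager:*") for a in actions)
        wildcard_resource = any(r == "*" for r in resources)
        if touches_sm and (wildcard_action or wildcard_resource):
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings


def attach_scoped_policy(iam_client, role_name, policy_name, secret_arn, **kwargs):
    """Attach the scoped document as an inline policy on the execution role
    via boto3's put_role_policy; returns the document that was attached."""
    doc = build_secret_read_policy(secret_arn, **kwargs)
    iam_client.put_role_policy(
        RoleName=role_name, PolicyName=policy_name, PolicyDocument=json.dumps(doc)
    )
    return doc


class FakeIamClient:
    """Constructed stand-in for boto3's iam client that records the call."""

    def __init__(self):
        self.inline_policies = {}

    def put_role_policy(self, RoleName, PolicyName, PolicyDocument):
        self.inline_policies[(RoleName, PolicyName)] = json.loads(PolicyDocument)
```

With a real client (`boto3.client("iam")`) the same attach_scoped_policy call replaces the attach-role-policy step, and the unscoped_statements check can be run over any existing policy document pulled from the role before deployment.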
Backout Plan:
Using the AWS Console:
If issues arise with accessing the database credentials, navigate to Lambda and disable the integration with Secrets Manager by removing or commenting out the code that retrieves the secret.
Verify that the Lambda function is still operational, potentially with hard-coded credentials as a temporary measure.
Restore the original configuration and address any issues with IAM permissions or secret retrieval.
Using AWS CLI:
If there are issues with the secret retrieval, remove the integration by modifying the Lambda function:
aws lambda update-function-code --function-name <lambda-function-name> --zip-file fileb://<path-to-new-code.zip>
Verify the Lambda function continues to function without using Secrets Manager.
Revert any IAM policy changes or restore the original configuration.