An Inside Look At AWS Secrets Manager vs Parameter Store
About a year ago (April, 2018), AWS introduced AWS Secrets Manager. Secrets Manager is a service that helps you protect access to your applications, services, and IT resources. This service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Using Secrets Manager, you can secure, audit, and manage secrets used to access resources in the AWS Cloud, on third-party services, and on-premises.
So why is this such a great development and what does this buy us?
Well, let’s take a step back to the old days of yore, just after politicians invented the internet ;-). Maybe we were developing web applications in old school ASP or any other language. And what if we had a database we wanted to connect to? No problem, let’s open up Netscape and do a search on connection strings for our database. Ah, there it is, really cool. We can plug this connection string right into our ASP code, hard code our database credentials inline, access our database, perform a query, return a recordset and go to work on it! But of course there are always bad guys lurking around waiting for the good guys to do something stupid. And the something stupid turned out to be hard coding your database credentials right in your code. Hackers probably learn how to grab this information in the first week of Hacker Boot Camp. So the good guys learn from their mistakes, get a new job after being fired for the massive security breach, and learn to remove the inline database credentials from their code. They create config files and reference the secrets in those config files from their code. And this is certainly a better solution than hard coding credentials. AWS comes along and other options become available.
In AWS, developers could store their secrets in S3 and even encrypt the data at rest and in transit. As we know all too well, things move and evolve quickly in AWS. First came AWS Systems Manager Parameter Store. Parameter Store is a secured and managed key/value store perfect for storing parameters, secrets, and configuration information. And then in April, 2018 AWS announced Secrets Manager, which offers similar functionality. So how do they differ and what are their similarities?
Similarities between Parameter Store and Secrets Manager
Well, there are a lot of similarities, which begs the question, what’s the point? And it’s probably best to reserve judgment on that as it is a good bet that AWS will continue to evolve Secrets Manager. But for now, let’s talk about the similarities. First, there is the encryption. Both Secrets Manager and Parameter Store can use AWS KMS to encrypt values. KMS is a managed service that enables you to easily encrypt your data. AWS KMS provides a highly available key storage, management, and auditing solution for you to encrypt data within your own applications and control the encryption of stored data across AWS services. With KMS, and with the help of IAM, you can use policies to control which IAM users and roles have permission to decrypt the value. So the ability to easily encrypt your secrets is a huge feature for both Parameter Store and Secrets Manager. With IAM alone, you can control access to your secrets. Is encryption simply an extra layer of security for your secrets? Well, it can be, but what if encryption of your secrets is a compliance requirement? Well, it comes right out of the box with either Parameter Store or Secrets Manager. So if you’re looking to encrypt secrets, how do you decide between the two? In this case, Parameter Store provides a bit more versatility. Parameter Store provides the option to store data unencrypted or to encrypt the data with a KMS key. With Secrets Manager, the secrets are stored encrypted and there is no option to store unencrypted data. So that is one use case for Parameter Store.
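As an added illustration of the IAM and KMS controls described above (not code from the original article), the CloudFormation fragment below defines a policy that lets a role read and decrypt only one application's values. The `example/app` prefix and the `AppKeyArn` parameter are hypothetical, and the customer managed KMS key is assumed to exist already.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Constructed example - least-privilege read access to encrypted values.

Parameters:
  AppKeyArn:
    Type: String
    Description: ARN of the customer managed KMS key (assumed to exist already)

Resources:
  ReadAppSecretsPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Read and decrypt only the example application's values
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Parameter Store: only parameters under the application's prefix.
          - Sid: ReadAppParameters
            Effect: Allow
            Action:
              - ssm:GetParameter
              - ssm:GetParameters
            Resource: !Sub "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/example/app/*"
          # Secrets Manager: only secrets whose name starts with the prefix.
          - Sid: ReadAppSecrets
            Effect: Allow
            Action: secretsmanager:GetSecretValue
            Resource: !Sub "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:example/app/*"
          # KMS: decrypt with this one key, and only when the request arrives
          # through Parameter Store or Secrets Manager, not by calling KMS directly.
          - Sid: DecryptViaServicesOnly
            Effect: Allow
            Action: kms:Decrypt
            Resource: !Ref AppKeyArn
            Condition:
              StringEquals:
                kms:ViaService:
                  - !Sub "ssm.${AWS::Region}.amazonaws.com"
                  - !Sub "secretsmanager.${AWS::Region}.amazonaws.com"
```

A principal without the `kms:Decrypt` statement can still be granted the read actions, but any request for a value encrypted with that key is denied, which is how the two layers combine.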
Another important similarity is that both are managed key/value store services. Both services allow you to store values under a name or key. They can also both store values up to 4096 characters and your keys can have prefixes. The final similarity I’ll mention is that both of these services can interact with CloudFormation. Let’s remember that CloudFormation is infrastructure as code! So storing our secrets in CloudFormation templates is just the kind of bad practice that we want to get away from by using Parameter Store or Secrets Manager. Values are referenceable in CloudFormation templates in both Parameter Store and Secrets Manager so you do not have to hard code your secrets! So there is no excuse for hard coding such things as database passwords in your CloudFormation templates. Your templates are code and they should be handled with the same care, with an eye on security, as your application code. You can store your username and password in a secret and your CloudFormation template can reference that secret so you only have a pointer to the value in your template.
Differences between Parameter Store and Secrets Manager
OK, now we need to discuss the differences between Parameter Store and Secrets Manager. And let’s jump right to the bottom line: cost. Parameter Store comes with no additional charges. There is a limit on the number of parameters you can store, and that limit is currently 10,000. AWS Secrets Manager does come with additional cost, and that cost is currently $0.40 per secret stored. Also, there is an additional $0.05 per 10,000 API calls. We’re talking cents here and it doesn’t sound like much, but as you would expect, these cents can add up for a large organization and should be considered if you are storing large numbers of secrets.
Where AWS Secrets Manager begins to win the day is the ability to automatically rotate secrets. Learn more about how that is the case with this AWS DevOps Pro certification course. Out of the box, AWS Secrets Manager provides full key rotation integration with RDS. What does this mean for you? Well, Secrets Manager can rotate keys and actually apply the new key/password in RDS for you. We all know we should rotate our keys, but do we actually do it? Secrets Manager makes it very simple to automate this process. What about key rotation for services other than RDS? We can use another valuable tool in the toolbox: Lambda! You can use AWS Lambda to write a function to rotate your keys and this is integrated directly in the Secrets Manager console.
Another huge difference, and again, a win for Secrets Manager is the ability to generate random secrets. You can randomly generate passwords in CloudFormation and store the password in Secrets Manager. And this is not just functionality for CloudFormation. The SDK can be used to do this in your application code. A final difference, and another win for Secrets Manager, is that secrets can be shared across accounts.
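The CloudFormation pattern described in the sections above, as an added example that is not from the original article: Secrets Manager generates the database password and the template holds only dynamic references to it. The secret name, the parameter name `/example/app/db-name` (assumed to exist already in Parameter Store) and the instance settings are hypothetical.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Constructed example - generated RDS credentials referenced by pointer.

Resources:
  # Secrets Manager generates the password, so it never appears in the
  # template, in stack parameters, or in version control.
  DbSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: example/app/db                 # hypothetical secret name
      Description: Master credentials for the example database
      GenerateSecretString:
        SecretStringTemplate: '{"username": "appadmin"}'
        GenerateStringKey: password         # JSON key that receives the random value
        PasswordLength: 32
        ExcludeCharacters: '"@/\'           # characters RDS rejects in passwords

  Database:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: mysql
      DBInstanceClass: db.t3.micro
      AllocatedStorage: "20"
      PubliclyAccessible: false
      # Non-secret configuration read from Parameter Store (version 1).
      DBName: "{{resolve:ssm:/example/app/db-name:1}}"
      # Weak form this replaces (credential stored in the template itself):
      #   MasterUsername: appadmin
      #   MasterUserPassword: "SuperSecret123"   # constructed value
      # Dynamic references: the template stores only a pointer to the secret.
      MasterUsername: !Sub "{{resolve:secretsmanager:${DbSecret}:SecretString:username}}"
      MasterUserPassword: !Sub "{{resolve:secretsmanager:${DbSecret}:SecretString:password}}"
```

CloudFormation resolves the references at deploy time, so a reviewer reading the template or the stack's stored template sees the `{{resolve:...}}` strings rather than the credential.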
So in summary, yes there is still a place for Parameter Store. Again, you can store secrets and encrypt them, but you can also store unencrypted data and it is all free. Secrets Manager takes things several steps further and it would not be surprising to see AWS continue to build on this functionality.
Throughout the first quarter of the year, I have been updating this course with new sections and hands-on labs. The update has now been completed and I decided to add a small section on AWS Secrets Manager in addition to:
- Deployment Pipelines
- AWS Lambda, and
- AWS API Gateway
For more on AWS Secrets Manager check out Linux Academy’s AWS DevOps Pro certification course.