Introduction to Secrets Rotation
Rotation is the process of periodically updating a secret. The secret can be an API key, security credential, encryption key, or any other sensitive value.
Because secrets are sensitive to leakage or exposure, it’s important to rotate them often, at least every 60 days. Microsoft Azure DocumentationThe manual rotation process can be time consuming and human error prone, as a result making the process neglected. In this article, I will present how to automate the rotation process using the AWS Lambda service and the tradeoffs of this method.
Why rotate secretsAccording to community best practices, secrets should be rotated regularly, let’s look at the reasons why. Minimalizing the consequences of secrets leak is one of the main reasons behind secrets rotation. In a secrets leak event, a bad actor gains an access to one or more of your secrets. Such action often remains undetected for an unacceptably long period of time. This gives the attacker a chance to investigate your system and spread the attack over time, which decreases the chances of detecting the intrusion manually or by anomaly detection systems. Secrets can leak in various ways, but disturbingly often this happens by putting them as plain text in Git repositories. According to the GitGuardian report, over 6M secrets were detected in public GitHub repositories in 2021. Inaccurate employee offboarding is another process that can result in unauthorized persons having access to secrets. A former employee having a copy of still used API keys can easily become a security risk. As you can see, automatic secrets rotation will not solve the described issues, but it can decrease the bad consequences of compromising secrets even if you are not aware that the secret has been compromised. An important feature of secrets rotation is the possibility to rotate secrets on-demand. You can use it in addition to the automatic rotation every time when there is a suspicion of a secret being compromised.
Where to store secretsThis is a wide topic, but as you probably know, secrets shouldn’t be hardcoded directly in the application code. Generally, in the AWS cloud, we recommend storing secrets in the AWS Secrets Manager. If you’re looking for a cloud agnostic alternative, we can honestly recommend Hashicorp Vault.
If you are using Terraform, check out our module that simplifies the secrets management for ECS containers. Get it nowAWS Secrets Manager has built-in integration for rotating Amazon Relational Database Service (Amazon RDS) credentials. It also uses secrets versioning – such a mechanism allows uninterrupted application execution when secrets are rotated.