Handle secrets securely
Secrets, which include API keys, passwords, and certificates, are essential for authenticating and authorizing actions within cloud services and applications. However, if they are not managed with stringent security measures, they become weaknesses that can lead to significant breaches.
Secure storage of secrets
The first step in handling secrets securely is to ensure their secure storage. Secrets should never be hard-coded in IaC templates or scripts as this exposes them to unauthorized access, particularly when code repositories are public or shared among team members. Instead, secrets should be stored in a centralized and secure secrets management system, such as AWS Secrets Manager or AWS Systems Manager (SSM) Parameter Store. These systems are designed to securely store and manage secrets according to best practices, as discussed previously in Chapter 5.
Secret scanning and detection
Implement automated tools that scan repositories and codebases for hard-coded secrets. These tools can alert teams to potential security risks before the code is deployed. By integrating secret scanning into the continuous integration pipeline, organizations can catch and remediate issues early in the development cycle.
Tools such as GitGuardian, TruffleHog, and Amazon CodeGuru Security are adept at scanning code to identify embedded secrets and can be easily integrated into your IaC pipelines.
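As an added illustration of what such scanners do (this is example code written for this chapter, not the implementation of GitGuardian, TruffleHog, or CodeGuru Security), the script below combines two detection strategies: fixed-format patterns for credential types with a known shape, and a Shannon-entropy heuristic for literals assigned to secret-looking names. Values that are CloudFormation dynamic references or environment-variable placeholders are deliberately not reported, because they are the runtime-injection pattern this section recommends. The sample source lines are constructed; the access key ID is the example value from AWS documentation, and the patterns and threshold are choices made for this example.

```python
import math
import re

# Constructed example: a small scanner of the kind the text recommends wiring
# into CI. Patterns and the entropy threshold are choices made for this
# example, not a specific tool's rules.
KEY_PATTERNS = {
    # AWS access key IDs use a documented "AKIA" prefix plus 16 characters.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}

# A literal of 8+ non-space characters assigned to a secret-like name.
ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|secret|token|api[_-]?key)\b\s*[:=]\s*['\"]?([^'\"\s]{8,})['\"]?"
)

# Values that are resolved at runtime (CloudFormation dynamic references to
# Secrets Manager / SSM, or environment-variable placeholders). These are the
# recommended pattern, so they are not findings.
RUNTIME_REFERENCE = re.compile(
    r"\{\{resolve:(?:secretsmanager|ssm-secure):[^}]+\}\}|\$\{[A-Z_][A-Z0-9_]*\}"
)

def shannon_entropy(value):
    """Bits of entropy per character; random tokens score high, words score low."""
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_lines(lines, entropy_threshold=3.5):
    """Return (line_number, finding_kind) pairs for the given source lines."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for kind, pattern in KEY_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, kind))
        match = ASSIGNMENT.search(line)
        if not match:
            continue
        value = match.group(2)
        if RUNTIME_REFERENCE.fullmatch(value):
            continue  # injected at runtime, nothing embedded in the code
        if shannon_entropy(value) >= entropy_threshold:
            findings.append((lineno, "high_entropy_literal"))
        else:
            findings.append((lineno, "secret_literal"))
    return findings

# Constructed sample input standing in for a repository file; the access key
# ID is the example value from AWS documentation, not a live credential.
SAMPLE_SOURCE = [
    'aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"',
    'db_password = "Tr0ub4dor&3"',
    'DB_PASSWORD: "${DB_PASSWORD}"',
    'MasterUserPassword: "{{resolve:secretsmanager:prod/db:SecretString:password}}"',
    'api_key = "xk9Q2v7LpR4mZt1Y8wNc3Bf6Hs0J"',
    'token = "aaaaaaaaaaaaaaaa"',
    'region = "us-east-1"',
    '-----BEGIN RSA PRIVATE KEY-----',
]

if __name__ == "__main__":
    for lineno, kind in scan_lines(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}: {SAMPLE_SOURCE[lineno - 1]}")
```

Run against the sample, the scanner reports the access key, the private key header, the high-entropy API key, and the two low-entropy literals assigned to password and token, while leaving the two runtime references alone. The low-entropy findings are worth keeping at a lower severity rather than suppressing: a dictionary-word password is still a hard-coded credential, and entropy alone would miss it.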
Access control and auditing
Access to secrets should be tightly controlled using fine-grained permissions. Only principals that require access to a specific secret for their operation should be granted access, and even then, only for the minimum period necessary. This is where IAM policies play a crucial role. They allow administrators to define who can retrieve which secrets under what conditions, often with the ability to set expiration times for temporary access.
Auditing is another critical aspect of secure secrets management. Every access or change to a secret should be logged and monitored, including calls made by CloudFormation, as well as regular IAM principals. This includes tracking who accessed a secret, when it was accessed, and what operation was performed. Such auditing capabilities are built into AWS secrets management systems and are vital for detecting unusual patterns that may indicate a security incident. Regular monitoring and alerting should be implemented to detect irregular access patterns.
Secret injection at runtime
To use secrets within IaC, they should be injected at runtime rather than embedded in the code. This can be achieved through environment variables or by retrieving the secrets directly from the secrets management system at the time they are needed. For example, CloudFormation stacks can reference secrets stored in Secrets Manager, ensuring that the secrets are exposed only to the resources that require them and only for as long as they are needed.
Injecting secrets at runtime minimizes the risk of accidental exposure and provides an additional layer of security by keeping the secrets out of the codebase. It also simplifies the process of updating secrets, as they can be rotated or changed within the secrets management system without the need to update and redeploy IaC templates or scripts.
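The following is an added example, written for this chapter rather than taken from CloudFormation or boto3, of the runtime-injection mechanism described above. CloudFormation's documented dynamic-reference syntax for Secrets Manager is {{resolve:secretsmanager:secret-id:SecretString:json-key:version-stage:version-id}}, with everything after secret-id optional. The resolver below is a simplified stand-in for what the service does at deploy time, the in-memory store stands in for Secrets Manager, the template and the secret values are constructed, and secret-id is assumed to be a secret name rather than an ARN. The point it demonstrates is the one made in the text: the template carries only references, the value is fetched when the stack is deployed, and rotating the secret in the store changes the next deployment without any change to the template.

```python
import json
import re

# Constructed example of the runtime-injection pattern. This resolver and the
# in-memory store are stand-ins written for this example; they are not the
# CloudFormation service or the boto3 API. secret-id is assumed to be a name.
DYNAMIC_REF = re.compile(
    r"\{\{resolve:secretsmanager:([^:}]+)(?::SecretString(?::([^:}]*))?)?[^}]*\}\}"
)

class InMemorySecretStore:
    """Stand-in for Secrets Manager: current values by id, plus an access log
    of the kind the auditing section expects to see for every read and write."""

    def __init__(self):
        self._values = {}
        self.access_log = []

    def put(self, secret_id, value):
        # Secrets Manager stores SecretString as text; dicts are stored as JSON.
        self._values[secret_id] = json.dumps(value) if isinstance(value, dict) else value
        self.access_log.append((secret_id, "PutSecretValue"))

    def get(self, secret_id):
        self.access_log.append((secret_id, "GetSecretValue"))
        return self._values[secret_id]

def parse_references(template_text):
    """List the (secret_id, json_key) pairs a template depends on without
    touching any secret value. Useful as a pre-deploy check of which secrets
    the deploying role must be allowed to read, and nothing more."""
    return [(m.group(1), m.group(2) or None) for m in DYNAMIC_REF.finditer(template_text)]

def resolve_template(template_text, store):
    """Replace each dynamic reference with the current secret value at deploy
    time; the template itself never contains the value."""
    def replace(match):
        secret_id, json_key = match.group(1), match.group(2)
        raw = store.get(secret_id)
        if json_key:
            return str(json.loads(raw)[json_key])
        return raw
    return DYNAMIC_REF.sub(replace, template_text)

# Constructed template: the password never appears here, only the reference.
TEMPLATE = """Resources:
  Database:
    Type: AWS::RDS::DBInstance
    Properties:
      MasterUsername: "{{resolve:secretsmanager:prod/db:SecretString:username}}"
      MasterUserPassword: "{{resolve:secretsmanager:prod/db:SecretString:password}}"
"""

def rotate_and_redeploy():
    """Rotate the secret in the store and re-resolve the unchanged template."""
    store = InMemorySecretStore()
    store.put("prod/db", {"username": "app", "password": "first-pw"})   # constructed value
    before = resolve_template(TEMPLATE, store)
    store.put("prod/db", {"username": "app", "password": "second-pw"})  # rotated value
    after = resolve_template(TEMPLATE, store)
    return {"before": before, "after": after, "log": store.access_log}

if __name__ == "__main__":
    result = rotate_and_redeploy()
    print(result["after"])
    for entry in result["log"]:
        print(entry)
```

Two things to take from the run: the resolved output is what exists only inside the deployment, never in the repository, and every resolution appears in the store's access log as a read of the named secret, which is the trail the auditing section says must be monitored. The parse_references helper is the pre-deployment counterpart: it tells you which secrets a template will read, so the deploying role can be scoped to exactly those.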