Applications, services, or serverless functions typically require configurations and credentials for accessing various resources. These resources can include cloud service settings, framework configurations, database connections, API access, cloud service access, email provider access, and more.
Ensuring the secure handling of these parameters is crucial for maintaining the proper operation and data security of the application.
Often, exposing these variables can inadvertently reveal information about potential vulnerabilities or provide access to protected resources. This issue became so prevalent that GitHub initiated a program to scan all public repositories for hardcoded credentials, aiding developers in protecting their applications.
AWS offers an extensive array of solutions for securely managing application configurations and credentials. Additionally, AWS provides a comprehensive suite of security best practices to assist in this endeavor
Application configuration vs application credentials
At first glance, they appear similar. Indeed, there is some overlap, but they also concentrate on different aspects of securing applications in AWS.
Application configuration security - overview
Application configuration concentrates on settings and parameters that are responsible for how applications operates in AWS services like EC2, RDS, S3, CloudFront and so on.
Application configuration includes environmental variables, application settings, network configuration and resource specification.
The primary goal is to ensure that the application behaves as expected and that its interactions with other AWS services are secure.
The main services involved in application configurations are CloudFormation, AWS Config, AWS Systems Manager, AWS Secrets Manager, AWS Key Management Service, VPC, IAM, AWS CodePipeline and AWS CodeDeploy.
Application configuration security - best practices
The following points are best practices and examples how to utilize AWS servives for securely handling application configuration:
- Using services like AWS Secrets Manager and AWS Systems Manager Parameter Store to securely store and manage sensitive configuration
- Ensuring that sensitive data is encrypted in transit and at rest
- Implementing least privilege access using AWS Identity and Access Management (IAM) to ensure that only authorized users and services have access to configuration data
- Separating environments (development, staging, production) to prevent accidental or unauthorized access to sensitive resources. This can be achieved by using CloudFormation or AWS CodePipeline/ AWS CodeBuild
- Using different AWS accounts or Virtual Private Clouds (VPCs) for different environments
- Encrypting sensitive data using AWS Key Management Service (KMS) and ensuring that all data in transit is encrypted, typically using TLS/SSL
- Utilizing AWS Config, AWS CloudTrail and Amazon CloudWatch to monitor and log access and changes to application configurations and AWS resources
- Using tools like AWS Config and AWS Trusted Advisor to audit and ensure compliance with organizational policies and industry standards
- Regularly backing up configurations and using AWS features for disaster recovery to restore configurations in case of data loss or corruption
- Ensuring secure deployment pipelines in AWS, possibly using services like AWS CodePipeline and AWS CodeDeploy
- implementing processes for secure code deployment, including review and approval of changes
- Keeping the application and its dependencies up-to-date with the latest security patches and updates
Application credentials security - overview
Application credential security in AWS refers to the practices and measures specifically focused on protecting the credentials that applications use to authenticate and interact with AWS services and resources.
These credentials include AWS Access Keys, Secret Access Keys, IAM roles, database passwords, API keys, and other types of authentication tokens. The primary goal is to prevent unauthorized access to AWS resources, which could lead to data breaches, service disruptions, or other security incidents
Application credentials security - best practices
The following points are best practices and examples how to utilize AWS services for securely handling application credentials:
- Generally avoid using access keys (the keys consists of access key id and secret access key) which are by nature long-term, instead use roles utilizing short-term access
- Avoiding the hardcoding of credentials in application code or scripts. Instead, use IAM roles or environment variables for passing credentials securely
- Assigning IAM roles to AWS services like EC2 instances or Lambda functions, allowing these services to interact with other AWS resources securely
- Creating and managing IAM roles with the principle of least privilege, granting only the necessary permissions for a task
- Using IAM policies to restrict which users and services can access certain credentials. Policies can define conditions for access, such as time of day or requiring MFA.
- Using AWS Secrets Manager to securely store, rotate, and manage access to secrets such as database credentials, API keys, and OAuth tokens
- Alternatively, using AWS Systems Manager Parameter Store for managing configuration data, which can also store sensitive information securely
- Implementing regular rotation of credentials to reduce the risk of compromised credentials being used for unauthorized access. AWS Secrets Manager can automate the rotation process for AWS resources
- Encrypting sensitive credentials using AWS Key Management Service (KMS) both in transit and at rest
- Enabling AWS CloudTrail to log and monitor API calls and access to AWS resources, providing an audit trail for investigating security incidents