Photo Credit: Ewere Diagboya
As you move faster and faster with your DevOps practice, there is a piece of the puzzle that seems to be a little snag. That snag can cost you a whole lot, in terms of system security, management and updates. Application Parameters/Configurations; these guys practically determine how our applications run. It spans across database connection, to login credentials for RabbitMQ and other secret credentials. As a security practice, you do not want these credentials to be visible in your codebase when committing your code to your VCS (Version Control System). One of the ways to secure these credentials is by using Environment Variables which can be injected in the particular environment you need those secrets and configurations, instead of the values as they are. There also needs to be a place where these data need to be stored for safe keeping and if possible encrypted where they are stored.
We shall be looking at these 3 secret storage solution used by DevOps engineers. Each of these has their pros and cons and we shall be analyzing them with the following criteria:
a. Costb. Securityc. API/SDK Integrationd. Features
Cost
**AWS Secrets Manager**This is a managed service by AWS and according to AWS Pricing, this service costs $0.40 per secret per month $0.05 per 10,000 API calls. For context purposes, if you store 100 secrets (password, API Keys, etc) you pay $40 a month and if you request the value of the secret with a 40,000 API calls in a month you pay $0.2. more here
**Hashipcorp’s Vault**This is an open-source tool. Meaning you are in charge of setup and scaling the service. You will need to set it up on a Virtual Machine and the VM you use will determine the cost and other operational costs involved in updating, securing the server in which Vault will be installed and configured on.
**AWS Parameter Store**Still a managed service on AWS but this time it is under a feature called Systems Manager. It basically costs nothing. Did you just see that? Yes I mean it costs NOTHING. see here
Security
**AWS Secrets Manager**Secrets manager is quite a new service which is fully managed by AWS to the security of credentials stored on it is tied to IAM access on your AWS account. You can also integrate Secrets Manager with AWS KMS. Which helps to encrypt the data that is stored. Secrets Manager also comes with a secret rotation feature which allows you to automatically rotate API keys, passwords and more. This can be configured and wired with a Lambda Function to help with the rotation.
**Hashipcorp’s Vault**Everything that has to do with the security of the vault application is solely the user’s responsibility. Vault stores the passwords inside the machine it is installed in and encrypts the data. It supports various backend storages; Filesystem, AWS S3, Azure, Google Cloud Storage, MongoDB. more heresecret rotation feature here (https://www.vaultproject.io/docs/internals/rotation.html)
**AWS Parameter Store**Just like the Secrets Manager, the security is tied to your IAM account in AWS. All requests are made either via the API or CLI. The keys for both are generated from the console and used. There is no secret rotation feature of any sort, except you want to customize one.
API/SDK Integration
Here they all have APIs and SDKs to retrieve stored keys. So for this grading they all pass
General Features
**AWS Secrets Manager**- Secured storage of secrets on AWS- Allow encryption of keys stored via KMS- Key rotation can be configured within a specific period- Privilege Access Management (IAM)
**Hashipcorp’s Vault**- Stores secret in the filesystem or a database- Encryption as a Service- Privilege Access Management
**AWS Parameter Store**- Secured storage of secrets on AWS- Allow encryption of keys stored via KMS- Privilege Access Management (IAM)
Based on these features. You can choose which you can use for storing and retrieving your secrets. But it is crucial that you have a vault to store password, API Keys and connection strings.