
We have a service running on AWS. This service uses secrets such as API keys of third party services (in other words: secrets which do not rotate automatically). These secrets are stored in AWS secretsmanager. Let's call this the "traditional approach".

We want to evaluate this alternative approach:

  • The service will have a single secretsmanager entry which will be a private key.
  • The API keys that service needs will be stored encrypted (by the public key corresponding to that private key) in some other medium (e.g., a DB, a file, etc.).
  • The service will first read the private key from secretsmanager, then read the encrypted values from that other medium, and finally have them decrypted via the private key.

At the application level this approach is attractive to us because it provides us with greater flexibility (it's a longer story, I am sparing the details). However, I want to transition to it only if it's just as secure as the "traditional" approach.

So the question is: is the alternative approach as secure as the traditional approach?

  • Welcome - have you considered using aws-kms instead of having your private key in secrets-manager? (This would give an additional layer of control.) I haven't specifically done this, but the doco seems to suggest that what you want to do is possible using a customer-managed asymmetric key, see: Asymmetric keys and HMAC keys are portable and interoperable - also see these steps to create and import the private key: docs.aws.amazon.com/kms/latest/developerguide/… Commented Jul 16, 2024 at 12:03
  • (PS: if you use this mechanism, don't forget to secure the un-encrypted private key after you've wrapped it for aws-kms import.) Commented Jul 16, 2024 at 12:12
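To make the three steps in the question concrete, here is an added example (not code from the question or from any AWS library), written in Go with only the standard library: WrapAPIKey is the storage side and UnwrapAPIKey is the service side. The private key PEM is passed in rather than fetched, so the Secrets Manager read (or a KMS call, as the comment suggests) is assumed to happen in the caller; using the secret's name as the OAEP label is my addition, not something the question specifies.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
)

// WrapAPIKey encrypts one third-party API key under the service's public key
// (RSA-OAEP, SHA-256) for storage in a DB or file. The secret's name is used
// as the OAEP label, so a blob copied to another row will not decrypt there.
// A 2048-bit key limits the plaintext to 190 bytes: fine for an API key.
func WrapAPIKey(pub *rsa.PublicKey, name, apiKey string) (string, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(apiKey), []byte(name))
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// UnwrapAPIKey is the service-side step: privPEM is the PKCS#8 private key
// read from the single Secrets Manager entry, stored is the blob read from
// the other medium. Anyone who can read privPEM can recover every stored
// key, so access to that one secret remains the security boundary.
func UnwrapAPIKey(privPEM []byte, name, stored string) (string, error) {
	block, _ := pem.Decode(privPEM)
	if block == nil {
		return "", errors.New("private key is not PEM")
	}
	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return "", err
	}
	priv, ok := key.(*rsa.PrivateKey)
	if !ok {
		return "", errors.New("private key is not RSA")
	}
	ct, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ct, []byte(name))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}
```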
