
How to manage any kind of secret with AWS Secrets Manager - SanderKnape
https://sanderknape.com/2018/07/manage-custom-secrets-aws-secrets-manager/
======
eropple
This write-up is solid - but man, this product looks questionable. 40 cents
per secret per month? With Credstash[0] or a moral equivalent[1] you pay a
buck for a KMS key and microcents for the data storage.

RDS rotation is...fine, I guess, if you have an auditor who really wants that
and can't write a scheduled job for the task (I've been using one with
credstash so long it's just an automatic part of a new environment), but it's
got me skeptical.

Something AWS _could_ do, and I'd be very interested in, is a hosted moral
equivalent to Vault. Give me a daemon or something to run on an instance,
allow me to IAM-gate temporary SSH credentials (and chuck it in CloudTrail)
and temporary SQL databases, and that I'd pay for 'cause I really don't want
to deal with Vault or HashiCorp. But AWS Secrets Manager, by itself, doesn't
really present a good reason-for-being to me.

[0] - [https://github.com/fugue/credstash](https://github.com/fugue/credstash)

[1] - [https://github.com/codahale/sneaker](https://github.com/codahale/sneaker)

~~~
Spooky23
It’s replacing enterprise products that cost way more to meet compliance
requirements. It would have saved me about $50k on a project a while back.

No open source product will meet the requirement, because you often need FIPS
validated crypto.

~~~
viraptor
> No open source product will meet the requirement, because you often need
> FIPS validated crypto.

What do you mean? Red Hat has FIPS mode. OpenSSL has a FIPS object module. You
can create a secrets storage product out of those blocks. Do you mean some
specific requirements for the project you were working on?

~~~
Spooky23
Rolling your own is expensive if you’re getting audited for compliance that
includes FIPS or other things.

You need to have a Dev who understands and documents everything, your ops guys
need to be careful to not fix a security bug in OpenSSL that leaves you with a
non-validated version, etc.

Or you can give AWS $5/secret/year. It’s the path of least resistance.

~~~
viraptor
I agree it's simple to use AWS in this case. I meant specifically the claim
that "No open source product will meet the requirement". It may not be the
financially optimal solution, but that's not "open source" specific.

~~~
Spooky23
I see your POV, but I think the distinction is that RHEL or OpenSSL aren’t
vaults. They are components or tools. If RHEL includes a vault product, that
would be different.

If I need to sit, I need a chair that can support my weight. A box containing
2x4s, a hammer and a box of nails doesn’t meet the need.

I’m not disparaging OSS — it just isn’t a good fit for use cases like this
when you need to deal with bullshit like FIPS 140-2.

------
scarface74
AWS’s Secrets Manager seems like overkill for most projects and it’s expensive
- 40 cents per secret per month. The Parameter Store is free and much better
integrated with AWS’s other offerings. It also supports encrypted values.

~~~
dastbe
(I do work for AWS)

I was confused by the naming convention at launch, but a secret is a set of
key value pairs and not a single key value pair.

~~~
tbrock
Who says the value needs to represent a scalar value? Why not encode an
encrypted JSON string as the value?

~~~
scarface74
It kind of defeats the purpose if you are sharing common settings across
services, if you only need one value shared.