This write-up is solid - but man, this product looks questionable. 40 cents per secret per month? With Credstash[0] or a moral equivalent[1] you pay a buck for a KMS key and microcents for the data storage.
RDS rotation is...fine, I guess, if you have an auditor who really wants that and can't write a scheduled job for the task (I've been using one with credstash so long it's just an automatic part of a new environment), but it's got me skeptical.
Something AWS could do, and I'd be very interested in, is a hosted moral equivalent to Vault. Give me a daemon or something to run on an instance, allow me to IAM-gate temporary SSH credentials (and chuck it in CloudTrail) and temporary SQL databases, and that I'd pay for 'cause I really don't want to deal with Vault or HashiCorp. But AWS Secrets Manager, by itself, doesn't really present a good reason-for-being to me.
No enterprise is going to care about that price. If an enterprise is willing to delegate secret management to an external service in the first place, part of the reason they're doing it is so that they don't have to manage it themselves internally, along with the staffing and related compliance issues, which would cost orders of magnitude more.
> No open source product will meet the requirement, because you often need FIPS validated crypto.
What do you mean? Redhat has FIPS mode. Openssl has FIPS object module. You can create a secrets storage product out of those blocks. Do you mean some specific requirements for the project you were working on?
Rolling your own is expensive if you’re getting audited for compliance that includes FIPS or other things.
You need to have a Dev who understands and documents everything, your ops guys need to be careful to not fix a security bug in OpenSSL that leaves you with a non-validated version, etc.
Or you can give AWS $5/secret/year. It’s the path of least resistance.
I agree it's simple to use aws in this case. I meant specifically the claim that "No open source product will meet the requirement". It may not be the financially optimal solution, but that's not "open source" specific.
I see your POV, but I think the distinction is that RHEL
or OpenSSL aren’t vaults. They are components or tools. If RHEL includes a vault product, that would be different.
If I need to sit, I need a chair can support my weight. A box containing 2x4s, a hammer and box of nails doesn’t meet the need.
I’m not disparaging OSS — it just isn’t a good fit for use cases like this when you need to deal with bullshit like FIPS 140-2.
Credstash uses KMS (in much the same way as AWS Secret Provider does) and AES-256 (which is a FIPS 140-2 validated algorithm) internally. If AWS's crypto validates, Credstash's will.
I do not see the value proposition of the RDS rotation feature. RDS supports IAM auth, which gives you a token that is valid for 15 minutes, no need to worry about rotating passwords anymore: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Using...
There are several key restrictions on IAM token auth, not to mention that it may not be feasible to integrate in a given framework. It definitely solves the problem for manual access, but automated access may be a different story.
That said, there are a handful of examples available to handle RDS secret rotation through parameter store with Lambdas and custom cloudformation resources.
Let's say you write a scheduled job - the auditor is going to ask who gets notified when it fails, how you know they will respond to the notification, etc. Much simpler to just rely on AWS to do it for you.
AWS’s secret manager seems like overkill for most projects and it’s expensive - 40 cents per secret per month. The Parameter Store is free and much better integrated with AWS’s other offerings. It also supports encrypted values.
I’m looking at the Boto3 docs. It looks like a “secret” is a single key where the value can be JSON text that is a key value pair. Parameter Store let’s you use do a simple key value pair. Am I missing something?
Vault is free and open source. Only the “Enterprise” version cost money. I’ve used the open source versions of Consul, Nomad, and Vault before for on prem implementation.
I see that _you_ are not familiar with AWS customer support.
I've been using EC2 for years, and every time I've had a problem, it's been solved with the first priority getting the (virtual) servers online. I've even had them waive a months' billing (<40 USD) as I was having trouble with the credit card company.
The only comparable experience that I've seen is Rackspace. They earn their "fanatic" moniker, I don't know if they still use it. But AWS is also fantastic and I highly recommend them.
$40 a month and EC2 is not “Enterprise level”. I am a developer for a small company and one of the AWS admins, but when I don’t want to be bothered with dealing with AWS support, I’ll punt to our outsourced AWS suppprt consultants and let them handle it.
I’ve had, at best, lukewarm experiences with AWS customer support. Anecdata it may be, but this seems to be largely in-line with the experiences of my peer group, professionally.
Not shilling for AWS, but I file at least 1 ticket a month. I haven't tried the phone option, but the web option works for resolving my complaints within 24 hours.
My use case might be different since the entire architecture is HA / ephemeral and I can spin up new instances etc while waiting on them.
On a high level, what types of issues have you had for which you have needed support? The only issue I’ve had was that we were using DAX wrong and they showed us the proper usage. It was a relatively new service st the time.
RDS rotation is...fine, I guess, if you have an auditor who really wants that and can't write a scheduled job for the task (I've been using one with credstash so long it's just an automatic part of a new environment), but it's got me skeptical.
Something AWS could do, and I'd be very interested in, is a hosted moral equivalent to Vault. Give me a daemon or something to run on an instance, allow me to IAM-gate temporary SSH credentials (and chuck it in CloudTrail) and temporary SQL databases, and that I'd pay for 'cause I really don't want to deal with Vault or HashiCorp. But AWS Secrets Manager, by itself, doesn't really present a good reason-for-being to me.
[0] - https://github.com/fugue/credstash
[1] - https://github.com/codahale/sneaker