AWS Secrets Manager / Secrets in GitHub
Axel Forstenhäusler (af096)
Where do you store your secrets?
Why should we use a Secrets Manager?
GitHub credential leakage
- 100k repositories affected
- almost 2,000 new unique keys every day
- 20 seconds to discover a new key
- 89% are not test keys
- 81% remain exposed for longer than 16 days
Demo
- GitHub search API endpoint: /search/code
- Google API keys always start with "AIza"
- 2,422,933 matches for "AIza"
- The items array contains, for every match, information about the repository and an html_url pointing at the file
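As an added example (not part of the original slides), the same key patterns the /search/code demo looks for, applied locally to file contents before they are pushed. The Google ("AIza" + 35 characters) and AWS ("AKIA" + 16 characters) key formats are the publicly documented ones; the placeholder heuristics, the masking and the sample lines are my own constructions and are labelled as such in the code:

```javascript
// Added example (not from the slides): local scan for the credential formats
// that the GitHub /search/code demo turns up. Key formats are the public ones;
// the sample file contents below are constructed for this example.

const PATTERNS = {
  // Google API keys: literal "AIza" followed by 35 characters from [A-Za-z0-9_-]
  google_api_key: /\bAIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])/g,
  // AWS access key IDs: literal "AKIA" followed by 16 upper-case alphanumerics
  aws_access_key_id: /\bAKIA[0-9A-Z]{16}(?![0-9A-Z])/g,
};

// Words on the same line that usually mark a placeholder rather than a live key (assumed heuristic).
const PLACEHOLDER_MARKERS = [/example/i, /your[_-]?key/i, /dummy/i, /placeholder/i];

// A key whose body is one repeated character (AIzaXXXX...) is a placeholder as well.
function isPlaceholder(key, line) {
  const body = key.slice(4);
  if (/^(.)\1*$/.test(body)) return true;
  return PLACEHOLDER_MARKERS.some((re) => re.test(line));
}

// Enough to locate the key in a report without reproducing it.
function mask(key) {
  return key.slice(0, 8) + '...' + key.slice(-4);
}

// Scan text line by line; one finding per regex match.
function scanText(text) {
  const findings = [];
  text.split('\n').forEach((line, idx) => {
    for (const [type, re] of Object.entries(PATTERNS)) {
      for (const m of line.matchAll(re)) {
        findings.push({
          line: idx + 1,
          type,
          masked: mask(m[0]),
          placeholder: isPlaceholder(m[0], line),
        });
      }
    }
  });
  return findings;
}

// True when at least one finding looks like a real credential: a pre-commit hook
// would reject the commit in that case.
function hasLiveSecret(findings) {
  return findings.some((f) => !f.placeholder);
}

// Constructed sample of what a leaked config file looks like (no real keys).
const SAMPLE = [
  '// config.js',
  'const mapsKey = "AIzaSyD8f1Pq9Lm2Nn3Rr4Ss5Tt6Uu7Vv8Ww9Xx";', // constructed, real-looking shape
  'aws_access_key_id = AKIAIOSFODNN7EXAMPLE',                    // AWS documentation example key
  'GOOGLE_KEY=' + 'AIza' + 'X'.repeat(35),                        // obvious placeholder
  'const short = "AIzaTooShort";',                                // wrong length, must not match
].join('\n');

function scanSample() {
  return scanText(SAMPLE);
}

console.log(JSON.stringify(scanSample(), null, 2));
```

Running the block prints three findings: the constructed Google key (not a placeholder), the AWS documentation key (flagged as a placeholder because of "EXAMPLE"), and the all-X key; the 12-character "AIzaTooShort" is ignored because the length does not match the format.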
Private Repository?
- Everyone who has access to the repository can see production keys
- Rotation is difficult when secrets are hard-coded: every rotation means changing the code and redeploying the application
AWS Secrets Manager- How does it work?
Create a secret
Retrieve a secret
- Create a new IAM access key (access key ID + secret access key) and download it
- Save them as aws_access_key_id and aws_secret_access_key in ~/.aws/credentials
aws secretsmanager get-secret-value --secret-id prod/google/api --version-stage AWSCURRENT
- --secret-id takes the name of the secret (or its ARN)
- --version-stage AWSCURRENT selects the version currently in use; it is the default, so it can be omitted
Response:
{
"Name": "prod/google/api",
"VersionId": "dd5f7331-a99b-4417-9b42-f5c738e866f4",
"SecretString": "{\"googleApiKey\":\"asd897182kxakaksd\"}",
"VersionStages": [
"AWSCURRENT"
],
"CreatedDate": 1559729811.626,
"ARN": "arn:aws:secretsmanager:us-east-2:254943305144:secret:prod/google/api-lfCYH5"
}
Retrieve a secret (Node.js)
const AWS = require('aws-sdk');

const region = "us-east-2";
const secretName = "prod/google/api";

// Create a Secrets Manager client. Credentials come from ~/.aws/credentials
// or the instance/Lambda role, never from the source code.
const client = new AWS.SecretsManager({ region: region });

client.getSecretValue({ SecretId: secretName }, function (err, data) {
  if (err) {
    // e.g. ResourceNotFoundException, AccessDeniedException
    throw err;
  }
  let secret;
  if ('SecretString' in data) {
    // Secret stored as text, here a JSON document like {"googleApiKey": "..."}
    secret = data.SecretString;
  } else {
    // Secret stored as binary: decode it (Buffer.from replaces the deprecated new Buffer)
    secret = Buffer.from(data.SecretBinary, 'base64').toString('ascii');
  }
  // Your code goes here.
});
Rotate automatically
- Built in for supported AWS services such as RDS (Secrets Manager supplies the rotation function)
- Possible for custom services by implementing your own rotation Lambda function
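Added example, not code from the slides or from AWS: the four-step protocol (createSecret, setSecret, testSecret, finishSecret) that a custom rotation Lambda has to implement for Secrets Manager. The handler uses the same operations as the real API (describeSecret, getSecretValue, putSecretValue, updateSecretVersionStage) but takes the client as a parameter. The in-memory FakeSecretsManager and the service object (issueCredential, activate, verify) are stand-ins I assumed for the target system so that a complete rotation runs offline; in Lambda you would pass a real SDK client whose calls resolve to promises and export `(event) => rotate(event, client, service)` as the handler.

```javascript
// Added example (not from the slides or AWS): custom rotation Lambda logic.
// Secrets Manager invokes the function four times per rotation, once per Step,
// always with the same ClientRequestToken (the id of the new version). The
// client is passed in so the same code runs against the real SDK or the fake below.
async function rotate(event, client, service) {
  const { SecretId, ClientRequestToken: token, Step } = event;
  const meta = await client.describeSecret({ SecretId });
  if (!meta.RotationEnabled) throw new Error(`rotation not enabled for ${SecretId}`);
  const stages = meta.VersionIdsToStages[token] || [];
  if (stages.includes('AWSCURRENT')) return 'already-current'; // rerun after success: no-op
  if (!stages.includes('AWSPENDING')) throw new Error(`version ${token} is not AWSPENDING`);
  const pending = () => client.getSecretValue({ SecretId, VersionId: token, VersionStage: 'AWSPENDING' });

  switch (Step) {
    case 'createSecret': {
      // Retried attempt: a value may already be stored under the token; keep it.
      try { await pending(); return 'pending-exists'; }
      catch (e) { if (e.code !== 'ResourceNotFoundException') throw e; } // SDK v2 error shape; v3 uses e.name
      const current = await client.getSecretValue({ SecretId, VersionStage: 'AWSCURRENT' });
      const next = service.issueCredential(JSON.parse(current.SecretString));
      await client.putSecretValue({ SecretId, ClientRequestToken: token,
        SecretString: JSON.stringify(next), VersionStages: ['AWSPENDING'] });
      return 'created';
    }
    case 'setSecret': // install the new credential in the target system
      await service.activate(JSON.parse((await pending()).SecretString));
      return 'set';
    case 'testSecret': // prove it works before any consumer depends on it
      if (!(await service.verify(JSON.parse((await pending()).SecretString))))
        throw new Error('new credential does not work');
      return 'tested';
    case 'finishSecret': { // move the AWSCURRENT label; the old version becomes AWSPREVIOUS
      const currentId = Object.keys(meta.VersionIdsToStages)
        .find((id) => meta.VersionIdsToStages[id].includes('AWSCURRENT'));
      await client.updateSecretVersionStage({ SecretId, VersionStage: 'AWSCURRENT',
        MoveToVersionId: token, RemoveFromVersionId: currentId });
      return 'finished';
    }
    default:
      throw new Error(`unknown step ${Step}`);
  }
}

// Assumed in-memory stand-in for the four Secrets Manager calls used above.
class FakeSecretsManager {
  constructor(name, currentId, secretString) {
    this.name = name;
    this.versions = { [currentId]: { stages: ['AWSCURRENT'], SecretString: secretString } };
  }
  beginRotation(token) { this.versions[token] = { stages: ['AWSPENDING'] }; } // done by the service before invoking
  async describeSecret() {
    const VersionIdsToStages = {};
    for (const [id, v] of Object.entries(this.versions)) VersionIdsToStages[id] = [...v.stages];
    return { Name: this.name, RotationEnabled: true, VersionIdsToStages };
  }
  async getSecretValue({ VersionId, VersionStage }) {
    const id = VersionId || Object.keys(this.versions).find((k) => this.versions[k].stages.includes(VersionStage));
    const v = this.versions[id];
    if (!v || v.SecretString === undefined) {
      const e = new Error('not found'); e.code = 'ResourceNotFoundException'; throw e;
    }
    return { VersionId: id, SecretString: v.SecretString, VersionStages: [...v.stages] };
  }
  async putSecretValue({ ClientRequestToken, SecretString, VersionStages }) {
    this.versions[ClientRequestToken] = { stages: [...VersionStages], SecretString };
  }
  async updateSecretVersionStage({ VersionStage, MoveToVersionId, RemoveFromVersionId }) {
    const from = this.versions[RemoveFromVersionId];
    from.stages = from.stages.filter((s) => s !== VersionStage).concat('AWSPREVIOUS');
    this.versions[MoveToVersionId].stages.push(VersionStage);
  }
}

// Assumed stand-in for the target system: issues a fresh key, installs it, checks it.
function makeFakeService() {
  const live = new Set(['old-key']);
  let n = 0;
  return {
    issueCredential: () => ({ googleApiKey: 'rotated-key-' + (++n) }),
    activate: async (c) => { live.add(c.googleApiKey); },
    verify: async (c) => live.has(c.googleApiKey),
  };
}

// Drive one full rotation of prod/google/api, then retry a step to show idempotency.
async function runFullRotation() {
  const sm = new FakeSecretsManager('prod/google/api', 'v1', JSON.stringify({ googleApiKey: 'old-key' }));
  const service = makeFakeService();
  const token = 'v2';
  sm.beginRotation(token);
  const results = [];
  for (const Step of ['createSecret', 'setSecret', 'testSecret', 'finishSecret']) {
    results.push(await rotate({ SecretId: 'prod/google/api', ClientRequestToken: token, Step }, sm, service));
  }
  results.push(await rotate({ SecretId: 'prod/google/api', ClientRequestToken: token, Step: 'createSecret' }, sm, service));
  const stages = (await sm.describeSecret()).VersionIdsToStages;
  const current = JSON.parse((await sm.getSecretValue({ VersionStage: 'AWSCURRENT' })).SecretString);
  return { results, stages, current };
}

runFullRotation().then((r) => console.log(JSON.stringify(r, null, 2)));
```

The idempotency checks at the top of rotate and in createSecret matter in practice: Secrets Manager retries a failed step with the same token, and a naive function that issued a second credential on retry would leave the first one orphaned in the target system.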
Help, I leaked a Secret