Secrets Manager & Cognito

AWS Secrets Manager is a managed service for storing secrets; a secret's value can be a plain-text string or a JSON document. Each secret has a name, and that name (or the secret's ARN) is the key under which code looks it up. Using the service safely depends on a granular IAM permission scheme: each resource that needs a given secret is granted access to that secret only, not to Secrets Manager as a whole.

The Secrets Manager console is at: https://console.aws.amazon.com/secretsmanager/home?region=us-east-1#

The five pillars of the AWS Well-Architected Framework:

  • Operational Excellence: The ability to run and monitor systems to deliver business value and to continually improve supporting processes and procedures.

  • Security: The ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies.

  • Reliability: The ability of a system to recover from infrastructure or service disruptions, dynamically acquire computing resources to meet demand, and mitigate disruptions such as misconfigurations or transient network issues.

  • Performance Efficiency: The ability to use computing resources efficiently to meet system requirements, and to maintain that efficiency as demand changes and technologies evolve.

  • Cost Optimization: The ability to run systems to deliver business value at the lowest price point.

AWS Well Architected Framework PDF


Goals

  • Keep the encryption secrets safely stored

  • Keep the secrets centralized

Architecture

There is no grand architecture for this service. Python code using the Boto3 library creates a session (or client) for the secretsmanager service and calls GetSecretValue with the secret's name or ARN; Boto3 picks up the credentials of the role the code runs under (for a Lambda function, its execution role) and returns the secret's value.

Whatever process runs the Python code (likely a Lambda function) needs granular IAM permissions to read the specific secrets it uses, rather than access to every secret in the account.

Here is the current policy, atd-moped-users-cognito-hook-secrets-access, attached to the role atd-moped-cognito-hook:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": [
                "arn:aws:secretsmanager:us-east-1:295525487728:secret:ATD_MOPED_USERS_COGNITO_DYNAMODB-txVJVP",
                "arn:aws:secretsmanager:us-east-1:295525487728:secret:ATD_MOPED_USERS_COGNITO_DYNAMODB_STAGING-NcR6wu"
            ]
        }
    ]
}

Four secrets are involved: two Fernet keys used at runtime by the Cognito trigger and two deployment secrets used by GitHub Actions.

  • Fernet key used in Python to decrypt strings in the DynamoDB production table (created 9/24/2020).

  • Environment variables for the staging environment, used by GitHub Actions to deploy the Cognito Lambda functions (created 9/23/2020).

  • Environment variables for the production environment, used by GitHub Actions to deploy the Cognito Lambda functions (created 9/23/2020).

  • Fernet key used in Python to decrypt strings in the DynamoDB staging table (created 9/23/2020).

Architecture flow

This flow assumes the Lambda function behind the Cognito trigger runs under an execution role that allows it to execute and to read the specific secrets (such as the policy above).

  1. Cognito invokes the Lambda function as its pre token generation trigger, which runs the Python code.

  2. The Python code fetches the encryption secret from Secrets Manager.

  3. The secret value is the Fernet key that decrypts the claims stored in DynamoDB.

  4. The Python code reads the user's encrypted claims from DynamoDB, decrypts them with that key and returns them to Cognito, which adds them to the token.
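The flow above, together with the Boto3 lookup described under Architecture, as an added example that is not the project's own code: a Python pre token generation handler that fetches the Fernet key from Secrets Manager, decrypts the user's claims read from DynamoDB and returns them as claimsToAddOrOverride. The environment variable names SECRET_NAME and TABLE_NAME, the table layout (keyed by email, Fernet token in a claims attribute), the JSON shape of the decrypted claims, and the fake clients used by demo_offline are assumptions for illustration; the sample claims and rows are constructed.

```python
"""Added example (not the project's own code): a Cognito pre token generation
Lambda that fetches the Fernet key from Secrets Manager, decrypts the user's
claims from DynamoDB and returns them as extra token claims. Assumed, not on
the page: env vars SECRET_NAME and TABLE_NAME, a table keyed by "email" with
the Fernet token in attribute "claims", whose plaintext is a JSON object."""
import json
import os

try:  # boto3 and cryptography live in the Lambda runtime or a layer; guarded
    import boto3  # so the module can be imported and exercised offline.
except ImportError:
    boto3 = None
try:
    from cryptography.fernet import Fernet, InvalidToken
except ImportError:
    Fernet, InvalidToken = None, ValueError

_SECRET_CACHE = {}  # survives warm invocations: one API call per container


def get_secret_string(secret_id, client=None):
    """Fetch a secret by name or ARN. The execution role needs
    secretsmanager:GetSecretValue on that secret's ARN (random suffix included)
    plus kms:Decrypt if the secret uses a customer-managed KMS key."""
    if secret_id not in _SECRET_CACHE:
        client = client or boto3.client("secretsmanager")
        resp = client.get_secret_value(SecretId=secret_id)
        # SecretBinary comes back already base64-decoded, as bytes
        _SECRET_CACHE[secret_id] = (resp["SecretString"] if "SecretString" in resp
                                    else resp["SecretBinary"].decode())
    return _SECRET_CACHE[secret_id]


def make_fernet_decryptor(key):
    """Return a callable mapping a Fernet token to the decrypted claims dict."""
    fernet = Fernet(key.encode() if isinstance(key, str) else key)
    return lambda token: json.loads(fernet.decrypt(token.encode()))


def pre_token_handler(event, context=None, *, secrets_client=None, table=None,
                      decryptor_factory=make_fernet_decryptor):
    """Cognito 'Pre token generation' trigger. Lambda passes only (event,
    context); the keyword arguments let the AWS clients be injected offline."""
    email = event["request"]["userAttributes"]["email"]
    decrypt = decryptor_factory(get_secret_string(os.environ["SECRET_NAME"], secrets_client))
    table = table or boto3.resource("dynamodb").Table(os.environ["TABLE_NAME"])
    item = table.get_item(Key={"email": email}).get("Item")
    if not item:  # no row for this user: issue the token with no extra claims
        return event
    try:
        claims = decrypt(item["claims"])
    except InvalidToken as exc:
        # Fail closed: a wrong key or a tampered row must not produce a token
        raise RuntimeError(f"cannot decrypt claims for {email}") from exc
    event.setdefault("response", {})["claimsOverrideDetails"] = {
        # Cognito takes string claim values; anything else is JSON-encoded
        "claimsToAddOrOverride": {k: v if isinstance(v, str) else json.dumps(v)
                                  for k, v in claims.items()}}
    return event


class _FakeSecrets:  # constructed stand-in for the boto3 Secrets Manager client
    def __init__(self, value):
        self.value, self.calls = value, 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"SecretString": self.value}


class _FakeTable:  # constructed stand-in for a boto3 DynamoDB Table resource
    def __init__(self, rows):
        self.rows = rows

    def get_item(self, Key):
        return {"Item": self.rows[Key["email"]]} if Key["email"] in self.rows else {}


def demo_offline():
    """Run the trigger on constructed data; returns (claims added for a user with
    a row, response for a user without one, tampered row failed closed, API calls)."""
    _SECRET_CACHE.clear()
    sample = {"role": "editor", "workgroups": ["ATD"]}  # constructed claims
    if Fernet is not None:
        key = Fernet.generate_key().decode()
        token = Fernet(key.encode()).encrypt(json.dumps(sample).encode()).decode()
        factory = make_fernet_decryptor
    else:  # cryptography missing: plaintext JSON stand-in, same control flow
        key, token, factory = "stand-in", json.dumps(sample), lambda _k: json.loads
    os.environ["SECRET_NAME"] = "ATD_MOPED_USERS_COGNITO_DYNAMODB_STAGING"
    secrets = _FakeSecrets(key)
    table = _FakeTable({"alice@example.com": {"email": "alice@example.com", "claims": token},
                        "mallory@example.com": {"email": "mallory@example.com",
                                                "claims": "not-a-valid-token"}})
    kw = dict(secrets_client=secrets, table=table, decryptor_factory=factory)
    event_for = lambda e: {"request": {"userAttributes": {"email": e}}, "response": {}}
    with_row = pre_token_handler(event_for("alice@example.com"), **kw)
    without_row = pre_token_handler(event_for("bob@example.com"), **kw)
    try:
        pre_token_handler(event_for("mallory@example.com"), **kw)
        failed_closed = False
    except RuntimeError:
        failed_closed = True
    return (with_row["response"]["claimsOverrideDetails"]["claimsToAddOrOverride"],
            without_row["response"], failed_closed, secrets.calls)
```

Two design points worth noting. Caching the secret in a module-level dict means one GetSecretValue call per warm container, so rotating the Fernet key takes effect only after a redeploy or a cold start. Raising on InvalidToken fails the sign-in instead of issuing a token with missing or garbled claims; a user who simply has no row in the table still gets a token, just without extra claims.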

Other notes:

It's worth mentioning that each secret is a separate resource in AWS with its own ARN. Secrets Manager appends a random six-character suffix to the ARN when the secret is created (the -txVJVP and -NcR6wu endings in the policy above), so a Resource entry must include that suffix or match it with a wildcard such as secret:NAME-*. If a secret is encrypted with a customer-managed KMS key instead of the default aws/secretsmanager key, the role also needs kms:Decrypt on that key.

Deployment strategy

The secrets are created and deployed manually.

References and documentation
