How To Use AWS Secrets Manager
In our lab walkthrough series, we go through selected lab exercises on our INE Platform. Subscribe or sign up for a 7-day, risk-free trial with INE and access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!
What Is AWS Secrets Manager?
When we build a custom application that retrieves data from a database, we often embed the credentials (the secret) for accessing that database directly in the application. Rotating the credentials then takes more than just creating new ones: we have to spend time updating the application to use the new credentials and then distribute the updated application. If numerous applications share the credentials and we fail to update one of them, that application will fail. Because of this problem, many customers prefer not to change credentials on a regular basis, substituting one risk for another.
Secrets Manager allows you to replace hardcoded credentials, such as passwords, in your code with an API call to Secrets Manager that retrieves the secret programmatically. Because the secret no longer resides in the code, it cannot be recovered by someone analysing your code. You may also configure Secrets Manager to rotate the secret automatically on a predefined schedule. This lets you replace long-term secrets with short-term ones, which dramatically lowers the chance of compromise.
Types of secrets you can store in Secrets Manager:
Database credentials
Application credentials
OAuth tokens
Application Programming Interface (API) keys
Let’s understand more about secrets
A secret in Secrets Manager is made up of the secret value and metadata about the secret. A secret value can be either a text or a binary value. To store several string values in a single secret, we recommend using a JSON text string containing key/value pairs, such as:
{
"host" : "DevServer-001.databases.example.com",
"port" : "8888",
"username" : "admin",
"password" : "RANDOM-PASSWORD",
"dbname" : "MyDB",
"engine" : "mysql"
}
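The JSON key/value layout above is what an application actually receives back from the GetSecretValue API, either as SecretString (text) or as SecretBinary (base64 in the raw API). The following is an added example, not code from the INE lab or from AWS, that parses such a response, validates the expected keys, and builds a loggable summary that omits the password; the sample responses are constructed placeholders.

```python
import base64
import json

# Constructed GetSecretValue-style responses (placeholder values, not real secrets).
# The raw API returns either "SecretString" (text) or "SecretBinary" (base64 text);
# boto3 would hand SecretBinary to you already decoded to bytes.
SAMPLE_TEXT_RESPONSE = {
    "Name": "dev/MyDB",
    "SecretString": json.dumps({
        "host": "DevServer-001.databases.example.com",
        "port": "8888",
        "username": "admin",
        "password": "RANDOM-PASSWORD",
        "dbname": "MyDB",
        "engine": "mysql",
    }),
}
SAMPLE_BINARY_RESPONSE = {
    "Name": "dev/MyDB-binary",
    "SecretBinary": base64.b64encode(SAMPLE_TEXT_RESPONSE["SecretString"].encode()).decode(),
}

REQUIRED_KEYS = ("host", "port", "username", "password", "dbname", "engine")


def parse_db_secret(response):
    """Turn a GetSecretValue response into a validated dict of database settings."""
    if "SecretString" in response:
        raw = response["SecretString"]
    elif "SecretBinary" in response:
        raw = base64.b64decode(response["SecretBinary"]).decode("utf-8")
    else:
        raise ValueError("response carries neither SecretString nor SecretBinary")
    try:
        secret = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError("secret value is not a JSON key/value document") from exc
    missing = [key for key in REQUIRED_KEYS if key not in secret]
    if missing:
        raise ValueError("secret is missing keys: " + ", ".join(missing))
    secret["port"] = int(secret["port"])  # stored as a string, used as a number
    return secret


def connection_summary(secret):
    """Loggable description of the target; the password is deliberately left out."""
    return "%s://%s@%s:%d/%s" % (secret["engine"], secret["username"],
                                 secret["host"], secret["port"], secret["dbname"])
```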
Now that we have covered all the key terms for the lab, let's carry out the experiment.
Lab Scenario
We have set up the below scenario in our INE labs for our students to practice. The screenshots have been taken from our online lab environment.
Lab Link: Secrets Manager
Objective
Interact with the instance metadata service and retrieve the secret from the Secrets Manager.
Solution
Step 1: Click the lab link button to get resource details and visit the target URL.
Step 2: Open the target URL in a web browser; it opens a ttyd shell on an EC2 instance.
Step 3: Try to interact with metadata services.
Use Instance Metadata Service version 1 (IMDSv1), which sends no session token.
Command:
curl http://169.254.169.254/latest/meta-data
The response indicates that Instance Metadata Service version 2 (IMDSv2) is enabled, so requests must carry a session token.
Step 4: Generate a session token.
Command:
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
Step 5: Try to interact with metadata services with the generated token.
Command:
curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/
Step 6: Navigate to the “iam” directory.
Command:
curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/iam/
Step 7: Navigate to “security-credentials”.
Command:
curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/iam/security-credentials/
Step 8: Fetch the IAM credentials of the “instance_user_role” role.
Command:
curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/iam/security-credentials/instance_user_role
We successfully got the temporary access credentials.
Step 9: Set the required environment variables so that the AWS CLI uses the temporary access credentials. The AWS CLI gives environment variables priority over stored credentials.
Now open a Linux shell or a command prompt that has the AWS CLI installed and use the commands below to set the access credentials.
Commands:
export AWS_ACCESS_KEY_ID=<AWS_ACCESS_KEY_ID Value>
export AWS_SECRET_ACCESS_KEY=<AWS_SECRET_ACCESS_KEY Value>
export AWS_SESSION_TOKEN=<AWS_SESSION_TOKEN Value>
Step 10: Check the caller identity.
Command:
aws sts get-caller-identity
Step 11: Try listing the secrets from Secrets Manager.
Command:
aws secretsmanager list-secrets --region us-east-1
Step 12: Retrieve the flag.
Command:
aws secretsmanager get-secret-value --secret-id Flag
If you get a “You must specify a region” error, use the command below instead:
aws secretsmanager get-secret-value --secret-id Flag --region us-east-1
Flag: 3a005871a57e706e603fbaee291f85c8
Congratulations! We successfully retrieved the flag.
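Steps 8 and 9 above rely on two details the walkthrough leaves implicit: which field of the security-credentials document feeds which AWS CLI variable (the "Token" field becomes AWS_SESSION_TOKEN), and that the credentials are temporary, with the "Expiration" field saying how long they stay valid. The following is an added example, not part of the INE lab, that maps a credential document onto the Step 9 export commands and refuses malformed or already-expired documents; the sample document is a constructed placeholder.

```python
import json
import shlex
from datetime import datetime, timezone

# Constructed sample of the document that Step 8 retrieves from
# /latest/meta-data/iam/security-credentials/<role-name>; all values are placeholders.
SAMPLE_CREDENTIAL_DOC = json.dumps({
    "Code": "Success",
    "LastUpdated": "2024-01-01T10:00:00Z",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIA-PLACEHOLDER-ACCESS-KEY-ID",
    "SecretAccessKey": "PLACEHOLDER-SECRET-ACCESS-KEY",
    "Token": "PLACEHOLDER-SESSION-TOKEN",
    "Expiration": "2024-01-01T16:00:00Z",
})

# The three credential fields and the environment variables the AWS CLI reads them from
# (note that the "Token" field becomes AWS_SESSION_TOKEN, not a token-named variable).
FIELD_TO_ENV = {
    "AccessKeyId": "AWS_ACCESS_KEY_ID",
    "SecretAccessKey": "AWS_SECRET_ACCESS_KEY",
    "Token": "AWS_SESSION_TOKEN",
}


def parse_imds_timestamp(text):
    """IMDS timestamps are UTC in the form 2024-01-01T16:00:00Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def credentials_to_env(doc_text, now):
    """Map a security-credentials document to AWS CLI variables; returns (env, seconds_left)."""
    doc = json.loads(doc_text)
    if doc.get("Code") != "Success":
        raise ValueError("credential document reports Code=%r" % doc.get("Code"))
    missing = [field for field in FIELD_TO_ENV if field not in doc]
    if missing:
        raise ValueError("credential document lacks: " + ", ".join(missing))
    expires = parse_imds_timestamp(doc["Expiration"])
    if expires <= now:
        raise ValueError("credentials expired at " + doc["Expiration"])
    env = {FIELD_TO_ENV[field]: doc[field] for field in FIELD_TO_ENV}
    return env, int((expires - now).total_seconds())


def export_lines(env):
    """Render the Step 9 export commands, shell-quoted so unusual token characters survive."""
    return ["export %s=%s" % (name, shlex.quote(value)) for name, value in env.items()]
```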
Try out AWS Secrets Manager hands-on in our lab! Subscribe or sign up for a 7-day, risk-free trial with INE to access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!