Resources
    How To Use AWS Secrets Ma ...
    20 October 22

    How To Use AWS Secrets Manager

    Posted byINE
    facebooktwitterlinkedin
    news-featured

    In our lab walkthrough series, we go through selected lab exercises on our INE Platform. Subscribe or sign up for a 7-day, risk-free trial with INE and access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!

    Technical difficulty:

    | Novice | Beginner | Competent | Proficient | Expert

    What Is AWS Secrets Manager?

    When we create a custom application to retrieve data from a database, we often incorporate the credentials, or secret, for directly accessing the database in the application. When the time came to rotate the credentials, we needed to do more than just creating new credentials. We needed to spend time updating the application to use the new credentials. Then we distribute the updated application. If we have numerous apps with shared credentials and if we fail to update one of them, the application will fail. Because of this problem, many customers prefer not to change credentials on a regular basis, thus substituting one risk for another.

    Secrets Manager0.png

    Secrets Manager allows you to replace hardcoded credentials, such as passwords, in your code with an API call to Secrets Manager to get the secret programmatically. Because the secret no longer resides in the code, it cannot be compromised by someone analysing your code. You may also set Secrets Manager to automatically rotate the secret for you on a predefined period. This allows you to substitute long-term secrets with short-term ones, lowering the chance of compromise dramatically.

    Types of secrets you can store in the secret manager:

    • Database credentials

    • Application credentials

    • OAuth tokens

    • Application Programming Interface (API) keys

    Let’s understand more about secrets

    A secret in Secrets Manager is made up of secret information, the secret value, and metadata about the secret. A secret value can be either a text or a binary value. To store several string values in a single secret, we propose using a JSON text string containing key/value pairs, such as:

    {

      "host"       : "DevServer-001.databases.example.com",

      "port"       : "8888",

      "username"   : "admin",

      "password"   : "RANDOM-PASSWORD",

      "dbname"     : "MyDB",

      "engine"     : "mysql"

    }

    Now that we have covered all the key terms for the lab, let's carry out the experiment.

    Lab Scenario

    We have set up the below scenario in our INE labs for our students to practice. The screenshots have been taken from our online lab environment.

    Lab Link: Secrets Manager

    Objective

    Interact with the instance metadata service and retrieve the secret from the Secrets Manager.

    Solution

    Step 1: Click the lab link button to get resource details and visit the target URL.

    Secrets Manager1.PNG

    Step 2: Open the target URL in a web browser, it will open a ttyd shell form an EC2 instance.

    Secrets Manager2.PNG

    Step 3: Try to interact with metadata services. 

    Use Instance metadata service version 1. 

    Command: 

    curl http://169.254.169.254/latest/meta-data

    Secrets Manager3.PNG

    The response clearly states that the Instance metadata services version 2 is enabled.

    Step 4: Generate a session token. 

    Command: 

    TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"`

    Secrets Manager4.PNG

    Step 5: Try to interact with metadata services with the generated token. 

    Command: 

    curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/

    Secrets Manager5.PNG

    Step 6: Navigate to “iam” directory. 

    Command: curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/iam/

    Secrets Manager6.PNG

    Step 7: Navigate to “security-credentials”. 

    Command: curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/iam/security-credentials/

    Secrets Manager7.PNG

    Step 8: Fetch IAM credentials from “instance_user_role”. 

    Command: curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/iam/security-credentials/instance_user_role

    Secrets Manager8.PNG

    Secrets Manager9.PNG

    We successfully got the temporary access credentials.

    Step 9: Set the required environment variable to allow AWS CLI to use the temporary access credentials. AWS CLI prioritizes the environment variable over the stored credentials.

    Now open a linux shell or a command prompt which has an AWS CLI installed on it and use the below commands to set the access credentials.

    Commands:

    export AWS_ACCESS_KEY_ID=<AWS_ACCESS_KEY_ID Value>

    export AWS_SECRET_ACCESS_KEY=<AWS_SECRET_ACCESS_KEY Value>

    export AWS_SESSION_TOKEN=<AWS_SESSION_TOKEN Value>

    Secrets Manager10.PNG

    Step 10: Check the caller identity. 

    Command: 

    aws sts get-caller-identity

    Secrets Manager11.PNG

    Step 11: Try listing the secrets from Secrets Manager. 

    Command: 

    aws secretsmanager list-secrets --region us-east-1

    Secrets Manager12.PNG

    Step 12: Retrieve the flag. 

    Command: 

    aws secretsmanager get-secret-value --secret-id Flag

    If you got “You must specify a region” error then use the below-mentioned command: 

    aws secretsmanager get-secret-value --secret-id Flag --region us-east-1

    Secrets Manager13.PNG

    Flag: 3a005871a57e706e603fbaee291f85c8

    Congratulations! We successfully retrieved the flag.

    References: 

    1. AWS EC2 documentation (https://docs.aws.amazon.com/ec2/index.html) 

    2. AWS CLI (https://docs.aws.amazon.com/cli/latest/reference/)

    Try out AWS Secrets Manager hands-on in our lab! Subscribe or sign up for a 7-day, risk-free trial with INE to access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!

    © 2024 INE. All Rights Reserved. All logos, trademarks and registered trademarks are the property of their respective owners.
    instagram Logofacebook Logotwitter Logolinkedin Logoyoutube Logo