Which solution will meet these requirements with the LEAST development effort?
Save the secrets in a text file and store the text file in Amazon S3. Provision a customer managed key. Use the key for secret encryption in Amazon S3. Read the contents of the text file and export them as environment variables. Configure S3 Object Lambda to rotate the text file every month.
Save the secrets as strings in AWS Systems Manager Parameter Store and use the default AWS Key Management Service (AWS KMS) key. Configure an Amazon EC2 user data script to retrieve the secrets during startup and export them as environment variables. Configure an AWS Lambda function to rotate the secrets in Parameter Store every month.
Save the secrets as base64 encoded environment variables in the application properties. Retrieve the secrets during the application startup. Reference the secrets in the application code. Write a script to rotate the secrets saved as environment variables.
Store the secrets in AWS Secrets Manager. Provision a new customer master key. Use the key to encrypt the secrets. Enable automatic rotation. Configure an Amazon EC2 user data script to programmatically retrieve the secrets during startup and export them as environment variables.
Explanations:
Storing secrets in a text file in Amazon S3 does not leverage AWS’s built-in secrets management capabilities. Additionally, managing rotation through S3 Object Lambda adds complexity and increases development effort, as it requires additional setup and maintenance.
While using AWS Systems Manager Parameter Store is a viable option, it does not natively support automatic rotation of secrets. The need for a Lambda function to handle rotation introduces additional complexity and development effort, making this solution less ideal.
Encoding secrets in environment variables is not a secure practice, as it exposes sensitive data in the environment. Additionally, the manual handling of secret rotation through a script adds unnecessary complexity and effort, failing to meet security best practices.
Storing secrets in AWS Secrets Manager provides built-in encryption, supports automatic rotation, and allows easy retrieval of secrets during application startup via an EC2 user data script. This solution minimizes development effort and meets all requirements effectively.
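The retrieve-at-startup step of the Secrets Manager option, as an added example (not part of the exam page or any AWS sample): a small helper the user data script can run that fetches the secret, renders it as shell-quoted `export` lines, and writes them to an owner-only file for the application to source. It assumes the secret is a JSON object of key/value pairs, that the instance role allows `secretsmanager:GetSecretValue`, and that boto3 is present on the instance; the secret name and file path are placeholders.

```python
"""Bootstrap helper: turn a Secrets Manager secret into shell exports.

Assumptions (not from the exam page): the secret is a JSON object of
key/value pairs, the instance role allows secretsmanager:GetSecretValue,
and boto3 is installed on the instance (imported lazily so the parsing
logic can be exercised offline).
"""
import json
import os
import re
import shlex

ENV_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def fetch_secret_string(secret_id, client=None):
    """Call GetSecretValue; a client can be injected for offline use."""
    if client is None:
        import boto3  # assumption: available on the EC2 instance
        client = boto3.client("secretsmanager")
    return client.get_secret_value(SecretId=secret_id)["SecretString"]


def secret_to_exports(secret_string):
    """Render a JSON secret as `export KEY='value'` lines.

    Values are shell-quoted so a password containing quotes, spaces or
    `$` cannot break out of the assignment; keys that are not valid
    environment variable names are rejected rather than silently mangled.
    """
    data = json.loads(secret_string)
    if not isinstance(data, dict):
        raise ValueError("secret must be a JSON object of key/value pairs")
    lines = []
    for key, value in data.items():
        if not ENV_NAME.match(key):
            raise ValueError(f"invalid environment variable name: {key!r}")
        lines.append(f"export {key}={shlex.quote(str(value))}")
    return "\n".join(lines) + "\n"


def write_env_file(path, content):
    """Write the exports readable only by the file owner (mode 0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    return oct(os.stat(path).st_mode & 0o777)


if __name__ == "__main__":
    # Placeholder secret name and path; user data would run this script
    # and then `. /etc/app/secrets.env` before starting the application.
    exports = secret_to_exports(fetch_secret_string("prod/app/db"))
    write_env_file("/etc/app/secrets.env", exports)
```

Because the file is rewritten on every boot, a rotated secret is picked up at the next instance start without any rotation code of your own, which is the "least development effort" point the explanation makes.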