How To Handle AWS Secrets

This blog post will cover some best practices for managing AWS secrets when using the AWS SDK in Python.

By Keshav Malik · May. 09, 23 · Opinion

Secure management of AWS secrets is essential for protecting sensitive data and preventing unauthorized access to critical systems and applications. In today's rapidly escalating threat landscape, organizations must ensure their secrets are appropriately managed and safeguarded.

The AWS SDK (AWS Software Development Kit) is a set of software development tools and libraries that make it easier for developers to use AWS services in their applications. It provides a convenient interface for accessing resources such as EC2, S3, and DynamoDB.

However, when using AWS SDK to interact with AWS services, it's essential that secrets used for authentication and authorization are managed appropriately. This blog post will cover some best practices for managing AWS secrets when using the AWS SDK in Python.

Prerequisites

Before using the AWS SDK for Python to manage your AWS secrets securely, you will need:

  • A basic understanding of Python and the ability to install packages using pip.
  • An AWS account with appropriate permissions to access AWS services.
  • An IAM user or role with the necessary access rights.
  • Boto3, the AWS SDK for Python, installed on your system using pip.

The Problem With Long-Lived Access Keys and Secret Keys in Code

When using the AWS SDK with Python, hard-coding long-lived access keys and secret keys is not recommended. These credentials authenticate your code to AWS, and long-lived keys pose a security risk because they are not automatically rotated.

Here are some potential risks of hard-coding long-lived access keys and secret keys into your code:

  • Sharing code increases the risk of exposing sensitive information to anyone who can read it, whether through deliberate public sharing or accidentally committing the code to a public repository.
  • Rotating access keys and secret keys becomes challenging, since every instance of those keys within the codebase has to be found and updated, which also creates version control churn.
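The first risk above is the one a secret scanner or pre-commit hook exists to catch. The following is an added example, not code from the original article: a minimal scanner that flags AWS access key IDs and secret keys hard-coded in source text, run here over a constructed sample that embeds the article's own example key pairs. The only assumptions are the documented key formats (long-lived IAM user key IDs start with AKIA, temporary STS key IDs with ASIA, both 20 characters; secret keys are 40 characters).

```python
"""Detect hard-coded AWS credentials in source text.

Added example, not code from the original article: a minimal version of the
check that secret scanners and pre-commit hooks perform so a committed key
is caught before it reaches a shared or public repository. Only the key
formats are assumed (long-lived IAM user key IDs start with AKIA, temporary
STS key IDs with ASIA, both 20 characters; secret keys are 40 characters).
"""
import re
from typing import List, Tuple

# Access key IDs: 20 upper-case alphanumerics with a type-revealing prefix.
ACCESS_KEY_ID_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")

# A 40-character base64-alphabet string on its own is too noisy, so a secret
# key is only reported when assigned to a name containing "secret...key".
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_)?secret(?:_access)?_?key['\"]?\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})(?!\w)"
)


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, finding_kind, value) for every credential found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            kind = "long-lived access key id" if m.group(1) == "AKIA" else "temporary access key id"
            findings.append((lineno, kind, m.group(0)))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((lineno, "secret access key", m.group(1)))
    return findings


def redact(value: str) -> str:
    """Keep only the first four characters so a report does not re-leak the secret."""
    return value[:4] + "*" * (len(value) - 4)


# Constructed sample input: the article's example key pairs hard-coded the
# way the article warns against, plus a harmless line that must not match.
SAMPLE_SOURCE = '''import boto3
client = boto3.client(
    "s3",
    aws_access_key_id="AKIAIOSFODNN7EXAMPLE",
    aws_secret_access_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
)
# an ASIA key id from STS would always be paired with a session token
other = {"aws_access_key_id": "AKIAI44QH8DHBEXAMPLE", "aws_secret_access_key": "je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY"}
bucket = "my-bucket-name-2023"
'''

if __name__ == "__main__":
    for lineno, kind, value in scan_text(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}: {redact(value)}")
```

Running the scanner over the sample reports two long-lived key IDs and two secret keys, each shown redacted. The secret-key pattern is deliberately tied to a variable or config name containing "secret" and "key": matching any 40-character string would bury real findings in false positives.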

In the following section, we'll see how you can overcome this problem by using temporary keys.

Using Temporary Access Keys Instead

For better security when using AWS SDK with Python, temporary access keys are the better solution. Temporary keys are short-lived credentials that allow secure access to AWS resources.

Here are some advantages of using temporary access keys:

  • They expire after a specified period (e.g., one month or one week), decreasing the risk of unauthorized access and making it easier to manage resource access.
  • Temporary access credentials can be generated on demand, making it simpler and easier to provide end users with access to AWS resources without defining an AWS identity for each user.

Note: The AWS Security Token Service (STS) is the service that generates temporary access keys.
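To make the STS route concrete, here is an added example that is not code from the original article. It shows how an STS AssumeRole response maps onto a boto3 session and how a caller can tell when the temporary credentials are about to expire. assume_role_session() assumes boto3 is installed and that the SDK's default credentials are permitted to call sts:AssumeRole on ROLE_ARN, which is a placeholder; the two helper functions are pure and are exercised on a constructed response so nothing here contacts AWS.

```python
"""Use STS temporary credentials instead of a long-lived access key.

Added example, not code from the original article. assume_role_session()
assumes boto3 is installed and that the SDK's default credentials may call
sts:AssumeRole on ROLE_ARN (a placeholder, not a real role). The two helper
functions are pure and are exercised below on a constructed STS response.
"""
from datetime import datetime, timezone
from typing import Any, Dict, Optional

ROLE_ARN = "arn:aws:iam::123456789012:role/PLACEHOLDER_ROLE"  # placeholder


def session_kwargs_from_sts(response: Dict[str, Any]) -> Dict[str, str]:
    """Map an STS AssumeRole (or GetSessionToken) response to boto3.Session arguments.

    The three values travel together: a temporary key id (ASIA...) is
    rejected by AWS unless its session token is sent alongside it.
    """
    creds = response["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }


def seconds_remaining(response: Dict[str, Any], now: Optional[datetime] = None) -> float:
    """Seconds until the temporary credentials expire (negative once expired)."""
    expiration = response["Credentials"]["Expiration"]
    now = now or datetime.now(timezone.utc)
    return (expiration - now).total_seconds()


def needs_refresh(response: Dict[str, Any], now: Optional[datetime] = None,
                  margin_seconds: int = 300) -> bool:
    """True when the credentials expire within margin_seconds, so the caller re-assumes the role."""
    return seconds_remaining(response, now) <= margin_seconds


def assume_role_session(role_arn: str, session_name: str, duration_seconds: int = 3600):
    """Call STS and return (boto3.Session built on the temporary credentials, raw response)."""
    import boto3  # imported lazily so the pure helpers run without the SDK installed

    sts = boto3.client("sts")
    response = sts.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name,  # recorded in CloudTrail, so make it identify the caller
        DurationSeconds=duration_seconds,
    )
    return boto3.Session(**session_kwargs_from_sts(response)), response


# Constructed sample in the shape boto3 returns from assume_role; the key
# values are dummies, and SAMPLE_NOW is a fixed clock for the examples.
SAMPLE_NOW = datetime(2023, 5, 9, 12, 0, tzinfo=timezone.utc)
SAMPLE_STS_RESPONSE = {
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEEXAMPLE01",
        "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "SessionToken": "FwoGZXIvYXdzEXAMPLE-session-token",
        "Expiration": datetime(2023, 5, 9, 13, 0, tzinfo=timezone.utc),
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLEID:audit-job",
        "Arn": "arn:aws:sts::123456789012:assumed-role/PLACEHOLDER_ROLE/audit-job",
    },
}

if __name__ == "__main__":
    kwargs = session_kwargs_from_sts(SAMPLE_STS_RESPONSE)
    print({k: v[:4] + "..." for k, v in kwargs.items()})
    print("seconds left:", seconds_remaining(SAMPLE_STS_RESPONSE, SAMPLE_NOW))
    # Real use:  session, resp = assume_role_session(ROLE_ARN, "audit-job")
    #            s3 = session.client("s3")
```

The refresh margin matters in long-running jobs: a request signed a few seconds before expiry can still fail if it is retried after the credentials lapse, so re-assuming the role a few minutes early avoids a class of hard-to-reproduce errors.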

Using AWS CLI To Manage AWS Secrets

AWS CLI is a command-line tool that enables engineers to interact with AWS services by using CLI commands. Also, AWS CLI can be utilized for managing AWS secrets.

One of the advantages of using AWS CLI is that it automatically fetches AWS credentials (access and secret keys) from a credentials file created by AWS CLI, so there's no need to manually supply access keys and secret keys when creating an AWS client.

Here's an example of creating an AWS client without specifying access keys and secret keys when using AWS CLI:

Python
 
import boto3
client = boto3.client('s3')


In this example, the boto3.client() function is called with the s3 argument to create a client for Amazon S3. Since access keys and secret keys are not specified, the AWS SDK will automatically retrieve them from the credentials file created by AWS CLI.

To create the credentials file, run the following command in the terminal:

Shell
 
aws configure


This command will prompt you to enter your access key, secret key, default region, and output format. Once executed, a credentials file will be created on your machine, which the AWS SDK can automatically search for and retrieve when creating an AWS client.

Manual Way to Configure AWS Secrets

Another way to create a credentials file is to do it manually. The default location for the file is ~/.aws/credentials. The credentials file should have, at minimum, the access key and secret access key specified.

In the sample file provided below, the access key and secret key for the account are specified in the default profile:

INI
 
[default]
aws_access_key_id = YOUR_ACCESS_KEY
aws_secret_access_key = YOUR_SECRET_KEY


When you use the aws configure command, the configuration options that are not sensitive (such as region and output format) are saved in a file named config. This file is also stored in the .aws folder in your home directory.

INI
 
[default]
region=us-west-2
output=json


Creating Multiple Named Profiles

Developers can create and configure additional profiles to manage different sets of AWS credentials by using the aws configure command with the --profile option. Alternatively, you can manually add entries to the config and credentials files. These files store configurations and access keys for each profile.

To add new profiles, you can create separate named profiles in the config and credentials files.

Here's an example of the credentials file with two profiles:

INI
 
[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[user1]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY


In this example, the default profile ([default]) is used when the AWS CLI command is used without specifying a profile. The second profile ([user1]) is used when you run a command with the --profile user1 parameter. The file can be found in ~/.aws/credentials on Linux and Mac systems.

Note: On a Windows system the credentials file is located at %USER%\.aws\credentials.
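Because the credentials file is plain text, it is worth auditing it the same way you would audit code. The following is an added example, not code from the original article: it parses a credentials file in the format shown above with the standard-library configparser, lists the named profiles, tells long-lived IAM user keys (AKIA prefix) apart from STS temporary credentials (ASIA prefix, which must carry an aws_session_token), and on POSIX systems checks that the file is not readable by other users. The sample file is constructed from the article's two example profiles plus a third, temporary one; file paths are parameters and nothing is written to ~/.aws.

```python
"""Audit an AWS shared credentials file.

Added example, not code from the original article. Reads an INI-style
credentials file, lists profiles, classifies each profile's key type by
the access key id prefix (AKIA = long-lived IAM user key, ASIA = temporary
STS credential that needs a session token) and, on POSIX, checks that the
file is private to its owner. Paths are parameters; ~/.aws is never touched.
"""
import configparser
import os
import stat
import tempfile
from typing import Dict, List

POSIX = os.name != "nt"  # file permission bits are only meaningful here


def load_profiles(path: str) -> Dict[str, Dict[str, str]]:
    """Parse the credentials file into {profile_name: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None)  # values may contain '%'
    with open(path, encoding="utf-8") as fh:
        parser.read_file(fh)
    return {name: dict(parser[name]) for name in parser.sections()}


def classify_profile(entry: Dict[str, str]) -> str:
    """Describe what kind of credential a profile holds."""
    key_id = entry.get("aws_access_key_id", "")
    if not key_id or "aws_secret_access_key" not in entry:
        return "incomplete"
    if key_id.startswith("AKIA"):
        return "long-lived"
    if key_id.startswith("ASIA"):
        return "temporary" if entry.get("aws_session_token") else "temporary-missing-token"
    return "unknown"


def audit_credentials_file(path: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    findings = []
    if POSIX:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o077:
            findings.append(f"{path}: mode {oct(mode)} lets other users read credentials; use 600")
    for name, entry in load_profiles(path).items():
        kind = classify_profile(entry)
        if kind == "long-lived":
            key_id = entry["aws_access_key_id"]
            findings.append(f"profile [{name}]: long-lived key {key_id[:4]}...; rotate it or switch to STS credentials")
        elif kind != "temporary":
            findings.append(f"profile [{name}]: {kind}")
    return findings


# Constructed sample: the article's two example profiles plus a third that
# holds STS-issued temporary credentials (dummy values).
SAMPLE_CREDENTIALS = """[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[user1]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
[temp]
aws_access_key_id=ASIAEXAMPLEEXAMPLE01
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
aws_session_token=FwoGZXIvYXdzEXAMPLE-session-token
"""


def write_sample(mode: int = 0o600) -> str:
    """Write the sample to a temporary file with the given permission bits; return its path."""
    fd, path = tempfile.mkstemp(prefix="aws-credentials-")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_CREDENTIALS)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for line in audit_credentials_file(write_sample(0o644)):
        print(line)
```

On the sample the audit reports the two long-lived profiles and, when the file is world-readable, the permission problem as well; the temporary profile passes. Pointing audit_credentials_file() at the real ~/.aws/credentials path gives the same report for a developer machine.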

Managing AWS CLI Configuration Settings

AWS CLI provides several commands to manage the configuration settings. You can use the aws configure set command to modify or set the configuration settings and the aws configure get command to retrieve the configuration settings. Here's how you can use them:

Setting Configuration Settings

To set any configuration settings, you can use the aws configure set command. Specify the profile you want to modify using the --profile option. For example, to set the region for the USER profile, run the following command:

Shell
 
$ aws configure set region me-south-1 --profile USER


You can remove a configuration setting by using an empty string as the value or deleting the setting manually from the config and credentials files.

Retrieving Configuration Settings

You can retrieve the configuration settings that you've set using the aws configure get command. To retrieve the region setting for the USER profile, run the following command:

Shell
 
$ aws configure get region --profile USER


Importing CSV Credentials

You can import the CSV credentials generated from the AWS web console using the aws configure import command. The CSV file must contain the following headers:

  • User Name
  • Access key ID
  • Secret access key

To import the credentials from the credentials.csv file, run the following command:

Shell
 
$ aws configure import --csv file://credentials.csv


Listing Profiles

You can list all your profile names using the aws configure list-profiles command.

Shell
 
$ aws configure list-profiles --region <YOUR_REGION>


Best Practices for Secure Credential Management in AWS

When working with AWS, it's essential to adhere to best practices for credential management in order to protect your resources. Here are six top tips for AWS SDK credential management:

1. Use the AWS CLI to configure AWS keys: Avoid hardcoding AWS access keys and secret keys into your code. Instead, utilize the AWS CLI to configure your keys and store them securely.

2. Limit access to secrets with IAM policies and roles: Use AWS Identity and Access Management (IAM) policies and roles to limit access to your secrets only to the users and services that require them.

3. Regularly rotate secrets to minimize impact: Regularly rotate your access keys, passwords, and other secrets to minimize the impact of potential exposure.

4. Use Parameter Store to store secrets: Parameter Store is a secure and scalable AWS service that allows you to store and manage secrets securely.

5. Use AWS Secrets Manager for more advanced management: AWS Secrets Manager provides advanced secret management features, such as automatic rotation and integration with Amazon RDS.

6. Use tools like GitGuardian to detect leaked secrets: Leaked secrets can put your AWS resources at risk. Use tools like GitGuardian to detect and prevent leaks of your secrets in code repositories and other sources.

Conclusion

Properly managing AWS credentials is crucial to maintaining the security of your AWS resources. By using AWS's configuration and credential files, you can keep your AWS access and secret keys secure and separate from your code. Additionally, following best practices, such as limiting access to secrets with IAM policies and roles and regularly rotating secrets, can further enhance your AWS credential management.

As always, it's essential to stay vigilant against potential security breaches. So, whether you're new to AWS or a seasoned pro, remember the importance of proper AWS credential management and take steps to keep your AWS resources secure. 

We hope this blog post has provided you with a better understanding of how to manage AWS secrets and keep your applications secure.

Published at DZone with permission of Keshav Malik.