Implementing security with Workout Tracker using S3 SSE and KMS
Posted on Aug 9, 2017
5 mins read
Overview
Security is probably my least favorite topic all around. In this post I'm going to explore how we can use AWS S3 with KMS to lock down our secrets.
I'm choosing to go with this method over something like vault because I think this method is probably the easiest and covers the most use cases for
what we want here. My goal with this work is to simply secure the secrets for my application.
Goals
Secure secrets that can be exposed as environment variables and used at run time.
Prevent any exposure of these secrets through things like log files.
Give the operations teams a way to manage the secrets
Implementation
We start this by creating a script that we'll use as the entry point.
aws_sse_s3.sh
The implementation is used in docker as such:
Next the get_s3_env script will do the work to export the environment variables from the file we pull down from s3.
get_s3_env
This process allows us to create entry points for operations to modify the thing that gets our secrets, and exposes them to the applicaiton.
This way, all the application has to do is incorporate environment variables for secrets. Obviously there are different ways of doing this
for example baking vault integration into the application.
What I've found is that sometimes we need easy, simple ways to integrate our secrets. This is a super simple way of giving us a channel into
secrets management that does the job, and allows us a way to replace the system later. This is a great solution for a rev1 release where
we're just trying to get things up and rocking.
Ops
Now let's talk about how we allow our operations engineers to manage the secrets.
I usually wrap these things into Rake tasks rather than Make tasks because API's are fun.
I'm using a very simple, generic function to encapsulate the logic which gives me an encrypted s3 client using a specific KMS key.
As you can see, the KMS key alias is a calculated string using a variable name which is passed in from the docker environment.
Now we implement this with our two tasks: secrets:pushsecrets:pull.
How it works
When we push a secret up to S3 we're using the KMS key for this environment, then we're pushing the local file to s3 using SSE and KMS.
We can test the encryption by pulling the file down from s3 without using SSE.
This shows that if someone was able to somehow access the s3 object, they wouldn't be able to see the contents without also being
able to access the KMS key.