包阅导读总结
1. `AWS Secrets Manager`、`Open-Source Agent`、`Retrieving Secrets`、`Secure Access`、`Configuration Options`
2. AWS 推出了用于 AWS Secrets Manager 的新开源代理,简化了从 AWS Secrets Manager 检索机密的过程,具有可定制配置选项,并提供安全保护,与 AWS SDK 有所不同,同时还有其他开源机密管理工具。
3.
– AWS 推出新的开源代理用于 AWS Secrets Manager
– 简化了从 Secrets Manager 检索机密的流程
– 应用可从本地 HTTP 服务而非网络获取机密
– 该代理特点
– 具有可定制的配置选项
– 内置防止 SSRF 攻击的保护
– 检索并在内存中存储机密,应用从本地主机获取
– 只能读取不能修改机密,AWS SDK 功能更多
– 与其他相关情况对比
– 与 AWS SDK 不同,例如创建机密
– 相比其他开源机密管理工具的特点
– 指出使用 Secrets Manager 的不同方式及优劣
思维导图:
文章来源:infoq.com
作者:Steef-Jan Wiggers
发布时间:2024/7/25 0:00
语言:英文
总字数:448字
预计阅读时间:2分钟
评分:85分
标签:AWS Secrets Manager,开源,安全性,云计算,秘密管理
以下为原文内容
本内容来源于用户推荐转载,旨在分享知识与观点,如有侵权请联系删除 联系邮箱 media@ilingban.com
Amazon Web Services (AWS) has launched a new open-source agent for AWS Secrets Manager. According to the company, this agent simplifies the process of retrieving secrets from AWS Secrets Manager, enabling secure and streamlined application access.
The Secrets Manager Agent is an open-source tool that allows your applications to retrieve secrets from a local HTTP service instead of reaching out to Secrets Manager over the network. It comes with customizable configuration options, including time to live, cache size, maximum connections, and HTTP port, allowing developers to tailor the agent to their application’s specific requirements. Additionally, the agent provides built-in protection against Server-Side Request Forgery (SSRF) to ensure security when calling the agent within a computing environment.
The Secrets Manager Agent retrieves and stores secrets in memory, allowing applications to access the cached secrets directly instead of calling Secrets Manager. This means that an application can retrieve its secrets from the local host. It’s important to note that the Secrets Manager Agent can only make read requests to the Secrets Manager and cannot modify the secrets, while the AWS SDK allows more.
A respondent on a Reddit thread explained the difference between the agent and AWS SDK, which, for instance, allows the creation of secrets:
This one caches secrets so that if the same secret is requested multiple times within the TTL, only a single API call is made, and the cached secret is returned for any subsequent requests.
In addition, on a Hacker News thread, a respondent wrote:
If I looked at what this does and none of the surrounding discussion/documentation, I’d say this is more about simplifying using Secrets Manager properly than for any security purpose.
To use the secret manager “properly,” in most cases, you’ll need to pull in the entire AWS SDK, maybe authenticate it, make your requests to the secret manager, cache values for some sort of lifetime before refreshing, etc.
To use it “less properly,” you can inject the values in environment variables, but then there’s no way to pick up changes, and rotating secrets becomes a _project_.
Or spin this up, and that’s all handled. It’s so simple you can even use it from your shell scripts.
Lastly, there are several open-source secret management tools available in the Cloud, like Infisical, an open-source secret management platform that developers can use to centralize their application configuration and secrets like API keys and database credentials, or Conjur, which provides an open-source interface to securely authenticate, control, and audit non-human access across tools, applications, containers, and cloud environments via robust secrets management. In addition to these, there are proprietary secret management solutions like HashiCorp Vault, Azure Key Vault, Google Secret Manager, and AWS Secrets Manager.
