包阅导读总结
1. `AWS Secrets Manager`、`Open-Source Agent`、`Application Access`、`Secure`、`Simplification`
2. AWS 推出了用于 AWS Secrets Manager 的新开源代理,简化了从 Secrets Manager 检索机密的流程,提供了定制选项和安全保护,能在本地缓存机密,同时与其他开源及专有秘密管理工具共存。
3.
– AWS 推出新的开源代理用于 AWS Secrets Manager
– 简化了从 AWS Secrets Manager 检索机密的过程,实现安全和高效的应用访问
– 应用可从本地 HTTP 服务而非网络获取机密
– 具有可定制的配置选项
– 提供针对 Server-Side Request Forgery (SSRF) 的内置保护
– 代理在内存中检索和存储机密,应用直接访问本地缓存机密
– 仅能对 Secrets Manager 进行读取请求,不能修改机密,AWS SDK 则功能更多
– 与其他开源及专有秘密管理工具共存
– 如 Infisical、Conjur 等开源工具
– 还有 HashiCorp Vault 等专有解决方案
思维导图:
文章来源:infoq.com
作者:Steef-Jan Wiggers
发布时间:2024/7/25 0:00
语言:英文
总字数:448字
预计阅读时间:2分钟
评分:85分
标签:AWS Secrets Manager,开源,安全性,云计算,秘密管理
以下为原文内容
本内容来源于用户推荐转载,旨在分享知识与观点,如有侵权请联系删除 联系邮箱 media@ilingban.com
Amazon Web Services (AWS) has launched a new open-source agent for AWS Secrets Manager. According to the company, this agent simplifies the process of retrieving secrets from AWS Secrets Manager, enabling secure and streamlined application access.
The Secrets Manager Agent is an open-source tool that allows your applications to retrieve secrets from a local HTTP service instead of reaching out to Secrets Manager over the network. It comes with customizable configuration options, including time to live, cache size, maximum connections, and HTTP port, allowing developers to tailor the agent to their application’s specific requirements. Additionally, the agent provides built-in protection against Server-Side Request Forgery (SSRF) to ensure security when calling the agent within a computing environment.
The Secrets Manager Agent retrieves and stores secrets in memory, allowing applications to access the cached secrets directly instead of calling Secrets Manager. This means that an application can retrieve its secrets from the local host. It’s important to note that the Secrets Manager Agent can only make read requests to the Secrets Manager and cannot modify the secrets, while the AWS SDK allows more.
A respondent on a Reddit thread explained the difference between the agent and AWS SDK, which, for instance, allows the creation of secrets:
This one caches secrets so that if the same secret is requested multiple times within the TTL, only a single API call is made, and the cached secret is returned for any subsequent requests.
In addition, on a Hacker News thread, a respondent wrote:
If I looked at what this does and none of the surrounding discussion/documentation, I’d say this is more about simplifying using Secrets Manager properly than for any security purpose.
To use the secret manager “properly,” in most cases, you’ll need to pull in the entire AWS SDK, maybe authenticate it, make your requests to the secret manager, cache values for some sort of lifetime before refreshing, etc.
To use it “less properly,” you can inject the values in environment variables, but then there’s no way to pick up changes, and rotating secrets becomes a _project_.
Or spin this up, and that’s all handled. It’s so simple you can even use it from your shell scripts.
Lastly, there are several open-source secret management tools available in the Cloud, like Infisical, an open-source secret management platform that developers can use to centralize their application configuration and secrets like API keys and database credentials, or Conjur, which provides an open-source interface to securely authenticate, control, and audit non-human access across tools, applications, containers, and cloud environments via robust secrets management. In addition to these, there are proprietary secret management solutions like HashiCorp Vault, Azure Key Vault, Google Secret Manager, and AWS Secrets Manager.
